Re: [OAUTH-WG] a token review of draft-ietf-oauth-access-token-jwt-01/-02

Brian Campbell <> Thu, 25 July 2019 18:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4886E120198 for <>; Thu, 25 Jul 2019 11:19:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gM10HW7skmpr for <>; Thu, 25 Jul 2019 11:19:25 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 006D512018A for <>; Thu, 25 Jul 2019 11:19:24 -0700 (PDT)
Received: by with SMTP id e20so68858552iob.9 for <>; Thu, 25 Jul 2019 11:19:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=U0tFwEOogzymRZ1H5UA4pDB2y4xEDGvEtGrO2qit/dI=; b=fq6UtR28Rs12veSrxQ2GlAXrBClG+O6Sb1T+LpGxeg9R7a5W35Gon+YPrSBOEiwsYT HGidtczA6r24PgCOWGem97f2wGhNOUCe1wX5I4+MN8i1i01WOlCtVo2TalrzDsT6bCm/ B0o5p83c/5rtfKC+63AsC/ZqyPX6YGklvoC9U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=U0tFwEOogzymRZ1H5UA4pDB2y4xEDGvEtGrO2qit/dI=; b=LSlcz84oMLLy6fVM+35iZVWWcwFnive+QDj+2QLjwBtAWxcu4/M+7IiHbWItSGl83Z BlC9FzIS/XVpFAyS3OxoiuVWD0+bzDADU6EWURMoX8Y91d6z1fiXefMKGJJhYAeVJAXa s1iccY3UB4p4ygXR4++hsUk56THjo1irsQAfQGeJb/bDc3d4NulebBBJvtPfUA64Xrkq eSs1dRaHWO+/k9xAga2KffUUmq1Z1uzNzuth8Rw0Qp225D7z/2t/1qkyPOZ/s9QcieUN l+MeEqtrRereS1avOGxDNE1fuMO0rrJFmXWO2BMA1LRJOkXkc9rtckJRw+LLSBTwx6y+ CZoA==
X-Gm-Message-State: APjAAAVHUT/nam2bTVQIsRZSUP3Vfrm4symE03KjotGwFS2Bc7A2WDft uLSzQFyt77SJc2E7vpe52F+IjKQeIga42MFZ8mJG6OMVixmQUk/VJvY0W5DHN+Dso3OWhGyRB0u Wuv57tJc3vvqWwWRad0k=
X-Google-Smtp-Source: APXvYqzp66/NFS/XubG/kQ8ARCy7DepIRmn/6D5mT4iGYTKWdYbbg4KbQbgD8K1hyx9jIf0U0mnaP9ogWEKtnGpdmC4=
X-Received: by 2002:a5d:9b1a:: with SMTP id y26mr18250226ion.238.1564078764010; Thu, 25 Jul 2019 11:19:24 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Thu, 25 Jul 2019 12:18:57 -0600
Message-ID: <>
To: Vittorio Bertocci <>
Cc: oauth <>
Content-Type: multipart/alternative; boundary="000000000000214ad5058e8577b1"
Archived-At: <>
Subject: Re: [OAUTH-WG] a token review of draft-ietf-oauth-access-token-jwt-01/-02
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 25 Jul 2019 18:19:27 -0000

You're welcome, of course. And thanks for the prompt response. I've
endeavored to continue the parts of the conversation that needed continuing

On Wed, Jul 24, 2019 at 3:46 PM Vittorio Bertocci <Vittorio=>; wrote:

> Thank you Brian for the thorough and insightful review!
> > On authenticated encryption.
> I did chat with Neil about his draft, but as you mention I didn't
> reference it given that it hasn't bee picked up (yet?).
> On referencing JWE RFC7516 and more JWA RFC7518, I am reluctant. My
> rationale is that this profile attempts to capture current practices or
> practices that are close enough to the capabilities of existing systems to
> have a reasonable chance of being adopted. None of the products/services
> surveyed used authenticated encryption, and the requirement to acquire a
> symmetric key out of band throws  a big wrench in the otherwise clear-cut
> process of preparing your RS to handle JWT ATs. I will bring the matter up
> as open issue on Friday, and if the consensus will be to include symmetric
> authenticated encryption I'll do that; but my personal preference would be
> to preserve the simplicity of a concrete,
> nothing-of-substance-left-as-exercise-to-the-reader solution that can be
> achieved when the key material can be advertised via metadata.

Looking to get consensus is quite reasonable, of course, and I can
sympathize with the aim of simplicity. As I've said before though, I think
the utility it brings is sufficient trade-off with respect to any
additional complexity it brings (which is arguably not that much). And I
imagine I'll continue to recommend it in situations where it makes sense
regardless of where this document ends up. But, well, you know, that's
just, like, my opinion, man.

To set the historical record straight, however, I was among the
products/services surveyed and I explicitly included several examples
showing "AEAD symmetric encrypted AT".

> About the nonce mitigation you mention. Do you think this means that I
> should explicitly forbid the presence of a "nonce" claim in JWT ATs?

I dunno to be honest. The actual validation of the nonce requires enough
other contortions that it probably doesn't really need to be forbidden
here. And proper use of aud (and maybe other stuff?) stuff also makes using
a AT as an ID token infeasible. So it's okay as is as far as I can tell.
But maybe forbidding nonce isn't a bad suggestion just for the sake of
saying something about it and maybe avoiding some potential mix-ups.

> >I think you want to say here that the scope claim in the token has to
> correlate to the scope which was approved. Not necessarily what what
> requested. The authorization request might ask for scope of a+b+c, for
> example, while the user only approves b. Or any other variation on things
> where what was asked for isn't what was gotten..
> Here I am trying not to get into the details of what's inside the scope
> claim, more requesting that if "scope" was in the request, the issued token
> should express a delegation and a symptom of that should be the presence of
> the scope claim. Paradoxically that scope claim might be empty if the user
> only consented to scopes that have effect on the presence of other claims
> in the token (say a functional equivalent of profile). Yes, it does sound
> odd, but that's a side effect of the prohibition of sending id_tokens to
> API that creates the requirement to create functional equivalents.

I must admit to not 100% following all of that I want to bring it back up
to the text in the draft, which to me, reads as saying that if the authz
request contains a scope, then the AT SHOULD contain a scope (noting that
SHOULD is still actually pretty strong language per RFC2119). I think
that's too strong a correlation between something maybe in the authz
request and a claim in the AT.

I *think* it'd be preferable to say something similar to the effect of (and
it sounds almost silly but it's not meant to), "the scope claim has the
scope". Maybe something along these lines in place of the first
sentence/paragraph of 2.2.2.

  "The issued JWT access token SHOULD/MAY/can/could/will/might include a
scope claim as
   defined in section 4.2 of [TE], which expresses the scope of access
authorized by the token."

>I personally think the SHOULD is too strong here because it puts the onus
> on the resource server to know about (via some config option or something)
> and enforce on every transaction a setup/policy thing that the AS is
> responsible for which isn't about the integrity of the authorization data
> in the token. A MAY or even removing the list item would be preferred.
> I borrowed this language straight from the OpenID Connect validation steps
> for idtokens. Given that JWT ATs can carry identity info, the requirement
> seemed appropriate... also, I think it is reasonable to expect the resource
> server to know about its own registration- just like it must know about the
> expected aud value and what key should be used to decrypt messages, it
> should know whether encryption was requested or not. In fact, the fact that
> such option was selected at registration time is likely the reflection of a
> policy of the RS itself, something the RS itself would want to ensure has
> been respected. WDYT?

I was involved in a similar discussion last yearish around some product
requirements and functionality. And, while I can see the merits on both
sides of it, my opinion still falls squarely on the side I previously
expressed. So what I think is unchanged and I believe that it's an
overreach for a spec like this. Some of the details of the argument are a
bit subtle though and I have a hard time putting them into writing (more
than usual even). Perhaps we could try and use some of the time in Montreal
to have a f2f discussion about it?  Which doesn't even have to be during
the official WG time.

> >multi value audiences
> I see the issue. I definitely don't want to redefine the semantic of aud,
> but I also would like to be as crisp as possible on the audience-scope
> correlation and prevent scopes from being misinterpreted as applying to the
> wrong resource. The aud validation will likely happen in some middleware in
> front of the API, but authorization checks might happen in the body of the
> API itself when the actual access is being attempted, and having an OR list
> in the aud claim might lead to false positives. RSes correctly written
> should not suffer from this issue (the authorization logic should receive
> only the value from the aud collection that is an actual match) but I have
> seen enough sloppy implementations to be skeptical about this.
> As a result, I would be inclined to  take out the sentence "or if it
> contains additional audiences that are not known aliases of the resource
> indicator of the current resource server", effectively restricting to
> single value aud and eliminating this issue.

While I guess I am still somewhat skeptical about the need to further
constrain the use of audience, it seems that ship has sailed.  I do find it
much more palatable to constrain aud to a single value than to redefine the
semantics of a multi-valued aud.

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._