Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

"Richard Backman, Annabelle" <richanna@amazon.com> Thu, 26 March 2020 00:53 UTC

Return-Path: <prvs=34744b713=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 695783A092F for <oauth@ietfa.amsl.com>; Wed, 25 Mar 2020 17:53:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dbCM1Bapwxml for <oauth@ietfa.amsl.com>; Wed, 25 Mar 2020 17:53:44 -0700 (PDT)
Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com [72.21.196.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A6E53A079C for <oauth@ietf.org>; Wed, 25 Mar 2020 17:53:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1585184023; x=1616720023; h=from:to:cc:date:message-id:references:in-reply-to: mime-version:subject; bh=obvRJh5Latwq3HQ75vrWeyJzq7qdb+3zwgV8CTieGH0=; b=g+yfX1IItKsr9sYVaBT+FSj9PSfGCd9EeweJCqxDJpdF7qlVfVQMOAE3 t9hhCcrjGt3OAHVauIa+Nc0uYuKK0dONFh5tuY3Ow5k5mhI3aelM3v2kc LOmhXeVqyBqeA4BH3FHUu04wr5Ue2C7T+/J+N0vyhPmUXa2TQRTnyeLcg s=;
IronPort-SDR: thCvi5jwlrNT+QA6Z/VUarfmh8vm9OzpCXD20oDF7KLgkGBAOv3zwcbLiGE17iasqXQv/rjp5q 7Dl726yLG+Xg==
X-IronPort-AV: E=Sophos; i="5.72,306,1580774400"; d="scan'208,217"; a="23193409"
Thread-Topic: [UNVERIFIED SENDER] Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Received: from iad12-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-1e-17c49630.us-east-1.amazon.com) ([10.43.8.2]) by smtp-border-fw-out-2101.iad2.amazon.com with ESMTP; 26 Mar 2020 00:53:19 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan3.iad.amazon.com [10.40.159.166]) by email-inbound-relay-1e-17c49630.us-east-1.amazon.com (Postfix) with ESMTPS id 04CBCA2785; Thu, 26 Mar 2020 00:53:17 +0000 (UTC)
Received: from EX13D11UWC001.ant.amazon.com (10.43.162.151) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 26 Mar 2020 00:53:17 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC001.ant.amazon.com (10.43.162.151) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Thu, 26 Mar 2020 00:53:17 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1497.006; Thu, 26 Mar 2020 00:53:16 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, "vittorio.bertocci=40auth0.com@dmarc.ietf.org" <vittorio.bertocci@auth0.com>, 'George Fletcher' <gffletch@aol.com>, 'Brian Campbell' <bcampbell@pingidentity.com>
CC: 'oauth' <oauth@ietf.org>
Thread-Index: AQHWAwCkHpO0ufV1EU+oqmYSdPJNFKhZ/94A//+WpgA=
Date: Thu, 26 Mar 2020 00:53:16 +0000
Message-ID: <F372DD65-C9B8-4CEE-9928-C052921988BA@amazon.com>
References: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com> <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr> <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com> <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com> <52f18114-4f8e-da86-5735-4c4e8f8d2db5@aol.com> <BL0PR08MB5394CA3CB524E95EA87CD6B6AEF10@BL0PR08MB5394.namprd08.prod.outlook.com> <74da4cc3-359c-c08a-0ae5-54c8ca309f32@aol.com> <D080BE8B-BD0D-4F63-9F33-BA23C2FB42DD@amazon.com> <DM6PR08MB5402639817677AD59898CD65AECE0@DM6PR08MB5402.namprd08.prod.outlook.com> <CA+k3eCS29X28CBXGiUtDAV8nceTcpfJ4Jr_x=E3x8_9crOqsOQ@mail.gmail.com> <13b6801d602c0$02ebea00$08c3be00$@auth0.com> <CA+k3eCSTKNMchR_20z7VRi1XS+kkzi3+8ey_+hB7bK-onRv2Bg@mail.gmail.com> <a0842eb4-582b-59ab-855d-8e48828e92ee@aol.com> <CA+k3eCQdQggPrVatvT2COrtEw2E4F2TTp_3uU6iSk1AsXeRwMg@mail.gmail.com> <13c4701d602d5$5990cdc0$0cb26940$@auth0.com> <29046ca9-71df-430c-80ec-8cf1700be0d9@aol.com> <13c7701d602d7$403eccd0$c0bc6670$@auth0.com> <86323681-E625-4EFB-ACFB-E79476117FDC@amazon.com> <DM6PR08MB540241FDC18A12D85D4EDDD0AECE0@DM6PR08MB5402.namprd08.prod.outlook.com> <DM6PR08MB54026B29CA95A6C3172C2634AECF0@DM6PR08MB5402.namprd08.prod.outlook.com>
In-Reply-To: <DM6PR08MB54026B29CA95A6C3172C2634AECF0@DM6PR08MB5402.namprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.21.0.200113
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.161.219]
Content-Type: multipart/alternative; boundary="_000_F372DD65C9B84CEE9928C052921988BAamazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DTJL5yK35YBZ4kC0_COZnT3JudE>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2020 00:53:54 -0000

Yes, there isn’t a clear solution to this problem. My main concern at this point is that we don’t give the impression that an AS can establish security boundaries or prevent token mix up by using different keys. The text changes you suggest would address that.

–
Annabelle Backman (she/her)
AWS Identity
https://aws.amazon.com/identity/


From: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
Date: Wednesday, March 25, 2020 at 5:10 PM
To: "Richard Backman, Annabelle" <richanna@amazon.com>, "vittorio.bertocci=40auth0.com@dmarc.ietf.org" <vittorio.bertocci@auth0.com>, 'George Fletcher' <gffletch@aol.com>, 'Brian Campbell' <bcampbell@pingidentity.com>
Cc: 'oauth' <oauth@ietf.org>
Subject: [EXTERNAL] [UNVERIFIED SENDER] Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

OK, I caught up with the discussion. Very interesting.
It seems that the conclusion is that there’s no simple mechanism we can add at this point that would easily gel with existing deployment, hence either we tell people to STOP using multiple keys, or we make them aware of the futility of doing so as a way of enforcing security boundaries.
Is that the correct conclusion? If yes, I would suggest we use the language I suggested in Brian’s thread (“The RS should expect the AS to use any of the keys published in the JWKS doc to sign JWT ATs”) to warn the RS developer that the AS could do that, and in the security section we warn the AS developer that using multiple keys won’t help much given that the RS won’t differentiate between tokens signed with keys from the same metadata collection anyway, hence it’s enough to compromise one key to generate tokens that will be accepted regardless of type or any other classification.
WDYT?

From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Date: Wednesday, March 25, 2020 at 16:53
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, "vittorio.bertocci=40auth0.com@dmarc.ietf.org" <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, 'George Fletcher' <gffletch@aol.com>, 'Brian Campbell' <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: 'oauth' <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Oh wow, I completely missed that thread. Thanks for the link. Reading…

From: OAuth <oauth-bounces@ietf.org> on behalf of "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Date: Wednesday, March 25, 2020 at 14:26
To: "vittorio.bertocci=40auth0.com@dmarc.ietf.org" <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, 'George Fletcher' <gffletch@aol.com>, 'Brian Campbell' <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: 'oauth' <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

This is another manifestation of the limits of jwks_uri that I’ve brought up on the list previously<https://mailarchive.ietf.org/arch/msg/oauth/eCZ-wUU2iwTyfx-zuqr2K3bM8-8/>.

Using different signing keys does not actually limit the blast radius of each key, since the validator doesn’t know that each key should only be considered valid for one type of token. This takes away one of the major drivers for using different keys. If the text says deployments can use different keys, it needs to clarify the limited value of that.

–
Annabelle Backman (she/her)
AWS Identity
https://aws.amazon.com/identity/


From: OAuth <oauth-bounces@ietf.org> on behalf of "vittorio.bertocci=40auth0.com@dmarc.ietf.org" <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
Date: Wednesday, March 25, 2020 at 12:01 PM
To: 'George Fletcher' <gffletch@aol.com>, 'Brian Campbell' <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: 'oauth' <oauth@ietf.org>
Subject: RE: [EXTERNAL] [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


That works for me!

From: George Fletcher <gffletch@aol.com>
Sent: Wednesday, March 25, 2020 11:56 AM
To: vittorio.bertocci@auth0.com; 'Brian Campbell' <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: 'Brian Campbell' <bcampbell@pingidentity.com>; 'oauth' <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

If we don't want to give guidance on how the RS determines the correct key to use to validate the token, then maybe we should state that explicitly. "The mechanism used by the RS to determine the correct key to use to validate the access token is out of scope for this specification".

That way at least we are being very clear that the spec is not trying to specify how that happens.

Thoughts?
On 3/25/20 2:44 PM, vittorio.bertocci@auth0.com<mailto:vittorio.bertocci@auth0.com> wrote:

Brian, there are plenty of ways in which an RS can surprise you with odd behavior- for example, developers might see that you used a key for signing an IDtoken and use that for init all their validation middleware for ATs as well, say because the library only supports one key at a time, and then end up failing at runtime when/if the assumption ceases to apply in the future.



Would that be legitimate of them to take such a dependency, even without warning text? No. However I am not looking at this from the “lawyering up” perspective, but from the useful guidance standpoint as well. I am well aware that being concise is a feature, but I am also not crazy about making every specification into an intelligence test for the reader. If a 16 words sentence can help prevent a likely misstep, I’d be inclined to keep it. But if the consensus is that the sentence is confusing, I can also take it out.







Brian & George, in the spirit of keeping things simple, and given that this was more of a “just in case” warning rather than a security feature clamored for- if the language is problematic I’d be more inclined to take the sentence out rather than complicating the guidance further.







From: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org><mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>

Sent: Wednesday, March 25, 2020 11:21 AM

To: George Fletcher <gffletch@aol.com><mailto:gffletch@aol.com>

Cc: Brian Campbell <bcampbell@pingidentity.com><mailto:bcampbell@pingidentity.com>; Vittorio Bertocci <vittorio.bertocci@auth0.com><mailto:vittorio.bertocci@auth0.com>; oauth <oauth@ietf.org><mailto:oauth@ietf.org>

Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"







I don't think you are missing anything, George (except that, to be pedantic, `kid` is a header rather than a claim).







The question gave me pause, however, and makes me think that maybe the draft, with the aim of improved interoperability, should have some more explicit text about the use of the 'kid' header in a JWT AT and how it references the verification key in the content at the jwks_uri.























On Wed, Mar 25, 2020 at 11:54 AM George Fletcher <gffletch=40aol.com@dmarc.ietf.org<mailto:gffletch=40aol.com@dmarc.ietf.org> <mailto:40aol.com@dmarc.ietf.org><mailto:40aol.com@dmarc.ietf.org> > wrote:



Can we not use the 'kid' claim to inform the RS as to which key is being used? What am I missing?



On 3/25/20 1:51 PM, Brian Campbell wrote:



I think, even without that statement in the draft, that ASes already have

license to use different keys if they so choose. And maybe I'm not creative

enough but I can't think of what problematic assumptions RSes might make

that would prevented by it. So perhaps just removing that whole sentence,

"An authorization server MAY elect to use different keys to sign id_tokens

and JWT access tokens."? Just a thought anyway.



On Wed, Mar 25, 2020 at 10:11 AM <vittorio.bertocci=

40auth0.com@dmarc.ietf.org<mailto:40auth0.com@dmarc.ietf.org> <mailto:40auth0.com@dmarc.ietf.org><mailto:40auth0.com@dmarc.ietf.org> > wrote:





Thank you for the perspective- I guessed something similar (“there would

be no way for the RS to know what key is used for what").



As stated below, the intent wasn’t to prevent substitution/confusion, but

mostly to give ASes license to use different keys if they choose to (for

the reasons listed below, or any other reason they might have) and a

headsup to RSes so that they don’t make assumptions.







*From:* Brian Campbell  <mailto:bcampbell=40pingidentity.com@dmarc.ietf.org><mailto:bcampbell=40pingidentity.com@dmarc.ietf.org> <bcampbell=40pingidentity.com@dmarc.ietf.org><mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>

*Sent:* Wednesday, March 25, 2020 8:48 AM

*To:* Vittorio Bertocci  <mailto:vittorio.bertocci@auth0.com><mailto:vittorio.bertocci@auth0.com> <vittorio.bertocci@auth0.com><mailto:vittorio.bertocci@auth0.com>

*Cc:* Richard Backman, Annabelle  <mailto:richanna@amazon.com><mailto:richanna@amazon.com> <richanna@amazon.com><mailto:richanna@amazon.com>; oauth <

oauth@ietf.org<mailto:oauth@ietf.org> <mailto:oauth@ietf.org><mailto:oauth@ietf.org> >

*Subject:* Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth

2.0 Access Tokens"







I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's

comment was an assumption that signing ATs and ID Tokens with different

keys would be done to prevent token substitution/confusion. And there's not

really a practical way to achieve that with the mechanics of the jwks_uri..







On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci <vittorio.bertocci=

40auth0.com@dmarc.ietf.org<mailto:40auth0.com@dmarc.ietf.org> <mailto:40auth0.com@dmarc.ietf.org><mailto:40auth0.com@dmarc.ietf.org> > wrote:



*>§4 p3: The only practical way for the AS to sign ATs and ID Tokens with

different keys is to publish the keys in two different JWK sets. This only

way to do this today is by publishing separate OAuth 2.0 authorization

server metadata and OIDC Discovery metadata files, where the JWK set in the

former applies to access tokens and the JWK set in the latter applies to ID

Tokens.*



Hmm, I don’t follow. The OIDC jwks_uri can contain multiple keys, and they

all can be used for signing. What prevents the AS to use one key from that

list for IDtokens and another for ATs? Separate discovery docs shouldn’t be

necessary. Sure, there would be no way for the RS to know what key is used

for what- but similar mechanisms are already in place today for handling

signing key rotation: e.g. the discovery doc lists the current key and the

future key, but uses only the current- and the RS has no way of

distinguishing between the two. The situation here can be analogous, any

key in the discovery doc should be considered valid by the RS, and in fact

there’s no requirement about selecting specific keys in the validation

section. That doesn’t mean this is useless, an AS might elect to use

different keys for its own purposes (eg separation of concerns for

forensics, different strengths, different lifecycles, and so on).













*CONFIDENTIALITY NOTICE: This email may contain confidential and

privileged material for the sole use of the intended recipient(s). Any

review, use, distribution or disclosure by others is strictly prohibited...

If you have received this communication in error, please notify the sender

immediately by e-mail and delete the message and any file attachments from

your computer. Thank you.*









_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth







_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org><mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth