[OAUTH-WG] draft-ietf-oauth-jwt-bearer-06
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 01 November 2013 20:52 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F46611E816D for <oauth@ietfa.amsl.com>; Fri, 1 Nov 2013 13:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O+l9GXbhqkU8 for <oauth@ietfa.amsl.com>; Fri, 1 Nov 2013 13:52:07 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.18]) by ietfa.amsl.com (Postfix) with ESMTP id 2388011E8166 for <oauth@ietf.org>; Fri, 1 Nov 2013 13:52:05 -0700 (PDT)
Received: from masham-mac.home ([81.164.176.169]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MK4fR-1VbWLo0JRl-001PPf for <oauth@ietf.org>; Fri, 01 Nov 2013 21:52:05 +0100
Message-ID: <52741472.8020405@gmx.net>
Date: Fri, 01 Nov 2013 21:52:02 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20130216 Thunderbird/17.0.3
MIME-Version: 1.0
To: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-15"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:rHvSRvIHQmPYiwV/cGY/2JAM0xeg50hDLqoFuedwFB1HtWBS+no yQl1RFc+u5vO0AD5kzwsra2b+ii95fJhROY03Z7j1ex37/qx89rC5cP2EuPo8XUJ2nR+owj eU4KgEsrEq4G2rVGmP+qU3JMi45ROlWaPsb0yw/Oxda4m+GeYx03ZQV6m1MNxOzfkkKGQJ0 nzGDQyxxZz+j/MkxGekBw==
Subject: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-06
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Nov 2013 20:52:13 -0000
Hi Mike, Hi all, I read through draft-ietf-oauth-jwt-bearer-06 in an attempt to find out whether I would be able to produce an interoperable implementation from this document. A few minor things came to my mind: Section 3: You write: " 1. The JWT MUST contain an "iss" (issuer) claim that contains a unique identifier for the entity that issued the JWT. Issuer values SHOULD be compared using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless otherwise specified by the application. " What is not stated here is what are the two values that are compared against each other. One value is the issuer claim from the JWT and the other value is the, I guess, an entry from a whitelist of trusted issuers. You write: " 2. The JWT MUST contain a "sub" (subject) claim identifying the subject of the transaction. The subject MAY identify the resource owner for whom the access token is being requested. A. When using a JWT as an authorization grant, the subject SHOULD identify an authorized accessor for whom the access token is being requested (typically the resource owner, or an authorized delegate). B. For client authentication, the subject MUST be the "client_id" of the OAuth client. " Should this rather read: " 2. The JWT MUST contain a "sub" (subject) claim identifing the principal that is the subject of the JWT. Two cases need to be differentiated: A. For the authorization grant, the subject SHOULD identify an authorized accessor for whom the access token is being requested (typically the resource owner, or an authorized delegate). B. For client authentication, the subject MUST be the "client_id" of the OAuth client. " Why isn't the SHOULD under (A) actually a MUST? Then, the current text in A is so fuzzy that it actually doesn't allow someone to create a test case to test whether an implementation is interoperable or not. With B the situation is different. Is there something else we can say for A? You write: " 3. The JWT MUST contain an "aud" (audience) claim containing a value that identifies the authorization server as an intended audience. The token endpoint URL of the authorization server MAY be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT. JWTs that do not identify the authorization server as an intended audience MUST be rejected. Audience values SHOULD be compared using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless otherwise specified by the application. " If the endpoint URL of the AS is not used then what else? Wouldn't it be useful to say "The token endpoint URL of the authorization server MUST be used as a value for an "aud" element to identify the authorization server as an intended audience of the JWT."? Then, I have a suggestion for re-phrasing this sentence from : " Audience values SHOULD be compared using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986], unless otherwise specified by the application. " to: " In the absence of an application profile standard specifying otherwise, a compliant JWT Bearer application MUST compare the audience values using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986]. " The same can actually be applied to the issuer claim as well. Given that the JWT had been updated to align it with the JOSE work I suspect that this document also requires an update. Section 5 about "Interoperability Considerations" says: " Specific items that require agreement are as follows: values for the issuer and audience identifiers, the location of the token endpoint, and the key used to apply and verify the digital signature or keyed message digest over the JWT. " I believe that this list is not correct. What is needed is: * At the authorization server there needs to be a whitelist of trusted issuers. For a succesful protocol run the JWT needs to be created by an issuer who is in the whitelist. * Along with the entry in the whitelist of trusted issuers needs to be a key. There is no new endpoint URL defined by this document. As such, I wouldn't mention those. I also do not think that the audience identifier needs to be agreed if you define it as the token endpoint URL of the authorization server (as I suggested above). Ciao Hannes
- [OAUTH-WG] draft-ietf-oauth-jwt-bearer-06 Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-06 Brian Campbell