IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

Hans Zandbelt <hans.zandbelt@zmartzone.eu> Mon, 25 March 2019 13:59 UTC

Return-Path: <hans.zandbelt@zmartzone.eu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C4121204A4 for <oauth@ietfa.amsl.com>; Mon, 25 Mar 2019 06:59:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=zmartzone-eu.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5lsHvYbydM0J for <oauth@ietfa.amsl.com>; Mon, 25 Mar 2019 06:58:57 -0700 (PDT)
Received: from mail-qt1-x82f.google.com (mail-qt1-x82f.google.com [IPv6:2607:f8b0:4864:20::82f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28B4B12047C for <oauth@ietf.org>; Mon, 25 Mar 2019 06:58:57 -0700 (PDT)
Received: by mail-qt1-x82f.google.com with SMTP id w30so10310469qta.8 for <oauth@ietf.org>; Mon, 25 Mar 2019 06:58:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zmartzone-eu.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9H/K/UTSL0R6S5jM9jXKCGnOXBRCpnCZZdgo8w6AsCo=; b=hERBfehREfNHBCgisNQEDakEg6Y+5obM+mQNhqSLqVwrnp85xYC+h+pnbA4l4Ctqc+ 5tmi0zuSLbJBliBm9tvI9YaLB1fKPIpevlCdEMaqP5MLjR4imr4pd9H6E/msqZ63nfn0 rEg843WQ3TeRbzTe4/L+2m1Ck2uWKr8lz9mJEFjpW+B1LKHj2Qq2ZJQThj9StrXdRwsh Km8Tigpgawyam9DextTipNh2YNFWECheN4VS9/iTTmc5a8sorzNNavdXzXm8pe9j1iak po6zmQhSAgji+NkMtxL1Ysom2+FTJJgMpGLNWdJXnNC9nL8BbYUpN3IQh4Qe06qATbYu 8Jlg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9H/K/UTSL0R6S5jM9jXKCGnOXBRCpnCZZdgo8w6AsCo=; b=dcj4wb6DKGLnNBuge1Mg5z0YkjZ2cCBtXsaL4nvpdmubgECCc02TLnh+W9Towfb35e V9U5uNXaPg4f4XEX40B0gwNj3l+d+SlhPh4JZQjE9lBrrLy0HQDX6xWoYm5KNYB2aXLo ycp+glpK7ccQf7BJjOh2wr3OD1oCa9EZYPPz/z81CVnINVGsdxHLRjUS3PF9sP3gQOcw rfqSwkD5ixJfZ0QBLZs+LbvdvFyJoyZz6gzrjY/C66cL2lvHlYVN5uX98BTwDz9qnaR3 yniHEM0CYqbBpdgAtC/CCQBa1aNTSFJcObP/tmcb9zw/hIo2TdJrlDXXdPywMHK0X26M w3kA==
X-Gm-Message-State: APjAAAU2eYr7KUCszc6og6XCG0sQrfYQx1YXyEEVF7W8/V2MaVb8fD/5 S/hnEXVmto6yb1+Eg7lK3sVzlbhrFSAb67qBMA4tpw==
X-Google-Smtp-Source: APXvYqz/34gGDHlbmaIy8CUFYFSnBRHZBJinagQdA45jk+s307TRXPdAIXguiwQT5e9mvIivYjwf9vr4mNHBKV/rh3U=
X-Received: by 2002:a0c:bd81:: with SMTP id n1mr19168074qvg.65.1553522336185; Mon, 25 Mar 2019 06:58:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com> <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com>
In-Reply-To: <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com>
From: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Mon, 25 Mar 2019 14:58:44 +0100
Message-ID: <CA+iA6uhHOSmiSG_vxvad_g2ufi57OS4TxdvoO20g+7vm7rNZiA@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: Nov Matake <matake@gmail.com>, vittorio@auth0.com, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ffda550584eb9abd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/G0V5sbnJPHQPhIM4o1thdSW_qAI>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 13:59:06 -0000

Without agreeing or disagreeing: OIDC does not apply here since it is not
OAuth and an access token is not an id_token.
The JWT spec says in https://tools.ietf.org/html/rfc7519#section-4.1.2:

"The "sub" (subject) claim identifies the principal that is the
   subject of the JWT.  The claims in a JWT are normally statements
   about the subject.  The subject value MUST either be scoped to be
   locally unique in the context of the issuer or be globally unique.
   The processing of this claim is generally application specific"

which kind of spells "client" in case of the client credentials grant but I
also do worry about Resource Servers thinking/acting only in terms of users

Hans.

On Mon, Mar 25, 2019 at 2:41 PM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> IMHO the sub claim should always refer to the user - and nothing else.
>
> OIDC says:
>
> "Subject - Identifier for the End-User at the Issuer."
>
> client_id should be used to identify clients.
>
> cheers
> Dominick
>
> On 25.. March 2019 at 05:13:03, Nov Matake (matake@gmail.com) wrote:
>
> Hi Vittorio,
>
> Thanks for the good starting point of standardizing JWT-ized AT.
>
> One feedback.
> The “sub” claim can include 2 types of identifier, end-user and client, in
> this spec.
> It requires those 2 types of identifiers to be unique each other in the
> IdP context.
>
> I prefer omitting “sub” claim in 2-legged context, so that no such
> constraint needed.
>
> thanks
>
> nov
>
> On Mar 25, 2019, at 8:29, Vittorio Bertocci <
> vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>
> Dear all,
> I just submitted a draft describing a JWT profile for OAuth 2.0 access
> tokens. You can find it in
> https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
> I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting
> remotely). I look forward for your comments!
>
> Here's just a bit of backstory, in case you are interested in how this doc
> came to be. The trajectory it followed is somewhat unusual.
>
>    - Despite OAuth2 not requiring any specific format for ATs, through
>    the years I have come across multiple proprietary solution using JWT for
>    their access token. The intent and scenarios addressed by those solutions
>    are mostly the same across vendors, but the syntax and interpretations in
>    the implementations are different enough to prevent developers from reusing
>    code and skills when moving from product to product.
>    - I asked several individuals from key products and services to share
>    with me concrete examples of their JWT access tokens (THANK YOU Dominick
>    Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian
>    (Microsoft), Karl Guinness (Okta) for the tokens and explanations!).
>    I studied and compared all those instances, identifying commonalities
>    and differences.
>    - I put together a presentation summarizing my findings and suggesting
>    a rough interoperable profile (slides:
>    https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
>    <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
>    ) - got early feedback from Filip Skokan on it. Thx Filip!
>    - The presentation was followed up by 1.5 hours of unconference
>    discussion, which was incredibly valuable to get tight-loop feedback and
>    incorporate new ideas. John Bradley, Brian Campbell Vladimir Dzhuvinov,
>    Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there
>    and contributed generously to the discussion. Thank you!!!
>    Note: if you were at OSW2019, participated in the discussion and
>    didn't get credited in the draft, my apologies: please send me a note and
>    I'll make things right at the next update.
>    - On my flight back I did my best to incorporate all the ideas and
>    feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat,
>    Hannes and above all Brian were all super helpful in negotiating the
>    mysterious syntax of the RFC format and submission process.
>
> I was blown away by the availability, involvement and willingness to
> invest time to get things right that everyone demonstrated in the process.
> This is an amazing community.
> V.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
hans.zandbelt@zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

v2.23.0 | Report a Bug | By Email