Re: [OAUTH-WG] "cid" claim in JWT
Nat Sakimura <sakimura@gmail.com> Thu, 20 December 2012 07:42 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C46EB21F8A85 for <oauth@ietfa.amsl.com>; Wed, 19 Dec 2012 23:42:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.646
X-Spam-Level:
X-Spam-Status: No, score=-0.646 tagged_above=-999 required=5 tests=[AWL=-2.048, BAYES_00=-2.599, GB_SUMOF=5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id faIaUkTniyc2 for <oauth@ietfa.amsl.com>; Wed, 19 Dec 2012 23:42:52 -0800 (PST)
Received: from mail-ea0-f175.google.com (mail-ea0-f175.google.com [209.85.215.175]) by ietfa.amsl.com (Postfix) with ESMTP id 9B21021F8A83 for <oauth@ietf.org>; Wed, 19 Dec 2012 23:42:51 -0800 (PST)
Received: by mail-ea0-f175.google.com with SMTP id h11so1174098eaa.20 for <oauth@ietf.org>; Wed, 19 Dec 2012 23:42:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LvUzFEB+zkqeUoUuLifvzyNnaY2MvHIk6/DDDVA8FlI=; b=V4cZW72jubhmsnY1YG9IPilq7r56ZZD79qCG8FOkndq6cCfW9uMY/Nph8i0jiBHmFe poZMl75zZG7yfGPagUJCVGOdcOkDXqPSNU1l3DLu0/hnIaL+FAORmLexlqHbTNitpEc/ jBdmVb4JJJrXQH0AlD6YAJKYdHqM4ir6fsaHaEV2G3wJHo2krVz3fLI3Z/5RHEHZ+YUU uU13O8YL80V3XVQxJj8LGNY0pM9TvxGifwNb0BXucBsotnXEY3lbCcKqOsHPrsEHjtWD Y1Q+/+ZClsT2q9cfXyCDEaLkAzIVm/luLpNMynMzLMtcSp3Jki9kYT+mNoGhwh/zC7Hy Vgpw==
MIME-Version: 1.0
Received: by 10.14.206.197 with SMTP id l45mr21369099eeo.17.1355989370416; Wed, 19 Dec 2012 23:42:50 -0800 (PST)
Received: by 10.14.215.66 with HTTP; Wed, 19 Dec 2012 23:42:50 -0800 (PST)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436697EF82@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436697EF82@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 20 Dec 2012 16:42:50 +0900
Message-ID: <CABzCy2B592GjoK2XanVfdKW6orqUF+=VxEA2sPoaC1h_EKzD=g@mail.gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="047d7b34413cbe2ee504d143e08a"
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] "cid" claim in JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 07:42:53 -0000
As "prn" is way under-defined [1], there can be two interpretations for
"prn".
Considering that "subject" is not a defined term (= dictionary term), and
interpreting a boarding pass as:
"Japan Airlines authorizes JL002 to accept passenger John Smith at the Gate
B22 provided safety and other requirements are met between the boarding
time (14:30) and 10 minutes before the departure time (15:10)"
then:
iss: Japan Airlines
prn: JL002 (the flight number)
cid: John Smith (the passenger, who uses the boarding pass)
aud: Gate B22 (Gate assigned to JL002)
nbf: 2012-12-31T14:30+9
exp: 2012-12-31T15:00+9
Alternatively, if we interpret the boarding pass as:
"Japan Airlines authorizes John Smith to board JL002 at the Gate B22
provided safety and other requirements are met the boarding time (14:30)
and 10 minutes before the departure time (15:10)""
iss: Japan Airlines
prn: John Smith
cid: John Smith
aud: Gate B22 (Gate assigned to JL002)
nbf: 2012-12-31T14:30+9
exp: 2012-12-31T15:00+9
This interpretation has lost some information while encoding into JWT, so
prior one may be more appropriate.
Either way, as "prn" lacks exact semantics, what goes into it is subject to
interpretation while "cid" is very clearly defined.
Let me give another example.
An entitlement that says: "John Smith is allowed to activate the system
when Mary White presents this token (#1234) to the System A" that is issued
by the "ABC Corp"
iss: ABC Corp.
jti: #1234
prn: John Smith
cid: Mary White
aud: System A
Note: this is not delegation nor on-behalf-of.
More webby example: "John Smith authorizes photo print service A to access
photo archive service B for John Smith's photo #123 until 2013-04-01 for
the sum of $100."
iss: John Smith's Authorization Server
prn: John Smith's photo #123
cid: Photo print service A
aud: photo archive service B
exp: 2013-04-01
Nat
[1] 4.1.6 "prn" defines its value as what identifies:
"the subject of the JWT"
This can be expanded by replacing "JWT" with its definition as
"the subject of the string consisting of multiple parts, the first being
> the Encoded JWT Header, plus additional parts depending upon the contents
> of the header, with the parts being separated by period ('.') characters,
> and each part containing base64url encoded content."
Further, expanding "JWT Header", it will become
"the subject of the string consisting of multiple parts, the first being
> the string representing a JSON object that describes the cryptographic
> operations applied to the string, plus additional parts depending upon
> the contents of the header, with the parts being separated by period ('.')
> characters, and each part containing base64url encoded content."
To me, it is not clear what it means.
On Thu, Dec 20, 2012 at 3:07 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:
> What would the iss, prn, aud, and cid values represent in the boarding
> pass example?
>
> -- Mike
>
> *From:* Nat Sakimura
> *Sent:* December 19, 2012 9:32 PM
> *To:* Mike Jones
> *CC:* Anthony Nadalin, John Bradley, oauth
> *Subject:* Re: [OAUTH-WG] "cid" claim in JWT
>
> I obviously disagree - if I did agree, I did not send it to the list to
> start with :-)
>
> "cid" (or in my original proposal, "reg") has a very clear and
> established meaning.
> The parallel examples abounds in our daily life.
>
> It has very little to do with On-behalf-of.
> It is not a delegation statement.
>
> "cid" is there to indicate to whom it was issued to.
> The entity who was issued this "token" is eligible to use it at the
> entities indicated by "aud".
>
> Example in our real life are like:
>
> - Airline boarding pass
> - Registered instruments (bond / share)
> - Monthly train pass
> - Disneyland annual passport
> etc. etc.
>
> Please do not mix it up with a delegation statement like on-behalf-of,
> which is much less well defined.
>
> Nat
>
>
>
> On Thu, Dec 20, 2012 at 12:07 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:
>
>> I'm with Tony on this. This seems premature to put into the JWT
>> standard. All the other JWT claims have well established meanings and
>> history behind them. These don't.
>>
>> If the goal is to allow OpenID Connect implementations to not reject
>> tokens using “cid”, there are lots of other ways to accomplish this that I
>> think we should consider first.
>>
>> -- Mike
>>
>>
>> *From:* John Bradley
>> *Sent:* December 19, 2012 6:25 PM
>> *To:* Anthony Nadalin
>> *CC:* oauth
>> *Subject:* Re: [OAUTH-WG] "cid" claim in JWT
>>
>> I agree, audience who requested it and and who it is requested for are
>> all interrelated.
>>
>> However we do need to set down some standard way of expressing it as
>> people are starting to make stuff up on their own that will impact
>> interoperability.
>>
>> If Google starts thawing in cid and clients don't know about it they
>> must reject the JWT etc.
>>
>> John
>>
>> On 2012-12-19, at 9:40 PM, Anthony Nadalin <tonynad@microsoft.com>
>> wrote:
>>
>> It seems premature and we should consider this in the bigger context
>> of the “on behalf of”/delegation work that has been started
>>
>> *From:* oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
>> Behalf Of *Nat Sakimura
>> *Sent:* Tuesday, December 18, 2012 6:22 PM
>> *To:* oauth
>> *Subject:* [OAUTH-WG] "cid" claim in JWT
>>
>> In OpenID Connect WG, we have been talking this for sometime.
>> "cid" claim identifies the entity that the JWT was issued to as a
>> rightful/licensed user.
>> Google already uses this in their implementation of id_token of OIDC.
>>
>> Here is the text proposal. It introduces two new standard claims:
>> "cid" and "cit".
>>
>> It would be very useful in creating a HoK drafts as well.
>>
>> Cheers,
>>
>> Nat
>>
>>
>>
>>
>> *4.1.9. "cid" Client Identification Data Claim*
>>
>>
>>
>> The "cid" (client identification data) claim allows the receiver
>>
>> of the JWT to identify the entity that the JWT is
>>
>> intended to be used by. The audience of the JWT MUST be
>>
>> able to identify the client with the value of this claim.
>>
>>
>>
>> The "cid" value is a case sensitive string containing a StringOrURI value.
>>
>> This claim is OPTIONAL. If the entity processing the claim does not
>>
>> identify the user of the JWT with the identifier in the "cid" claim value,
>>
>> then the JWT MUST be rejected. The interpretation of the registered to
>>
>> value is generally application specific.
>>
>>
>>
>> A typical example of a registered to claim includes following:
>>
>> * client_id that the audience can use to authenticate and
>>
>> identify the client.
>>
>> * A base64url encoded JWK.
>>
>> * A URL that points to the key material that the audience can use to
>>
>> authenticate the user of the JWT.
>>
>>
>>
>> *4.1.10 "cit" (Client Identification Data claim type)*
>>
>>
>>
>> The "cit" (Client Identification Data claim type) identifies the type
>>
>> of the "cid" claim. It is a StringOrURI value. The defined values
>>
>> are the following:
>>
>>
>>
>> "client_id" The value of the "cid" claim is the Client ID of the client
>>
>> that the audience of the JWT is able to use to authenticate the client.
>>
>>
>>
>> "jwk" The value of the "cid" claim is a base64url encoded JWK of
>>
>> the registered client.
>>
>>
>>
>> "jku" The value of the "cid" claim is the "jku" defined in 4.1.2 of
>>
>> JSON web signature [JWS].
>>
>>
>>
>> "x5u" The value of the "cid" claim is the URL that points to the public
>>
>> key certificate of the registered client. The format of the content
>>
>> that x5u points to is described in section 4.1.4 of the JSON Web Signature.
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
- [OAUTH-WG] "cid" claim in JWT Nat Sakimura
- Re: [OAUTH-WG] "cid" claim in JWT Anthony Nadalin
- Re: [OAUTH-WG] "cid" claim in JWT John Bradley
- Re: [OAUTH-WG] "cid" claim in JWT Mike Jones
- Re: [OAUTH-WG] "cid" claim in JWT Nat Sakimura
- Re: [OAUTH-WG] "cid" claim in JWT Nat Sakimura
- Re: [OAUTH-WG] "cid" claim in JWT Mike Jones
- Re: [OAUTH-WG] "cid" claim in JWT Nat Sakimura
- Re: [OAUTH-WG] "cid" claim in JWT Mike Jones
- Re: [OAUTH-WG] "cid" claim in JWT Anthony Nadalin
- Re: [OAUTH-WG] "cid" claim in JWT Nat Sakimura
- Re: [OAUTH-WG] "cid" claim in JWT Justin Richer
- Re: [OAUTH-WG] "cid" claim in JWT Nat Sakimura
- Re: [OAUTH-WG] "cid" claim in JWT Mike Jones