[OAUTH-WG] Standardising JWT access token type determination

Akila Amarasinghe <akilaa@wso2.com> Fri, 12 January 2024 09:21 UTC

Return-Path: <akilaa@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 742BAC14F706 for <oauth@ietfa.amsl.com>; Fri, 12 Jan 2024 01:21:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TKj4qIV7mc7A for <oauth@ietfa.amsl.com>; Fri, 12 Jan 2024 01:21:54 -0800 (PST)
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86AF5C14F701 for <oauth@ietf.org>; Fri, 12 Jan 2024 01:21:54 -0800 (PST)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-5e7c1012a42so60136577b3.3 for <oauth@ietf.org>; Fri, 12 Jan 2024 01:21:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; t=1705051313; x=1705656113; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=jyJj8ozyEWOxLHycC1gp5pV/ctzlS/WBXJxz6QpoWxY=; b=bpN1i1yu7W7ZwedNCdK+G6NkwB6Pr80oynpQmtH9cEAeifPmQHTf7mfA8DLHFPIfEO dZYajor3Cm25RYb9mYJB84cFVWwdpkuOROx0bZIfwUig5v/rVJ18QhQ86KyW/zLRmwVe L4CeHXeqwMHMlO2ulAFWtLyygcCPCDjzPgtC8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705051313; x=1705656113; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=jyJj8ozyEWOxLHycC1gp5pV/ctzlS/WBXJxz6QpoWxY=; b=FnacmjZlBcEVMZt1exPQ6cx6xXBwH6pdVnBHB0pqsiRje98PYeylR4vMPbLsrnEpLh FmewzCiBnbX64n4mSLjfWRO86r5/olonQwT2ShxX8p4+bav3lWU0f0SRidf438dEXusq UVZE3XmwlzCVaMer80OKxdLqD6hztlHUkJlZ38IhWI61/4/yOju3iQx80vttOTbuCEuS vLpI7irw5SKm5jCiPlrMnUkkT2R+7N5XicyhVVWdps1/+0SeVWy4nkr3wh55/PwIIqY7 xWb9B627rVRTnxtdbeOHEWgJtwoCpmE0E87HpW+BOaJCLcQqXyhjsptIYN1JTCIucMbD DH9w==
X-Gm-Message-State: AOJu0YzjHBzvUCyjSFnKPkKlz074kxbIqJ7zIJMkAdMq7deeNqmBRg/3 1O0Bm6aMDytx/nyl7TbCoFRRdMEOrxUG2myDhviSdjsiHb5aVE+UqW47t7H3
X-Google-Smtp-Source: AGHT+IHOTxhd98m2lorzDWG7ouPmmRxDjqcNMsZrp4g6iO5o0SJ80njThKUFf5FuZqeAO9TphnL5Ptv7cg2NzUq+YxA=
X-Received: by 2002:a5b:4b:0:b0:dbd:b464:63a with SMTP id e11-20020a5b004b000000b00dbdb464063amr402810ybp.26.1705051313095; Fri, 12 Jan 2024 01:21:53 -0800 (PST)
MIME-Version: 1.0
From: Akila Amarasinghe <akilaa@wso2.com>
Date: Fri, 12 Jan 2024 14:51:16 +0530
Message-ID: <CADo1+pUHvk6uK0pveDKbfxFDwDBkvmFbUEb=n_1pAsFfJ37Gmw@mail.gmail.com>
To: oauth@ietf.org, openid-gain-poc@lists.openid.net
Cc: Lalaji Sureshika <lalaji@wso2.com>
Content-Type: multipart/related; boundary="000000000000d7a041060ebc312e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IDAeyCQwYfyR4Cz7LDR0kNniRG0>
Subject: [OAUTH-WG] Standardising JWT access token type determination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2024 09:47:37 -0000

Hi all,

I am researching a standard way to distinguish the token grant type (client
credentials of authorization code) by inspecting the content of the
self-contained JWT token.

I expect to build a discussion within the Oauth/OpenID community around the
need to identify the grant type in which a JWT access token is issued.

In the context of Open Banking, regulators around the world enforce the API
resource access validation specifying which type of access token should be
used to access the API resources. This is becoming a general enforcement
and the Open Banking solution providers are searching for a standard way to
distinguish the access token type by checking the content of the JWT token.

I researched this and please find my findings below,

1. *"sub" claim is a potential way to distinguish the token type*

In rfc9068 <https://datatracker.ietf.org/doc/html/rfc9068> specification,
it is mentioned that the "sub" claim should contain the client ID of the
authorization server if the resource owner is not involved during
authorization (see the screenshot below).

[image: Screenshot 2024-01-12 at 12.15.42 PM.png]

We had discussions about using this claim to validate the token type (auth
code or client credentials), but it seems this is not a standard way to do
this since there can be client impersonation attacks. However, it is very
rare for an actual authorization code access token to have the same client
ID in the "sub" claim as the client exists in the authorization server.

2. *Add a custom claim to the access token*
Another option is to add a custom claim to determine the token type. This
will be set after determining the grant type of the token request and will
be contained in the JWT access token when issued by the authorization
server. This is a reliable way to identify the token type because the
authorization server determines the grant type by inspecting the request
sent into it. Therefore, making it more reliable. This custom claim will
contain from which grant type the access token is obtained.

3. *Validating the "azp" claim in the token*
This is not applicable generally because this claim is optional and is only
used in OpenID connect. The applications that don't use ID tokens cannot
use this claim.

We seek the help of the OAuth/OpenID community to build up a discussion on
this and find a standard way to do the token type determination using the
JWT token. It could be one of the above scenarios.

The feedback from the Oauth/OpenID community is highly appreciated.

Thanks,
*Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
(M)+94719799034 *| *(E)akilaa@wso2.com
(B) medium.com/@akilaamarasinghe

<http://wso2.com/signature>