IETF Logo Mail Archive

Re: [OAUTH-WG] self-issued access tokens

David Chadwick <D.W.Chadwick@kent.ac.uk> Mon, 04 October 2021 10:28 UTC

Return-Path: <D.W.Chadwick@kent.ac.uk>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A1983A13C2 for <oauth@ietfa.amsl.com>; Mon, 4 Oct 2021 03:28:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.786
X-Spam-Level:
X-Spam-Status: No, score=-1.786 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5pq8SBv4PAeW for <oauth@ietfa.amsl.com>; Mon, 4 Oct 2021 03:28:14 -0700 (PDT)
Received: from mx4.kent.ac.uk (mx4.kent.ac.uk [129.12.21.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9F753A13C4 for <oauth@ietf.org>; Mon, 4 Oct 2021 03:28:13 -0700 (PDT)
Received: from mx5.kent.ac.uk ([129.12.21.36]) by mx4.kent.ac.uk with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <D.W.Chadwick@kent.ac.uk>) id 1mXLCc-000TQp-9P for oauth@ietf.org; Mon, 04 Oct 2021 11:28:10 +0100
Received: from 143.228.189.80.dyn.plus.net ([80.189.228.143] helo=AdministorsMBP2.lan) by mx5.kent.ac.uk with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from <D.W.Chadwick@kent.ac.uk>) id 1mXLCY-0004Yk-C1 for oauth@ietf.org; Mon, 04 Oct 2021 11:28:10 +0100
From: David Chadwick <D.W.Chadwick@kent.ac.uk>
To: oauth@ietf.org
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAD9ie-sgjUv3fppvTZvPpOyUKXo1H1i9LtkOk2yxzZ1+A+wt6w@mail.gmail.com> <TYCPR01MB56784381BE6799ADAA46E360E5AB9@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAD9ie-tMp44z_b=hG+OWC=Hc83RpC_WZ4AaerRMaOZ8cfEkDSg@mail.gmail.com> <TYCPR01MB56787D963D23F78B0800C6CBE5AB9@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAD9ie-u2MRQygYKCDOHBWvu_xO2p96+-vPHir6E3_SEh5OGbqw@mail.gmail.com> <FA113C6E-2A9A-4DFD-A7AB-500955EF9B2E@alkaline-solutions.com> <TYCPR01MB56784DD748F0977AEA0C0AA9E5AE9@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAJot-L3V8t=XgCHtziL6o2JWH52JuUdgx8hGpdUEu7-zAU+9Cg@mail.gmail.com>
Organization: University of Kent
Message-ID: <1441c039-a6b5-e195-7769-ad5324e63aaf@kent.ac.uk>
Date: Mon, 04 Oct 2021 11:28:05 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
In-Reply-To: <CAJot-L3V8t=XgCHtziL6o2JWH52JuUdgx8hGpdUEu7-zAU+9Cg@mail.gmail.com>
Content-Type: multipart/related; boundary="------------4B6E184BCABF2B0282838F65"
Content-Language: en-GB
X-Kent-Spam-Score: -0.9
X-Kent-Spam-Bar: /
X-Kent-Spam-Report: No, tests=ALL_TRUSTED=-1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, NICE_REPLY_A=-0.001, TVD_RCVD_IP=0.001
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IlyIYssuK2g4BsWQzTXWsMXoURs>
Subject: Re: [OAUTH-WG] self-issued access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Oct 2021 10:28:19 -0000

What we have done in our verifiable credentials implementation is to define sub as did:jwk:<base64 encoded public key parameters>. (Note this is a non-standard DID.) Then the JWT is signed with the corresponding private key. This provides a JWT that is tamperproof and provides POP, but of course it does not authenticate the sender as anyone can produce such a JWT. However, in the case of VCs, the claim is a verifiable presentation signed by the sender, contain verifiable credentials issued by a trusted issuer that tells the recipient who the sender is, so this solves the authentication problem.

I don't know if you could adapt the above to your requirements, but it would be nice to find an alternative sub encoding that contains the public key parameters, and is a URI, without it being a DID.

Kind regards
David


On 04/10/2021 10:24, Warren Parad wrote:
fwiw we are currently doing this in some flavor, and there are two things that have come up:
  • Standardize place to read client public keys from (JWKs)--Currently these are uploaded to the AS for storage for a particular client. This helps to avoid needing every client to host the public key. Obviously putting the public key in the jwt is rife with vulnerabilities.
  • Impossible to prevent client impersonation attacks by default with crypto/jwt verification libraries as the client can create tokens that specify a different sub then the clients. Because this extra restriction exists which is non-standard, verification can't be automatically handled by a library that doesn't understand this restriction. Which means that the only place which can verify that the sub is actually valid for the client is also the AS. (Specifically for us we make this easier by authorizing token that fetch AS resource data, including JWKs)
It would be great to have a standard around the second one, but I honestly don't see how, since the client can always lie, there would have to be a signature format that stores the kid/clientId identification information in a way that is tamper proof or still the trusted third party in this case the AS. We tend to call this reverse oauth. A small consolation would be a standard adding an attribute to the JWK and the JWT signally the requirement that the sub has to match some other property, but I also don't see this happening.

- Warren

https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA" width="199" height="34">

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement https://authress.io/" target="_blank" rel="nofollow">Authress.


On Mon, Oct 4, 2021 at 4:28 AM <toshio9.ito@toshiba.co.jp> wrote:

Thanks Dick,

 

Our use case is basically the option 2. There is only one RS. So, to simplify

the architecture, we want to omit the round-trip of getting an access token from

AS.

 

I agree with your idea of using JWTs to convey client's signature. So my

original question was if there was a standardized profile of a JWT for that

purpose. From the responses to this thread so far, I think the answer is no.

 

 

Thanks for comment, David,

 

Yeah, maybe it's wise to have AS anyway for better extensibility.

 

 

Toshio Ito

 

From: David Waite <david@alkaline-solutions.com>
Sent: Saturday, October 2, 2021 6:04 AM
To: Dick Hardt <dick.hardt@gmail.com>
Cc: ito toshio(伊藤 俊夫RDCIT研CNL) <toshio9.ito@toshiba.co.jp>; oauth@ietf.org
Subject: Re: [OAUTH-WG] self-issued access tokens

 

 



On Oct 1, 2021, at 11:06 AM, Dick Hardt <dick.hardt@gmail.com> wrote:

<snip>

If there is really only one service, then there is little value in an AS. I would have the client post a JWT that has the request payload in it, or a detached signature if it is a large payload. Personally, I like sending the request as a JWT as it allows services further down the processing pipeline to independently verify the request from the client.

 

This assumes sufficient computing power on the IoT device, and reasonably low call volume.

イメージは差出人によって削除されました。

 

One interpretation of the purpose in the AS is to create tokens based on its authorization decisions, while direct submission of client-authored JWTs would be more in line with having the RS make those decisions directly.

 

Even if they were hosted on the same hardware, I’d still push to use an AS-role component in order to optimize the decision making process and to not have to refactor (or risk duplication) of that logic later.

 

-DW

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth" rel="nofollow">https://www.ietf.org/mailman/listinfo/oauth


v2.35.0 | Report a Bug | By Email | System Status