IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Vittorio Bertocci <Vittorio@auth0.com> Tue, 24 March 2020 18:14 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B75703A09A5 for <oauth@ietfa.amsl.com>; Tue, 24 Mar 2020 11:14:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1AbcXNg8zEAn for <oauth@ietfa.amsl.com>; Tue, 24 Mar 2020 11:14:48 -0700 (PDT)
Received: from mail-io1-xd2e.google.com (mail-io1-xd2e.google.com [IPv6:2607:f8b0:4864:20::d2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E9BB3A09C8 for <oauth@ietf.org>; Tue, 24 Mar 2020 11:14:48 -0700 (PDT)
Received: by mail-io1-xd2e.google.com with SMTP id n21so19033954ioo.10 for <oauth@ietf.org>; Tue, 24 Mar 2020 11:14:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=zOxxrupDjdpLsj+YhdMRpORRqnttIdvQR4mdsW4EMJc=; b=O8KZi59RRbE3oegcNtefTCM4rTBGb13j2Zbg5sUhs/jc745m0fIhtoMXtYF+9ZNkdY 8ZBwYEgKUIimPB88vdFQ1lsao3A0YJ8oY+EOmgrRaWod2aEM1opqe6QDFX1qAqxxzzDg 2hsySe8K+ygj+KobBlDqeGz9F7b+hmdMkvV9nrj/iHytOGGknYmL93DwNOy5rGJiiTke 4h64UrnWCEYZ90FxNS6wCTlIMsleVJYqTzCRyMgArQd8qmaMdEYVFONZz6Co+CSXesK4 f3I2n8Jn55NVX5ptAirNguc0R7pFSfLtywqw0SC27jelDKoVT4QtgduZ7kj/t2lqBmad rYpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=zOxxrupDjdpLsj+YhdMRpORRqnttIdvQR4mdsW4EMJc=; b=STpYm63op0WeBaTV7cemg23QSRDdtV4rDQ66Ujxgs9ScBy+2Nym6knCMjeg+nn9k6C c4hVS/zQ6yvTHlzp9TDV2joBLYIRkta5J1R3AAYlwXDDNBKwa6Flnw1MNgp57LvF8Prx G9grDEtQex4KntDDL1juvdR7hxlbmOgSGoj+scka6vfnpGWETzpJG9FvKVu11Q5S3aOv C9SdrNszbAZTs8Ff4SkgwFLEdPuw5Y1A/V/1HEA8My82GnjUl+ouZKKoYBrPtTTx5dmb w9heyd7haPHnVtsNDuKbU3dP6t3tGRn3sNF+NlwPWJMcS1DJcFkLVNi5lAo9/M9mlnvb zk9g==
X-Gm-Message-State: ANhLgQ1BZ4EPLeUTuZ/U6x5yBpHeGxLc3Y2I8Ctqd1rejLX5QPIM4zZF 1F2WnT3XTTf5n4zo8G4++K0hIAurDrnXz9Jplp8VBNmZZzfTxQ==
X-Google-Smtp-Source: ADFU+vtvjuD7XXq9IbA0N4owWNhtMD5U44qP9tslyJkkGI6EYuTBqmWoIKZEzoQoA2WnKhOcKZGkh6hw9Wg4aJ2uZRM=
X-Received: by 2002:a02:cd31:: with SMTP id h17mr10965637jaq.72.1585073686889; Tue, 24 Mar 2020 11:14:46 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com> <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr> <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com>
In-Reply-To: <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Tue, 24 Mar 2020 11:14:35 -0700
Message-ID: <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com>
To: Takahiko Kawasaki <taka@authlete.com>
Cc: Nikos Fotiou <fotiou@aueb.gr>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000d10de05a19dba53"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JdqJhRmmIh3XSXRC0RmJogP99yI>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Mar 2020 18:14:51 -0000

Hi Takahiko,
thank you for reviewing and taking the time to write down your feedback!
Inline

[..]  apparently conflicts with RFC 8707. I'm afraid vendors that support
> RFC 8707 won't support this draft unless the requirement is loosened, for
> example from MUST to SHOULD.

I don't think this can be characterized as conflict. As a profile, it is
expected that this spec will be more restrictive. As long as a token
complying with the profile requirements is also valid according to 8707, I
believe we are in valid territory even if the vice versa does not hold (eg
a token can comply with 8707 but not be well formed according to a profile).

  The rule described here whereby to determine the default value of the
> "aud" claim is unintelligible.

Could you expand on the specific points you find unclear?

  I don't think the rule referring to the "scope" parameter is worth being
> defined. That "aud" is missing but "scope" is available is enough for
> resource servers. In other words, if "aud" is determined based on the
> "scope", why do we have to set "aud" redundantly?

Scope is actually not sufficient for many resource servers. Whenever an RS
is facading a collection of existing finer grained resources, scopes
representing permissions might be ambiguous - if my API facades both
calendar and inbox, what does the "read" scope refer to? Having an audience
resolves that ambiguity.
Also, many AS operate as multitenant services, where the need to solve
resource references ambiguity is even greater; and plenty of real world 1st
party solutions use OAuth for calling their first party API, without
implementing delegated authz logic hence not using scopes directly.
Also, see the next point.

  Requiring the "aud" as a MUST claim is the reason that this draft has to
> introduce philosophy about "aud" that may conflict with other
> specifications and may not be supported by all implementers. I would
> suggest changing "REQUIRED" to "OPTIONAL".

The most widespread JWT token validation logic deployed today is repurposed
from OIDC, where aud is mandatory. Most of the JWT AT solutions in the wild
use it. I believe that's enough reason to mandate aud in an interop profile.

On Mon, Mar 23, 2020 at 11:47 PM Takahiko Kawasaki <taka@authlete.com>
wrote:

> (1)
> The requirement in the paragraph below excerpted from "3. Requesting a JWT
> Access Token":
>
> *If it receives a request for an access token containing more than one
> resource parameter, an authorization server issuing JWT access tokens MUST
> reject the request and fail with "invalid_request" as described in section
> 4.1.2.1 of [RFC6749] or with "invalid_target" as defined in section 2 of
> [RFC8707].  See Section 2.2 and Section 5 for more details on how this
> measure ensures there's no confusion on to what resource the access token
> granted scopes apply.*
>
>
> apparently conflicts with RFC 8707. I'm afraid vendors that support RFC
> 8707 won't support this draft unless the requirement is loosened, for
> example from MUST to SHOULD.
>
> (2)
> Regarding another paragraph shown below from the same section.
>
> *If the request does not include a resource parameter, the authorization
> server MUST use in the aud claim a default resource indicator.  If a scope
> parameter is present in the request, the authorization server SHOULD use it
> to infer the value of the default resource indicator to be used in the aud
> claim.  The mechanism through which scopes are associated to default
> resource indicator values is outside the scope of this specification.  If
> the values in the scope parameter refer to different default resource
> indicator values, the authorization server SHOULD reject the request with
> invalid_scope as described in section 4.1.2.1 of [RFC6749].*
>
>
> The rule described here whereby to determine the default value of the
> "aud" claim is unintelligible. In addition, I don't think the rule
> referring to the "scope" parameter is worth being defined. That "aud" is
> missing but "scope" is available is enough for resource servers. In other
> words, if "aud" is determined based on the "scope", why do we have to set
> "aud" redundantly?
>
> Requiring the "aud" as a MUST claim is the reason that this draft has to
> introduce philosophy about "aud" that may conflict with other
> specifications and may not be supported by all implementers. I would
> suggest changing "REQUIRED" to "OPTIONAL".
>
>
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
>
> On Tue, Mar 24, 2020 at 10:32 AM Nikos Fotiou <fotiou@aueb.gr> wrote:
>
>> Hi all,
>>
>>
>>
>> Allow me some comments and forgive me if some of them are naïve.
>>
>> - In Section 2.2 why nbf claim (
>> https://tools..ietf.org/html/rfc7519#section-4.1.5)
>> <https://tools.ietf.org/html/rfc7519#section-4.1.5)> is not considered?
>> I can imagine some interesting applications of this claim.
>>
>> - In the same section, it is not clear why some claims are required,
>> especially exp, sub, and client_id. The last two claims are not even used
>> during token validation.
>>
>> - RFC7519 specifies that, in the general case, the aud claim is an array
>> of StringOrURI values. In this draft it is not clear if this still the
>> case, or here aud is a simple string (e.g., in page 5 it is stated: the
>> resource indicated in the aud claim, rather than the resource*s*).
>>
>> - In the token validation procedure, i.e., Section 4, is there any reason
>> why the resource server first checks the aud claim, then the signature, and
>> finally the exp claim? Given the fact that Error responses are not
>> specified, returning something like “invalid aud claim” even for tokens
>> with invalid signature may result in privacy/security attacks.
>>
>> - IMHO The token validation procedure it too bound to the particular
>> discovery mechanisms mentioned at the beginning of this section. E.g., Step
>> 2 mentions a “registration” process, and Step 3 mentions and an “Issuer
>> Identifier” which must much the iss claim. Moreover, I think it should be
>> explicitly mentioned that the resource server “must validate that the JWT
>> access token has been singed with a signing key that corresponds to the
>> authorization server included in the iss claim”
>>
>>
>>
>>
>>
>> Best,
>>
>> Nikos
>>
>>
>>
>> *From:* OAuth <oauth-bounces@ietf..org <oauth-bounces@ietf.org>> *On
>> Behalf Of *Hannes Tschofenig
>> *Sent:* Monday, March 23, 2020 11:18 PM
>> *To:* oauth <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth
>> 2.0 Access Tokens"
>>
>>
>>
>> Hi all,
>>
>>
>>
>> this is a working group last call for "JSON Web Token (JWT) Profile for
>> OAuth 2.0 Access Tokens".
>>
>>
>>
>> Here is the document:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04
>>
>>
>>
>> Please send you comments to the OAuth mailing list by April 6, 2020.
>>
>>
>>
>> Ciao
>>
>> Hannes & Rifaat
>>
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email