Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue
"Manger, James" <James.H.Manger@team.telstra.com> Mon, 28 April 2014 00:42 UTC
Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A6C91A0821 for <oauth@ietfa.amsl.com>; Sun, 27 Apr 2014 17:42:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.499
X-Spam-Level: **
X-Spam-Status: No, score=2.499 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YGRyEwwMeLiG for <oauth@ietfa.amsl.com>; Sun, 27 Apr 2014 17:42:31 -0700 (PDT)
Received: from ipxbvo.tcif.telstra.com.au (ipxbvo.tcif.telstra.com.au [203.35.135.204]) by ietfa.amsl.com (Postfix) with ESMTP id 48E8E1A06D8 for <oauth@ietf.org>; Sun, 27 Apr 2014 17:42:26 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.97,939,1389704400"; d="scan'208,217"; a="209602615"
Received: from unknown (HELO ipcbvi.tcif.telstra.com.au) ([10.97.217.204]) by ipobvi.tcif.telstra.com.au with ESMTP; 28 Apr 2014 10:42:24 +1000
X-IronPort-AV: E=McAfee;i="5400,1158,7421"; a="218166364"
Received: from wsmsg3702.srv.dir.telstra.com ([172.49.40.170]) by ipcbvi.tcif.telstra.com.au with ESMTP; 28 Apr 2014 10:42:24 +1000
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3702.srv.dir.telstra.com ([172.49.40.170]) with mapi; Mon, 28 Apr 2014 10:42:23 +1000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: "oauth@ietf.org" <oauth@ietf.org>, Torsten Lodderstedt <torsten@lodderstedt.net>, John Bradley <ve7jtb@ve7jtb.com>, Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 28 Apr 2014 10:34:40 +1000
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue
Thread-Index: Ac9h/u3vQZvwJo0oRJuQg7CxtNhQDAAcsTAA
Message-ID: <255B9BB34FB7D647A506DC292726F6E11545569E2D@WSMSG3153V.srv.dir.telstra.com>
References: <53577C41.2090606@gmx.net> <CA+k3eCSmVo__OBn7vMoSZ2POeFLUS11y+BNOPTX5b=5C_OpfBg@mail.gmail.com> <5358B8BC.8000508@gmx.net> <CA+k3eCSCtSb42pqz8qE4MQbfXzLQFr9bEAcNm0bgJ24WRL4C4Q@mail.gmail.com> <53590810.8000503@gmx.net> <CA+k3eCRvukGj-oZ214JNdaAENobrdcanxPxZiAUZ9B529Zsd5A@mail.gmail.com> <4E1F6AAD24975D4BA5B16804296739439A1960AA@TK5EX14MBXC288.redmond.corp.microsoft.com> <A83036B3-E093-41C6-A212-B5797E536326@ve7jtb.com> <CA+k3eCToMDJv4KfapoG=9gSHrtzKT5E8L4OFSJMjQZWBO4Q84g@mail.gmail.com> <2DE29BE5-8E48-42E1-96AE-D92336AF66B8@ve7jtb.com> <535CD425.7080506@lodderstedt.net>
In-Reply-To: <535CD425.7080506@lodderstedt.net>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E11545569E2DWSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/JunWlUpaCPt_-KTmiWAJShsqwQk
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Apr 2014 00:42:34 -0000
Saying “sub” MUST be present might simplify a spec, but only at the cost of compromising the meaning of messages. “sub” sometimes holds an identifier for a subject that is unambiguous in the context of the issuer. That is, an account needs to be identified by the tuple {iss, sub}. “sub” sometimes holds an identifier for a subject that is globally unambiguous. That is, “sub” alone is sufficient to identify an account. An unstated assumption is that all “sub” values that might be compared need to come from the same (unidentified) namespace. “sub” sometimes holds an ephemeral pseudonym (eg random garbage). “sub” sometimes holds a fixed string such as “anonymous” (with different issuers choosing different strings). Assuming the tuple {iss, sub} identifies an account would be positively dangerous in this case. “sub” sometimes holds a fingerprint of a public key. “sub” is then redundant as it can be recalculated from the key. That introduces the chance that some component uses “sub” without confirming it matches the key that is likely to introduce security vulnerabilities. A “sub” value is sometimes “unique” in its context [draft-ietf-oauth-json-web-token-19#section-4.1.2 ], which I interpret as meaning it is the subject’s one and only identifier. I suspect in practice “sub” will often be “unambiguous”, but not necessarily “unique”. That is, an account might have multiple “sub” values associated with it (due to account merges, key changes, system redesigns, aliases…). Making “sub” mandatory seems to make this mess worse. We would be better with distinct "isub", "gsub", "psub", "asub":null, "ksub", and "unique":true elements so the semantics are clear. -- James Manger From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Torsten Lodderstedt Sent: Sunday, 27 April 2014 7:56 PM To: John Bradley; Brian Campbell Cc: oauth@ietf.org Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue +1 (we actually use a sub value of "anonymous" in our id tokens in case age verification, if we do not want to disclose the user's identity to the RP) Am 25.04.2014 22:11, schrieb John Bradley: I am OK with that. On Apr 25, 2014, at 4:57 PM, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote: I absolutely agree with always requiring both issuer and subject and that doing so keeps the specs simpler and is likely to improve interoperability. However, without changing that, perhaps some of the text in the document(s) could be improved a bit. Here's a rough proposal: Change the text of the second bullet in http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 to "The assertion MUST contain a Subject. The Subject typically identifies an authorized accessor for which the access token is being requested (i.e. the resource owner, or an authorized delegate) but, in some cases, may be a pseudonym or other value denoting an anonymous user. When the client is acting on behalf of itself, the Subject MUST be the value of the client's client_id." And also change http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 to "When a client is accessing resources on behalf of an anonymous user, a mutually agreed upon Subject identifier indicating anonymity is used. The Subject value might be an agreed upon static value indicating an anonymous user or an opaque persistent or transient pseudonym for the user may also be utilized. The authorization may be based upon additional criteria, such as additional attributes or claims provided in the assertion. For example, a client may present an assertion from a trusted issuer asserting that the bearer is over 18 via an included claim. In this case, no additional information about the user's identity is included, yet all the data needed to issue an access token is present." And maybe also change the subject text in SAML and JWT (item #2 in http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 and http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3) to read a little more like the new proposed text above for section 5.2 of the Assertion Framework draft. Would that sit any better with you, Hannes? Thoughts from others in the WG? On Fri, Apr 25, 2014 at 1:08 PM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote: Agreed. On Apr 25, 2014, at 3:07 PM, Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>> wrote: I agree. We’d already discussed this pretty extensively and reached the conclusion that always requiring both an issuer and a subject both kept the specs simpler and was likely to improve interoperability. It’s entirely up to the application profile what the contents of the issuer and the subject fields are and so I don’t think we need to further specify their contents beyond what’s already in the specs. -- Mike From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell Sent: Friday, April 25, 2014 10:17 AM To: Hannes Tschofenig Cc: oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue I believe, from the thread referenced earlier and prior discussion and draft text, that the WG has reached (rough) consensus to require the subject claim. So text that says "Subject element MUST NOT be included" isn't workable. It seems what's needed here is some better explanation of how, in cases that need it, the value of the subject can be populated without using a PII type value. A simple static value like "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of pairwise persistent pseudonymous identifier would be utilized, which would not directly identify the subject but would allow the relying party to recognize the same subject on subsequent transactions. A transient pseudonym might also be appropriate in some cases. And any of those approaches could be used with or without additional claims (like age > 18 or membership in some group) that get used to make an authorization decision. I wasn't sure exactly how to articulate all that in text for the draft(s) but that's more of what I was asking for when I asked if you could propose some text. On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> wrote: Hi Brian, Thanks for pointing to the assertion framework document. Re-reading the text it appears that we have listed the case that in Section 6.3.1 but have forgotten to cover it elsewhere in the document. In Section 6.3.1 we say: " 6.3.1. Client Acting on Behalf of an Anonymous User When a client is accessing resources on behalf of an anonymous user, the Subject indicates to the Authorization Server that the client is acting on-behalf of an anonymous user as defined by the Authorization Server. It is implied that authorization is based upon additional criteria, such as additional attributes or claims provided in the assertion. For example, a client may present an assertion from a trusted issuer asserting that the bearer is over 18 via an included claim. ***** In this case, no additional information about the user's identity is included, yet all the data needed to issue an access token is present. ***** " (I marked the relevant part with '***') In Section 5.2, however, we say: o The assertion MUST contain a Subject. The Subject identifies an authorized accessor for which the access token is being requested (typically the resource owner, or an authorized delegate). When the client is acting on behalf of itself, the Subject MUST be the value of the client's "client_id". What we should have done in Section 5.2 is to expand the cases inline with what we have written in Section 6. Here is my proposed text: " o The assertion MUST contain a Subject. The Subject identifies an authorized accessor for which the access token is being requested (typically the resource owner, or an authorized delegate). When the client is acting on behalf of itself, as described in Section 6.1 and Section 6.2, the Subject MUST be the value of the client's "client_id". When the client is acting on behalf of an user, as described in Section 6.3, the Subject element MUST be included in the assertion and identifies an authorized accessor for which the access token is being requested. When the client is acting on behalf of an anonymous user, as described in Section 6.3.1, the Subject element MUST NOT be included in the assertion. Other elements within the assertion will, however, provide enough information for the authorization server to make an authorization decision. " Does this make sense to you? Ciao Hannes On 04/24/2014 02:30 PM, Brian Campbell wrote: > There is some discussion of that case in the assertion framework > document at > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1 > > Do you feel that more is needed? If so, can you propose some text? > > > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig > <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>>> wrote: > > Hi Brian, > > I read through the thread and the Google case is a bit different since > they are using the client authentication part of the JWT bearer spec. > There I don't see the privacy concerns either. > > I am, however, focused on the authorization grant where the subject is > in most cases the resource owner. > > It is possible to put garbage into the subject element when privacy > protection is needed for the resource owner case but that would need to > be described in the document; currently it is not there. > > Ciao > Hannes > > > On 04/24/2014 12:37 AM, Brian Campbell wrote: > > That thread that Antonio started which you reference went on for some > > time > > > (http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520) > > and seems to have reached consensus that the spec didn't need > normative > > change and that such privacy cases or other cases which didn't > > explicitly need a subject identifier would be more appropriately dealt > > with in application logic: > > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html > > > > > > > > > > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig > > <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net> <mailto:hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> > <mailto:hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net> > <mailto:hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>>>> wrote: > > > > Hi all, > > > > in preparing the shepherd write-up for > draft-ietf-oauth-jwt-bearer-08 I > > had to review our recent email conversations and the issue > raised by > > Antonio in > > > http://www.ietf.org/mail-archive/web/oauth/current/msg12520.html belong > > to it. > > > > The issue was that Section 3 of draft-ietf-oauth-jwt-bearer-08 > says: > > " > > 2. The JWT MUST contain a "sub" (subject) claim > identifying the > > principal that is the subject of the JWT. Two cases > need to be > > differentiated: > > > > A. For the authorization grant, the subject SHOULD > identify an > > authorized accessor for whom the access token is being > > requested (typically the resource owner, or an > authorized > > delegate). > > > > B. For client authentication, the subject MUST be the > > "client_id" of the OAuth client. > > " > > > > Antonio pointed to the current Google API to illustrate that > the subject > > is not always needed. Here is the Google API documentation: > > https://developers.google.com/accounts/docs/OAuth2ServiceAccount > > > > The Google API used the client authentication part (rather > than the > > authorization grant), in my understanding. > > > > I still believe that the subject field has to be included for > client > > authentication but I am not so sure anymore about the > authorization > > grant since I could very well imagine cases where the subject > is not > > needed for authorization decisions but also for privacy reasons. > > > > I would therefore suggest to change the text as follows: > > > > " > > 2. The JWT contains a "sub" (subject) claim identifying the > > principal that is the subject of the JWT. Two cases > need to be > > differentiated: > > > > A. For the authorization grant, the subject claim MAY > > be included. If it is included it MUST identify the > > authorized accessor for whom the access token is being > > requested (typically the resource owner, or an > authorized > > delegate). Reasons for not including the subject claim > > in the JWT are identity hiding (i.e., privacy > protection > > of the identifier of the subject) and cases where > > the identifier of the subject is irrelevant for making > > an authorization decision by the resource server. > > > > B. For client authentication, the subject MUST be the > > included in the JWT and the value MUST be populated > > with the "client_id" of the OAuth client. > > " > > > > What do you guys think?
- [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subje… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Mike Jones
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… John Bradley
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Torsten Lodderstedt
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Manger, James
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Brian Campbell
- Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & s… Brian Campbell