Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

vittorio.bertocci@auth0.com Mon, 20 April 2020 07:49 UTC

From: vittorio.bertocci@auth0.com
To: 'Brian Campbell' <bcampbell=40pingidentity.com@dmarc.ietf.org>, 'Aaron Parecki' <aaron@parecki.com>
Cc: 'oauth' <oauth@ietf.org>
References: <CAGL6epKuHTqLrZEjm0goKV+3jaPfTkN_JSLc0jfQyPqNzeP3aA@mail.gmail.com> <CAGBSGjpBqeHxFNJ7OEXZwYQb=SG6ian=zpoNHezQ_OYwFNZNBw@mail.gmail.com> <CA+k3eCQGgnSGAcNP4KJik9riWYdRTpSOV-sgZHXMCJUWhh5U5w@mail.gmail.com> <CAGBSGjopPrTjoKxgkyV3=WwUAn8=hwWkczCPHsJtAd-2wr1ePw@mail.gmail.com> <CA+k3eCSM7DiJVbcHtefaY346iHah2HATAm+O7EyoXETAna1P-A@mail.gmail.com>
In-Reply-To: <CA+k3eCSM7DiJVbcHtefaY346iHah2HATAm+O7EyoXETAna1P-A@mail.gmail.com>
Date: Mon, 20 Apr 2020 00:49:44 -0700
Message-ID: <086201d616e8$4216c2e0$c64448a0$@auth0.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K9PYAjtYcl5ljtYFGfGmGr0LOCo>

Thanks for the catch! Will add a mention of that in section 2.1 as well.

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell
Sent: Thursday, April 16, 2020 1:16 PM
To: Aaron Parecki <aaron@parecki.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

I'll +1 that

On Thu, Apr 16, 2020 at 2:14 PM Aaron Parecki <aaron@parecki.com> wrote:

My mistake! In that case, my request is editorial, to mention that in section 2.1 where it first talks about signing algorithms.

----
Aaron Parecki
aaronparecki.com
@aaronpk

On Thu, Apr 16, 2020 at 1:12 PM Brian Campbell <bcampbell@pingidentity.com> wrote:

sec 4 does have 'The resource server MUST reject any JWT in which the value of "alg" is "none".'

On Thu, Apr 16, 2020 at 1:09 PM Aaron Parecki <aaron@parecki.com> wrote:

Section 2.1 says:

> Although JWT access tokens can use any signing algorithm, use of
> asymmetric algorithms is RECOMMENDED

Can this be strengthened to disallow the `none` algorithm? Something like adding "... and MUST NOT use the "none" algorithm".

Given that the JWT BCP doesn't disallow the "none" algorithm, technically someone could follow both this JWT Access Token spec and the JWT BCP spec and end up with an implementation that allows an AS to accept JWTs with the "none" algorithm.

----
Aaron Parecki
aaronparecki.com
@aaronpk

On Wed, Apr 15, 2020 at 11:59 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:

Hi all,

This is a second working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".

Here is the document:
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06

Please send your comments to the OAuth mailing list by April 29, 2020.

Regards,
 Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.


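The two requirements the thread is reconciling, section 2.1's recommendation of asymmetric algorithms and section 4's "the resource server MUST reject any JWT in which the value of "alg" is "none"", come down to one rule on the resource-server side: the verifier decides which algorithms it accepts, and the token's header never gets to choose. The Go program below is an added illustration written for this page; it is not code from the draft, from Auth0, or from any of the participants. It mints an ES256-signed access token, then plays resource server against that token and against forgeries that carry "none", "None" and "HS256" in the header. The ES256-only allowlist is this example's policy choice (the draft only recommends asymmetric algorithms, it does not name one), the claim values and the as.example / rs.example URLs are constructed placeholders, and the usual iss / aud / exp claim checks are left out because they are not what this thread is about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Resource-server allowlist: asymmetric only, per section 2.1's recommendation.
// "none" is absent and is also rejected by name in verify. ES256-only is this
// example's policy choice, not something the draft requires.
var allowedAlgs = map[string]bool{"ES256": true}

type joseHeader struct {
	Alg string `json:"alg"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// encode builds the base64url(header).base64url(payload) part of a compact JWS.
func encode(alg string, claims map[string]interface{}) string {
	h, _ := json.Marshal(joseHeader{Alg: alg})
	p, _ := json.Marshal(claims)
	return b64(h) + "." + b64(p)
}

// signES256 plays the authorization server: ECDSA P-256 over SHA-256 ("ES256").
func signES256(priv *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	signingInput := encode("ES256", claims)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64(sig), nil
}

// forge is the attacker's token: attacker-chosen claims and alg, empty signature.
func forge(alg string, claims map[string]interface{}) string { return encode(alg, claims) + "." }

// verify plays the resource server: header policy first, then the signature.
func verify(token string, pub *ecdsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS compact serialization")
	}
	var h joseHeader
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err == nil {
		err = json.Unmarshal(hb, &h)
	}
	if err != nil {
		return nil, fmt.Errorf("bad header: %w", err)
	}
	// Section 4 of the draft: the RS MUST reject any JWT whose alg is "none".
	// Case-insensitive so "None"/"NONE" spellings are caught by this rule too.
	if strings.EqualFold(h.Alg, "none") {
		return nil, fmt.Errorf(`rejected: "alg" is "none"`)
	}
	if !allowedAlgs[h.Alg] { // the token never gets to choose how it is verified
		return nil, fmt.Errorf("rejected: alg %q not in allowlist", h.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, fmt.Errorf("rejected: bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, fmt.Errorf("rejected: signature verification failed")
	}
	var claims map[string]interface{}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(pb, &claims)
	}
	return claims, err
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	claims := map[string]interface{}{"iss": "https://as.example", "aud": "https://rs.example", "sub": "alice"} // constructed
	good, _ := signES256(priv, claims)
	for _, tok := range []string{good, forge("none", claims), forge("None", claims), forge("HS256", claims)} {
		c, err := verify(tok, &priv.PublicKey)
		fmt.Printf("claims=%v err=%v\n", c, err)
	}
}
```

Only the first token comes back with claims; the three forgeries are refused before any signature bytes are examined, the "none" variants by the explicit section 4 check and the HS256 one by the allowlist. The ordering matters: an implementation that selects its verification routine from the header's alg and only then asks "is this allowed?" is the shape that lets a symmetric alg be verified against a public key, which is why the allowlist is consulted before a key is ever touched.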