Re: [OAUTH-WG] Francesca Palombini's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)

Francesca Palombini <francesca.palombini@ericsson.com> Wed, 21 April 2021 16:48 UTC

Return-Path: <francesca.palombini@ericsson.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F072A3A2F3E; Wed, 21 Apr 2021 09:48:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FEvSBVTdRkbt; Wed, 21 Apr 2021 09:48:15 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60057.outbound.protection.outlook.com [40.107.6.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5F8F3A2F29; Wed, 21 Apr 2021 09:48:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=GfoVVGSa5QNr5zg3QCA4l1EEmp8swNWP9CYoKiPi9STwXHnCv+SQADr9waV5mnKwDUs1triH6LtJPVYKfjkbBeX2wAlRbuheF2eQDWkZzTb7VxtOenzCLfJFUDqiRDs4fgOUFDU5fJMZ/7pksUokabylcaMJg0Cmiq2+Ex3/9T3k/mUQe6BRMg/yfu0KcNMLtZoTJkSoQHpSk2mUFlqBPkdtymJCWNt7cKTqMJr6VKpsA3uxZzOKZs/PFEFIiSiEweW0n+4iBm+PFnVk/GL954jQu2ehbKlmGusauBNKik7WY66Xx0W/AssZQPqdyM0jCQQavsssF+EAloEVgbQmsA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CCTWadiuGuhhdVBravumWluiEBA9mGzkdUEWt6SYbAI=; b=YK9oTQC5K51vL0obGsgdgiC50lh00PCavD8HpA0oKI0owdXZ+qtruZBeu+TPhakzY3fdjAQcYdq4S/dYNE7oUuwAkcUsQcGsJsvOcwndfk0PNZt7nwzl0N+pga1KvSnEyVGLOI7TVNiB3YWurSpkbPHXoInnicU/6H0tDFjTGCVo+EStc2Ya9Aqt7dvwOgGmxWdbmwr+vACjJfwlY4ezGLA8uYJTZ0WdyAWF3oPCazLO3mZLn26/KYbItPJZ0oHO50aywGZGlVXSdV2CZl1Q5qwcr5MTHXpfB7u69HQXs2zBYRhZ8dXrrH8S2TQb2GThRpDRfJhu0MqgfT2HjDln9A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CCTWadiuGuhhdVBravumWluiEBA9mGzkdUEWt6SYbAI=; b=cs6EpDcQwIniBxaQ5K5yIn3B0pJHPCKXLN5riR7zXqJey/mB2Iij0CJZdt7rjbDZW+ILwuJLeshj9VnxskQekq130Evb1O+WcxafsIwyy+ytb3bvV3Az4nu1AVAIzUSpxIddUIjMjpjuTNXHPMIWjgvkkvPbdHdi0tBWKcXt5Mk=
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com (2603:10a6:7:96::33) by HE1PR07MB3098.eurprd07.prod.outlook.com (2603:10a6:7:38::30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.12; Wed, 21 Apr 2021 16:48:09 +0000
Received: from HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::593:f4fd:94e3:d90b]) by HE1PR07MB4217.eurprd07.prod.outlook.com ([fe80::593:f4fd:94e3:d90b%5]) with mapi id 15.20.4087.016; Wed, 21 Apr 2021 16:48:09 +0000
From: Francesca Palombini <francesca.palombini@ericsson.com>
To: Vittorio Bertocci <vittorio.bertocci@auth0.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-oauth-access-token-jwt@ietf.org" <draft-ietf-oauth-access-token-jwt@ietf.org>, "oauth-chairs@ietf.org" <oauth-chairs@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "hannes.tschofenig@arm.com" <hannes.tschofenig@arm.com>
Thread-Topic: Francesca Palombini's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)
Thread-Index: AQHXKXyD5hOK0id2SE6ls8YO/IoD/6qzqeEAgAvA4wA=
Date: Wed, 21 Apr 2021 16:48:09 +0000
Message-ID: <979E7789-1F3A-47DB-A1F1-94C746079B3F@ericsson.com>
References: <161755926036.31657.529017576412672874@ietfa.amsl.com> <CO6PR18MB405236B0471F363FA20045C8AE4E9@CO6PR18MB4052.namprd18.prod.outlook.com>
In-Reply-To: <CO6PR18MB405236B0471F363FA20045C8AE4E9@CO6PR18MB4052.namprd18.prod.outlook.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.47.21031401
authentication-results: auth0.com; dkim=none (message not signed) header.d=none;auth0.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:1ba8:147a:eb00:f0de:f0f3:791a:7da1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: df238987-2f83-4c1c-838e-08d904e53ed2
x-ms-traffictypediagnostic: HE1PR07MB3098:
x-microsoft-antispam-prvs: <HE1PR07MB30983E4759FDF60927AFC0F098479@HE1PR07MB3098.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 6J6s22GCKcYqDrO2PhGtqVhJoznnpn65/7neULnBy8IwjteluKqt/DM7KhetzV81DR7xFMSsds7J9R4c7+mY7RvTeD54GfZIsfbV9JjI2uCqewJ+yWkcG8WLGr8sRQacu00t+tiguuDWUivBz2NXRvw64q5aYWqyFImRAJjLJShx9mKtcsMaEZki+vrMdfC3PXQFpPi4IZZYPkgV//kxwMpN2idtQvMxIfpW8XdkOlBZWZ5TMr5cKUv6BMlvjGU+YkB0J9rVp01K/7GElF+Q2sY2xO9PWMVrQNjY8OJiOhxbVpY5cRM2mIwzVTHNNk3KCLgbW6zlkEo4U6hOWmssICcCYNVB1XcrTQWM8prV7qbGaZrsci3pv624RwA3Xd0/i08GRXpA/U7jNWFPIBuBy0/yzQL0xYCIEuYs9YhQpv9wMGYXbGH/YvtJA9FPG3xyftr/J+SibgivjTHFpBNNYYLnjyR99PpoGO50IbRVBsopzwk4XYbywE57QyumKXPS8ztaBUidB+jeS2ZpPNtZhwQOnwKx0oenD1mST76TKHB+woggAW8SIzXovRtmruGrGmpNr/D4SDtCWA837uUHKrtUcE6ksphYmW2TXpgMyaiTYwTq+biu7Upz67WJgvPrMCxS0mnqsHFw9nK33zKCQRtMsVs3V+2ne0O4l5rEY8N/6Ae1Zyk3latM8sdcrimrWZQBztqT9OSTHuOzgJQLF+KuKJyYtSGoN/isYgtThq8=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB4217.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(66946007)(5660300002)(186003)(54906003)(33656002)(36756003)(66476007)(2616005)(86362001)(44832011)(122000001)(966005)(64756008)(66446008)(6486002)(71200400001)(2906002)(6512007)(38100700002)(110136005)(76116006)(4326008)(8676002)(53546011)(83380400001)(8936002)(6506007)(66556008)(498600001)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: =?utf-8?B?bU9zNFYvNFNIbHhSR2EwUzRwQ1Frb2YzUnBsY2NoaCtYZWtWbDRQTVJ0c1VD?= =?utf-8?B?UTRXT2FEOFVXOVFhOWNDRi9JMEF1clc5WjI0SDZUaklnalBPaWR1VU1nK09O?= =?utf-8?B?ZXkzWlhSNHl4R095WVNwNXdqOXdDTFMxRjV5ZjY5UmNvak1hMXhmWGNZTDF5?= =?utf-8?B?blAzYzgzSTZhejNwSlJDNHN5UVprYzBFSFlNMDhFQTYvNC9XVzhNTHNZSlpD?= =?utf-8?B?UW9lOHh2MnQ2TDM4MWp0SGRyNlpBSXpnUWJsVTY5K1lCNGhZeGlaRWNSSWtx?= =?utf-8?B?YmlyOVZxUkpidkZoS2o0bGUyRjErMzJET3Yvek43Znp1NGFUcUFjeFhyZS9l?= =?utf-8?B?d0xsTDl4RDBIRENjZDdvdVJ6WnZJK2JCRWY0ME9KQzdTbzJoQUQ0WkVRWkJy?= =?utf-8?B?VzZTNFZmUEQ4czlSSWw3WEJzek5JS2ROSXUrbll1UjFadndmVkZqb3dnQ2JZ?= =?utf-8?B?eUp1a3dDVmlCbFFSR1R4dWdIbkpHcGRxb3ByKzFaZi9FK2ZqSFh1bnBFcVUy?= =?utf-8?B?bjZFWnJLS29kV091NTlsVFJveDRvY3FuT2lZL3Y5UXpjaEl5SDJkdGdhQ3pk?= =?utf-8?B?cjNlcGV0cFUyZjVscmoxeDJzZER4ZEVoMjQ3c1RNRjFyL0FKMEFjNFpSOHl6?= =?utf-8?B?Q0FCUkYvL05JVnZQdEhOS05hTFM3cG9zYllKem9VS3BQN3pTRi9iWk5tcHhu?= =?utf-8?B?UTF3YXZKTUFUd1E4MVNzRTVtTmtSNkZ6UGg4aGNXREx1UTBUcGVCQStKb2FD?= =?utf-8?B?VThzUDNBV3dqdVZaUTU5bWhHb2ovZ1NBWmEzbEFHZERhTzh5Z1J1VFA3ZWtH?= =?utf-8?B?cWtscXZkL1BMZVpOaEMxNGxZam1YM3ZkbjJVSDNUNUM5ZW9ydktDYWVFcW9u?= =?utf-8?B?OGIvMWJSRFFFWFZyZDhrckFINWZWby9sejlJbmNrdDhraHBkZGVYdm1KZU00?= =?utf-8?B?eXlyT3NwUGFIem1iZi8vcy80djZ1cWFFVVQ1V0xlWVB3M2VDVy96V0U3RTMr?= =?utf-8?B?MDh2MlBjdTE5TkZFdkpnTGpXWFJWYkV5VDBMWlFJdktmeitrQTlQS09mWUpF?= =?utf-8?B?Ykh1Z0lTYk9Oc2RPbzVidXVob0xOV2hIajN1ck9TS0Q2TEIrSGlIU2R3ZEd3?= =?utf-8?B?bW44WlJzU1hnbWRyYkJ3WkUvUGN4WDlFdTFCSURjWXlKcDVZYXdubjRPVFpL?= =?utf-8?B?NHJZMFFMZVhkNzBqY3Q3allnZ0E1Ymphcyt1QkhrU0Nrb3VjbnhDNklCMk92?= =?utf-8?B?NXg0UmZjL05nKy9McXVPdFZGT0kvNm5SSHR3Z241Q0tuRU5HQ0VRUE8yQnNX?= =?utf-8?B?TDBSRGd4SWpDRWtGNS9oaElJVExyeGg3Qis1YnExc3h3b0tWOTh6ZG1sSmNM?= =?utf-8?B?TW5pV0FnMUphSmwwdzRrQmZKNS8ycGFEZEFSeWZRdnJ0TFdnN3k2bkRiZGZJ?= =?utf-8?B?MEgzNzF4b2lhVGJnY2ttc2lOTDArVHJtWG5XNGFDQ3VDb3Z6NkpxYjFUT3NP?= =?utf-8?B?dFlxczZ5VnI3dmJlL2FYY004NEZDZDhsTGZyNnc4U2ZmSCtSVjk2aDk3eFdr?= =?utf-8?B?U0VCWmNUMWQzSzZsWGYveExVazcxQU5EWFAyQXBrWWNKOW1Mdjh6cDNmc0My?= =?utf-8?B?MXFGNWdSczNBcWJFd0tQbmpYaDJsTW01YnRKY0Yxayt2YnNmeUNEOWFTclRP?= =?utf-8?B?SFdISzdSNzgwVEV0YVlzVjI5Ulh5VlJWMjBZSjQ5ZUs4Q1h2YjlSbERmOE92?= =?utf-8?B?VUNtT25CenBMMEhaVkh0WWJPNlI4bHE3SUZRcUZSQjJnQ2hCWXhpdDU5K291?= =?utf-8?B?eG0vQmtKU3Z4bFBmL09GWWtzWGdlRFBTSjQ2alZWSkY0SmZUVHk0TSsyNDMy?= =?utf-8?B?TU5MbThSZVNRM01DQWJIdWk3TUxXY2V2cUsvMDM2d0VaWkE9PQ==?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <00C2063ADE8AEC4EB2C5665656D8F7E6@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB4217.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: df238987-2f83-4c1c-838e-08d904e53ed2
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Apr 2021 16:48:09.5652 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: aRa88Rn2qTdj7gEKlWZ0jGqqR1W3EZTdI1GsE1szCJGRRYv2R/RG3dkQMKwVa/OhFocIjaTwwOwEzxwEXaisuifcwL5wuyQagI9x8FPhMKdvyA+ylMFddqcng5/Z7SW9
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3098
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KXrGenaB_ygCWYoJ1dHbdkFXfI4>
Subject: Re: [OAUTH-WG] Francesca Palombini's No Objection on draft-ietf-oauth-access-token-jwt-12: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 16:48:26 -0000

Hi Vittorio!

Thanks for the answers. I'm ok with the motivation for using "application/at+jwt", thanks for clarifying, and thanks for addressing 2.
Re 1. IMO it would clarify the intention of the SHOULD to add what you wrote in response to my comment into the draft itself, but I'll leave it up to you.

Francesca

On 14/04/2021, 09:19, "Vittorio Bertocci" <vittorio.bertocci@auth0.com> wrote:

    Hi Francesca,
    Thanks for your review and thoughtful comments!
    Comments below.

    >    1. -----
    >    [...]
    While it is reasonable to expect that a RS receiving an unencrypted token after requesting it to be encrypted will reject it, there are a number of cases where the RS might elect to do otherwise. For example, the solution might be already working in production: the encryption requirement might be an improvement that is still propagating thru the system, and there might still be access tokens cached in clients that the RS might still be willing to accept to guarantee business continuity. "SHOULD" gives a strong signal to implementers of what the desired behavior is, but leaves them some freedom to accommodate situations like the aforementioned one.

    > 2. ---
    > [...]
    Fair enough. I added the following text at the beginning of 2.1. Thanks for catching this.
         JWT access tokens MUST be signed. Although JWT access tokens can use any signing algorithm[..]
    This change will appear in the next revision, which I will post soon.

    >     3. -----
    > [...]

    Formally, I agree that JOSE would also work. The choice of media type derives from https://tools.ietf.org/html/rfc7519#section-10.3.1. There is no functional difference between JWS and JWE in the intent a client has when calling an RS, here there's not much to be gained in using different MIME types for those cases. Furthermore, whereas developers are familiar with the term "JWT", both from direct use and thanks to the popularity of OpenID Connect (which does use application/jwt), terms like JWS, JWE or JOSE wouldn't be as promptly understood as JWT. Throughout the discussions in the last couple of years, the consensus on the use of at+jwt was solid- my hope is that will make intuitive sense for implementers, too.


    On 4/4/21, 11:01, "Francesca Palombini via Datatracker" <noreply@ietf.org> wrote:

        Francesca Palombini has entered the following ballot position for
        draft-ietf-oauth-access-token-jwt-12: No Objection

        When responding, please keep the subject line intact and reply to all
        email addresses included in the To and CC lines. (Feel free to cut this
        introductory paragraph, however.)


        Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
        for more information about IESG DISCUSS and COMMENT positions.


        The document, along with other ballot positions, can be found here:
        https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/



        ----------------------------------------------------------------------
        COMMENT:
        ----------------------------------------------------------------------

        Thank you for the work on this document. Please find some comments and
        clarifying questions below.

        Francesca

        1. -----

              registration.  If encryption was negotiated with the authorization
              server at registration time and the incoming JWT access token is
              not encrypted, the resource server SHOULD reject it.

        FP: Why is this just SHOULD and not MUST? In which case does it make sense to
        accept a non-encrypted token when encryption was negotiated?

        2. -----

        Section 2.1:

           Section 4).  JWT access tokens MUST NOT use "none" as the signing
           algorithm.  See Section 4 for more details.

        Section 4:

           For the purpose of facilitating validation data retrieval, it is here
           RECOMMENDED that authorization servers sign JWT access tokens with an
           asymmetric algorithm.

           ...

           o  The resource server MUST validate the signature of all incoming
              JWT access tokens according to [RFC7515] using the algorithm
              specified in the JWT alg Header Parameter.  The resource server

        FP: It might be obvious, but I think it would be useful to have an explicit
        sentence stating that JWT MUST be signed. The quoted text from Section 2.1 seem
        to imply it. Section 4 only RECOMMENDS that the JWT is signed with and
        asymmetric algorithm. Later on, Section 4 implies that all JWT are signed. On
        the other hand I note that encryption can be negotiated (and is optional) from
        the followig point; in that case it is not clear that the token is still signed
        (so the nested JWT would be a JWE nested in a JWS), or only JWE is used. What I
        am looking for is simple clarifications to be added for example in the
        introduction.

             o  If the JWT access token is encrypted, decrypt it using the keys
              and algorithms that the resource server specified during
              registration.  If encryption was negotiated with the authorization

        3. -----

        On the same note, and depending on the previous answer, why is the media type
        registered and used "application/at+jwt" and not something like
        "application/at+jws"/"application/at+jwe" or rather "application/at+jose" to be
        compliant with https://protect2.fireeye.com/v1/url?k=cf968f69-900db66b-cf96cff2-869a14f4b08c-d9afc9515caac1c4&q=1&e=e0795065-865a-4950-87a5-ac1b2b1d8e58&u=https%3A%2F%2Fwww.rfc-editor.org%2Frfc%2Frfc7515.html%23section-9.2.1 ? I
        think that the structure transported is in fact a JWS or a JWE, rather than the
        JWT, and if that's the case that should be made clear in the text (one example
        where this could be clarified is in the following sentence)

           Resource servers receiving a JWT access token MUST validate it in the
           following manner.