Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Phillip Hunt <phil.hunt@independentid.com> Thu, 04 June 2020 18:35 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DC883A0D8D for <oauth@ietfa.amsl.com>; Thu, 4 Jun 2020 11:35:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.15
X-Spam-Level:
X-Spam-Status: No, score=0.15 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, LONGWORDS=2.035, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H7ds_u8MQfFx for <oauth@ietfa.amsl.com>; Thu, 4 Jun 2020 11:35:05 -0700 (PDT)
Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2607:f8b0:4864:20::542]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D2573A0D5E for <oauth@ietf.org>; Thu, 4 Jun 2020 11:35:04 -0700 (PDT)
Received: by mail-pg1-x542.google.com with SMTP id e9so3859327pgo.9 for <oauth@ietf.org>; Thu, 04 Jun 2020 11:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20150623.gappssmtp.com; s=20150623; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=CFZsfA7vs03G6Wi95T9meUH7qIhLas31zJVHRkt08D4=; b=b+nqnzPNdi71sW5L/l2XYrufYpxDlcDblusrEFOb2W49t/TiY68TXARXYWUCwrKcmr M3XE7Ujpn3+UNq6EQDHbr1vG2T8H1Z+bREH5OT2xRommfJRzXy80IMAyfms6Ve/W4QjU CMEgcQIVldXbSxpqgsb4xMIRo/SNqpGjBQ6AJ6aKSaMQIs4paakdSugfpGLQHyeIYb+G axpyi/FzerMkR+Y4+s34W7N47o4XVdRg3nZ/C4xFaJwrOP3Ceu/9y57o86OXrCPhT72Q 6130vdeD7kZtrUWO/agNQ55iU56aV0GIWHtSAzUVEJDt1fYogaSIa2mwVg6RvPQmRawG Uk/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=CFZsfA7vs03G6Wi95T9meUH7qIhLas31zJVHRkt08D4=; b=XtYx3OTf6wqN9icILK0ViUKJW7L55Qt4ppxYdQ7735pexRrPaXqfKwZHC/qmcnOehC udDcDLk3K7IIfljkli5TNnFhpEj9Ebu3cFbgcfqXdpLxS3J+J7MjCVePAxyH2yjb6WRp ssW2LF1ej0oujozC6DLXLB/XxFr65J5O+Un2Mqdj53z6fq12VsDFTKbrNZ6SbJ4REFaV YyD94RURdv/QFK+dblBc7JNyzHS7kiHJ7r95HDZvRBeNbcHZlfk6x4E8y+riEhDD/Tsf IX5OK2pYw8UJ9K2BG8WrLKYTDg8B9Dhd09JHWa9ZzQUJypZKC/A3gA7xq137n40QotMM naeg==
X-Gm-Message-State: AOAM531oWLwfxAv8uIK9gUo0y/CWF/bHFOtaDIrh+9nt7NKNFl+/CI+i lDG7+rOuziknAD2cXCF8aU/0Ag==
X-Google-Smtp-Source: ABdhPJyPRLKomBkc+m4qyA/knpP36Aeio4zyWa1L1nH9TDwfX8CsBLFsW2InprlQELMmg//QcXj4WQ==
X-Received: by 2002:a63:6dc9:: with SMTP id i192mr5215113pgc.402.1591295704138; Thu, 04 Jun 2020 11:35:04 -0700 (PDT)
Received: from ?IPv6:2001:569:79bc:100:9d1:c8fa:c5f1:e69? (node-1w7jr9qqo6k55g3ofnxsal3e1.ipv6.telus.net. [2001:569:79bc:100:9d1:c8fa:c5f1:e69]) by smtp.gmail.com with ESMTPSA id t2sm4651502pgh.89.2020.06.04.11.35.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 04 Jun 2020 11:35:03 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-BE2974D5-E213-4318-ADC1-4460C0C8C59C
Content-Transfer-Encoding: 7bit
From: Phillip Hunt <phil.hunt@independentid.com>
Mime-Version: 1.0 (1.0)
Date: Thu, 4 Jun 2020 11:35:02 -0700
Message-Id: <D4AA296C-1C92-478A-9106-749879701555@independentid.com>
References: <AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com>
Cc: Denis <denis.ietf@free.fr>, Vittorio Bertocci <vittorio.bertocci@auth0.com>, "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <AM0PR08MB37161916ED0662F4CB2C736EFA890@AM0PR08MB3716.eurprd08.prod.outlook.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
X-Mailer: iPhone Mail (17E262)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OYgGsIa_4q8UYnl6SiGyvJ9Hnxw>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jun 2020 18:35:10 -0000

Denis,

I agree with Hannes. Speaking as one of the security consideration and threat model authors for OAuth2, a foundational design assumption was always that access tokens are opaque to clients. 

Even in the case of OIDC they created the id token to be a token defined for the client in the special purpose case of authentication. 

In my experience a client insisting on using and interpreting tokens is often doing something wrong and violating security processing rules like audience. Issues such as sharing a token unintended parties (ie not the resources specified by the aud claim) leading to confused deputy or impersonation attacks. 

Opaqueness of ATs to clients is a foundational architectural principle of the OAuth 2 framework. 

This is not to dismiss new use cases OAuth 2 does not address. But I feel these cases that require access token inspection by clients should be evaluated in the context of a new protocol evolution proposal (eg like xyz). 

Phil Hunt

> On Jun 4, 2020, at 7:26 AM, Hannes Tschofenig <Hannes.Tschofenig@arm.com> wrote:
> 
> 
> Hi Denis,
>  
> Please see my response below.
>  
>  
> From: Denis <denis.ietf@free.fr> 
> Sent: Wednesday, June 3, 2020 12:12 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
> Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>om>; Vittorio Bertocci <vittorio.bertocci@auth0.com>om>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
>  
> Hi Hannes,
> 
> First of all, I do appreciate your efforts to attempt to get rid of the "MUST NOT" in the "Privacy considerations" section.
> 
> Let us look at the following proposed sentence:
> 
>     While this is technical possible, it is important to note that the OAuth 2.0 protocol does not aim to expose the content of the access token 
>     to the client. The access token is therefore, by design, considered to be opaque to the client".
> 
> In the context of this document, a detailed content of the JWT is expected and thus, if a client receives a JWT compliant to this profile 
> (and if the token is not encrypted which is most often the case) it will absolutely be sure to pick up any guaranteed field within the JWT. 
> So, in the context of this document, the access token cannot be considered to be opaque to the client.
> 
> 
> [Hannes] Here we have a disconnect. The OAuth 2.0 design does not assume that the client inspects the access tokens if it flies by. This document could not change that.
> 
> The purpose of this document is actually quite simple: Those who want to use JWT as a format for access tokens they can use the claims described in this document. You are also free to use whatever format you want.
> 
>  
> 
>  
> 
>  
> 
> 
> About the second paragraph, in the context of this document (besides the case where the JWT is encrypted), it is neither difficult, 
> nor impossible to parse the token.
> 
> About the second paragraph, let us look at the following proposed sentence in the context of this document :
> 
>     " Additionally, there is no guarantee that the access token is conveyed by value and the authorization server implementation may change 
>       the token format at any time ".
> 
> The argumentation that the token format may change at any point of time, while being valid in the general case, is invalid in the context of this document. 
> This JWT profile will be stable over time. This means that this quoted sentence is inappropriate in the context of this document.
> 
> 
> [Hannes] Here is the issue. In a given deployment you do not know how the access token is encoded nor whether the claims are in this format. You don’t know whether the token is conveyed by reference or by value. Hence, why should we suddenly even give developers the impression that OAuth Clients should look at the token.
> 
>  
> 
>  
> 
> 
> The third proposed paragraph is stating :
> 
>     " In scenarios where it is where it is desirable for the clients to obtain information transmitted in the access token, OAuth 2.0 token introspection 
>       may provide a useful tool to enable such functionality (proper authorization assumed) ".
> 
> RFC 7662 (OAuth 2.0 Token Introspection) is a protocol to be used by protected resources, but is not a protocol to be used by clients. 
> As indicated, in order to be usable, a "proper authorization" also needs to be managed. Besides the difficulty to support such a protocol for clients 
> and to twist its original usage as defined in RFC 7662, it is simpler to develop the code to examine the content of the JWT, since its content is guaranteed 
> to be stable over time.
> 
> [Hannes] While it may be simpler to inspect the access token, the use of token introspection is a better match for the OAuth architecture. We can talk about updating the token introspection RFC to also describe this use case, assuming there is interest.
> 
> The question in general will surface why the client should get access to the content of the access token in the first place. For those cases where information is passed to the client other mechanisms, such as the identity token in OIDC, have been developed.
> 
>  
> 
> The last proposed paragraph is the following:
> 
>    " Since the content of the access token is accessible to the resource server it is important to evaluate whether the resource server gained the proper entitlement 
>       to have access to any content received in form of claims, for example through user consent in some form, policies and agreements with the organization running 
>       the authorization servers, and so on. The policies and the user interfaces to enable this user consent are, however, part of a specific deployment and therefore 
>       outside the scope of this document ".
> 
> The sentence "for example through user consent in some form, policies and agreements with the organization running the authorization servers, and so on" 
> should be removed, since this example lets believe that the consent is handled by the authorizations servers while it might be handled by the resource servers.
> [Hannes] The information is disclosed by the authorization server and hence the consent has to be with the authorization server.
> 
> 
> The last proposed paragraph would be solution neutral if the example were removed. This would lead to the following sentence:
> 
> Since the content of the access token is accessible to the resource server it is important to evaluate whether the resource server gained the proper entitlement 
> to have access to any content received in form of claims. The policies and the user interfaces to enable this user consent are, however, part of a specific deployment 
> and therefore outside the scope of this document.
> 
> Finally, there are still two questions that have been raised but which have not yet been answered at this time:
> how can a client request a JWT compliant to this profile, and
> how can a client be confident that it got a JWT compliant to this profile ?
>  
> [Hannes] Regarding the two questions: It cannot and it was never the intention of this work.
>  
> Ciao
> Hannes
>  
> 
> Denis
>  
> Let me try to jump in here in order to make a proposal for the text in the privacy consideration section:
>  
> FROM:
> 6.  Privacy Considerations
>  
>  
>    As JWT access tokens carry information by value, it now becomes
>    possible for requestors and receivers to directly peek inside the
>    token claims collection.  The client MUST NOT inspect the content of
>    the access token: the authorization server and the resource server
>    might decide to change token format at any time (for example by
>    switching from this profile to opaque tokens) hence any logic in the
>    client relying on the ability to read the access token content would
>    break without recourse.  Nonetheless, authorization servers should
>    not assume that clients will comply with the above.  Whenever client
>    access to the access token content presents privacy issues for a
>    given scenario, the authorization server should take explicit steps
>    to prevent it as described below.
>  
>    In scenarios in which JWT access tokens are accessible to the end
>    user, it should be evaluated whether the information can be accessed
>    without privacy violations (for example, if an end user would simply
>    access his or her own personal information) or if steps must be taken
>    to enforce cofidentiality.  Possible measures include: encrypting the
>    access token, encrypting the sensitive claims, omitting the sensitive
>    claims or not using this profile, falling back on opaque access
>    tokens.
>  
>    In every scenario, the content of the JWT access token will
>    eventually be accessible to the resource server.  It's important to
>    evaluate whether the resource server gained the proper entitlement to
>    have access to any content received in form of claims, for example
>    through user consent in some form, policies and agreements with the
>    organization running the authorization servers, and so on.
>  
> TO:
>  
> 6.  Privacy Considerations
>    The design of OAuth 2.0 envisions that access tokens are created by
>    authorization servers and consumed by resource servers.
>    As JWT access tokens, as described in this document, carry information by value, it is
>    possible for OAuth clients to peek inside the access token.
>    While this is technical possible, it is important to note that the
>    OAuth 2.0 protocol does not aim to expose the content of the
>    access token to the client. The access token is therefore, by design, considered to be
>    opaque to the client.
>  
>    A number of cases may make it difficult or impossible for clients to
>    inspect the token, for example, the access token may be encrypted,
>    the access token may contain vendor-specific claims that have not been
>    standardized or have been standardized in other consortia making parsing
>    of the token difficult. Additionally, there is no guarantee that the
>    access token is conveyed by value and the authorization server implementation
>    may change the token format at any time.
>  
>    In scenarios where it is desirable for the clients to obtain information
>    transmitted in the access token, OAuth 2.0 token introspection may provide
>    a useful tool to enable such functionality (proper authorization assumed).
>  
>    In scenarios where the content of the access token must not be readable
>    by clients, encrypting the content of the access token is RECOMMENDED.
>   
>    Since the content of the access token is accessible to the resource server
>    it is important to
>    evaluate whether the resource server gained the proper entitlement to
>    have access to any content received in form of claims, for example
>    through user consent in some form, policies and agreements with the
>    organization running the authorization servers, and so on. The policies
>    and the user interfaces to enable this user consent are, however, part
>    of a specific deployment and therefore outside the scope of this document.
>  
>  
> How does this sound?
>  
> Ciao
> Hannes
>  
>  
>  
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
> Sent: Thursday, May 14, 2020 8:03 PM
> To: Denis <denis.ietf@free.fr>
> Cc: Vittorio Bertocci <vittorio.bertocci@auth0.com>om>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
>  
> Denis,
>  
> You are rehashing the same issues that you have already discussed on the mailing list multiple times,
> You could not get the WG to agree with your points, because the WG believe that this issue is outside the scope of this document.
>  
> The best the chairs can do at this stage is to capture your point in the shepherd write-up to the IESG.
> We think this document has the support of the WG and is ready to move forward.
>  
> Regards,
>  Rifaat
>  
>  
> On Thu, May 14, 2020 at 12:29 PM Denis <denis.ietf@free.fr> wrote:
> Hi Vittorio,
>  
> I am referring to the email you sent on April the 29 th which is copied below.
>  
> 1) You wrote:
> > targeting of access tokens
> Let me think about that a bit longer.
> I acknowledge that the decision of including an audience has the effect of letting the AS track when the client accesses a particular resource, 
> but at the same time that’s completely mainstream and very much by design in a very large number of cases. As such, I find the language 
> you are suggesting to be potentially confusing, as it positions this as an exception vs a privacy protecting mainstream that is in fact not common, 
> and ascribes to the client more latitude than I believe is legitimate to expect or grant.
> 
> I’ll try to come up with concise language that clarifies to the reader that the current mechanism does allow AS tracking.  
> Since the last draft has been published on the 27 th, you have not proposed any "concise language that clarifies to the reader 
> that the current mechanism does allow AS tracking".
>  
> 2) You also wrote about the "sub" uniqueness:
> As long as an identifier identifies one resource only, it satisfies uniqueness. It doesn’t have to be a singleton.
> RFC 7519 defines in section 4.1.2 the semantics of the "sub" claim using the following sentence:
> The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
> The text does NOT say that the subject value "MUST be scoped to be locally unique in the context of the resource server".
> Changing the semantics of an already defined claim is not permitted. If you would like to have such a semantics available, 
> a new claim should be defined (and it would be very nice to have it !).
>  
> 3) The text is the privacy considerations section states:
>  
>    Although the ability to correlate requests might be required by design in many scenarios, there are scenarios where the authorization
>    server might want to prevent correlation to preserve the desired level of privacy.
>  
> In the real world, it is also clients or end-users which would like to prevent correlation to preserve their desired level of privacy.
>  
> A better sentence would be:
>  
>    Although the ability to correlate requests might be required by design in many scenarios, there are scenarios where the authorization
>    server or the client might want to prevent correlation to preserve the desired level of privacy.
>  
> 4) The text continues with:
>  
>    Authorization servers should choose how to assign "sub" values according to the level of privacy required by each
>    situation.  For instance: if a solution requires preventing tracking  principal activities across multiple resource servers, 
>    the  authorization server should ensure that JWT access tokens meant for different resource servers have distinct "sub" 
>    values that cannot be correlated in the event of resource servers collusion. 
>  
> Authorization servers are not necessarily able to choose the level of privacy required by each situation. When there are different 
> situations for the same resource server, the scope is (unfortunately at the moment) the only way to select the "level of privacy that is required".
>  
> The example ("For instance:") is only an example that provides a vague recommendation for the ASs which is NOT conformant
> with the semantics of the "sub" claim as defined in RFC 7519.
>  
> What should be discussed here are not "examples" or what an authorization server should do, but explanations about the implications 
> for the end-user or for the client for the various values that can be placed into the "sub" claim by an AS. The problem is wider that simply 
> a collusion between resource servers, but also with other servers that DO NOT participate in any OAuth exchange.
>  
> RFC 6973 (Privacy Considerations) states in section 7 : Guidelines
> This section provides guidance for document authors in the form of a questionnaire about a protocol being designed.  
> The questionnaire may be useful at any point in the design process, particularly after document authors have developed 
> a high-level protocol model as described in [RFC4101].
> One of the questions is:
> f.  Correlation.  Does the protocol allow for correlation of identifiers ?  Are there expected ways that information exposed 
> by the protocol will be combined or correlated with information obtained outside the protocol ?
> It is important to provide an answer to these two questions.
>  
> Hereafter is some text that is fully conformant with RFC 7519 which should be incorporated into the privacy considerations section 
> which explains the implications of the two (and only two) flavours of the "sub" claim.
> When the sub claim contains a locally unique identifier in the context of the issuer, this allows the tracking of principal activities 
> across multiple resource servers.
>  
> When the sub claim contains a globally unique identifier, this allows to correlate principal activities across multiple resource 
> servers, while in addition, this globally unique identifier may also allow to correlate the principal activities on servers where 
> no access has been performed by the principals to these servers but where the same globally unique identifiers are being used 
> by these servers.
> Denis
> 
> Thanks Denis for the thorough commentary.
>  
> > The title of this spec.
> Fixed, thanks!
>  
> > The client MUST NOT inspect the content of the access token
> This is really a sticky point. I really want to acknowledge your PoV on this, but at the same time I found this to be one of the biggest sources of issues in the use of JWT for access tokens hence I feel we really need to give solid guidance here. Let me expand further on the reasoning behind it, and perhaps we can get to language that satisfies both PoVs.
> To me the key point is that clients should not write code that inspects access tokens. Taking a dependency on the ability to do so is ignoring fundamental information about the architecture and relationships between OAuth roles, and suggests an ability of the client to understand the semantic of the content that cannot be assumed in the general case. I expanded on the details in my former reply to you on this topic, I would recommend referring to it. Clients violating this simple principle has been one of the most common sources of production issues I had to deal with in the past few years, and one of the hardest to remediate given that clients are hard to update and sometimes the things they relied on were irremediably lost. This is why I am inclined to put in here strong language.
> That said: I have nothing against client developers examining a network trace and drawing conclusions based on the content of what they see. That doesn’t create any hard dependencies and has no implications in respect to changes in the solution behavior. However I am not sure how to phrase that in the specification, given that referring to the client inevitably refers to its code. I am open to suggestions.
>  
> >  3)…
> I have a pretty hard time following the chain of reasoning in this section. Let me attempt to tackle it to the best of my understanding.
> I think the key might be   
> > a client should be able to choose whether it wishes the sub claim to contain [..]
> I don’t think that should be a choice left to the client. In business systems, my experience is that the type of identifiers to be used (when the IdP gives any choice at all)  is established at resource provisioning time. I am not aware of mechanisms thru which a client signals the nature of the identifier to be used, nor that would be fully feasible (the resource knows what it needs to perform its function).
> Furthermore:
> > which has nothing to do with uniqueness since the value changes for every generated token.
> Again, this is something that was touched on in my former reply to your message. As long as an identifier identifies one resource only, it satisfies uniqueness. It doesn’t have to be a singleton.
> Finally, the scope is optional (for good reasons: 1st party and non delegation scenarios don’t require it) hence it cannot be relied upon for properties that should hold in every scenario.
> In summary: per the preceding thread on this topic, the consensus was that varying the sub content was a satisfactory way of protecting against correlation. I don’t a gree that clients should have a mechanism to request different sub flavors, as that decision should be done out of band by the AS and RS; and the scope isn’t always available anyway.
> > targeting of access tokens
> Let me think about that a bit longer.
> I acknowledge that the decision of including an audience has the effect of letting the AS track when the client accesses a particular resource, but at the same time that’s completely mainstream and very much by design in a very large number of cases. As such, I find the language you are suggesting to be potentially confusing, as it positions this as an exception vs a privacy protecting mainstream that is in fact not common, and ascribes to the client more latitude than I believe is legitimate to expect or grant.
> I’ll try to come up with concise language that clarifies to the reader that the current mechanism does allow AS tracking.   
>  
> From: OAuth <oauth-bounces@ietf.org> on behalf of Denis <denis.ietf@free.fr>
> Date: Wednesday, April 29, 2020 at 09:12
> To: "oauth@ietf.org" <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
>  
> You will find four comments numbered 1) to 4).
> 1) The title of this spec. is:
> 
> JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
> 
> So, this spec. is supposed to be targeted to OAuth 2.0.  However, the header at the top of the page omits to mention it. 
> 
> Currently, it is : 
> Internet-Draft       OAuth Access Token JWT Profile           April 2020
> It should rather be:
> Internet-Draft       OAuth 2.0 Access Token JWT Profile           April 2020
> 
> 2) The following text is within section 6.
> 
> The client MUST NOT inspect the content of
> the access token: the authorization server and the resource server
> might decide to change token format at any time (for example by
> switching from this profile to opaque tokens) hence any logic in the
> client relying on the ability to read the access token content would
> break without recourse.
> Nonetheless, authorization servers should
> not assume that clients will comply with the above.
> It is of a primary importance that clients MAY be able to inspect tokens before transmitting them.
> The "MUST NOT" is not acceptable.
> The above text should be replaced with:
> 
> Reading the access token content may be useful for the user to verify that 
> the access token content matches with its expectations.  However, 
> the authorization server and the resource server might decide to change the 
> token format at any time.  Thus, the client should not expect to always be 
> in a position to read the access token content.
> 
> The remaining of the text about this topic is fine.
> 
> 
> 3) The next topic is about the sub claim.
> 
> The text states:
> 
> Although the ability to correlate requests might be required by
> design in many scenarios, there are scenarios where the authorization
> server might want to prevent correlation to preserve the desired
> level of privacy. Authorization servers should choose how to assign
> sub values according to the level of privacy required by each
> situation.
> 
> I have a set of questions:
> How can authorization servers choose how to assign sub values according to the level of privacy required "by each situation" ?
> How can authorization servers know the level of privacy required "by each situation" ?
> How can the users be informed of the level of privacy required "by each situation" ?
> How can the users consent with the level of privacy required "by each situation" ?
> Currently, the request MUST include either a resource parameter or an aud claim parameter, while it MAY include a scope parameter.
> The syntax of the scope parameter is a list of space-delimited, case-sensitive strings (RFC 6749). It is thus subject to private agreements 
> between clients and Authorization Servers. Since the scope is being returned, it is a primary importance that the returned scope matches 
> with its expectations before transmitting the token to a Resource Server.
> 
> In theory, a client should be able to choose whether it wishes the sub claim to contain :
> a global unique identifier for all ASs ("globally unique"),
> a unique identifier for each AS ("locally unique in the context of the issuer"),
> a different pseudonym for each RS, or
> a different pseudonym for each authorization token request.
> The only variable parameter that it can use for this purpose in the token request is the scope parameter.
> 
> RFC 7519 states is section 4.1.2:
> 
> The subject value MUST either be scoped to be locally unique in the context of the issuer 
> or be globally unique.
> 
> It is quite hard to recognize that the sub claim is able to carry a different pseudonym for each RS, i.e. for case (c), or 
> a different pseudonym for each authorization token request, i.e. for case (d), which has nothing to do with uniqueness 
> since the value changes for every generated token.
> 
> This has implications about the following text:
> 
> For instance: if a solution requires preventing tracking
> principal activities across multiple resource servers, the
> authorization server should ensure that JWT access tokens meant for
> different resource servers have distinct sub values that cannot be
> correlated in the event of resource servers collusion.
> 
> Since it addresses case (c).
> 
> and also about the following text:
> 
> 4.b) Similarly: if a solution requires preventing a resource server from 
> correlating the principal’s activity within the resource itself, the 
> authorization server should assign different sub values for every JWT 
> access token issued.
> 
> Since it addresses case (d).
> 
> This means that the current text placed in the privacy considerations section was a good attempt to address the case, 
> but that the text needs to be revised.
> 
> Proposed text replacement for all the previously quoted sentences:
> 
> According to RFC 7519 (4.1.2): The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
> 
> When the sub claim contains a globally unique identifier, this allows to correlate principal activities across multiple resource servers, while in addition, 
> this globally unique identifier may also allow to correlate the principal activities on servers where no access has been performed by the principals 
> to these servers but where the same globally unique identifiers are being used by these servers. 
> 
> When the sub claim contains a locally unique identifier in the context of the issuer, this also allows the tracking of principal activities across multiple resource servers.
> 
> The scope request parameter is the only way to influence on the content of the sub claim parameter. Its meaning is subject to a private agreement 
> between the client and the AS, which means that the use of the scope parameter is the only way to choose between a locally unique identifier 
> in the context of the issuer or a globally unique identifier.
> 
> Since the scope parameter is being returned, it is a primary importance that the returned scope matches with the expectations of the client before transmitting 
> the token to a Resource Server.
> 
> However, there are other cases where the client would like to be able to choose whether it wishes the sub claim to contain : 
>     - a different pseudonym for each RS so that different resource servers will be unable to correlate its activities, or
>     - a different pseudonym for each authorization token request, so that the same resource server cannot correlate its activities performed at different instant of time. 
> 
> Considering the semantics of the sub claim, these two cases cannot be currently supported.
> 
> 
> 4) The next topic is about the targeting of access tokens
> Text had been proposed before the last conference call. Then, the topic has been presented at the very end of the last conference call, but no text has been included 
> in the next draft.
> Here is a revised text be included in the privacy considerations section:
> For security reasons, some clients may be willing to target their access tokens but, for privacy reasons, may be unwilling to disclose to Authorization Servers 
> an identification of the Resource Servers they are going to access, so that Authorization Servers will be unable to know which resources servers are being accessed. 
> The disclosure of the Resource Servers names allows the Authorization Servers to list all the Resource Servers being access by all its users and in addition to list pairs 
> of (Principal, Resource Servers) which allow to trace all the users accesses to Resource Servers performed through a given Authorization Server. When a token is targeted, 
> this profile does not contain provisions to address these two threats.
> 
> Denis
> Hi all,
>  
> This is a second working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".
>  
> Here is the document:
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-06
>  
> Please send your comments to the OAuth mailing list by April 29, 2020.
>  
> Regards,
>  Rifaat & Hannes
>  
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>  
> 
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
>  
> 
> IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth