Re: [OAUTH-WG] OAuth Digest, Vol 137, Issue 110
Andre Triverio <andretriveriocjm@gmail.com> Fri, 03 April 2020 13:22 UTC
Return-Path: <andretriveriocjm@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00B443A0805 for <oauth@ietfa.amsl.com>; Fri, 3 Apr 2020 06:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ag7uD8gCu8Wl for <oauth@ietfa.amsl.com>; Fri, 3 Apr 2020 06:22:16 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9355C3A0806 for <oauth@ietf.org>; Fri, 3 Apr 2020 06:22:16 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id d11so7874227qko.3 for <oauth@ietf.org>; Fri, 03 Apr 2020 06:22:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=I1HA3BjTSn2FN9ey3hwQH8Ey67xvia60Koi7sZkESds=; b=rGj4zHqwNU7XGgohIiaHGW3K9fld8CCNJ+dLqEXX3jCVtsqDNHypHXMiAZ1JfjwoQx oqlAE6ARX/f7fq6CfEL76TEsdq9FVCZns2kdzgIBOEd9i/ynN6u8jq+StRhKTfTyjTLJ NB3JAGLsvanIAcDSTEdFdQm0HhDBDgZV0cryhSiMlMhIcS5NYJelWjjOPF6iAJ1ad1J+ jRaZtoebYtDHZcMv5pwolWmemc56D6EVUHgV5H4fprFN5Hd3VhCqSI6ETpnzzFtba+CZ XM86I1bPBiU5oNbxANNesrm/7HtVFwFpzLtGmmtzvDQ/7mH/KQiCP+xLkLj1jp6GntLB NiAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=I1HA3BjTSn2FN9ey3hwQH8Ey67xvia60Koi7sZkESds=; b=ZjzvTcJEwtM9cOfkw/F1eDCvGHmAedthKPkxR0irxLQOmgHJavLAF/2MqoYayZ9Lbx 9yJMjra2sJGMCybKFiXgq3GssonIdI0eyVYREff7qP+6qlXeaQ1qAaSRuK+vakTL/04Z OJvgByMHeD/QT2miZ9X634GdInQTtgUBfB8kBaHZlf/qn926/QRv3FLeLb/nwABQoX+j iLQ0lpP392kyOKpsQlunxTeQfKIAEX7Yf2rt9MxjOJe5dVdXHntdg387TuRTsJneCx8/ jGcXLosx+OgidW5+t1aj8wwGGmcWgRiO3xbkynX51faivaB7MTNdm0/UTa1XraIPIPTc YtpQ==
X-Gm-Message-State: AGi0PubT5C4ZbpOvffq31kSfgWHpPT8J/GvahNAy9laUkU78JJs2BhHz 8ZZMjBlQqA+IOJ6MAXV59Ox2GnKAb6NeHKWG8FYsTauUxDY=
X-Google-Smtp-Source: APiQypLzP/8PnEls04naMxI88sVbEjcfFYpyil/yZ1QOrYdo8XYD2XzwC9T/aLqciNtWozlJMy9of8VLTQNAD8Qy1yE=
X-Received: by 2002:a37:884:: with SMTP id 126mr8333248qki.72.1585920135340; Fri, 03 Apr 2020 06:22:15 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.214.1585586308.31256.oauth@ietf.org>
In-Reply-To: <mailman.214.1585586308.31256.oauth@ietf.org>
From: Andre Triverio <andretriveriocjm@gmail.com>
Date: Fri, 03 Apr 2020 15:22:04 +0200
Message-ID: <CAJjaZpt552j-SpiK=mpd7kaDQt5qTAADyOYJ-Qik7GcKiiCMdg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004f28c105a262ce76"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OjCoseba0Doa3UAp5ccSaN8nvEU>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 137, Issue 110
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 13:22:21 -0000
Allez-vous cesser de m'envoyer des mails ! Je n'en veux pas ! Et pour se desabonner, tout est fait pouir ne pas y réussir ! Le lun. 30 mars 2020 à 18:41, <oauth-request@ietf.org> a écrit : > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. RAR - Example JWT for Payment (Jared Jennings) > 2. Re: Error Responses in JWT Profile for OAuth 2.0 Access > Tokens (Karl McGuinness) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Mon, 30 Mar 2020 08:18:49 -0500 > From: Jared Jennings <jaredljennings@gmail.com> > To: oauth <oauth@ietf.org> > Subject: [OAUTH-WG] RAR - Example JWT for Payment > Message-ID: > < > CAMVRk+LP6be1-dZ3bmpsT+3OPXWs_cP7gvsNEA7-T7Km1UEeOQ@mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > I have a question about the example and maybe it's more for > clarification than anything. > > The example contains type and also location. > A couple of things > 1. Would it add clarity if the domain was the same for both? vs. > someorg.com > / example.com > 2. While only an example, would it bring clerity to past examples if the > type was https://schema.example.com/payment_initiation and the location > was > https://api.example.com/payments > > or am I missing something what the values represent? > > Here's the example I am referring to on page 17. > > { > "iss": "https://as.example.com", > "sub": "24400320", > "aud": "a7AfcPcsl2", > "exp": 1311281970, > "acr": "psd2_sca", > "txn": "8b4729cc-32e4-4370-8cf0-5796154d1296", > "authorization_details": [ > { > "type": "https://www.someorg.com/payment_initiation", > "actions": [ > "initiate", > "status", > "cancel" > ], > "locations": [ > "https://example.com/payments" > ], > "instructedAmount": { > "currency": "EUR", > "amount": "123.50" > }, > "creditorName": "Merchant123", > "creditorAccount": { > "iban": "DE02100100109307118603" > }, > "remittanceInformationUnstructured": "Ref Number Merchant" > } > ], > "debtorAccount": { > "iban": "DE40100100103307118608", > "user_role": "owner" > } > ] > > > -Jared > Skype:jaredljennings > Signal:+1 816.730.9540 > WhatsApp: +1 816.678.4152 > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20200330/cdb44a38/attachment.html > > > > ------------------------------ > > Message: 2 > Date: Mon, 30 Mar 2020 16:38:04 +0000 > From: Karl McGuinness <kmcguinness@okta.com> > To: "vittorio.bertocci=40auth0.com@dmarc.ietf.org" > <vittorio.bertocci=40auth0.com@dmarc.ietf.org> > Cc: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 > Access Tokens > Message-ID: <90853492-D222-463A-9DB0-BA0EC82826B1@okta.com> > Content-Type: text/plain; charset="utf-8" > > Hi Vittorio, > > I was chatting with Aaron offline about this issue and my concern is the > addition of Authentication Information Claims in this spec opens up more > interoperability issues that can?t be addressed with just a JWT Access > Token spec. > > OAuth 2.0 AFAIK, doesn?t define any behaviors around resource owner > authentication assurance with respect to issuing, introspecting, or > presenting access tokens. > > * Token introspection > * Token validation error responses > * Token refresh > * Client Remediation (oidc defined prompt=login, max_age, and > acr_values) > * Metadata > > This spec is defining AS behaviors that are orthogonal to the format and > should be available via token introspection for example > > > https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-2.2.1 > > > The claims listed in this section reflect in the access token the the > types and strength of authentication that the authentication server > enforced prior to returning the authorization response to the client. > Their values are fixed, and remain the same across all access tokens > that derive from a given authorization response, whether the access > token was obtained directly in the response (e.g., via the implicit > flow) or after one or more token exchanges (e.g., obtaining a fresh > access token using a refresh token, or exchanging one access token > for another via [RFC8693<https://tools.ietf.org/html/rfc8693>] > > > I was hoping one of the outcomes of this spec was toolkit/sdk interop for > clients and resource servers. I don?t see how this possible if all the > semantics around requesting, validating, and remediating resource owner > authentication assurance is implementation specific. The end-to-end > scenarios are not achievable with just OAuth 2.0 which breaks interop. > > I think there is a real need to define resource owner authentication > assurance interoperability for access tokens, but I fear this may require > its own spec. > > -Karl > > Karl McGuinness > Chief Product Architect > www.okta.com<http://www.okta.com/> > > On Mar 25, 2020, at 12:59 PM, vittorio.bertocci=40auth0.com@dmarc.ietf.org > <mailto:vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote: > > This message originated outside your organization. > > Thanks Aaron! > You are right, we could be clearer re:errors. AFAIK the only errors we can > rely on from an RS are in RFC6750, and the entire section is about what to > look for in an incoming AT to validate, hence it doesn't look like we have > much choice but to return invalid_token for every error in the validation > checks enumerated in Section 4. I can definitely add a paragraph to that > effect (does it have to be a section?). > > The re-authentication part is tricky. Technically we are still rejecting > the > incoming token, hence the above should still apply. > I am not aware of tools we can use from the primitives defined in the > OAuth2 > family of standards for telling people how to make reauthentication happen- > and making reauth happen can be quite involved. In Azure AD there are semi > proprietary mechanisms that can be used to signal the need to repeat > authentication, say for triggering a step-up auth, by sending back together > with the error response a challenge that can in turn be used by the client > to communicate policy requirements to the AS (which is assumed to support > OIDC and accept/understand those policies in form of claim). Giving > equivalent guidance but relying only on standards seems tricky, especially > without making strong assumptions about how auth happens (e.g can we assume > OIDC?). > To solve this for the profile, I see two main ways forward: > A) We warn the reader that it's on them to decide how to signal the reauth > requirement from the API to the client, and how to use that in the client > to > AS subsequent authorization request > B) We venture in devising a standard mechanism for propagating errors that > require reauth, basically extending RFC6750 with a new use case (perhaps by > detailing extra info to be put in WWW-Authenticate?). > > I can see how B) might be useful in general, but it doesn't seem > particularly tied to the fact that the ATs being discussed here are JWTs... > hence I'd be inclined to declare it out of scope here, tho I would really > love for us to devise a standard solution for it _somewhere_. > WDYT? > > > > -----Original Message----- > From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> On > Behalf Of Aaron Parecki > Sent: Wednesday, March 25, 2020 12:07 PM > To: OAuth WG <oauth@ietf.org<mailto:oauth@ietf.org>> > Subject: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 Access > Tokens > > Section 4 talks about validating JWT Access Tokens > > https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-4 > > It has a list of things the RS MUST do when validating a request made with > a > JWT access token. This section contains phrases like "...and reject > tokens..." and "MUST be rejected if...", without clear instructions on > *how* > to reject this request. For these, I could infer that the RFC6750 error > code > "invalid_token" is the correct response, but these could benefit from being > more explicit about that here. > > Step 7 says: "the resource server SHOULD check the auth_time value and > request re-authentication..." But there are no instructions on how the RS > should respond to indicate that the client should request > re-authentication. > This sounds like a different response than "invalid_token" to me, but in > any > case, regardless of what the correct response is, Section 4 really needs a > description of how to respond in these error cases. > > ---- > Aaron Parecki > aaronparecki.com > @aaronpk > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20200330/6db2d3fd/attachment.html > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 137, Issue 110 > *************************************** > -- André Triverio, CJM
- Re: [OAUTH-WG] OAuth Digest, Vol 137, Issue 110 Andre Triverio