Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
Vittorio Bertocci <Vittorio@auth0.com> Tue, 26 March 2019 00:13 UTC
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Mon, 25 Mar 2019 17:13:02 -0700
Message-ID: <CAO_FVe7v4MQ1Ze2cO0zqoETLDtDyJh7ockWj+q_ATxnPeO8kTA@mail.gmail.com>
To: donald.coffin@reminetworks.com
Cc: Dominick Baier <dbaier@leastprivilege.com>, Hans Zandbelt <hans.zandbelt@zmartzone.eu>, IETF oauth WG <oauth@ietf.org>, Nov Matake <matake@gmail.com>
Thanks Don for your perspective on this!

On Mon, Mar 25, 2019 at 10:13 AM <donald.coffin@reminetworks.com> wrote:

> Dominick,
>
> While your assumption of how OIDC and OAuth are used may apply to Federated solutions, the North American Energy Standards Board (NAESB) Energy Service Provider Interface (ESPI) REQ.21, which defines the data transmission standard for Energy utilities (electricity, gas, and water) to use in providing consumers and Third Party applications information about their customer’s energy consumption, only allows OAuth 2.0 opaque ATs.
>
> The Green Button Alliance is reviewing how to update the standard to utilize the various IETF standards associated with OIDC this coming year, but currently the standard does NOT support a mixture of OIDC and OAuth. I am very happy to see the IETF attempting to standardize the content and usage of JWT based OAuth ATs.
>
> Best regards,
> Don
>
> Donald F. Coffin
> Founder/CTO
> REMI Networks
> 2335 Dunwoody Xing #E
> Dunwoody, GA 30338-8221
> Phone: (949) 636-8571
> Email: donald.coffin@reminetworks.com
>
> *From:* Dominick Baier <dbaier@leastprivilege.com>
> *Sent:* March 25, 2019 10:39 AM
> *To:* Hans Zandbelt <hans.zandbelt@zmartzone.eu>
> *Cc:* IETF oauth WG <oauth@ietf.org>; Nov Matake <matake@gmail.com>; vittorio@auth0.com
> *Subject:* Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
>
> Yes I know - and I think in hindsight it was a mistake to use the same claim type for multiple semantics.
>
> All the “this is OIDC not OAuth” arguments are making things more complicated than they need to be - in my experience almost no-one (that I know) does OIDC only - nor OAuth only. They always combine it.
>
> In reality this leads to potential security problems - this spec has the potential to rectify the situation.
>
> Dominick
>
> On 25. March 2019 at 14:58:56, Hans Zandbelt (hans.zandbelt@zmartzone.eu) wrote:
>
> Without agreeing or disagreeing: OIDC does not apply here since it is not OAuth and an access token is not an id_token.
>
> The JWT spec says in https://tools.ietf.org/html/rfc7519#section-4.1.2:
>
> > "The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific"
>
> which kind of spells "client" in case of the client credentials grant but I also do worry about Resource Servers thinking/acting only in terms of users
>
> Hans.
>
> On Mon, Mar 25, 2019 at 2:41 PM Dominick Baier <dbaier@leastprivilege.com> wrote:
>
> IMHO the sub claim should always refer to the user - and nothing else.
>
> OIDC says:
>
> "Subject - Identifier for the End-User at the Issuer."
>
> client_id should be used to identify clients.
>
> cheers
> Dominick
>
> On 25. March 2019 at 05:13:03, Nov Matake (matake@gmail.com) wrote:
>
> Hi Vittorio,
>
> Thanks for the good starting point of standardizing JWT-ized AT.
>
> One feedback.
> The “sub” claim can include 2 types of identifier, end-user and client, in this spec.
> It requires those 2 types of identifiers to be unique from each other in the IdP context.
>
> I prefer omitting the “sub” claim in the 2-legged context, so that no such constraint is needed.
>
> thanks
>
> nov
>
> On Mar 25, 2019, at 8:29, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>
> Dear all,
> I just submitted a draft describing a JWT profile for OAuth 2.0 access tokens. You can find it in https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
>
> I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting remotely). I look forward to your comments!
>
> Here's just a bit of backstory, in case you are interested in how this doc came to be. The trajectory it followed is somewhat unusual.
>
> - Despite OAuth2 not requiring any specific format for ATs, through the years I have come across multiple proprietary solutions using JWT for their access token. The intent and scenarios addressed by those solutions are mostly the same across vendors, but the syntax and interpretations in the implementations are different enough to prevent developers from reusing code and skills when moving from product to product.
> - I asked several individuals from key products and services to share with me concrete examples of their JWT access tokens (THANK YOU Dominick Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta) for the tokens and explanations!). I studied and compared all those instances, identifying commonalities and differences.
> - I put together a presentation summarizing my findings and suggesting a rough interoperable profile (slides: https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx) - got early feedback from Filip Skokan on it. Thx Filip!
> - The presentation was followed up by 1.5 hours of unconference discussion, which was incredibly valuable to get tight-loop feedback and incorporate new ideas. John Bradley, Brian Campbell, Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there and contributed generously to the discussion. Thank you!!!
> Note: if you were at OSW2019, participated in the discussion and didn't get credited in the draft, my apologies: please send me a note and I'll make things right at the next update.
> - On my flight back I did my best to incorporate all the ideas and feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat, Hannes and above all Brian were all super helpful in negotiating the mysterious syntax of the RFC format and submission process.
>
> I was blown away by the availability, involvement and willingness to invest time to get things right that everyone demonstrated in the process. This is an amazing community.
>
> V.
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
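The resource-server check the thread circles around, as an added illustration that is not code from this thread or from the draft: a token whose `sub` is absent (Nov's preference) or equal to `client_id` (Hans's reading of RFC 7519 for the client credentials grant) speaks for the client, not for an end-user, and an RS that reads `sub` as a user id only will confuse the two. The HS256 toy signing, the `at+jwt` header value, the `client_id` claim name and the demo issuer/audience values are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; not from the draft, Auth0, or any real deployment.
KEY = b"demo-shared-secret-for-illustration-only"
ISSUER = "https://issuer.example"
AUDIENCE = "https://api.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(claims: dict) -> str:
    """Toy issuer: HS256-sign a claim set (hypothetical; real ASs publish JWKS keys)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str) -> dict:
    """RS side: check signature, issuer and audience (exp/nbf omitted for brevity)."""
    header, payload, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims

def principal(claims: dict) -> tuple:
    """Who does the token speak for? Returns ("user", id) or ("client", id)."""
    # A client-credentials token either omits 'sub' or carries the client id in it,
    # so an absent 'sub', or one equal to 'client_id', denotes the client itself.
    client_id = claims.get("client_id")
    sub = claims.get("sub")
    if sub is None or sub == client_id:
        return ("client", client_id)
    return ("user", sub)

def naive_owner_check(claims: dict, owner: str) -> bool:
    """The pattern Hans worries about: the RS treats 'sub' as a user id only."""
    return claims.get("sub") == owner

def owner_check(claims: dict, owner: str) -> bool:
    """Release a user's data only to a token whose principal is that user."""
    return principal(claims) == ("user", owner)
```

With an issuer that does not keep user and client identifiers disjoint, `naive_owner_check` lets a client whose id collides with a user id read that user's data, while `owner_check` does not.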