IETF Logo Mail Archive

Re: [OAUTH-WG] JSON Web Token (JWT) Profile

Antonio Sanso <asanso@adobe.com> Tue, 11 March 2014 20:44 UTC

Return-Path: <asanso@adobe.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 784581A072D for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 13:44:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.146
X-Spam-Level:
X-Spam-Status: No, score=-0.146 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_ADOBE2=2.455, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bVNbGdeBgvfd for <oauth@ietfa.amsl.com>; Tue, 11 Mar 2014 13:44:04 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0240.outbound.protection.outlook.com [207.46.163.240]) by ietfa.amsl.com (Postfix) with ESMTP id 1EFE21A072C for <oauth@ietf.org>; Tue, 11 Mar 2014 13:44:03 -0700 (PDT)
Received: from CO1PR02MB206.namprd02.prod.outlook.com (10.242.165.144) by DM2PR02MB318.namprd02.prod.outlook.com (10.141.83.142) with Microsoft SMTP Server (TLS) id 15.0.888.9; Tue, 11 Mar 2014 20:43:56 +0000
Received: from CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.29]) by CO1PR02MB206.namprd02.prod.outlook.com ([169.254.8.185]) with mapi id 15.00.0893.001; Tue, 11 Mar 2014 20:43:55 +0000
From: Antonio Sanso <asanso@adobe.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] JSON Web Token (JWT) Profile
Thread-Index: AQHPPTQaKxckAjMng0+5U95NRYKjsJrb9DEAgAAFrgD///7sAIAABF2A////FQCAAAWCgIAAHd0AgAAhvACAABl8gA==
Date: Tue, 11 Mar 2014 20:43:54 +0000
Message-ID: <CC77962D-E341-4358-B320-E4C4D09FD17A@adobe.com>
References: <3A1BC33F-1AE2-492F-BCE9-CCB9CF4C3C83@adobe.com> <531F1F72.8010805@gmx.net> <5275E1B4-64DD-48FF-A1A9-959C75EA5DE2@adobe.com> <531F234E.90609@gmx.net> <E8EF9394-73F1-413F-A064-C8543C52EAFD@adobe.com> <531F2632.2090204@gmx.net> <DF99C8A6-DD40-40DE-8F01-399C4CB6FFDC@ve7jtb.com> <F3EA5E97-BCC2-40E8-80FB-7170FD7D8BD4@adobe.com> <32BBE66D-883E-465C-91EB-CDB51333F08A@ve7jtb.com>
In-Reply-To: <32BBE66D-883E-465C-91EB-CDB51333F08A@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [178.83.47.250]
x-forefront-prvs: 0147E151B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019001)(6009001)(428001)(189002)(199002)(51704005)(24454002)(479174003)(377454003)(52604005)(51694002)(47446002)(15202345003)(74706001)(59766001)(19580395003)(19580405001)(51856001)(54316002)(79102001)(77096001)(56776001)(83322001)(81542001)(76796001)(46102001)(76786001)(53806001)(50986001)(95666003)(69226001)(49866001)(74502001)(74662001)(94316002)(31966008)(47736001)(94946001)(81686001)(54356001)(80976001)(85306002)(36756003)(76482001)(97186001)(92726001)(63696002)(93516002)(83716003)(82746002)(81342001)(33656001)(92566001)(95416001)(77982001)(47976001)(87936001)(83072002)(74876001)(74366001)(15975445006)(85852003)(2656002)(87266001)(97336001)(90146001)(56816005)(86362001)(65816001)(93136001)(81816001)(80022001)(4396001)(66066001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR02MB318; H:CO1PR02MB206.namprd02.prod.outlook.com; CLIP:178.83.47.250; FPR:ECCFF175.AFF2D1D1.387F113B.86E4F772.205E8; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: adobe.com does not designate permitted sender hosts)
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <0D64FDBDCCFAFB4F8323AB34109F5D5B@namprd02.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: adobe.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/RyryptfTUJosiFG5JpQ-oHUXTSM
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JSON Web Token (JWT) Profile
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Mar 2014 20:44:06 -0000

agree, but in some cases the subject is not only same as the issuer but simply it doesn’t matter.

In my example below all it matters is that the assertion signed by app1 is valid…. 

Continue in my probably not relevant “Google example” if I set the prn same as the issuer it would not work (keeping only the issuer without any subject gives me back a correct access token instead).

Again this is not relevant spec wise. AFIU there is consensus in the working group to keep the subject mandatory. Would it make sense at least to add a little not that in some situations the issuer and the subject are the same?
This might clarify at least something to people that do wonder...

regards

antonio

On Mar 11, 2014, at 8:12 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> The specification is intended to allow the interoperation of standard libraries.  
> 
> In some cases the subject and the iss may be the same, however the underlying OAuth library may be a general one and always require a subject for security processing.
> 
> It is possible that all libraries could have a special rule for when sub is not present and use the value of iss as sub.  This will save some bytes in the JWT but it is probably not worth creating an extra code path in libraries for the size optimization. 
> 
> I don't think your saying there is no subject just that it is redundant with iss in some cases.
> 
> John B.
> 
> On Mar 11, 2014, at 2:11 PM, Antonio Sanso <asanso@adobe.com> wrote:
> 
>> Ok this is my use case:
>> 
>> - I  am John Doe and going to AS to register my app named app1
>> - I then either upload my public key or download a private key
>> - at this point I am ready to build my assertion, the issuer claim is going to be app1 and should suffice.
>> 
>> is the subject really needed in this use case? 
>> 
>> regards
>> 
>> antonio
>> 
>> 
>> On Mar 11, 2014, at 4:25 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> 
>>> The missing scheme especially on JWT issued by google is something I understand they are working on but need to be careful about breaking existing code, so will possibly need new endpoints that are spec compliant. 
>>> 
>>> While in this google case the subject and the issuer happen to be the same they may well not be even in the self signed case.   In WG discussions being consistent in providing the subject was considered to be better for interoperability than optimizing for the case where sub or issuer could be dropped.  
>>> 
>>> John B.
>>> 
>>> On Mar 11, 2014, at 12:05 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>> 
>>>> Maintaining both information in the JWT is IMHO valuable since it gives
>>>> you some information about the security properties. Needless to say that
>>>> there is a substantial difference between a self-created JWT and a JWT
>>>> from a third party the relying party has some confidence in.
>>>> 
>>>> Why Google has an old implementation and whether they are planning to
>>>> update their code remains to be seen.
>>>> 
>>>> More importantly, however, is why you argue that the subject claim has
>>>> to be optional.
>>>> 
>>>> Ciao
>>>> Hannes
>>>> 
>>>> Ps: I also noticed in the examples that all URIs have their URI scheme
>>>> missing. While that might be OK I am not entirely sure...
>>>> 
>>>> On 03/11/2014 04:08 PM, Antonio Sanso wrote:
>>>>> 
>>>>> On Mar 11, 2014, at 3:53 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>> 
>>>>>> Thanks for clarifying.
>>>>>> 
>>>>>> I took a quick look at the Google API and it seems that in their use
>>>>>> case the client creates the JWT and consequently the subject and the
>>>>>> issue would actually be the same. I suspect that this is the reason why
>>>>>> they omitted the subject.
>>>>> 
>>>>> agreed that is why in my mail I said the subject might overlap with the issuer.
>>>>> The subject in the google case is still called with its obsolete name (prn) and it is actually listed as ‘additional claims’ hence not mandatory.
>>>>> 
>>>>> regards
>>>>> 
>>>>> antonio
>>>>> 
>>>>>> 
>>>>>> Could you explain why you would like to omit the subject claim in the JWT?
>>>>>> 
>>>>>> Ciao
>>>>>> Hannes
>>>>>> 
>>>>>> PS: Your feedback on the  draft-ietf-oauth-jwt-bearer-07 spec is timely
>>>>>> since we are about to finish all three assertion specs.
>>>>>> 
>>>>>> 
>>>>>> On 03/11/2014 03:56 PM, Antonio Sanso wrote:
>>>>>>> hi Hannes,
>>>>>>> 
>>>>>>> I am aware of the 2 documents,
>>>>>>> 
>>>>>>> I might be wrong but http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07 is also about Authorization Grant Processing (this is the part I do use in my implementation ) and not only Client Authentication Processing.
>>>>>>> 
>>>>>>> Just my 0.02 $ but this seems to be a place where different implementer have the same issue :)
>>>>>>> 
>>>>>>> regards
>>>>>>> 
>>>>>>> antonio
>>>>>>> 
>>>>>>> On Mar 11, 2014, at 3:36 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>> 
>>>>>>>> Hi Manfred, Hi Antonio,
>>>>>>>> 
>>>>>>>> Note that there are two documents that talk about the JWT and you guys
>>>>>>>> might be looking at the wrong document.
>>>>>>>> 
>>>>>>>> The main JWT document (see
>>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18) defines
>>>>>>>> the subject claim as optional (see Section 4.1.2).
>>>>>>>> 
>>>>>>>> The JWT bearer assertion document (see
>>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07) does indeed
>>>>>>>> define it as mandatory but that's intentional since the purpose of the
>>>>>>>> spec is to authenticate the client (or the resource owner for an
>>>>>>>> authorization grant).
>>>>>>>> 
>>>>>>>> The assertion documents are used for interworking with "legacy" identity
>>>>>>>> infrastructure (such as SAML federations).
>>>>>>>> 
>>>>>>>> So, are you sure you are indeed looking at the right document?
>>>>>>>> 
>>>>>>>> Ciao
>>>>>>>> Hannes
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On 03/11/2014 03:13 PM, Antonio Sanso wrote:
>>>>>>>>> hi *,
>>>>>>>>> 
>>>>>>>>> JSON Web Token (JWT) Profile section 3 [0] explicitely says 
>>>>>>>>> 
>>>>>>>>> The JWT MUST contain a "sub" (subject) claim 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Now IMHO there are cases where having the sub is either not needed or
>>>>>>>>> redundant (since it might overlap with the issuer).\
>>>>>>>>> 
>>>>>>>>> As far as I can see “even Google” currently violates this spec [1] ( I
>>>>>>>>> know that this doesn’t matter, just wanted to bring a real use case
>>>>>>>>> scenario).
>>>>>>>>> 
>>>>>>>>> WDYT might the “sub” be optional in some situation?
>>>>>>>>> 
>>>>>>>>> regards
>>>>>>>>> 
>>>>>>>>> antonio 
>>>>>>>>> 
>>>>>>>>> [0] http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3
>>>>>>>>> [1] https://developers.google.com/accounts/docs/OAuth2ServiceAccount
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>> 
>

v2.23.0 | Report a Bug | By Email