IETF Logo Mail Archive

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

Brian Campbell <bcampbell@pingidentity.com> Thu, 23 July 2020 20:30 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D6603A0B54 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 13:30:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id punKiRY9w10g for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 13:30:11 -0700 (PDT)
Received: from mail-lf1-x12f.google.com (mail-lf1-x12f.google.com [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA2093A07EC for <oauth@ietf.org>; Thu, 23 Jul 2020 13:30:10 -0700 (PDT)
Received: by mail-lf1-x12f.google.com with SMTP id 140so4007632lfi.5 for <oauth@ietf.org>; Thu, 23 Jul 2020 13:30:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nmHwMvtdYIGApQSJQzawmyHJCjvWZRUEjpAkFXmWZr4=; b=IVyds+CrFAePTlLNQds3em2H1rOA1rajCTT2ihaHpZM9vla7qhxyBukRtoV5P6p8iw 0yJ3tu9W3LCNy1RK23tI4Fsj5atQFOonXtmgohp2q/1ogUsgAO0LvcljhKQEMJha6Ed+ rgTJVSH29smB3GmtbUm+q6ntW1MgzP1TX2RKOlwmtA68RZ+bKlJVnZhTJx1tACbB4xm6 Y3cmG+vmRTXiKQWUlzaZ/8/KTSJOxFegl/GLndZB+bBbA90/dkDxcAL96F3SQf9flxnP s++W2y2dBMiRFx3ojU92V2YTEExJIEK2ET8DNNhQ7gFlNQBwIUKedjRozAB5jdQ0xb4Y C7IQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nmHwMvtdYIGApQSJQzawmyHJCjvWZRUEjpAkFXmWZr4=; b=enm3YCT8YvfZGfJuGDJ/KQwmJkiFyf74pddRoElFzp9vZ1bjYy2vH2Mxnmkq6dFWSK nfbpJ/lQ4jbmqL7XYmopgsGM2R53dTlmj0MYdEp0PCbeIZ6U4xxTHnbx26ZU+vxyWcx3 QfG8aRZAY7LcJoKidzJ9O82Ta+FYIoGPcPVvcXyfuzkpXNFpVJC8IsgLwxlqoFSshbls IUC+SL141g7N0NzmvCrE9dhqhmoAcZKxKcgfuSorrF7EYK8Dtwf7e25VXt0gpr7Fdocd p3lWK36AHeNjEBCtDYSA0QAXXmarEvoHbt7mq/loIFF2w1D61+ZqdtiDQsKQAlO1s6Pl U+VA==
X-Gm-Message-State: AOAM533LkDSZGzl8NZvWvZ1wgvQsukgdU+DezJmItmhUskO/C/zedtfv EjYSC4zJ0aMA+4YA/cS617NuqOIFZxJsqUL+Eek2My8ctTugJ+4+rkQa9uHfPGd8TIPexZkgXfd Fh5tITtoKCuU9GY/CVJE=
X-Google-Smtp-Source: ABdhPJyFv/PNgsRusKQGfMxZP3dBkVlb+W/F0J2XWk/VyEQL0i6Dz8IWqiV64+NB76pgURY1X2sp5LTPWcrroKkfkqg=
X-Received: by 2002:a19:4857:: with SMTP id v84mr3048371lfa.195.1595536208591; Thu, 23 Jul 2020 13:30:08 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com> <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com> <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com> <CAO7Ng+vgaPsAo7aQ7uXbcf-M9p2uqQDaxtxoJe1_Av=khbdULg@mail.gmail.com> <CAO7Ng+vUAHtCwnPOh6LMjk4hdmt0T0nhW7b8SywdBttTNatNCA@mail.gmail.com>
In-Reply-To: <CAO7Ng+vUAHtCwnPOh6LMjk4hdmt0T0nhW7b8SywdBttTNatNCA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 23 Jul 2020 14:29:42 -0600
Message-ID: <CA+k3eCS8umKx=od2dHd47yfb51D4MQrEGpgNPH_iqXR9O7sioQ@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f0975305ab21b8ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/S8NZjBQaiL1Vt9VNvzaypGApq1o>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 20:30:13 -0000

In hindsight, yeah, having explicit JWT typing everywhere would be nice..
But retrofitting would be a very major undertaking, which I don't think
could reasonably be justified considering cost–benefit.

I can't speak directly for the Jwsreq authors but I suspect considerations
around backward/forward compatibility with OIDC's JWT request and even
existing implementations of the Jwsreq draft that has been in draft forever
came into play.

On Wed, Jul 22, 2020 at 11:38 PM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> Even more. Jwsreq should have it. But the authors decided against it.
>
> ———
> Dominick Baier
>
> On 23. July 2020 at 07:38:04, Dominick Baier (dbaier@leastprivilege.com)
> wrote:
>
> Good point. Thanks, Brian.
>
> We should retrofit typs everywhere..in hindsight.
>
> ———
> Dominick Baier
>
> On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com)
> wrote:
>
> Because it wouldn't actually prevent it in this case due to JWT assertion
> client authentication (a.k.a. private_key_jwt) having come about well
> before the JWT BCP and the established concept of using the 'typ' header to
> prevent cross-JWT confusion. Thus there's no validation rule regarding the
> 'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
> typing the request object JWT doesn't do anything to prevent it from being
> used in the context of previously existing JWT applications like client
> auth.
>
> On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com>
> wrote:
>
>> Why not use a typ header as suggested by the JWT BCP?
>>
>> ———
>> Dominick Baier
>>
>> On 22. July 2020 at 17:37:41, Brian Campbell (
>> bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>>
>> The TL;DR here is a somewhat tentative suggestion that a brief security
>> consideration be added to
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
>> <https://datatracker..ietf.org/doc/draft-ietf-oauth-jwsreq/> that
>> prohibits the inclusion of a 'sub' claim containing the client id value in
>> the request object JWT so as to prevent the request object JWT (which is
>> exposed to the user agent) from being erroneously accepted as a valid JWT
>> for client authentication.
>>
>> Some more details and the discussion that led to this here email can be
>> found at https://github.com/oauthstuff/draft-oauth-par/issues/41
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly
>> prohibited...  If you have received this communication in error, please
>> notify the sender immediately by e-mail and delete the message and any file
>> attachments from your computer. Thank you.*_______________________________________________
>>
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email