Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Mike Jones <Michael.Jones@microsoft.com> Thu, 01 May 2014 07:15 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 272DB1A0A1C for <oauth@ietfa.amsl.com>; Thu, 1 May 2014 00:15:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.302
X-Spam-Level:
X-Spam-Status: No, score=-1.302 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLnaIeHhwwgd for <oauth@ietfa.amsl.com>; Thu, 1 May 2014 00:15:49 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0185.outbound.protection.outlook.com [207.46.163.185]) by ietfa.amsl.com (Postfix) with ESMTP id 078C71A0A15 for <oauth@ietf.org>; Thu, 1 May 2014 00:15:48 -0700 (PDT)
Received: from BY2PR03CA032.namprd03.prod.outlook.com (10.242.234.153) by BY2PR03MB192.namprd03.prod.outlook.com (10.242.36.144) with Microsoft SMTP Server (TLS) id 15.0.929.12; Thu, 1 May 2014 07:15:45 +0000
Received: from BY2FFO11FD022.protection.gbl (2a01:111:f400:7c0c::122) by BY2PR03CA032.outlook.office365.com (2a01:111:e400:2c2c::25) with Microsoft SMTP Server (TLS) id 15.0.934.12 via Frontend Transport; Thu, 1 May 2014 07:15:45 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD022.mail.protection.outlook.com (10.1.15.211) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Thu, 1 May 2014 07:15:45 +0000
Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.03.0181.007; Thu, 1 May 2014 07:15:18 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, 'Brian Campbell' <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
Thread-Index: AQHPYHPsqQW6K7XM2UikgyZnVh8GF5siTKYAgARrqoCAAEewAIAAHAEAgAASguCABCnZ8A==
Date: Thu, 1 May 2014 07:15:17 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A1A1570@TK5EX14MBXC288.redmond.corp.microsoft.com>
References: <535A3AF4.4060506@gmx.net> <CA+k3eCTyA3PPY4BLKUjwJa91ovY5v6EhbwH+Ss2OSsajJdOOPw@mail.gmail.com> <535E127B.2010504@gmx.net> <CA+k3eCRxcSSJpk+uAxB-FfhsB7UFavNGhtDbwDYhS8tT1=65Jg@mail.gmail.com> <535E661C.9080002@gmx.net> <4E1F6AAD24975D4BA5B16804296739439A19888B@TK5EX14MBXC288.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439A19888B@TK5EX14MBXC288.redmond.corp.microsoft.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.32]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(6009001)(438001)(51694002)(53754006)(199002)(189002)(377454003)(479174003)(13464003)(51704005)(51914003)(24454002)(43784003)(74502001)(74662001)(55846006)(80976001)(15395725003)(76176999)(54356999)(97736001)(50986999)(31966008)(6806004)(76482001)(87936001)(2656002)(86612001)(33656001)(83322001)(46102001)(15975445006)(19580395003)(44976005)(4396001)(81342001)(19580405001)(99396002)(20776003)(79102001)(50466002)(84676001)(77982001)(2009001)(86362001)(575784001)(83072002)(81542001)(80022001)(23676002)(47776003)(85852003)(15202345003)(92566001)(66066001)(92726001); DIR:OUT; SFP:1101; SCL:1; SRVR:BY2PR03MB192; H:mail.microsoft.com; FPR:EE6DF1E6.96FA5111.BFEF7597.5BFB6241.20807; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 01986AE76B
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/TiQWlpJeBo46bSoiC01QUOqRYtk
Cc: "'oauth@ietf.org'" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 May 2014 07:15:52 -0000

Hannes, the example at http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-20#section-3.1 (and the other examples) have been clarified to address the concerns you raised, pointing out that the JSON objects presented in the drafts can be ambiguous and making it clear that the octets of the UTF-8 encoding also supplied are authoritative for these examples.

Thanks again for the useful feedback.

				-- Mike

-----Original Message-----
From: Mike Jones 
Sent: Monday, April 28, 2014 8:48 AM
To: Hannes Tschofenig; Brian Campbell
Cc: oauth@ietf.org
Subject: RE: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

I'm not opposed to saying more about the fact that in order to verify the examples, people need to use the octet sequence representation, rather than the ASCII representation, since aspects of the ASCII rendering will vary, including whether lines are terminated by CRLF or LF sequences and in the number of spaces at the beginning and ends of lines.

I already have to produce an updated draft to swap whether two references are normative or informative, so I can add this caveat this at the same time.

				-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
Sent: Monday, April 28, 2014 7:31 AM
To: Brian Campbell
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

It would be nice to be able to verify the examples in the document(s). I understand that the ASCII draft format provides a number of limitations.

I wonder what others think. Have you tried to verify the examples? Have you encounter problems yourself as well?

Ciao
Hannes

On 04/28/2014 02:50 PM, Brian Campbell wrote:
> To be honest, I'm kind of indifferent to it. Yes, the input into the 
> example encodings do include CR+LF (the editor is a Microsoft guy 
> after
> all) but they also have space characters that are removed from the 
> beginning of each line, which isn't exactly obvious. Describing that 
> in a way that everyone will find easy to understand and use seems like 
> a difficult endeavor. The octet sequence is there to unambiguously 
> show what the input into the encoding was. And one can also always 
> decode the base64url content too, to see exactly what the input was.
> 
> So, yeah, I don't know. I'm not against mentioning the \r\n but I 
> don't personally think it helps much.
> 
> 
> 
> 
> On Mon, Apr 28, 2014 at 2:34 AM, Hannes Tschofenig 
> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> 
>     Hi Brian,
> 
>     thanks for the pointers.
> 
>     It is easy to see from your code where the issue is. In your code the
>     \r\n sequence is added at the end of each line but due to the nature of
>     the ASCII draft formatting a reader only sees the \n (new line) but not
>     the \r carriage return.
> 
>     While the draft provides the UTF-8 representation of each individual
>     character but, as I mentioned in my email below, none of the tools I
>     found produce a convenient way to use this as input for the base64url
>     encoding procedure.
> 
>     I believe it would be good to mention that each line in the examples is
>     followed by the \r\n character sequence to make it easier for those who
>     want to re-create the examples.
> 
>     What do you think?
> 
>     Ciao
>     Hannes
> 
> 
>     On 04/25/2014 03:03 PM, Brian Campbell wrote:
>     > So JWT 3.1 is based entirely on, and is just a subset of, JWS Appendix
>     > A.1. And I've got a test which validates that example in my JOSE
>     library
>     > <https://bitbucket.org/b_c/jose4j>:
>     >
>     https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsUsingHmacSha256ExampleTest.java
>     >
>     > And here's a verification of the Example Encrypted JWT from Appendix
>     > A.1:
>     >
>     https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jwe/EncryptedJwtTest.java
>     >
>     > The example in Section 6.1 is different than 3.1 - it's a "Plaintext
>     > JWT" using the "none" JWS alg. I've got verification of that one
>     as well
>     > at the top of
>     >
>     https://bitbucket.org/b_c/jose4j/src/master/src/test/java/org/jose4j/jws/JwsPlaintextTest.java
>     >
>     >
>     > On Fri, Apr 25, 2014 at 4:37 AM, Hannes Tschofenig
>     > <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>
>     <mailto:hannes.tschofenig@gmx.net
>     <mailto:hannes.tschofenig@gmx.net>>> wrote:
>     >
>     >     Hi all,
>     >
>     >     As a document shepherd I have to verify the entire document
>     and this
>     >     includes the examples as well.
>     >
>     >     Section 3.1:
>     >
>     >     You write:
>     >
>     >     "
>     >        The following octet sequence is the UTF-8 representation of
>     the JWT
>     >        Header/JWS Header above:
>     >
>     >        [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44,
>     13, 10, 32,
>     >        34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
>     >     "
>     >
>     >     The values IMHO are represented in Decimal code point rather
>     than Octal
>     >     UTF-8 bytes, as stated above.
>     >     See the following online tool to see the difference:
>     >     http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char
>     >
>     >     Note that you could also show a hex encoding instead (e.g., via
>     >     http://ostermiller.org/calc/encode.html). Hixie's decoder
>     would then
>     >     produce the correct decoding. Here is the link to his software:
>     >    
>     http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder
>     >     (Note that this program seems to have flaws for most other
>     options.)
>     >
>     >     When do a Base64URL encoding of
>     >
>     >     {"typ":"JWT","alg":"HS256"}
>     >
>     >     then I get
>     >
>     >     eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
>     >
>     >     but your spec says:
>     >
>     >     eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
>     >
>     >     Same with
>     >     {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}.
>     >
>     >     My result:
>     >    
>     eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>     >
>     >     Your result:
>     >    
>     eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>     >
>     >     Note: I am using this online tool for Base64URL encoding:
>     >     http://kjur.github.io/jsjws/tool_b64uenc.html.
>     >     Interestingly, when I dump the data into http://jwt.io/ then I
>     get a
>     >     correct decoding. It might well be that the kjur.github.io
>     <http://kjur.github.io>
>     >     <http://kjur.github.io> has a flaw.
>     >
>     >     Just wanted to check what tool you have used to create these
>     encodings.
>     >
>     >
>     >     Section 6.1:
>     >
>     >     The example in Section 6.1 is the same as in 3.1. Maybe it
>     would be
>     >     useful to show something different here.
>     >
>     >     The example in Appendix A.1 is more sophisticated since it
>     demonstrates
>     >     encryption. To verify it I would need to have a library that
>     supports
>     >     JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which
>     library
>     >     have you been using?
>     >
>     >     I was wondering whether it would make sense to add two other
>     examples,
>     >     namely for integrity protection. One example showing an
>     HMAC-based keyed
>     >     message digest and another one using a digital signature.
>     >
>     >     Here is a simple example to add that almost all JWT libraries
>     seem to be
>     >     able to create and verify:
>     >
>     >     Header:
>     >     {"alg":"HS256","typ":"JWT"}
>     >
>     >     I use the HS256 algorithm with a shared secret '12345'.
>     >
>     >     Body:
>     >
>     >     {"iss":"https://as.example.com","sub":"mailto:john@example.com
>     <mailto:john@example.com>
>     >     <mailto:john@example.com
>     <mailto:john@example.com>>","nbf":1398420753,"exp":1398424353,"iat":1398420753}
>     >
>     >    
>     jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com
>     <mailto:john@example.com>
>     >     <mailto:john@example.com
>     <mailto:john@example.com>>","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345",
>     >     "HS256")
>     >
>     >     I used http://www.onlineconversion.com/unix_time.htm to create the
>     >     date/time values:
>     >     "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
>     >     "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT
>     >     "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
>     >
>     >     Here is the output created with
>     https://github.com/progrium/pyjwt/ and
>     >     verified with http://jwt.io/:
>     >    
>     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4
>     >
>     >     Ciao
>     >     Hannes
>     >
>     >
>     >
>     >     _______________________________________________
>     >     OAuth mailing list
>     >     OAuth@ietf.org <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
>     <mailto:OAuth@ietf.org>>
>     >     https://www.ietf.org/mailman/listinfo/oauth
>     >
>     >
> 
>