[OAUTH-WG] About draft-ietf-oauth-access-token-jwt-10
Denis <denis.ietf@free.fr> Wed, 23 September 2020 09:40 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E993A0E5C for <oauth@ietfa.amsl.com>; Wed, 23 Sep 2020 02:40:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.534
X-Spam-Level: **
X-Spam-Status: No, score=2.534 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, LONGWORDS=2.035, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, SPOOFED_FREEMAIL=1.997, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sm42XPJZUFmU for <oauth@ietfa.amsl.com>; Wed, 23 Sep 2020 02:40:18 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 612913A0DFF for <oauth@ietf.org>; Wed, 23 Sep 2020 02:40:17 -0700 (PDT)
Received: from [192.168.1.11] ([90.91.135.171]) by mwinf5d61 with ME id XMgD2300G3i31rN03MgDr9; Wed, 23 Sep 2020 11:40:15 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Wed, 23 Sep 2020 11:40:15 +0200
X-ME-IP: 90.91.135.171
To: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Cc: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <11ceb124-9164-267b-8f7a-22c4c888f933@free.fr>
Date: Wed, 23 Sep 2020 11:40:16 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------D7BA03B6BA5A6F0D2CC73EA2"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UXqilEr3fhAahD6fYjgTif3mexY>
Subject: [OAUTH-WG] About draft-ietf-oauth-access-token-jwt-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 09:40:21 -0000
Hello Vittorio, I have three comments numbered 1, 2 and 3. *Comment 1:** * Section 3 states: 3. Requesting a JWT Access Token An authorization server can issue a JWT access token in response to any authorization grant defined by [RFC6749] and subsequent extensions meant to result in an access token. If the request includes a "resource" parameter (as defined in [RFC8707]), the resulting JWT access token "aud" claim SHOULD have the same value as the "resource" parameter in the request. I had a discussion I had on the mailing list with Hannes on September 10: [Denis] I believe, it would be worthwhile to add a sentence, just after this sentence, with the following text: When an authorization server decides to issue a JWT access token compliant to this profile, then the following requirements apply. (...) [Hannes] That’s fine for me because this is what the intended effect of the spec is. This portion of text from section 3 should be changed into: 3. Requesting a JWT Access Token An authorization server can issue a JWT access token in response to any authorization grant defined by [RFC6749] and subsequent extensions meant to result in an access token. *When an authorization server decides to issue a JWT access token compliant to this profile, then the following requirements apply. * If the request includes a "resource" parameter (as defined in [RFC8707]), the resulting JWT access token "aud" claim SHOULD have the same value as the "resource" parameter in the request. *Comment 2:** * Section 6 states: 6. Privacy Considerations As JWT access tokens carry information by value, it now becomes possible for clients and potentially even end users to directly peek inside the token claims collection. The client *MUST NOT* inspect the content of the access token: the authorization server and the resource server might decide to change token format at any time (for example by switching from this profile to opaque tokens) hence any logic in the client relying on the ability to read the access token content would break without recourse. RFC 2119 defines the meaning of MUST NOT or SHOULD NOT: 2. *MUST NOT* This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification. (...) 4. *SHOULD NOT* This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label. The first sentence of section 6 recognizes that it is technically possible for clients and potentially even end users to directly peek inside the token claims collection. There may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but there is no assurance that this can be done since the authorization server and the resource server might decide to change the token format at any time. The sentence : The client *MUST NOT* inspect the content of the access token: should be changed into: The client *SHOULD **NOT* inspect the content of the access token: *Comment 3:** * Section 6 also state: This profile mandates the presence of the "sub" claim in every JWT access token, making it possible for resource servers to rely on that information for correlating incoming requests with data stored locally for the authenticated principal. Although the ability to correlate requests might be required by design in many scenarios, there are scenarios where the authorization server might want to prevent correlation. The "sub" claim should be populated by the authorization servers according to a privacy impact assessment. For instance, if a solution requires preventing tracking principal activities across multiple resource servers, the authorization server should ensure that JWT access tokens meant for different resource servers have distinct "sub" values that cannot be correlated in the event of resource servers collusion. Similarly, if a solution requires preventing a resource server from correlating the principal’s activity within the resource itself, the authorization server should assign different "sub" values for every JWT access token issued. In turn, the client should obtain a new JWT access token for every call to the resource server, to ensure that the resource server receives different "sub" and "jti" values at every call, thus preventing correlation between distinct requests. As already mentioned on this mailing list, the above sentences would modify the semantics of the "sub" claim. While reading RFC 7519, no reader may be able to figure out that there are more than two flavours of the "sub" claim. This draft would be introducing two new other favours of the semantics of the "sub" claim which are not present in RFC 7519. When an element has been defined, its semantics cannot be changed ... unless making an Errata to RFC 7519 which would be a clean way to proceed. RFC 7519 defines the sub claim in the following way: 4.1.2. "sub" (Subject) Claim The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. *The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.* The processing of this claim is generally application specific. The "sub" value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL. Change into: This profile mandates the presence of the "sub" claim in every JWT access token, making it possible for resource servers to rely on that information for correlating incoming requests with data stored locally for the authenticated principal. The "sub" claim is scoped to be either locally unique in the context of the issuer or be globally unique (see section 4.1.2 from RFC 7519). When the "sub" claim is scoped to be locally unique in the context of the issuer, in the event of resource servers collusion, it can be used to correlate principals. When the "sub" claim is scoped to be globally unique, in the event of resource servers collusion, it can be used to correlate principals not only between resource servers but it can also be used to correlate principals between resource servers and other servers that do not implement this protocol but are using the same globally unique identifiers. Denis > Thanks Brian, Logan. > > On clarity. I tweaked that section and produced a new draft (-10). > Details: > > * Formally, the fact that we are referring to the User entity should > be unambiguous. 4.1.2 is a subsection of 4.1, which is titled > "User Resource Schema”. > However as a frequent critic of the excessive cyclomatic > complexity of the specs, I am making myself guilty of precisely > the same sin 😊 your suggestion can save the reader the need to > follow and parse the reference to understand the situation, hence > it’s a good improvement to clarity. > * For what concerns the actual format of the claims. The groups > entity actually appears as non-normative example in > https://tools.ietf.org/html/rfc7643#section-8.2; I can make an > explicit reference to that and make things a bit more discoverable. > * For roles and entitlements, things are murkier. > Before embarking in this endeavor I too had the expectation that > this would be a flat list of strings, but digging a bit in > existing implementations it turns out that’s not necessarily the > case. For example, Slack SCIM represents individual roles as two > possible forms { “value”:<name>, “primary”; <bool>}| { > “value”:<name>}, whereas databricks uses{ “value”:<name>}; WSO2 > uses{ “value”:<name>, “type”; <enum>}. > So for those two I don’t think we can do better than the current > statement about SCIM not supplying a vocabulary for them. > * I had some issues w the references where the section links were > turned into local links, as it happened in the past. That should > be fixed too. > * I applied the “” notation to the attributes, given that we are > turning them into claims it seems clearer to sue the same > typographic concention. > > * side note… <nonexistent section reference> > > Excellent point, fixed. >