Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Ad 1) the language is tricky but it does not say forbid the client from
sending in two resource values to the authorization endpoint, it says that
when access token is issued (i.e. the authorization_code grant at the token
endpoint) one of the granted resource values must be part of the request or
default to end up with an access token with a single audience. A resulting
refresh token contains all granted resource values. I don't see this as a
conflict but rather further profiling.

Ad 2) I disagree with making `aud` optional.

S pozdravem,
*Filip Skokan*

On Tue, 24 Mar 2020 at 07:48, Takahiko Kawasaki <taka@authlete.com> wrote:

> (1)
> The requirement in the paragraph below excerpted from "3. Requesting a JWT
> Access Token":
>
> *If it receives a request for an access token containing more than one
> resource parameter, an authorization server issuing JWT access tokens MUST
> reject the request and fail with "invalid_request" as described in section
> 4.1.2.1 of [RFC6749] or with "invalid_target" as defined in section 2 of
> [RFC8707].  See Section 2.2 and Section 5 for more details on how this
> measure ensures there's no confusion on to what resource the access token
> granted scopes apply.*
>
>
> apparently conflicts with RFC 8707. I'm afraid vendors that support RFC
> 8707 won't support this draft unless the requirement is loosened, for
> example from MUST to SHOULD.
>
> (2)
> Regarding another paragraph shown below from the same section.
>
> *If the request does not include a resource parameter, the authorization
> server MUST use in the aud claim a default resource indicator.  If a scope
> parameter is present in the request, the authorization server SHOULD use it
> to infer the value of the default resource indicator to be used in the aud
> claim.  The mechanism through which scopes are associated to default
> resource indicator values is outside the scope of this specification.  If
> the values in the scope parameter refer to different default resource
> indicator values, the authorization server SHOULD reject the request with
> invalid_scope as described in section 4.1.2.1 of [RFC6749].*
>
>
> The rule described here whereby to determine the default value of the
> "aud" claim is unintelligible. In addition, I don't think the rule
> referring to the "scope" parameter is worth being defined. That "aud" is
> missing but "scope" is available is enough for resource servers. In other
> words, if "aud" is determined based on the "scope", why do we have to set
> "aud" redundantly?
>
> Requiring the "aud" as a MUST claim is the reason that this draft has to
> introduce philosophy about "aud" that may conflict with other
> specifications and may not be supported by all implementers. I would
> suggest changing "REQUIRED" to "OPTIONAL".
>
>
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
>
> On Tue, Mar 24, 2020 at 10:32 AM Nikos Fotiou <fotiou@aueb.gr> wrote:
>
>> Hi all,
>>
>>
>>
>> Allow me some comments and forgive me if some of them are naïve.
>>
>> - In Section 2.2 why nbf claim (
>> https://tools..ietf.org/html/rfc7519#section-4.1.5)
>> <https://tools.ietf.org/html/rfc7519#section-4.1.5)> is not considered?
>> I can imagine some interesting applications of this claim.
>>
>> - In the same section, it is not clear why some claims are required,
>> especially exp, sub, and client_id. The last two claims are not even used
>> during token validation.
>>
>> - RFC7519 specifies that, in the general case, the aud claim is an array
>> of StringOrURI values. In this draft it is not clear if this still the
>> case, or here aud is a simple string (e.g., in page 5 it is stated: the
>> resource indicated in the aud claim, rather than the resource*s*).
>>
>> - In the token validation procedure, i.e., Section 4, is there any reason
>> why the resource server first checks the aud claim, then the signature, and
>> finally the exp claim? Given the fact that Error responses are not
>> specified, returning something like “invalid aud claim” even for tokens
>> with invalid signature may result in privacy/security attacks.
>>
>> - IMHO The token validation procedure it too bound to the particular
>> discovery mechanisms mentioned at the beginning of this section. E.g., Step
>> 2 mentions a “registration” process, and Step 3 mentions and an “Issuer
>> Identifier” which must much the iss claim. Moreover, I think it should be
>> explicitly mentioned that the resource server “must validate that the JWT
>> access token has been singed with a signing key that corresponds to the
>> authorization server included in the iss claim”
>>
>>
>>
>>
>>
>> Best,
>>
>> Nikos
>>
>>
>>
>> *From:* OAuth <oauth-bounces@ietf..org <oauth-bounces@ietf.org>> *On
>> Behalf Of *Hannes Tschofenig
>> *Sent:* Monday, March 23, 2020 11:18 PM
>> *To:* oauth <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth
>> 2.0 Access Tokens"
>>
>>
>>
>> Hi all,
>>
>>
>>
>> this is a working group last call for "JSON Web Token (JWT) Profile for
>> OAuth 2.0 Access Tokens".
>>
>>
>>
>> Here is the document:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04
>>
>>
>>
>> Please send you comments to the OAuth mailing list by April 6, 2020.
>>
>>
>>
>> Ciao
>>
>> Hannes & Rifaat
>>
>> IMPORTANT NOTICE: The contents of this email and any attachments are
>> confidential and may also be privileged. If you are not the intended
>> recipient, please notify the sender immediately and do not disclose the
>> contents to any other person, use it for any purpose, or store or copy the
>> information in any medium. Thank you.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>