Re: [OAUTH-WG] Comparing the JSON Token drafts

Eve Maler <eve@xmlgrrl.com> Fri, 01 October 2010 13:38 UTC

Return-Path: <eve@xmlgrrl.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C4563A6F15 for <oauth@core3.amsl.com>; Fri, 1 Oct 2010 06:38:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.409
X-Spam-Level:
X-Spam-Status: No, score=-0.409 tagged_above=-999 required=5 tests=[AWL=-0.200, BAYES_00=-2.599, FROM_DOMAIN_NOVOWEL=0.5, HTML_MESSAGE=0.001, SARE_URI_CONS7=0.306, URIBL_RHS_DOB=1.083, URI_NOVOWEL=0.5]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cEoChg9dYie2 for <oauth@core3.amsl.com>; Fri, 1 Oct 2010 06:38:27 -0700 (PDT)
Received: from mail.promanage-inc.com (eliasisrael.com [98.111.84.13]) by core3.amsl.com (Postfix) with ESMTP id DEB7A3A6F16 for <oauth@ietf.org>; Fri, 1 Oct 2010 06:37:54 -0700 (PDT)
Received: from [192.168.168.198] ([192.168.168.198]) (authenticated bits=0) by mail.promanage-inc.com (8.14.4/8.14.3) with ESMTP id o91DcbDm019773 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 1 Oct 2010 06:38:38 -0700
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: multipart/alternative; boundary=Apple-Mail-32-542956409
From: Eve Maler <eve@xmlgrrl.com>
In-Reply-To: <AANLkTimokq-36Xt2hjrD1+Htj74d0L9jubg_c8=4sOXk@mail.gmail.com>
Date: Fri, 1 Oct 2010 06:38:37 -0700
Message-Id: <4AE0093F-E427-446B-8BB3-11D57EC89032@xmlgrrl.com>
References: <4E1F6AAD24975D4BA5B168042967394314AA9AF0@TK5EX14MBXC207.redmond.corp.microsoft.com> <AANLkTimokq-36Xt2hjrD1+Htj74d0L9jubg_c8=4sOXk@mail.gmail.com>
To: Dirk Balfanz <balfanz@google.com>
X-Mailer: Apple Mail (2.1081)
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Comparing the JSON Token drafts
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 13:38:30 -0000

Glad to see this being worked on here.  I wanted to add a few requirements (and maybe, just maybe, a bit of a solution) into the mix.

As you may recall, in the UMA group we've been working on what we called a "Claims 2.0" spec (all UMA specs -- and some OAuth-related specs too -- are linked off of http://kantarainitiative.org/confluence/display/uma/Working+Drafts ).

UMA inserts claims into a slightly different place in the proceedings than core OAuth; the authz server can demand claims from a client before issuing an access token, so that the resource server doesn't have to implement sophisticated policy decision-making logic when it interprets claims (classic PEP/PDP separation). But I think the "claims" we're talking about are essentially the same.

The Claims 2.0 spec contains both a simple JSON-based sub-protocol for requesting and supplying claims, and an (unfinished) claims format.  I think we'd be happy to simply point to an existing claims format if it met our needs, and then define our very thin protocol around that.  (If you look at our short spec called Simple Access Authorization Claims, you'll see some use cases for the protocol piece.)

As long as the claims format spec is JSON-based, and allows each claim to be individually signed for third-party issuer authentication, and allows the claim type to be a URL, that's a big chunk of our requirements. Meeting our claims communication protocol needs is another, but I think it *should* be easy to do. We'll do an analysis on our end to highlight other requirements/use cases and bring them here.

Regarding discovery, the core UMA spec specifies how an authz server/manager can declare its supported claim formats in XRD for a resource server/host (and presumably other parties) to discover, and we might require a short list of such formats for UMA compliance. Our core spec assumes that the OAuth Dynamic Client Registration I-D we contributed (linked off our Working Drafts page), or similar, would be used for discovery of such information. If specific XRD (or JRD) discovery info were "sedimented" into such a spec at the OAuth table, particularly if it specified a suitable OAuth core compliance set, we'd happily point to it.

	Eve

On 28 Sep 2010, at 10:23 AM, Dirk Balfanz wrote:

> On Mon, Sep 27, 2010 at 5:46 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Dirk and I both posted JSON Token drafts on Thursday.  They are at http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html (which I’ll refer to as Dirk’s draft) and http://self-issued.info/docs/draft-goland-json-web-token-00.html (which I’ll refer to as JWT).  This note points out some of the differences (and commonalities) in the interest of building consensus towards a unified approach.
> 
>  
> Commonalities:
> 
> ·         Both have ways of expressing the signature algorithm, token issuer, token expiration time, and intended audience.
> 
> ·         Both use a form of base64url encoding of the JSON claim data.
> 
> ·         Both require support for the HMAC SHA-256 signature algorithm, and describe how to sign with RSA SHA-256 as well.
> 
>  
> Differences:
> 
> ·         Dirk’s draft uses a base64url encoding that may include one or two ‘=’ pad characters.  The JWT draft uses base64url encoding without padding.
> 
> ·         JWT uses shorter claim names in the interest of brevity (“iss”, “exp”, and “aud”, versus “issuer”, “not_after”, and “audience”).
> 
> ·         JWT also describes how to sign with ECDSA SHA-256, plus HMAC, RSA, and ECDSA with longer key lengths.
> 
> ·         Dirk’s tokens must be signed, whereas signing JWTs is optional.
> 
> ·         Dirk’s draft provides for a key_id parameter and a means of serializing keys.
> 
> ·         Dirk’s draft utilizes a Magic Signatures envelope, whereas the only “envelope” component of a JWT is the encoded signature.
> 
> ·         Dirk’s draft proposes that a particular discovery mechanism be used with JSON tokens.
> 
>  
> Let me tackle the differences one at a time, in hopes of driving towards a consensus position.
> 
> 
> Hi there - thanks for writhing this up. Comments below:
> ·         To pad or not to pad:  The ‘=’ pad characters add length, are not URL-safe (and therefore must be escaped when used in URLs, adding more length), and add no information.  Therefore, I would propose that we agree not to use padding (as permitted by RFC 4648, Section 5), especially since a no-padding implementation is trivial, as shown in JWT Section 13.
> 
> 
> I don't feel strongly about this, but remember John Panzer's cautionary tales here: Apparently, padding-less encoding is not well-supported in some frameworks, which can lead to confusion.
>  
> ·         Claim name length: Given that a core goal of both specs is short tokens, I would propose that we use the shorter reserved claim names.  Having short tokens is especially important when used with mobile browsers, where URL length restrictions may be severe.  (People are always free to use longer ones in any particular application context if they have a reason to do so.)
> 
> 
> I don't feel strongly about this, but I think many people do want to have more descriptive names here. 
>  
> ·         Elliptic curve crypto and longer key lengths:  The JWT spec defines how to use ECC as well as HMAC and RSA.  Given ECC’s inclusion in NSA Suite B and that it has engineering advantages over RSA (shorter key lengths and more efficient computations), it makes sense that any modern spec incorporating cryptography allow its use as an option.  Likewise, it makes sense for the spec to define how to use longer key lengths on an optional basis.
> 
> So this one I do feel more strongly about: We should only include crypto mechanisms that everybody MUST support. Otherwise, we'll have to invent some sort of negotiation step in the protocol: "do you support alg XYZ? No I don't, please use ABC". Let's not do that. 
> 
> As just one datapoint, Google would have a hard time supporting ECC, since it's not in the Java core library. We don't use bouncycastle.
>  
> ·         Unsigned tokens:  In some application contexts, it may make sense to send unsigned tokens if carried in a signed and/or encrypted container or channel.  Allowing for unsigned tokens means that double signing need not occur.
> 
> That one just confuses me :-) What's the difference between OAuth without signatures and unsigned tokens? Is the latter not just a more complicated way of doing the former? 
> 
> ·         Key identification:  I agree that having means of identifying and distributing keys are critical for to end-to-end security of signed tokens.  That’s a separate point from whether the key identification and distribution mechanisms should be part of the token format specification, or treated separately.  I would advocate that it be treated separately (as was done with SWTs as well), but am open to discussion on this point.
> 
> ·         Discovery:  Like key distribution, I believe that an agreement on discovery mechanisms is critical to many use cases.  But like key distribution, I’d like us to take that up in a separate specification, rather than tightly binding the use of JSON tokens to a particular discovery mechanism.
> 
> 
> 
> Here is where I'm coming from: I find the public-key versions of the signatures much more intriguing - they allow for easier key management, key rotation, etc. To actually reap the benefits of key rotation, though, we need to say how to find out what the currently-used key is. If we don't, then a lot of the potential advantage of using public keys evaporates. I'm concerned that, lacking the discovery spec, developers will start hard-coding keys into their servers, and we'll end up in a situation where we can't rotate keys when Something Bad happens.
> 
> ·         Envelope structure:  Dirk’s draft proposes that the signed content be wrapped in a particular kind of envelope.  Among other things, this envelope can help prevent a token from being repurposed from one context to another, by having a clear (and cryptographically verified) declaration that “This is a JSON token”.  I understand this motivation and am open to discussions on how to best achieve it, while still providing as little mechanism as possible (but no less J).
> 
> Well, you've seen my proposal on how to achieve it :-), but I'm also open to better ways, if someone comes up with one...
> 
> Dirk.
>  
>  
> Dirk, and others, please jump in!
> 
>  
>                                                                 -- Mike
> 
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


Eve Maler                                  http://www.xmlgrrl.com/blog
+1 425 345 6756                         http://www.twitter.com/xmlgrrl