Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
Sergey Beryozkin <sberyozkin@gmail.com> Fri, 12 August 2016 10:13 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1591C12D69A for <oauth@ietfa.amsl.com>; Fri, 12 Aug 2016 03:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3bhntRYpevr for <oauth@ietfa.amsl.com>; Fri, 12 Aug 2016 03:13:35 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA7DE12D13E for <oauth@ietf.org>; Fri, 12 Aug 2016 03:13:34 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id q128so19553206wma.1 for <oauth@ietf.org>; Fri, 12 Aug 2016 03:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=qlXJ7jtnMF3lIoxiU8N/7xCyU7xdzwcfEaPlWyPxHn8=; b=qG0hSOK/Wkgsb1wXszs05Ki512nOtXCCuUz8d/VMCOUxvWYwpPrshHnOCwCMH7gxwv Eh3ORN80XvIXs4d4S489n/XuWabCJab+gNvt0itZn/Pgo4QMbtdHNgT9x559HfWBzZt2 sGKn3t50SIqzkqVo2iBI8ZDjZYFqV/p0RkqnrmM9Hqq/gpwbetKP4KJfAUIM4ENVKhmw yffV/dAKMJ56w90Z4F57ktDjvWcEoJPQC863RdcOLDRP7CuyxtCyV8HRpI0GIrhhr4hz pPkYM0WWy/Mcj+Q6lOTHlQUo1m80ccS9aliM8hGO5cZfqCcYlLVPb95YyTXQpmAN00Z3 GNEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=qlXJ7jtnMF3lIoxiU8N/7xCyU7xdzwcfEaPlWyPxHn8=; b=mg1aZn2/dzZzKxSK1ZzzynfK2BjLwUN05+ZAwt26DR7uvl2eSs3cTsEaq8wQ2ab9/d 3KcvsMoRwyURuYD9O0JiZPjhLMwQ0zfkB833vhSHt76sxDrCt10aONBzmhkG6vpjWicY ISCY1/RPm/pllDA0kaeLbiZta28qzqNUJY+3Qlo2hSvnTrlGmejRvpW+BnLf8cBg/khx K8mtCDSIFGeRSOP7Uccd7qrMC4QVhum7D6wVORykRzUsckb703XM6xrH+sAR7aNHcDwH zzVJMhkgIPdMkN02RfDl4tMzrn2HM9luppJKRgGgZiCPoQmeSjIhQnZgv/BwKgMUNENR /BWQ==
X-Gm-Message-State: AEkoouuvLB8TOR6CZllkpdQf1k6B2LFccNGIAtHc/uPzS5Ar0M1PdkxLJSRIWEygOOLslA==
X-Received: by 10.28.100.70 with SMTP id y67mr2249047wmb.23.1470996813127; Fri, 12 Aug 2016 03:13:33 -0700 (PDT)
Received: from [192.168.2.7] ([79.97.121.181]) by smtp.googlemail.com with ESMTPSA id a184sm1907158wmh.1.2016.08.12.03.13.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Aug 2016 03:13:32 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>
References: <8472e581-1382-a364-a232-07ce6eeb0115@gmail.com> <852DC4F5-B9A0-4402-8550-6AB725546C63@ve7jtb.com> <9912591c-ce6c-b13c-e9f2-f0fb66b557d8@gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <6b6457e2-9cf1-9fdc-25f8-a0ee6be6976e@gmail.com>
Date: Fri, 12 Aug 2016 11:13:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <9912591c-ce6c-b13c-e9f2-f0fb66b557d8@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YlNIgkjqfrNrecIHXACHGWMKfB4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2016 10:13:37 -0000
Hi, After updating my earlier code (where 'client_id' was set as the standard JWT access token 'aud' property) to use 'aud' to represent the resource audiences I'm now thinking how to represent a 'client_id' in this token. For now if I'm using a 'client_id' claim, to be consistent with a standard token introspection response. The other thing is how to represent a name of the user who authorized the code grant which was exchanged for this token. Again I'm using a "username" claim, to be consistent with a standard token introspection response. Also thinking, what value if any a 'sub' claim in such a token should have. I'm setting it to a unique user identifier (similarly to IdToken). Any comments are welcome Sergey On 11/08/16 23:30, Sergey Beryozkin wrote: > Hi John > On 11/08/16 23:24, John Bradley wrote: >> I think most people put the a resource URI in the aud. >> >> Connect uses the client ID as that is bit more stable than trying to >> use a redirect URI when there could be multiple ones. >> Given that a resource server doesn’t typically have a client_id the >> resource uri make a reasonable value. >> >> You could put it in resource if you like, but that is probably not >> what others are doing. > I was suspecting I might be on my own here yes :-) > >> >> It may be time for a interoperable JWT access token profile of some sort. > > +1 > >> We keep getting close with some of the PoP stuff but only specify parts. > > Thanks, Sergey > >> >> John B. >>> On Aug 11, 2016, at 6:16 PM, Sergey Beryozkin <sberyozkin@gmail.com> >>> wrote: >>> >>> Hi All >>> >>> Awhile back I was asking why would self-contained JWS JWT access >>> tokens would be used (as opposed to JWE JWTs), my concern was that >>> anyone with a JWT library can read this token's content - but as I >>> was explained that should not be a problem if such a JWS JWT token >>> contains non-sensitive information. Besides, in some cases, it gives >>> RS an option to validate this JWS JWT locally, without having to make >>> a remote validation call. >>> >>> So I've started experimenting and the immediate question I have is >>> this one: which claim should one use to represent a resource server >>> audience to get the most inter-operable RS level validation logic ? >>> >>> For example, a given RS may talk to different 3rd party authorization >>> servers, say AS1 (vendor1) and AS2 (vendor2), and either AS1 or AS2 >>> JWS JWT tokens that this RS validates locally should ideally use the >>> same claim to represent a resource audience. RS validation logic is >>> written independently (without using AS1 or AS2 aware validation >>> libraries). >>> >>> We do expect such requirements coming in our deployments. AS1 & >>> independent validation logic is already in use. Just a matter of time >>> before AS2 is introduced. >>> >>> So JWT has a standard 'aud' claim - but I believe this should be a >>> 'clientId' of the client a token is issued to, similarly to the way >>> the 'aud' is treated in IdToken. >>> >>> So I've prototyped the code where JWT has these claims: >>> >>> "aud" = clientId >>> "resource" = 'http://myResourceServer' >>> >>> where 'resource' is borrowed from OAuth2 Resource Indicators draft >>> and represent a specific RS target address, the resource server >>> audience. >>> >>> Am I on the right path ? How would others do it when facing a task of >>> including a resource audience in a self-contained JWS JWT access token ? >>> >>> Many thanks, Sergey >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Brian Campbell
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… John Bradley
- [OAUTH-WG] JWS JWT Access Tokens and resource aud… Sergey Beryozkin