IETF Logo Mail Archive

Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 12 August 2016 10:13 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1591C12D69A for <oauth@ietfa.amsl.com>; Fri, 12 Aug 2016 03:13:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b3bhntRYpevr for <oauth@ietfa.amsl.com>; Fri, 12 Aug 2016 03:13:35 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA7DE12D13E for <oauth@ietf.org>; Fri, 12 Aug 2016 03:13:34 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id q128so19553206wma.1 for <oauth@ietf.org>; Fri, 12 Aug 2016 03:13:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=qlXJ7jtnMF3lIoxiU8N/7xCyU7xdzwcfEaPlWyPxHn8=; b=qG0hSOK/Wkgsb1wXszs05Ki512nOtXCCuUz8d/VMCOUxvWYwpPrshHnOCwCMH7gxwv Eh3ORN80XvIXs4d4S489n/XuWabCJab+gNvt0itZn/Pgo4QMbtdHNgT9x559HfWBzZt2 sGKn3t50SIqzkqVo2iBI8ZDjZYFqV/p0RkqnrmM9Hqq/gpwbetKP4KJfAUIM4ENVKhmw yffV/dAKMJ56w90Z4F57ktDjvWcEoJPQC863RdcOLDRP7CuyxtCyV8HRpI0GIrhhr4hz pPkYM0WWy/Mcj+Q6lOTHlQUo1m80ccS9aliM8hGO5cZfqCcYlLVPb95YyTXQpmAN00Z3 GNEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=qlXJ7jtnMF3lIoxiU8N/7xCyU7xdzwcfEaPlWyPxHn8=; b=mg1aZn2/dzZzKxSK1ZzzynfK2BjLwUN05+ZAwt26DR7uvl2eSs3cTsEaq8wQ2ab9/d 3KcvsMoRwyURuYD9O0JiZPjhLMwQ0zfkB833vhSHt76sxDrCt10aONBzmhkG6vpjWicY ISCY1/RPm/pllDA0kaeLbiZta28qzqNUJY+3Qlo2hSvnTrlGmejRvpW+BnLf8cBg/khx K8mtCDSIFGeRSOP7Uccd7qrMC4QVhum7D6wVORykRzUsckb703XM6xrH+sAR7aNHcDwH zzVJMhkgIPdMkN02RfDl4tMzrn2HM9luppJKRgGgZiCPoQmeSjIhQnZgv/BwKgMUNENR /BWQ==
X-Gm-Message-State: AEkoouuvLB8TOR6CZllkpdQf1k6B2LFccNGIAtHc/uPzS5Ar0M1PdkxLJSRIWEygOOLslA==
X-Received: by 10.28.100.70 with SMTP id y67mr2249047wmb.23.1470996813127; Fri, 12 Aug 2016 03:13:33 -0700 (PDT)
Received: from [192.168.2.7] ([79.97.121.181]) by smtp.googlemail.com with ESMTPSA id a184sm1907158wmh.1.2016.08.12.03.13.32 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 Aug 2016 03:13:32 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>
References: <8472e581-1382-a364-a232-07ce6eeb0115@gmail.com> <852DC4F5-B9A0-4402-8550-6AB725546C63@ve7jtb.com> <9912591c-ce6c-b13c-e9f2-f0fb66b557d8@gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <6b6457e2-9cf1-9fdc-25f8-a0ee6be6976e@gmail.com>
Date: Fri, 12 Aug 2016 11:13:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <9912591c-ce6c-b13c-e9f2-f0fb66b557d8@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YlNIgkjqfrNrecIHXACHGWMKfB4>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2016 10:13:37 -0000

Hi,


After updating my earlier code (where 'client_id' was set as the 
standard JWT access token 'aud' property) to use 'aud' to represent the 
resource audiences I'm now thinking how to represent a 'client_id' in 
this token.

For now if I'm using a 'client_id' claim, to be consistent with a 
standard token introspection response.

The other thing is how to represent a name of the user who authorized 
the code grant which was exchanged for this token.

Again I'm using a "username" claim, to be consistent with a standard 
token introspection response.

Also thinking, what value if any a 'sub' claim in such a token should 
have. I'm setting it to a unique user identifier (similarly to IdToken).

Any comments are welcome

Sergey

On 11/08/16 23:30, Sergey Beryozkin wrote:
> Hi John
> On 11/08/16 23:24, John Bradley wrote:
>> I think most people put the a resource URI in the aud.
>>
>> Connect uses the client ID as that is bit more stable than trying to
>> use a redirect URI when there could be multiple ones.
>> Given that a resource server doesn’t typically have a client_id the
>> resource uri make a reasonable value.
>>
>> You could put it in resource if you like, but that is probably not
>> what others are doing.
> I was suspecting I might be on my own here yes :-)
>
>>
>> It may be time for a interoperable JWT access token profile of some sort.
>
> +1
>
>> We keep getting close with some of the PoP stuff but only specify parts.
>
> Thanks, Sergey
>
>>
>> John B.
>>> On Aug 11, 2016, at 6:16 PM, Sergey Beryozkin <sberyozkin@gmail.com>
>>> wrote:
>>>
>>> Hi All
>>>
>>> Awhile back I was asking why would self-contained JWS JWT access
>>> tokens would be used (as opposed to JWE JWTs), my concern was that
>>> anyone with a JWT library can read this token's content - but as I
>>> was explained that should not be a problem if such a JWS JWT token
>>> contains non-sensitive information. Besides, in some cases, it gives
>>> RS an option to validate this JWS JWT locally, without having to make
>>> a remote validation call.
>>>
>>> So I've started experimenting and the immediate question I have is
>>> this one: which claim should one use to represent a resource server
>>> audience to get the most inter-operable RS level validation logic ?
>>>
>>> For example, a given RS may talk to different 3rd party authorization
>>> servers, say AS1 (vendor1) and AS2 (vendor2), and either AS1 or AS2
>>> JWS JWT tokens that this RS validates locally should ideally use the
>>> same claim to represent a resource audience. RS validation logic is
>>> written independently (without using AS1 or AS2 aware validation
>>> libraries).
>>>
>>> We do expect such requirements coming in our deployments. AS1 &
>>> independent validation logic is already in use. Just a matter of time
>>> before AS2 is introduced.
>>>
>>> So JWT has a standard 'aud' claim - but I believe this should be a
>>> 'clientId' of the client a token is issued to, similarly to the way
>>> the 'aud' is treated in IdToken.
>>>
>>> So I've prototyped the code where JWT has these claims:
>>>
>>> "aud" = clientId
>>> "resource" = 'http://myResourceServer'
>>>
>>> where 'resource' is borrowed from OAuth2 Resource Indicators draft
>>> and represent a specific RS target address, the resource server
>>> audience.
>>>
>>> Am I on the right path ? How would others do it when facing a task of
>>> including a resource audience in a self-contained JWS JWT access token ?
>>>
>>> Many thanks, Sergey
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email