[OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions
Jared Hanson <jaredhanson@gmail.com> Wed, 12 February 2014 18:26 UTC
Return-Path: <jaredhanson@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D261E1A0602 for <oauth@ietfa.amsl.com>; Wed, 12 Feb 2014 10:26:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6LVwuKJkH5GS for <oauth@ietfa.amsl.com>; Wed, 12 Feb 2014 10:26:34 -0800 (PST)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 2EAEA1A0635 for <oauth@ietf.org>; Wed, 12 Feb 2014 10:26:34 -0800 (PST)
Received: by mail-we0-f171.google.com with SMTP id u56so6409380wes.16 for <oauth@ietf.org>; Wed, 12 Feb 2014 10:26:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=VyTVBlj9VR1dCMtCe6dQcJ8tPl22zxQA5Hr/MQsmHFI=; b=Vi7YV5uWAk40WOO76nfoMLnddu5JXUVICvHFOPSEhvunCWlC2lj95CgjUiqGEyraMb VBjgfTmXw1Mgy/SULSJslnVMDFPsLnXRp5MzhIhqtvOeXDwyygAxhITM7cKxqyX7YmPR Gy0vuspbmI1hrDjWrJwl9D4GEfSI6Aq0eToNKuHtSFy/wtuq3i9Efqbjb6GfLAMzcZFW VprZsmbbXi42qXu3wIS+I+QnZ0W8fve02DEabG0iNfA4ITNN/1HZB5dxVYCaoUTi6Ri1 HsmtkWoX05YVH92UBGmjX2J1cz1OZZnY0iUajb0aFx3m5E2EGB+cEceLEVzcGXZ8yw24 CKDQ==
MIME-Version: 1.0
X-Received: by 10.194.134.132 with SMTP id pk4mr2143927wjb.82.1392229592825; Wed, 12 Feb 2014 10:26:32 -0800 (PST)
Received: by 10.180.7.106 with HTTP; Wed, 12 Feb 2014 10:26:32 -0800 (PST)
Date: Wed, 12 Feb 2014 10:26:32 -0800
Message-ID: <CAExnpZB_Wd4jvC9vvu2VbrtdzvRRTdZv54sLYGt9CTJeVR_RAQ@mail.gmail.com>
From: Jared Hanson <jaredhanson@gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="089e01227f4453b4c404f239b66d"
Subject: [OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2014 18:26:38 -0000
I'm wondering if there is any guidance on including "jku", "jwk", "x5u", and "x5c" claims in a JWT/JWS used as a bearer assertion for authentication. Specifically, in the case of service-to-service authentication, where the "iss" is set to the service acting as a client, say "https://client.example.net/" making a request to "https://api.example.com/", and the assertion is signed using client.example.net's private key. In this situation, api.example.com authenticates the assertion by finding the corresponding public key (possibly in a JWK set, the location of which can be obtained by something like OpenID Provider Configuration [1]). It is clear that any claims in the assertion are self-asserted until validated, including both the "iss" and any keys or URLs to keys. Thus, when a service validates the assertion, it *must not* use the values of "jku", etc to validate the signature. Instead it should use some trusted channel to obtain the keys directly from the issuer. If this were not done, a malicious entity could freely generate assertions claiming to be client.example.net, using any private key and including a malicious reference to its own public key using a "jku" set to " https://malicious.com/jwks.json" This security consideration is not called out anywhere that I've noticed, which I've seen leading to insecure implementations and/or bad examples. For example, this example on Gluu's wiki: http://ox.gluu.org/doku.php?id=oxauth:jwt is blindly using the value of "jku" to fetch the key used to validate the signature, without any way to validate that the URL itself belongs to the issuer. I'm raising this point hoping that guidance can be clarified and included in the specification. Thanks, Jared Hanson PS. I separately sent this same message to the JOSE list, and later figured it was equally relevant to OAuth, if not more so. [1] http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig -- Jared Hanson <http://jaredhanson.net/>
- [OAUTH-WG] Correct use of jku claims in JWT/JWS b… Jared Hanson
- Re: [OAUTH-WG] Correct use of jku claims in JWT/J… Brian Campbell
- Re: [OAUTH-WG] Correct use of jku claims in JWT/J… Mike Jones