Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
Sergey Beryozkin <sberyozkin@gmail.com> Thu, 11 August 2016 22:31 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91E9E12D82C for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2016 15:31:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWYqGcXtSAet for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2016 15:31:00 -0700 (PDT)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C64A812D605 for <oauth@ietf.org>; Thu, 11 Aug 2016 15:30:59 -0700 (PDT)
Received: by mail-wm0-x233.google.com with SMTP id o80so19950890wme.1 for <oauth@ietf.org>; Thu, 11 Aug 2016 15:30:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=ESSliqjx7CR4GL2YOs2UvIMZjcsBQ9jnp2orQIzrFgM=; b=xnJfD7mgncntDBlEROTFnNkqTLKyb5HXvujS9Cs6BO5ltoEKLrbME6S0rEbCo0t2Dl GIkoYKWqKRjtd4QIhIYMocBjQSwSAKCge+MHC5RPlcUmUj4dOSrTri880uwGPUiw0H+K n+htQzbJO19zkE5E9gmtkrDOyVyGI8ZKN3KFCFs4IXuVzQddhPC+C+vTrK36uxVlAUyW PnGtbeMCznrZ9d2OBYLJF5KCapUeiFphK8EZ0q+LHhrKPm53K7hFNG1yj+WucXMghQ2H +kpeNhwdAsbdRSsf6aqxK9vA27WxQebg8J5J0z60+B5ckb7wjy9MS3weaVX9LlusryUc Pnng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=ESSliqjx7CR4GL2YOs2UvIMZjcsBQ9jnp2orQIzrFgM=; b=HC0ujdf+S4Y27aACNGqRUSBGdpZAvHEt2aOPdW5M86bL5tr7vY74hPFlqGCzcnp86n mKLudQZgawj/Aow7fQodDf6azps1UZMx5hWU47gdeKPAgfEIzSyvBCiEBWDK07SHS8Y5 xI8wXo/Sjv1mn7GTpZNxKofXxgM69Cysoe7J0zbNemd7/PJt2EQFh5HEfTkxs9bjk1rj Z9w9OG1gMdGLaIV24VZ7wLKdiFoO9QczBnjpp1FneGsRUxd07ikCM7U7mTMCk6ZyqzMm 6btXLx4jJpjTJ1cwXeVa+ZWzmt5SUlnBLSSVMBvM2yhsSU1CY+T8SDpPjpJoizulkOLJ dekw==
X-Gm-Message-State: AEkoouvz9Cq5CGto3fYGkdUNb7xRlV4bEpEyDkaVtCv21/BYvmrkkD8c4uREXfmAoFvzyA==
X-Received: by 10.194.107.33 with SMTP id gz1mr14646194wjb.178.1470954658123; Thu, 11 Aug 2016 15:30:58 -0700 (PDT)
Received: from [192.168.2.7] ([79.97.121.181]) by smtp.googlemail.com with ESMTPSA id a203sm2117869wma.0.2016.08.11.15.30.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 11 Aug 2016 15:30:57 -0700 (PDT)
To: John Bradley <ve7jtb@ve7jtb.com>
References: <8472e581-1382-a364-a232-07ce6eeb0115@gmail.com> <852DC4F5-B9A0-4402-8550-6AB725546C63@ve7jtb.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <9912591c-ce6c-b13c-e9f2-f0fb66b557d8@gmail.com>
Date: Thu, 11 Aug 2016 23:30:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <852DC4F5-B9A0-4402-8550-6AB725546C63@ve7jtb.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_0EbOscoYBmCxQo6FtzpAI5ijlg>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 22:31:01 -0000
Hi John On 11/08/16 23:24, John Bradley wrote: > I think most people put the a resource URI in the aud. > > Connect uses the client ID as that is bit more stable than trying to use a redirect URI when there could be multiple ones. > Given that a resource server doesn’t typically have a client_id the resource uri make a reasonable value. > > You could put it in resource if you like, but that is probably not what others are doing. I was suspecting I might be on my own here yes :-) > > It may be time for a interoperable JWT access token profile of some sort. +1 > We keep getting close with some of the PoP stuff but only specify parts. Thanks, Sergey > > John B. >> On Aug 11, 2016, at 6:16 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote: >> >> Hi All >> >> Awhile back I was asking why would self-contained JWS JWT access tokens would be used (as opposed to JWE JWTs), my concern was that anyone with a JWT library can read this token's content - but as I was explained that should not be a problem if such a JWS JWT token contains non-sensitive information. Besides, in some cases, it gives RS an option to validate this JWS JWT locally, without having to make a remote validation call. >> >> So I've started experimenting and the immediate question I have is this one: which claim should one use to represent a resource server audience to get the most inter-operable RS level validation logic ? >> >> For example, a given RS may talk to different 3rd party authorization servers, say AS1 (vendor1) and AS2 (vendor2), and either AS1 or AS2 JWS JWT tokens that this RS validates locally should ideally use the same claim to represent a resource audience. RS validation logic is written independently (without using AS1 or AS2 aware validation libraries). >> >> We do expect such requirements coming in our deployments. AS1 & independent validation logic is already in use. Just a matter of time before AS2 is introduced. >> >> So JWT has a standard 'aud' claim - but I believe this should be a 'clientId' of the client a token is issued to, similarly to the way the 'aud' is treated in IdToken. >> >> So I've prototyped the code where JWT has these claims: >> >> "aud" = clientId >> "resource" = 'http://myResourceServer' >> >> where 'resource' is borrowed from OAuth2 Resource Indicators draft and represent a specific RS target address, the resource server audience. >> >> Am I on the right path ? How would others do it when facing a task of including a resource audience in a self-contained JWS JWT access token ? >> >> Many thanks, Sergey >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Brian Campbell
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… John Bradley
- [OAUTH-WG] JWS JWT Access Tokens and resource aud… Sergey Beryozkin