IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt

Vittorio Bertocci <vittorio.bertocci@auth0.com> Mon, 22 July 2019 15:13 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 803E91201D3 for <oauth@ietfa.amsl.com>; Mon, 22 Jul 2019 08:13:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gCmquk7xfOcM for <oauth@ietfa.amsl.com>; Mon, 22 Jul 2019 08:13:22 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32666120289 for <oauth@ietf.org>; Mon, 22 Jul 2019 08:13:22 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id v85so26882511lfa.6 for <oauth@ietf.org>; Mon, 22 Jul 2019 08:13:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:reply-to:from:date:message-id :subject:to:cc; bh=omq7/GwbYYPDQIT+jQFnMPD7RwWDRVAb/75NudqeDSg=; b=VCcuNVx/h2kAA3eTSwoYruAuM/rUp1Dt36jUmUMgWr/vsZF8Zodl/ldbmII/w2cpES wlsUy2qwi5WakzN7COPniKDKGhl40dRyS0d/8IhHUl2IYlr7rX9bH7vb1oLU3K1WHt8f V9IVrtRpLrYqfg2Yl8ieCxly0K75LrtpSNZMcrITYbVve1mDjx2NlOVmnmbnhYFxfgeJ C/uQUAmv1TzLjq5L6dcwcqOftXY2Yv+eoqein2vzydLo9pmkxCda5Zm2N5qALEebtPIA IC2zdGZ+mK1Lmp4+++Yi+sdlGIzBfvp1VIsHVXOMtSufgrWIsailzSJguYHkdMV/h8fE Fnow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:reply-to :from:date:message-id:subject:to:cc; bh=omq7/GwbYYPDQIT+jQFnMPD7RwWDRVAb/75NudqeDSg=; b=qG4pbAgXKTiD3NwFmYuj5265HFyDDWLwsRCERfl4rhRrozyN8hPvRBLkpu8dcwVWqt 9SjUiJNfzkS2iE2S3BZp1axGPFkDyc9MUymYcuZq4tu8FupqKxcsygA2zxZpFgd5Mg6P fUOFZDkfp9EtNJLar5yERIk+vPE6ILiZipVnwNAlQJngJrhJmZluxUVJ52GNGKQQFpjP O+KN9cADu6KZXmr1nf/p6WNWxza3PYz3PgeNeCRnAnWQ43n8aTmhp5DDOFLdSNMIURug Vc1kEO77mUgmyrom3lgXjTLuNmjtESi7xugEb5bc9jfQfdfldeXYQAuufp0nAQB6QgGp 2O3g==
X-Gm-Message-State: APjAAAU+aoE5+ANbddCWtwmo4KFw7Q2NFWurmfwLyXwkPAuQPRcBgxE4 RIyHv/ZTPU/uBiZc7AI3ACKzNnRAmap4InqncIYToXnoD8OtNQ==
X-Google-Smtp-Source: APXvYqyx4xCuCctYYXUAA/tE3R0Uvq6U3KVvciRHkPFXSrS6b3l1Ti+XHlN2uAjXCilremgRNR79BCFE1ExeBXLgdEw=
X-Received: by 2002:ac2:5c1d:: with SMTP id r29mr29526078lfp.72.1563808400221; Mon, 22 Jul 2019 08:13:20 -0700 (PDT)
MIME-Version: 1.0
References: <156371372426.20589.10365011724092335159@ietfa.amsl.com> <4A5EA92D-0B76-4383-9827-CF49CC363AA6@lodderstedt.net>
In-Reply-To: <4A5EA92D-0B76-4383-9827-CF49CC363AA6@lodderstedt.net>
Reply-To: Vittorio@auth0.com
From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Date: Mon, 22 Jul 2019 08:13:11 -0700
Message-ID: <CAO_FVe4rYRBnZ7_unzDVM9S7eEbPBc-hN0UeyFWJ_UfeoUhRGg@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000313a00058e46847f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_17t6ZVe-yYMGQvTfyzf7oixxWM>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2019 15:13:26 -0000

Thank you Torsten for the prompt review and insightful comments!

2.2.1 - excellent point. I added the suggested language.

2.2.2 - interesting. I did think of cases similar to profile in OIDC, where
the effect of the request is influencing the layout of the resulting
idtoken, but concluded that it didn't apply as is for access tokens. Given
that you have direct knowledge of such cases in the wild, I am happy to
relax the MUST into a SHOULD.

5. - this is going to be problematic in the wild. For example, in the azure
AD world a registered application can play both the role of an API and a
client; and requests for tokens targeting the app can use any identifier
assigned to the app. That means that although idtokens will only be issued
if the request identifies the client via clientID, access tokens requests
for it will be honored (and reflected in aud) both in the case the resource
parameter contains the clientID or the API URI of the target application.
In fact I suspect that the most recent version of the service uses the
clientID as preferred identifier, if not the only one. Mike/Tony can
confirm or deny.
As a compromise, we could add language in the spec that recommends the use
of a unique audience when viable, as an extra measure in case the typ value
isn't honored. WDYT?


On Mon, Jul 22, 2019 at 7:01 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> Hi Vittorio,
>
> thanks for contributing this specification. It fills a further gap in the
> OAuth universe :-)
>
> Here are my comments:
>
> - 2.2.1 there are other sources for identity claims, e.g.
> https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html.
>
> I recommend to open the clause
>
> "Any additional attributes whose semantic is well described by the
>    attributes description found in section 5.1 of [
> OpenID.Core] SHOULD
>    be codified in JWT access tokens via the corresponding claim names in
>    that section of the OpenID Connect specification.  The same holds for
>    attributes defined in [RFC7662]."
>
> by adding
>
> "and other identity related specifications.”
>
> Alternatively, the draft could also refer to the IANA “OAuth Token
> Introspection Response” registry as source for JWT claims.
>
> - 2.2.2.
>
> "If an authorization request includes a scope parameter, the
>    corresponding issued JWT access token MUST include a scope claim as
>    defined in section 4.2 of [TokenExchange]."
>
> Why do you establish such a strong link between the scope in the
> authorization request and the access token? I’m aware of implementations
> that map scope values to audience values and therefore do not carry the
> scope value to the resource server. I suggest to soften this requirement
> and make it a recommendation.
>
> - 5.
>
> "The JWT access token data layout described here is very similar to the
> one of the id_token as defined by [OpenID.Core].  Without the
>    explicit typing required in this profile, in line with the
> recommendations in [JWT.BestPractices] there would be the risk of
>    attackers using JWT access tokens in lieu of id_tokens."
>
> I like this practice but it is not established yet in the OpenID Connect
> universe. This means any OIDC RP will process an access token because it
> will just ignore the type header.
>
> draft-ietf-oauth-jwt-introspection-response therefore gives recommendation
> on how to use iss and aud claim to prevent JWT abuse (
> https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-04#section-6.1).
>
>
> Mapping this pattern to JWTs as access token requires that there must not
> be the same aud value for a resource server and any other JWT consumer,
> e.g. an OpenID Connect RP.
>
> kind regards,
> Torsten.
>
> > On 21. Jul 2019, at 14:55, internet-drafts@ietf.org wrote:
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> > This draft is a work item of the Web Authorization Protocol WG of the
> IETF.
> >
> >        Title           : JSON Web Token (JWT) Profile for OAuth 2.0
> Access Tokens
> >        Author          : Vittorio Bertocci
> >       Filename        : draft-ietf-oauth-access-token-jwt-01.txt
> >       Pages           : 15
> >       Date            : 2019-07-20
> >
> > Abstract:
> >   This specification defines a profile for issuing OAuth2 access tokens
> >   in JSON web token (JWT) format.  Authorization servers and resource
> >   servers from different vendors can leverage this profile to issue and
> >   consume access tokens in interoperable manner.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-01
> >
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-01
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-access-token-jwt-01
> >
> >
> > Please note that it may take a couple of minutes from the time of
> submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email