IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

David Waite <david@alkaline-solutions.com> Mon, 01 April 2019 19:02 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0E11204E8 for <oauth@ietfa.amsl.com>; Mon, 1 Apr 2019 12:02:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cTtFpMElfIt for <oauth@ietfa.amsl.com>; Mon, 1 Apr 2019 12:02:23 -0700 (PDT)
Received: from alkaline-solutions.com (lithium5.alkaline-solutions.com [173.255.196.46]) by ietfa.amsl.com (Postfix) with ESMTP id BB42012004C for <oauth@ietf.org>; Mon, 1 Apr 2019 12:02:23 -0700 (PDT)
Received: from [IPv6:2601:282:202:b210:1f3:1570:3349:8b27] (unknown [IPv6:2601:282:202:b210:1f3:1570:3349:8b27]) by alkaline-solutions.com (Postfix) with ESMTPSA id 09A6331625; Mon, 1 Apr 2019 19:02:21 +0000 (UTC)
From: David Waite <david@alkaline-solutions.com>
Message-Id: <CB442B2B-4084-4C0D-8B4C-59C10423B387@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_AE3592FB-A2E8-4F9F-B2C0-CE78F7077A9F"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Mon, 01 Apr 2019 13:02:20 -0600
In-Reply-To: <2a523e40-470b-4727-4e38-7a60552a285a@aol.com>
Cc: Vittorio@auth0.com, IETF oauth WG <oauth@ietf.org>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <2a523e40-470b-4727-4e38-7a60552a285a@aol.com>
X-Mailer: Apple Mail (2.3445.104.8)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_MD1-B6_SnL8PHb6ClF8mH2wC4k>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 19:02:34 -0000

Do we know if there is a justifying use case for auth_time, acr, and amr to be available in OAuth JWT access tokens? These are meant to be messages about the client, either directly (in the case of client credentials) or about its delegated authorization of the user.

Embedding attributes about the user (such as group membership and roles) can be used for the resource to make finer-grained decisions than scopes, but normally I would expect say acr limitations enforced by a resource to instead be controlled by the AS requiring a higher quality authentication to release certain scopes.

Thats of course not to say extensions to OAuth such as OIDC can’t provide these values, just that they might better be defined by those extensions.

-DW

> On Apr 1, 2019, at 9:12 AM, George Fletcher <gffletch=40aol.com@dmarc.ietf.org> wrote:
> 
> Thanks for writing this up. One comment on auth_time...
> 
>    auth_time  OPTIONAL - as defined in section 2 of [OpenID.Core <https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00#ref-OpenID.Core>].
>       Important: as this claim represents the time at which the end user
>       authenticated, its value will remain the same for all the JWT
>       access tokens issued within that session.  For example: all the
>       JWT access tokens obtained with a given refresh token will all
>       have the same value of auth_time, corresponding to the instant in
>       which the user first authenticated to obtain the refresh token.
> 
> During a current session a user can be challenged for additional credentials or required to re-authenticate due to a number of different reasons. For example, OIDC prompt=login or max_age=NNN. In this context, I'd assume that the auth_time value should be updated to the latest time at which the user authenticated. 
> 
> If we need a timestamp for when the "session" started, then there could be a session_start_time claim.
> 
> Thanks,
> George
> 
> On 3/24/19 7:29 PM, Vittorio Bertocci wrote:
>> Dear all,
>> I just submitted a draft describing a JWT profile for OAuth 2.0 access tokens. You can find it in https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/ <https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/>.
>> I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting remotely). I look forward for your comments!
>> 
>> Here's just a bit of backstory, in case you are interested in how this doc came to be. The trajectory it followed is somewhat unusual.
>> Despite OAuth2 not requiring any specific format for ATs, through the years I have come across multiple proprietary solution using JWT for their access token. The intent and scenarios addressed by those solutions are mostly the same across vendors, but the syntax and interpretations in the implementations are different enough to prevent developers from reusing code and skills when moving from product to product.
>> I asked several individuals from key products and services to share with me concrete examples of their JWT access tokens (THANK YOU Dominick Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta) for the tokens and explanations!). 
>> I studied and compared all those instances, identifying commonalities and differences. 
>> I put together a presentation summarizing my findings and suggesting a rough interoperable profile (slides: https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx> ) - got early feedback from Filip Skokan on it. Thx Filip!
>> The presentation was followed up by 1.5 hours of unconference discussion, which was incredibly valuable to get tight-loop feedback and incorporate new ideas. John Bradley, Brian Campbell Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there and contributed generously to the discussion. Thank you!!!
>> Note: if you were at OSW2019, participated in the discussion and didn't get credited in the draft, my apologies: please send me a note and I'll make things right at the next update.
>> On my flight back I did my best to incorporate all the ideas and feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat, Hannes and above all Brian were all super helpful in negotiating the mysterious syntax of the RFC format and submission process.
>> I was blown away by the availability, involvement and willingness to invest time to get things right that everyone demonstrated in the process. This is an amazing community. 
>> V.
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email