IETF Logo Mail Archive

Re: [OAUTH-WG] JWT - scope claim missing

John Bradley <ve7jtb@ve7jtb.com> Thu, 28 February 2013 19:57 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDBD421F88E1 for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 11:57:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.365
X-Spam-Level:
X-Spam-Status: No, score=-3.365 tagged_above=-999 required=5 tests=[AWL=0.233, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9cmlOhnXJfC1 for <oauth@ietfa.amsl.com>; Thu, 28 Feb 2013 11:57:14 -0800 (PST)
Received: from mail-pa0-f44.google.com (mail-pa0-f44.google.com [209.85.220.44]) by ietfa.amsl.com (Postfix) with ESMTP id 38C6721F88DD for <oauth@ietf.org>; Thu, 28 Feb 2013 11:57:14 -0800 (PST)
Received: by mail-pa0-f44.google.com with SMTP id kp1so1332576pab.31 for <oauth@ietf.org>; Thu, 28 Feb 2013 11:57:13 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:content-type:mime-version:subject:from:in-reply-to:date :cc:message-id:references:to:x-mailer:x-gm-message-state; bh=dj2nr+7RHeK8+E6BCXxTTQciUeD7CRqN7NL0Fo3lcYc=; b=cEKDktBIfNKS27/KurdZGYFDQ3snJCRd3wz0Wm/gbVCm/17A7G3Jv5W7ug101dna6v J644HN0u6eIPFQ7t4zBY1t2yEvqWLCwqcwIDJ/fbUuV3/aoKkMWR/FjeanEHqUd5FuKI +PQjHVcOGD1VLED3L6nKqaZypvz1EdvB+RTJiH0vuvRUCiXxuY8dL4yVDfq7Oexdxsil 5xKuRe82oH7fTcT9qlGbMtZKjDsq0/q+VhBhrQlVx6q//BugW9Q+1xk9fmmh5b09NXIN gvA1jORnpkEUKDWfBzY5uc7wqmH/JHfYGIymk3JV3V3C+5OwKzkyYhAHZP/XSjNhgd1n mngA==
X-Received: by 10.66.145.130 with SMTP id su2mr14904682pab.74.1362081433734; Thu, 28 Feb 2013 11:57:13 -0800 (PST)
Received: from [192.168.43.179] (mobile-166-137-184-056.mycingular.net. [166.137.184.56]) by mx.google.com with ESMTPS id a4sm10226976paw.21.2013.02.28.11.57.10 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 28 Feb 2013 11:57:12 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_B7B7849C-52AA-447C-84F4-2002C676ECE2"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <512FAC0F.5070409@mitre.org>
Date: Thu, 28 Feb 2013 11:57:08 -0800
Message-Id: <3D9DC9D6-35E4-4C86-8891-ED5420D2602E@ve7jtb.com>
References: <0EC2404F-E3C5-4AD1-88B4-E74AA0394DD9@gmx.net> <C75E4871-E907-4EF7-BAF0-9D1A172D581B@ve7jtb.com> <CA6A6425-D0CE-469F-B51E-9F296DA8041C@oracle.com> <CA+k3eCREgN+6z+U=jjJcPo0nZVR0GWn5zXeecZRO+rg=xd-gZg@mail.gmail.com> <A2375FE9-946F-46B3-9356-0709DD56BD4A@ve7jtb.com> <48FD87D1-4DF4-4289-99B7-40A515F31890@oracle.com> <3E472720-31A4-40A0-AAA4-402CF850831A@ve7jtb.com> <7127843B-D7B0-4AB6-87F1-1604D1EFFA79@oracle.com> <50DA292F-32F0-4266-8401-006AD837B775@ve7jtb.com> <CA+k3eCSyE3cPMh17XuivbUZUtHY=RAtjV1UeCdW6gGFk+gv02A@mail.gmail.com> <512FAC0F.5070409@mitre.org>
To: Justin Richer <jricher@mitre.org>
X-Mailer: Apple Mail (2.1499)
X-Gm-Message-State: ALoCoQn9+ivznjaPOspwKlGfECdGpsHKbQObr7jZHY91WiVIKsJWkLFSlEeNQkhequGIftcwwB0/
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWT - scope claim missing
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 19:57:16 -0000

Agreed profiling needs to happen for access tokens someplace.   In the MAC spec is probably not the best place if the claims are used outside of MAC as well.

There is a separate issue once we get to that profile about scope.   I don't know many RS that do a 1 to 1 mapping of scope at the AS.  Not that they couldn't.
I just don't want to start the access token profiling assuming a one to one mapping of scopes is the only way to do it.

John B.
On 2013-02-28, at 11:12 AM, Justin Richer <jricher@mitre.org> wrote:

> Brian, I think you're conflating two things (and John might be, too). On the one hand, we've got the JWT document, which talks about what goes into the token itself. This can be used as an assertion, as an access token, as a floor wax / dessert topping. JWT doesn't really care, and this is really only in the OAuth WG thanks to IETF politics. Then we have the assertion profiles which say how to use things like JWT to do specific things in OAuth, and these are what Brian's talking about below.
> 
> Ultimately, this conversation is about the former and not the latter. That said, since an OAuth access token is a valid (and common) use of JWT, I think that having a common way to put things like "scope" and "client_id" and other OAuthy things into a JWT makes a whole heck of a lot of sense. Whether or not that is inside of the base JWT draft (since it's supposed to be for many use cases), I don't particularly care, and I can see the arguments from both sides.
> 
>  -- Justin
> 
> On 02/28/2013 02:03 PM, Brian Campbell wrote:
>> I'm not sure anyone really "picked" the titles for the bearer token profiles. They just kind of evolved. And evolved in funny ways especially when client authn to the AS was added. 
>> 
>> You won't hear me argue that the titles are "good" and this is not the first time there's been confusion about what they actually do. They define new grant types and new client authentication methods. They *do not* define an access token format or anything else about access tokens. JWT and SAML could be used for that but that's not what these drafts do. 
>> 
>> Suggestions for better title(s) would be more than welcome.
>> 
>> Here's what they are now:
>> 
>> SAML 2.0 Bearer Assertion Profiles for OAuth 2.0
>> draft-ietf-oauth-saml2-bearer
>> 
>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>> draft-ietf-oauth-jwt-bearer
>> 
>> Assertion Framework for OAuth 2.0
>> draft-ietf-oauth-assertions
>> 
>> On Thu, Feb 28, 2013 at 11:36 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> Yes the title likely adds to the confusion given that the bearer tokens are not access tokens.
>> 
>> Things as separate from OAuth as the Firefox browerID spec use JWS signed JWTs.  
>> 
>> The bearer token profiles for OAuth 2 are for OAuth2.
>> 
>> The JSON Web Token (JWT) spec did not start in OAuth and is not OAuth specific.
>> 
>> A JWT is:
>> JSON Web Token (JWT)  A string representing a set of claims as a JSON
>>       object that is encoded in a JWS or JWE, enabling the claims to be
>>       digitally signed or MACed and/or encrypted.
>> 
>> So OAuth or other profiles may define claims to go in a JWT, but the JWT needs to itself only define the claims necessary for security processing.  
>> 
>> John B.
>> PS that was a soft ball If you hadn't responded I would have been disappointed.  I din't pick the title for the bearer token profiles.
>> 
>> 
>> On 2013-02-28, at 10:12 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>> 
>>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>> 
>>> Note the title says "for OAuth2"
>>> 
>>> Sorry. Couldn't resist. 
>>> 
>>> Phil
>>> 
>>> Sent from my phone.
>>> 
>>> On 2013-02-28, at 9:40, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> 
>>>> JWT is an assertion( I am probably going to regret using that word).
>>>> 
>>>> It is used in openID connect for id_tokens, it is used in OAuth for Assertion grant types and authentication of the client to the token endpoint.
>>>> http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-04
>>>> 
>>>> JSON Web Token (JWT) Bearer Token Profiles for OAuth 2.0
>>>> 
>>>> Dosen't define JWT's use for access tokens for the RS.   
>>>> 
>>>> Bottom line JWT is for more than access tokens.
>>>> 
>>>> John B.
>>>> 
>>>> On 2013-02-28, at 9:28 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>> 
>>>>> Are you saying jwt is not an access token type?
>>>>> 
>>>>> Phil
>>>>> 
>>>>> Sent from my phone.
>>>>> 
>>>>> On 2013-02-28, at 8:58, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>>> 
>>>>>> Yes, defining scope in JWT is the wrong place.   JWT needs to stick to the security claims needed to process JWT.
>>>>>> 
>>>>>> I also don't know how far you get requiring a specific authorization format for JWT, some AS will wan to use a opaque reference, some might want to use a user claim or role claim, others may use scopes,  combining scopes and claims is also possible.
>>>>>> 
>>>>>> Right now it is up to a AS RS pair to agree on how to communicate authorization.   I don't want MAC to be more restrictive than bearer when it comes to authorization between AS and RS.
>>>>>> 
>>>>>> Hannes wanted to know why JWT didn't define scope.  The simple answer is that it is out of scope for JWT itself.   It might be defined in a OAuth access token profile for JWT but it should not be specific to MAC.
>>>>>> 
>>>>>> John B.
>>>>>> On 2013-02-28, at 8:44 AM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>>>>> 
>>>>>>> I think John's point was more that scope is something rather specific to an OAuth access token and, while JWT is can be used to represent an access token, it's not the only application of JWT. The 'standard' claims in JWT are those that are believed (right or wrong) to be widely applicable across different applications of JWT. One could argue about it but scope is probably not one of those.
>>>>>>> 
>>>>>>> It would probably make sense to try and build a profile of JWT specifically for OAuth access tokens (though I suspect there are some turtles and dragons in there), which might be the appropriate place to define/register a scope claim.
>>>>>>> 
>>>>>>> 
>>>>>>> On Thu, Feb 28, 2013 at 9:24 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>>>>>>> Are you advocating TWO systems? That seems like a bad choice.
>>>>>>> 
>>>>>>> I would rather fix scope than go to a two system approach.
>>>>>>> 
>>>>>>> Phil
>>>>>>> 
>>>>>>> Sent from my phone.
>>>>>>> 
>>>>>>> On 2013-02-28, at 8:17, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>>>>> 
>>>>>>> > While scope is one method that a AS could communicate authorization to a RS, it is not the only or perhaps even the most likely one.
>>>>>>> > Using scope requires a relatively tight binding between the RS and AS,  UMA uses a different mechanism that describes finer grained operations.
>>>>>>> > The AS may include roles, user, or other more abstract claims that the the client may (god help them) pass on to EXCML for processing.
>>>>>>> >
>>>>>>> > While having a scopes claim is possible, like any other claim it is not part of the JWT core security processing claims, and needs to be defined by extension.
>>>>>>> >
>>>>>>> > John B.
>>>>>>> > On 2013-02-28, at 2:29 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>>>>>> >
>>>>>>> >> Hi Mike,
>>>>>>> >>
>>>>>>> >> when I worked on the MAC specification I noticed that the JWT does not have a claim for the scope. I believe that this would be needed to allow the resource server to verify whether the scope the authorization server authorized is indeed what the client is asking for.
>>>>>>> >>
>>>>>>> >> Ciao
>>>>>>> >> Hannes
>>>>>>> >>
>>>>>>> >> _______________________________________________
>>>>>>> >> OAuth mailing list
>>>>>>> >> OAuth@ietf.org
>>>>>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> >
>>>>>>> > _______________________________________________
>>>>>>> > OAuth mailing list
>>>>>>> > OAuth@ietf.org
>>>>>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>>> 
>>>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email