Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07
Denis <denis.ietf@free.fr> Thu, 10 September 2020 12:33 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18B7D3A0858 for <oauth@ietfa.amsl.com>; Thu, 10 Sep 2020 05:33:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.409
X-Spam-Level:
X-Spam-Status: No, score=-0.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, LONGWORDS=2.035, NICE_REPLY_A=-0.948, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HPYFGd1_ivKt for <oauth@ietfa.amsl.com>; Thu, 10 Sep 2020 05:33:03 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE9A23A0846 for <oauth@ietf.org>; Thu, 10 Sep 2020 05:33:02 -0700 (PDT)
Received: from [192.168.1.11] ([90.79.51.120]) by mwinf5d13 with ME id SCYz2300A2bcEcA03CYzVF; Thu, 10 Sep 2020 14:33:00 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 10 Sep 2020 14:33:00 +0200
X-ME-IP: 90.79.51.120
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <AM0PR08MB371667F70B227C3EFA4C3ECAFA290@AM0PR08MB3716.eurprd08.prod.outlook.com> <ae739f88-58e6-40be-e759-3bf7b16715d2@free.fr> <CAD9ie-t4r5Uwzr7FOsedFSsGGMQ0H+9psMZ1LAr=ctB-L=LGNg@mail.gmail.com> <6abcccb8-42a5-60fe-a99b-16c3c154ff81@free.fr> <AM0PR08MB371612EB171DE3BB1166072BFA270@AM0PR08MB3716.eurprd08.prod.outlook.com> <1d877e88-07bb-779f-d252-440ca52a3a37@free.fr> <AM0PR08MB3716B9F5C298A8F681358DD0FA270@AM0PR08MB3716.eurprd08.prod.outlook.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <a4e4da10-c13e-e813-6f09-ef1ffc6b73d7@free.fr>
Date: Thu, 10 Sep 2020 14:33:04 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <AM0PR08MB3716B9F5C298A8F681358DD0FA270@AM0PR08MB3716.eurprd08.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------E6FAB4254340DDE7B92BCFA2"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_Uexi03J5EJGDDqB4rjK9MZcixA>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 12:33:08 -0000
Hi Hannes, All my concerns about the fact that the OAuth 2.0 framework assumes that access tokens are treated opaque by clients are now solved. Thanks ! > Hi Denis, > > Thanks for the clarifications regarding the uniqueness properties of > the values that go into the subject claim. > > Looking at draft-ietf-oauth-access-token-jwt-07 I don’t see where the > draft introduces these two new flavors. > The text is as follows in section 6: Authorization servers should choose how to assign "sub" values according to the level of privacy required by each situation. For instance: if a solution requires preventing tracking principal activities across multiple resource servers, the authorization server should ensure that JWT access tokens meant for different resource servers have distinct "sub" values *tht *cannot be correlated in the event of resource servers collusion. Note the typo: tht -- > that This is the flavor n° 3. Similarly: if a solution requires preventing a resource server from correlating the principal’s activity within the resource itself, the authorization server should assign different "sub" values for every JWT access token issued. This is the flavor n°4. Denis > Additional comments below: > > *From:* Denis <denis.ietf@free.fr> > *Sent:* Thursday, September 10, 2020 11:41 AM > *To:* Hannes Tschofenig <Hannes.Tschofenig@arm.com> > *Cc:* Dick Hardt <dick.hardt@gmail.com>; oauth@ietf.org > *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 > > Hi Hannes, > > Thank you for responses. See below. > > Hi Denis, > > Hi Dick and Hannes, > > 1) While reading RFC 7519, no reader may be able to figure out > that there are more than two flavours of the "sub" claim. > This draft is introducing two new other favours of the semantics > of the "sub" claim which are not present in RFC 7519. > When an element has been defined, its semantics cannot be > changed ... unless making an Errata to RFC 7519 > which would be a clean way to proceed. > > [Hannes] What do you mean by “flavours” of the subject claim? > > [Denis] RFC 7519 states: The subject value MUST *either *be scoped to > be locally unique in the context of the issuer *or * be globally unique. > > This makes two flavours: *either *locally unique in the context of the > issuer *or *globally unique. > > When reading the current text, in addition to these two flavours, two > additional flavours (3) and (4) are discovered > which makes a total of four flavours: > > 1. locally unique in the context of the issuer (i.e. the same for all > RSs), > 2. globally unique (i.e. the same not only for all the RSs but also > for servers that have nothing to do with OAuth), > 3. unique for an AS/RS pair, and > 4. unique for every access token. > > > 2) The argument about "changing the token format at any time" does > not apply in the context of this future RFC. > This sentence should be either removed or modified This means > that the following sentence which is a derivative > of this sentence should also be either removed or modified: > > Hence, any logic in the client relying on the ability to read > the access token content would break without recourse. > > [Hannes] The OAuth 2.0 architecture allows the authorization > server and the resource server to agree on whatever token > format they want. > They can pass the information by value or by reference (which > may then require token introspection or an equivalent mechanism). > This document does not change anything concern this. > > Imagine a third party implementing an OAuth 2.0 Client. If > they make assumptions about the ability to parse the content > of the token, we create a brittle system. > > For this reason, the sentence "changing the token format at > any time" is correct. > > I hope this makes sense. > > [Denis] I do not dispute the sentence you proposed "The OAuth 2.0 > framework assumes that access tokens are treated opaque by clients" > which replaces the previous sentence which was: "The client MUST NOT > inspect the content of the access token". > > The two sentences prior to it are: > > Authorization server and the resource server might decide to > change token format at any time (for example by switching from > this profile to opaque tokens). > Hence, any logic in the client relying on the ability to read the > access token content would break without recourse. > > Once having read your last three responses, I would propose the > following small change in the second sentence: > > Authorization server and the resource server might decide to > change token format at any time (for example by switching from > this profile to opaque tokens). > Hence, any logic in the client relying on the ability to read the > access token content /at an instant of time might /break /later > on/ without recourse. > > You may have noticed that I proposed to change the RFC 2119 > language in the text. I changed my original proposal to make > it more clear (see red text). > > " > > Authorization server and the resource server > > might decide to change token format at any time (for example by > > switching from this profile to opaque tokens). Hence, any > logic in the > > client software relying on the ability to read the access > token content may > > break since the OAuth 2.0 framework assumes that access tokens > > are treated opaque by clients. > > Administrators of authorization servers should also take into > account that > > the content of an access token is visible to the client. > Whenever client > > access to the access token content presents privacy issues for a > > given scenario, the authorization server should take explicit > steps > > to prevent it. > > " > > 3) The following questions have still not been answered: > > Some questions raised during the WGLC have not been answered: > How can a client request an access token compliant to this > profile ? > > [Hannes] The client cannot request the authorization server to > use a specific token format. Since the client is not going to > look at the access token content why would it even care. > > [Denis] While reading all of your three last responses, I now > understand the point. > > > Which parameter(s) allow it to ask an access token compliant > to this profile ? > > [Hannes] There no parameters defined so that the client can > ask for an access token format that is compliant to this profile. > > OK. > > How can the AS know that it got a call for the issuance of an > access token compliant to this profile ? > > [Hannes] The AS only gets a request for an access token and > the AS needs to decide what format to use, like it did in the > past. Nothing changed. > > Your response does help to understand. Section 3 is stating: > > An authorization server /can /issue a JWT access token in response > to any authorization grant defined by [RFC6749] and > subsequent extensions meant to result in an access token. > > I believe, it would be worthwhile to add a sentence, just after this > sentence, with the following text: > > When an authorization server decides to issue a JWT access token > compliant to this profile, then the following requirements apply. > (...) > > [Hannes] That’s fine for me because this is what the intended effect > of the spec is. > > Ciao > > Hannes > > Denis > > Ciao > > Hannes > > Denis > > > > > Denis > > The objective of this document is to standardize the token the > AS shares with the RS. It is not to standardize how the client > can read the token. Just because the user is using the client, > that does not mean the user wants the client to see any claims > about themselves. Letting the client see the contents of the > token may be a privacy violation. > > client != user > > ᐧ > > On Tue, Sep 8, 2020 at 9:10 AM Denis <denis.ietf@free.fr > <mailto:denis.ietf@free.fr>> wrote: > > Hi Hannes, > > Two comments between the lines. > > Hi Victorio, Hi all, > > I am doing my shepherd write-up for > draft-ietf-oauth-access-token-jwt-07. Reading through > the draft I have a few minor suggestions: > > Section 2: > > I would delete this sentence "JWT access tokens are > regular JWTs complying with the requirements described > in this section." > > Reason: You pretty much make the same statement on the > previous page (see terminology section). > > Section 2.1 > > s/asymmetric algorithms/asymmetric cryptography > > (same replacement in Section 4) > > s/ This specification registers the > "application/at+jwt" media type, > > which can be used to indicate that the content is an > access token./This specification registers the > "application/at+jwt" media type, > > which can be used to indicate that the content is a > JWT access token. > > Use capitalized "Section" when a section number is > indicated, such as in Section 2.2. > > Section 2.2 > > s/""aud"/"aud" > > 2.2.1 > > s/ auth_time OPTIONAL - as defined in section 2 of > [OpenID.Core]./ auth_time OPTIONAL - as defined in > Section 2 of [OpenID.Core]. > > s/ acr, amr OPTIONAL - as defined in section 2 of > [OpenID.Core]./ acr, amr OPTIONAL - as defined in > Section 2 of [OpenID.Core]. > > s/Please see/See > > s/For example:/For example, > > Section 4 > > You write: > > "Authorization servers SHOULD implement OAuth 2.0 > Authorization Server Metadata [RFC8414] ... " > > Are you sure you mean "implement" and not "use"? The > paragraph gives me the impression that you talk about > "ASs using RFC 8414" > > s/Please see section Section 5 for further guidance on > security implications./Please see Section 5 for > further guidance on security implications. > > This sentence sounds strange to me: > > " > > When invoked as described in OAuth 2.0 Bearer Token > Usage [RFC6750], > > resource servers receiving a JWT access token MUST > validate it in the > > following manner. > > " > > How about: > > " > > Resource servers receiving a JWT access token MUST > validate it in the > > following manner. > > " > > Question: If you refer to RFC 6750 and then list the > steps are you just repeating the steps from RFC 6750 > or are you augmenting them? > > You write: > > " > > If the JWT access token includes authorization claims > as described in > > the authorization claims section, the resource server > SHOULD use them > > in combination with any other contextual information > available to > > determine whether the current call should be > authorized or rejected. > > " > > Include a reference to the authorization claims section > > s/ For more > > details on cross-JWT confusion please refer to 2.8 of > [RFC8725]./ For more > > details on cross-JWT confusion please refer to Section > 2.8 of [RFC8725]. > > You write: > > " > > Authorization servers should not rely on the use of > different keys > > for signing OpenID Connect ID Tokens and JWT tokens as > a method to > > safeguard against the consequences of leaking specific > keys. > > " > > The phrase "leaking keys" is probably not the best > term to describe what follows afterwards in the text. > > You write: > > " > > The client MUST NOT inspect the content of > > the access token > > " > > This RFC 2119 language is not really enforceable in > terms of interoperability. Maybe you could rephrase a > bit. Something like the following would work: > > " > > Authorization server and the resource server > > might decide to change token format at any time (for > example by > > switching from this profile to opaque tokens). Hence, > any logic in the > > client relying on the ability to read the access token > content would > > break without recourse. The OAuth 2.0 framework > assumes that access tokens > > are treated opaque by clients. > > Administrators of authorization servers should also > take into account that > > the content of an access token is visible to the > client. Whenever client > > access to the access token content presents privacy > issues for a > > given scenario, the authorization server should take > explicit steps > > to prevent it. > > " > > /In the general case, /the OAuth 2.0 framework assumes > that access tokens are treated as opaque by clients. > However, with this coming RFC, we are not in the general > case: since the client gets back an access token > conformant to _this_ RFC, then it knows > exactly its detailed structure. The argument about > "changing the token format at any time" does not apply. In > this case, the client is quite sure > that it would be able to understand most of its content > (at least all the standard claims). The above text > proposal would need to be reconsidered. > > Hiding (by encrypting it) the content of the access token > to the client is odd when an access token contains claims > about a human-user : > these claims are personal data and the human-user is > usually allowed to have access to his own personal data. > > Encryption is nice in theory but complicated in practice, > since a key management system must put in place. Whenever > possible, it should be avoided. > > BTW, some questions raised during the WGLC have not been > answered: How can a client request an access token > compliant to this profile ? > Which parameter(s) allow it to ask an access token > compliant to this profile ? How can the AS know that it > got a call for the issuance of an access token > compliant to this profile ? > > Another comment follows. > > You wrote: > > " > > In scenarios in which JWT access tokens are accessible > to the end > > user, it should be evaluated whether the information > can be accessed > > without privacy violations (for example, if an end > user would simply > > access his or her own personal information) or if > steps must be taken > > to enforce confidentiality. Possible measures > include: encrypting > > the access token, encrypting the sensitive claims, > omitting the > > sensitive claims or not using this profile, falling > back on opaque > > access tokens. > > " > > The first sentence is a repetition of the previous > paragraph. I would suggest to delete > > the first sentence in this paragraph and to move the > second sentence to the previous paragraph. > > You wrote: > > " > > This profile mandates the presence of the "sub" claim > in every JWT > > access token, making it possible for resource servers > to rely on that > > information for performing tasks such as correlating > incoming > > requests with data stored locally for the > authenticated principal. > > Although the ability to correlate requests might be > required by > > design in many scenarios, there are scenarios where > the authorization > > server might want to prevent correlation to preserve > the desired > > level of privacy. Authorization servers should choose > how to assign > > "sub" values according to the level of privacy > required by each > > situation. For instance: if a solution requires > preventing tracking > > principal activities across multiple resource servers, the > > authorization server should ensure that JWT access > tokens meant for > > different resource servers have distinct "sub" values > tht cannot be > > correlated in the event of resource servers > collusion. Similarly: if > > a solution requires preventing a resource server from > correlating the > > principal's activity within the resource itself, the > authorization > > server should assign different "sub" values for every > JWT access > > token issued. In turn, the client should obtain a new > JWT access > > token for every call to the resource server, to ensure > that the > > resource server receives different "sub" and "jti" > values at every > > call, thus preventing correlation between distinct > requests. > > " > > The above paragraph suggests that there are different > levels of privacy. What you are > > talking about in the text is unlinkability and > identification. Ways to deal with such > > privacy threats are described in Section 6 of RFC 6973. > > Hence, I would suggest to slightly rephrase the > paragraph to something like: > > " > > This profile mandates the presence of the "sub" claim > in every JWT > > access token, making it possible for resource servers > to rely on that > > information for correlating incoming > > requests with data stored locally for the > authenticated principal. > > Although the ability to correlate requests might be > required by > > design in many scenarios, there are scenarios where > the authorization > > server might want to prevent correlation. The "sub" > claim should be > > populated by the authorization servers according to > a privacy impact > > assessment. For instance, if a solution requires > preventing tracking > > principal activities across multiple resource servers, the > > authorization server should ensure that JWT access > tokens meant for > > different resource servers have distinct "sub" values > that cannot be > > correlated in the event of resource servers collusion. > > While the idea is really nice, the use of the "sub" claim > in this context is not compatible with the definition of > the "sub" claim > as defined in RFC 7519: > > 4.1.2. "sub" (Subject) Claim > > The "sub" (subject) claim identifies the principal > that is the > subject of the JWT. The claims in a JWT are > normally statements > about the subject. *The subject value MUST either > be scoped to be > locally unique in the context of the issuer or be > globally unique.* > The processing of this claim is generally > application specific. The > "sub" value is a case-sensitive string containing > a StringOrURI > value. Use of this claim is OPTIONAL. > > There are two options and two options only: > > "locally unique in the context of the issuer" means > that it is the same for all RSs. > "globally unique" means that it is the same not only > for all the RSs but also for servers that have nothing > to do with OAuth (e.g. an email address). > > > > > Similarly, if > > a solution requires preventing a resource server from > correlating the > > principal's activity within the resource itself, the > authorization > > server should assign different "sub" values for every > JWT access > > token issued. In turn, the client should obtain a new > JWT access > > token for every call to the resource server, to ensure > that the > > resource server receives different "sub" and "jti" > values at every > > call, thus preventing correlation between distinct > requests. > > The proposed text describes two different cases where the > sub claim is either unique for an AS/RS pair or unique for > each access token. > > These two cases are not included in the definition found > in RFC 7519. > > In the general case, an identifier can be: > > 1. locally unique in the context of the issuer (i.e. the > same for all RSs), > 2. globally unique (i.e. the same not only for all the > RSs but also for servers that have nothing to do with > OAuth), > 3. unique for an AS/RS pair, or > 4. unique for each access token. > > I see different ways to solve this problem: > > 1° Stick to the definition of RFC 7519 and > (unfortunately) remove these possibilities. > 2° Define two new claims which would support the two > cases where the sub claim would be either unique for > an AS/RS pair or unique for one access token. > 3° Define four new claims which would support the four > above cases. > > Denis > > " > > Section 7.2 > > s/ Section Section 2.2.3.1 of this specification > refers to the > > attributes "roles", "groups", "entitlements" defined > in [RFC7643] to > > express authorization information in JWT access tokens. > > / Section 2.2.3.1 of this specification refers to the > > attributes "roles", "groups", "entitlements" defined > in [RFC7643] to > > express authorization information in JWT access tokens. > > References > > RFC 7519 has to be a normative reference: > > [RFC7519] Jones, M., Bradley, J., and N. Sakimura, > "JSON Web Token > > (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, > > <https://www.rfc-editor.org/info/rfc7519> > <https://www.rfc-editor.org/info/rfc7519>. > > RFC 7644 is an unused reference: > > [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., > Wahlstroem, E., > > and C. Mortimore, "System for Cross-domain Identity > > Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, > > September 2015, > <https://www.rfc-editor.org/info/rfc7644> > <https://www.rfc-editor.org/info/rfc7644>. > > The same is true for RFC 3986: > > [RFC3986] Berners-Lee, T., Fielding, R., and L. > Masinter, "Uniform > > Resource Identifier (URI): Generic Syntax", STD 66, > > RFC 3986, DOI 10.17487/RFC3986, January 2005, > > <https://www.rfc-editor.org/info/rfc3986> > <https://www.rfc-editor.org/info/rfc3986>. > > Ciao > > Hannes > > IMPORTANT NOTICE: The contents of this email and any > attachments are confidential and may also be > privileged. If you are not the intended recipient, > please notify the sender immediately and do not > disclose the contents to any other person, use it for > any purpose, or store or copy the information in any > medium. Thank you. > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > IMPORTANT NOTICE: The contents of this email and any attachments > are confidential and may also be privileged. If you are not the > intended recipient, please notify the sender immediately and do > not disclose the contents to any other person, use it for any > purpose, or store or copy the information in any medium. Thank you. > > IMPORTANT NOTICE: The contents of this email and any attachments are > confidential and may also be privileged. If you are not the intended > recipient, please notify the sender immediately and do not disclose > the contents to any other person, use it for any purpose, or store or > copy the information in any medium. Thank you.
- [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07 Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Denis
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Dick Hardt
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… vittorio.bertocci
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Denis
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Denis
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Denis
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Denis
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Vittorio Bertocci
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Hannes Tschofenig
- Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-… Vittorio Bertocci