Re: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 Access Tokens
Karl McGuinness <kmcguinness@okta.com> Mon, 30 March 2020 16:38 UTC
Return-Path: <kmcguinness@okta.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 518863A1868 for <oauth@ietfa.amsl.com>; Mon, 30 Mar 2020 09:38:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.199
X-Spam-Level:
X-Spam-Status: No, score=-0.199 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=okta.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hj78ErND_-C0 for <oauth@ietfa.amsl.com>; Mon, 30 Mar 2020 09:38:14 -0700 (PDT)
Received: from us-smtp-delivery-163.mimecast.com (us-smtp-delivery-163.mimecast.com [216.205.24.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9176E3A186D for <oauth@ietf.org>; Mon, 30 Mar 2020 09:38:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=okta.com; s=mimecast20191020; t=1585586292; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=r6QaEo1YcXu99+ZMkYIGtYIm4JBheSqcvrgn/vL5l5A=; b=oljGZc+nmgN2uI0jJbR++S4DaXfzcqBJSmZ1Sxlxwc7BYJ2rVWpsFfs/TB37XC3Ho1uUrC FcurjwLCr19geCIKUyzCpRs8j7cjcAm87Mv67NZqt98Lj9DJZjZtPGEbi9fw+LmQhHM4qr XusnPr1Mr9vetJQorEYKnhY6jr6yShkw+ohOZ5OUH+jjN+KLxMhTqCseac38Gt4r4jHBQR M8+0HNYliLtCmEMsv1JAq8RSwK+VG6JxAWbsP/+yd4QRG7oK2Q7dcZpJF5bIdCGxxY37y7 xoLnDoV0l4CLEMd1/3SQ5LC1E9wI+/5VkRly9FZJhvWDQ7RvjNONHT4OBGDggw==
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02lp2054.outbound.protection.outlook.com [104.47.36.54]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-195-dQNEZCVsPIWn57wPcEv_rA-1; Mon, 30 Mar 2020 12:38:07 -0400
X-MC-Unique: dQNEZCVsPIWn57wPcEv_rA-1
Received: from BYAPR05MB4133.namprd05.prod.outlook.com (2603:10b6:a02:83::11) by BYAPR05MB6663.namprd05.prod.outlook.com (2603:10b6:a03:e5::22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2878.15; Mon, 30 Mar 2020 16:38:05 +0000
Received: from BYAPR05MB4133.namprd05.prod.outlook.com ([fe80::5d41:a28a:12ce:7532]) by BYAPR05MB4133.namprd05.prod.outlook.com ([fe80::5d41:a28a:12ce:7532%5]) with mapi id 15.20.2878.013; Mon, 30 Mar 2020 16:38:04 +0000
From: Karl McGuinness <kmcguinness@okta.com>
To: "vittorio.bertocci=40auth0.com@dmarc.ietf.org" <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
CC: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 Access Tokens
Thread-Index: AQHWAtkCk4DRn6m4cUCrH/Ra3eIDMKhZujAAgAejSAA=
Date: Mon, 30 Mar 2020 16:38:04 +0000
Message-ID: <90853492-D222-463A-9DB0-BA0EC82826B1@okta.com>
References: <CAGBSGjrzYcLaHY3n01rxpaYvDMiM1s9fdbpC6Wj67F7p7kex6g@mail.gmail.com> <13cbd01d602df$f19f7490$d4de5db0$@auth0.com>
In-Reply-To: <13cbd01d602df$f19f7490$d4de5db0$@auth0.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [73.162.34.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 56330529-1c6e-4cdb-3c78-08d7d4c8b864
x-ms-traffictypediagnostic: BYAPR05MB6663:
x-microsoft-antispam-prvs: <BYAPR05MB6663DB0E8650E7887F98BD93DFCB0@BYAPR05MB6663.namprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0358535363
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BYAPR05MB4133.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(366004)(5660300002)(4326008)(81156014)(8676002)(186003)(26005)(81166006)(6512007)(86362001)(36756003)(66446008)(66946007)(64756008)(66476007)(66556008)(2906002)(33656002)(6506007)(53546011)(54906003)(6486002)(8936002)(2616005)(71200400001)(76116006)(498600001)(966005); DIR:OUT; SFP:1102;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: nyrvi2HCdvRgpVZ40Kitug0/LD9sTdNO79DQHDm97Q5iWlenydHyfZtQ9DG7GolortWUGr1MI+HEn/e5+mE8V3wvxfyX1upD77UOWdO1N5Pz1XMEZdWjre7eB4X2turgNEaDaftaOrMA0jd3J91allAwVWa3ZpCLJwm+Lzdyv01HVTzJ6VeHOxRjmMIlAk3d9JXLpLhQZ39eaDGhBSSBcSZN87NUs+HnoRpv4gMYZK1ZOPpEL5WHBjTaBMuneKwHvovDiJhSKp9CwsTV/7mHnaJ2WqkZfc52IsTOAdNZYx5WJ3mpPOPt5CZ6vb9MplJT3ETGWn20QN3K3SFsuTBqMd3rs4pIboQ/sFbsRSZsG4Ivqm69U/D0xvq1Jp84VnwJBhOS9MDX9MLx9UVJGpnk0DsOSuPS4h35pJzvNJGIaHn0nXJr7ASwVHUeZ1twr+RUzQK2JCKr0U6ahrarWwBSwce+4sRZAg89J0lXMHuSFs60JNCpgYRJA1ifyUa5SHSQeKA8ITxDvXf0FR9ht1dqNg==
x-ms-exchange-antispam-messagedata: 6Cy2zBURs/RXw5S9ATXCZtXD4qkmb81HwvsO4UF0OihaAiUOEp5IZX77gw/bceZM6Wc9AGaNkvPVWmdvGV2R42k5ZH8vyHX4y2A7Fs2Up79tvuFWMpcUEH7dEJNaHb6qK8fMRM3Oe8QMXHssLK7XMA==
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: okta.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 56330529-1c6e-4cdb-3c78-08d7d4c8b864
X-MS-Exchange-CrossTenant-originalarrivaltime: 30 Mar 2020 16:38:04.6959 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f1f9fcc4-c616-4261-8a82-855dc9cb8486
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: m3f8RFDrpyIRfqSIB5oL82nwaQyq+B6GalUYH88bvdAeHQhy+rLFEZNtVg4rw2R2l+6YaDgDfmjh51rJ7j1sNA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB6663
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: okta.com
Content-Type: multipart/alternative; boundary="_000_90853492D222463A9DB0BA0EC82826B1oktacom_"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aFO1w0DsH9hnPvuOZJvbTlfQeQk>
Subject: Re: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 Access Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2020 16:38:27 -0000
Hi Vittorio, I was chatting with Aaron offline about this issue and my concern is the addition of Authentication Information Claims in this spec opens up more interoperability issues that can’t be addressed with just a JWT Access Token spec. OAuth 2.0 AFAIK, doesn’t define any behaviors around resource owner authentication assurance with respect to issuing, introspecting, or presenting access tokens. * Token introspection * Token validation error responses * Token refresh * Client Remediation (oidc defined prompt=login, max_age, and acr_values) * Metadata This spec is defining AS behaviors that are orthogonal to the format and should be available via token introspection for example https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-2.2.1 The claims listed in this section reflect in the access token the the types and strength of authentication that the authentication server enforced prior to returning the authorization response to the client. Their values are fixed, and remain the same across all access tokens that derive from a given authorization response, whether the access token was obtained directly in the response (e.g., via the implicit flow) or after one or more token exchanges (e.g., obtaining a fresh access token using a refresh token, or exchanging one access token for another via [RFC8693<https://tools.ietf.org/html/rfc8693>]). I was hoping one of the outcomes of this spec was toolkit/sdk interop for clients and resource servers. I don’t see how this possible if all the semantics around requesting, validating, and remediating resource owner authentication assurance is implementation specific. The end-to-end scenarios are not achievable with just OAuth 2.0 which breaks interop. I think there is a real need to define resource owner authentication assurance interoperability for access tokens, but I fear this may require its own spec. -Karl Karl McGuinness Chief Product Architect www.okta.com<http://www.okta.com/> On Mar 25, 2020, at 12:59 PM, vittorio.bertocci=40auth0.com@dmarc.ietf.org<mailto:vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote: This message originated outside your organization. Thanks Aaron! You are right, we could be clearer re:errors. AFAIK the only errors we can rely on from an RS are in RFC6750, and the entire section is about what to look for in an incoming AT to validate, hence it doesn't look like we have much choice but to return invalid_token for every error in the validation checks enumerated in Section 4. I can definitely add a paragraph to that effect (does it have to be a section?). The re-authentication part is tricky. Technically we are still rejecting the incoming token, hence the above should still apply. I am not aware of tools we can use from the primitives defined in the OAuth2 family of standards for telling people how to make reauthentication happen- and making reauth happen can be quite involved. In Azure AD there are semi proprietary mechanisms that can be used to signal the need to repeat authentication, say for triggering a step-up auth, by sending back together with the error response a challenge that can in turn be used by the client to communicate policy requirements to the AS (which is assumed to support OIDC and accept/understand those policies in form of claim). Giving equivalent guidance but relying only on standards seems tricky, especially without making strong assumptions about how auth happens (e.g can we assume OIDC?). To solve this for the profile, I see two main ways forward: A) We warn the reader that it's on them to decide how to signal the reauth requirement from the API to the client, and how to use that in the client to AS subsequent authorization request B) We venture in devising a standard mechanism for propagating errors that require reauth, basically extending RFC6750 with a new use case (perhaps by detailing extra info to be put in WWW-Authenticate?). I can see how B) might be useful in general, but it doesn't seem particularly tied to the fact that the ATs being discussed here are JWTs... hence I'd be inclined to declare it out of scope here, tho I would really love for us to devise a standard solution for it _somewhere_. WDYT? -----Original Message----- From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> On Behalf Of Aaron Parecki Sent: Wednesday, March 25, 2020 12:07 PM To: OAuth WG <oauth@ietf.org<mailto:oauth@ietf.org>> Subject: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 Access Tokens Section 4 talks about validating JWT Access Tokens https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-4 It has a list of things the RS MUST do when validating a request made with a JWT access token. This section contains phrases like "...and reject tokens..." and "MUST be rejected if...", without clear instructions on *how* to reject this request. For these, I could infer that the RFC6750 error code "invalid_token" is the correct response, but these could benefit from being more explicit about that here. Step 7 says: "the resource server SHOULD check the auth_time value and request re-authentication..." But there are no instructions on how the RS should respond to indicate that the client should request re-authentication. This sounds like a different response than "invalid_token" to me, but in any case, regardless of what the correct response is, Section 4 really needs a description of how to respond in these error cases. ---- Aaron Parecki aaronparecki.com @aaronpk _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Error Responses in JWT Profile for OAu… Aaron Parecki
- Re: [OAUTH-WG] Error Responses in JWT Profile for… vittorio.bertocci
- Re: [OAUTH-WG] Error Responses in JWT Profile for… Karl McGuinness
- Re: [OAUTH-WG] Error Responses in JWT Profile for… Vittorio Bertocci
- Re: [OAUTH-WG] Error Responses in JWT Profile for… Vittorio Bertocci