Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
John Bradley <ve7jtb@ve7jtb.com> Thu, 11 August 2016 22:24 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B026C12D594 for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2016 15:24:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O33g1gwp3cLQ for <oauth@ietfa.amsl.com>; Thu, 11 Aug 2016 15:24:48 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04E4712D605 for <oauth@ietf.org>; Thu, 11 Aug 2016 15:24:47 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id v123so9861064qkh.2 for <oauth@ietf.org>; Thu, 11 Aug 2016 15:24:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iN5/YKE7hks9k1poB8Eyi/H560+/TYqU3a/QsM2pbVc=; b=i9h44pGZjkqgj9Ig3jEVdkX6RM00hZsp2wpki+aZ3U/REVJLX0hMdA5jdHhCTiU4z5 ioiqGd0j0YjRd3nYG7BOOGk+uFwMImrh/wPuZjC2bG9Grvg79srZGofc9tAO3cj1fQWM veskc8s2C1iul7kno1vaCbSVnMFs3Adbi+G3taFG17SfIEguJUrnqsKoSvj/UogM8MAg YMDGQZ7jGlORq+Kw8U0IGuNF4c9D1w/TAYUbWFO73ADoLsxf5nZkLJstA+PIL2SnL/D8 A80LFbq2HncGT3d42FO/jIP1RMBIeGWFE5x0ivpxqI6UuZ4g2DUkOdrpX3qLCJqfWe0j rUVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iN5/YKE7hks9k1poB8Eyi/H560+/TYqU3a/QsM2pbVc=; b=PU1kF3EKuXpm+nvyX8Qx/oVd5t4xd7x45BM+UcD6rmQEpSP9ZCLtU1ej7WYPYyv01X JisufEUU3AFxReTqdr5EP/qsWIQUk1zXOvWxK9lD9AMSoVj3mirqD6b0EsS6oi0EnoTG mrhpNOxGkTLHVc6M1V3B1iLFC9NyM/Ionjg9P9DlGmSYf3z/uRp/+gODi+HHH45mgGo2 Tsnsbwizl/HHZj5c4U7kBGqge7II1viS59grt0NI515iFHr8NkeuzfIIicwj4sT5y+9P PI+V/F6/6P0ANW8zl8QjcN6aP74PcUQryjiOZ9JoVFhNG8u/E0bmCyG3IaTl2GZr3CaF uyng==
X-Gm-Message-State: AEkooutIVOEfPp7LAiOJHQGiqtd9gDEYKUYHvzbGrbKjZ10qETbaPy/PpXaS1v1+M+3i35xH
X-Received: by 10.55.162.67 with SMTP id l64mr13913419qke.106.1470954287005; Thu, 11 Aug 2016 15:24:47 -0700 (PDT)
Received: from [192.168.8.100] ([181.201.74.47]) by smtp.gmail.com with ESMTPSA id 50sm2722333qts.11.2016.08.11.15.24.45 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 11 Aug 2016 15:24:46 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <8472e581-1382-a364-a232-07ce6eeb0115@gmail.com>
Date: Thu, 11 Aug 2016 18:24:43 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <852DC4F5-B9A0-4402-8550-6AB725546C63@ve7jtb.com>
References: <8472e581-1382-a364-a232-07ce6eeb0115@gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/apn5w-wrbVtyhtE4QOMuLEXppWk>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Aug 2016 22:24:50 -0000
I think most people put the a resource URI in the aud. Connect uses the client ID as that is bit more stable than trying to use a redirect URI when there could be multiple ones. Given that a resource server doesn’t typically have a client_id the resource uri make a reasonable value. You could put it in resource if you like, but that is probably not what others are doing. It may be time for a interoperable JWT access token profile of some sort. We keep getting close with some of the PoP stuff but only specify parts. John B. > On Aug 11, 2016, at 6:16 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote: > > Hi All > > Awhile back I was asking why would self-contained JWS JWT access tokens would be used (as opposed to JWE JWTs), my concern was that anyone with a JWT library can read this token's content - but as I was explained that should not be a problem if such a JWS JWT token contains non-sensitive information. Besides, in some cases, it gives RS an option to validate this JWS JWT locally, without having to make a remote validation call. > > So I've started experimenting and the immediate question I have is this one: which claim should one use to represent a resource server audience to get the most inter-operable RS level validation logic ? > > For example, a given RS may talk to different 3rd party authorization servers, say AS1 (vendor1) and AS2 (vendor2), and either AS1 or AS2 JWS JWT tokens that this RS validates locally should ideally use the same claim to represent a resource audience. RS validation logic is written independently (without using AS1 or AS2 aware validation libraries). > > We do expect such requirements coming in our deployments. AS1 & independent validation logic is already in use. Just a matter of time before AS2 is introduced. > > So JWT has a standard 'aud' claim - but I believe this should be a 'clientId' of the client a token is issued to, similarly to the way the 'aud' is treated in IdToken. > > So I've prototyped the code where JWT has these claims: > > "aud" = clientId > "resource" = 'http://myResourceServer' > > where 'resource' is borrowed from OAuth2 Resource Indicators draft and represent a specific RS target address, the resource server audience. > > Am I on the right path ? How would others do it when facing a task of including a resource audience in a self-contained JWS JWT access token ? > > Many thanks, Sergey > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Brian Campbell
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… Sergey Beryozkin
- Re: [OAUTH-WG] JWS JWT Access Tokens and resource… John Bradley
- [OAUTH-WG] JWS JWT Access Tokens and resource aud… Sergey Beryozkin