Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Vittorio Bertocci <> Fri, 24 April 2020 20:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6B07A3A0A94 for <>; Fri, 24 Apr 2020 13:24:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id MQp62qXmn3JA for <>; Fri, 24 Apr 2020 13:24:07 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5E90F3A0A90 for <>; Fri, 24 Apr 2020 13:24:07 -0700 (PDT)
Received: by with SMTP id x77so5353073pfc.0 for <>; Fri, 24 Apr 2020 13:24:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :mime-version; bh=5O4QAiT3afxDdJ2AU0FrblY8TdE5xFwUoGRN/7R5mag=; b=DE1XTbuyJPVtg6Wff/XkogEM2qPghaDf6xHJQZobozX7SbI7mnjhy5wK25LPSrEVhm OeVS4vebZhl8prSwJPweeF1444e6AvW2xEklY53l3zLXN2CPLp7TtnUjtiP6JhEXa/O3 nWdWFypnp09ycs8PhS6Z6lGE3ruNT71QXgy3ddlS2TqP1Nyw5btQd1Zc0h5ek1+0CLIr Z79XGW78YOgor5AJmRMtQDTk0kcSLEw/Aqjv4x0c45Qy6pAdMpx9UAweOXHxTPlU9xnL TLyd2i0OpM0d0jzOlZtdLJqkzi/lxv7OfK+SDqV2gwoEnl0Sz+2erO/7e512DiU5yK3s ngDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:mime-version; bh=5O4QAiT3afxDdJ2AU0FrblY8TdE5xFwUoGRN/7R5mag=; b=jEcZFDzjoYX8mN8EiNeyTie0Elt29dW9Ihzo8ZHdoAfYeZV81eLvCm6nBa0Ii5uzDJ uoYrf3SY1NydDKwbkXZriO5ctv2C/l3LrrV9A2u2eqW3e79/kSPOJqnz/LhNWXhC0yRi 7bzQLlpV+Sf7+EXbp/LWoqz2xbaCKRWX20BqkaA2m4nG81LhT+mbMDOlsb7JZHZuRJtg ggkeMIHINy1Id+7eWJtsrW3N2eISbEdoYphvfkUNjlF+KfibNMHQSnZd6loorpECw4an kXU1TzZ8wm9y1/9MEEwCMkPzKphFihBMdla4fHtozJinKGDCKe3kyCa5O9u9f4g+PUef oJ5g==
X-Gm-Message-State: AGi0PuZpG5SJ8047ywJzZ3j1QB/Q9E6a2bCD4dazrN0gTfPsELtuK/pS r6JLybPWlOQYmlQDHsukTP6RXA==
X-Google-Smtp-Source: APiQypLW2ngH3ykdsqL6r61Ztyf9iqOYqo6cnHcLsaiXRHfOyBwcdpyiy2Ti9uJU6vGUxM+zlyy0Xw==
X-Received: by 2002:aa7:9683:: with SMTP id f3mr11887537pfk.278.1587759846169; Fri, 24 Apr 2020 13:24:06 -0700 (PDT)
Received: from ([2603:1036:120:1d::5]) by with ESMTPSA id f2sm5275709pju.32.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 24 Apr 2020 13:24:05 -0700 (PDT)
From: Vittorio Bertocci <>
To: Takahiko Kawasaki <>, oauth <>
CC: Vittorio Bertocci <>
Thread-Topic: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-MS-Exchange-MessageSentRepresentingType: 1
Date: Fri, 24 Apr 2020 20:24:04 +0000
Message-ID: <>
References: <> <> <085301d616e8$21029750$6307c5f0$> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-RecordReviewCfmType: 0
Content-Type: multipart/alternative; boundary="_000_MWHPR19MB15012F3B9748A9CB00DE46C4AED00MWHPR19MB1501namp_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 24 Apr 2020 20:24:12 -0000

Before I acknowledge your comments, I would like to clarify some important points.
Your first email, and various tweets you published contextually (, suggest that with my work on the spec I am driving some hidden agenda for my company, and you are exposing this thanks to some findings you uncovered- and that the WG somehow missed.
This is of course nonsense, insulting to my own professional integrity and to the intelligence of the chairs, working group and everyone who participated in the discussion. I include the tweets in the discussion because you included in them a link to the mailing list archives, hence involving the WG in the process.

Some basic facts:

  *   The profile as it exists today does NOT work out of the box with Auth0, there are several things that would need to change in the product for that to happen- including adding support for resource indicators which is currently missing
  *   The layout of the Auth0 token is certainly not a secret, given that it was presented alongside all the other tokens obtained from other vendors at the OSW2019 in March, in the initial draft pitch at IETF104 as recorded in, in the first discussion at IETF105 as shown in The use of resource indicators for client cred flows is certainly not a dark ploy to smuggle the Auth0 way, in fact it’s informed more by my work on Azure AD- where I found the transition from pseudo resource indicators to scopes to be riddled by challenges. Once again, all discussions were made in full transparency.
  *   The concerns about symmetric algorithms being allowed, which you are oddly bringing up in a tweet rather than on the list, are disconnected from the discussion: people in the working group explicitly asked for symmetric to be an option and even to relax the current language to be more permissive, which I gently pushed back against. Again, not an obscure ploy.

I am saddened that you chose to make those statements on twitter. There was nothing for you to discover, everything was already out in the open.
You might want to consider retracting your accusations. I am not worried about myself, my conscience is perfectly clean and the IETF process records back me up, but by suggesting lack of transparency you are unfairly portraying the IETF, standardization process and the people who do their best to check at the door their affiliations and contribute their time and expertise for the benefit of the industry as a whole.

I am adding the tweets here for reference, together with the translation Twitter provided.

Taka@Authlete, BaaS for OAuth 2.0 & OpenID Connect
もしやと思って調べてみたら、Auth0(スペックリードの所属企業)の client_credentials フローの実装は audience(RFC 8707 の resource 相当)が必須で、生成する JWT アクセストークンの sub にクライアント ID を埋め込む。JWT アクセストークン仕様ドラフトが歪んでいるのはこれが理由だろう。
Suddenly, I searched and thought, implementation of client_credentials flow of Auth0 (company of Spec Lead) requires audience (equivalent to resource of RFC 8707), and embed client ID in sub of generated JWT access token. This is probably the reason why the JWT access token specification draft is distorted.

元々 Auth0 の現実装を業界に認めさせるために JWT アクセストークン標準仕様策定作業が開始されたと噂では聞いていたが、実際にそうだったか。技術的に不自然な点が多いし裏事情がはっきりした今となっては黙っている訳にもいかないので、メーリングリストで意見を述べた。
I've heard rumors that the JWT Access Token standard specification work was started to get the industry to accept the current implementation of Auth0, but was that really the case? Since there are many technical unnatural points and it is impossible to keep silent now that the circumstances are clear, I made an opinion on the mailing list.

ついでに言っておくと、Auth0 が生成する JWT アクセストークンの署名アルゴリズムとして選択できるのは、HS256 と RS256 のみのようだ。HS256 は対称鍵系アルゴリズム。一方の RS256 は非対称鍵系アルゴリズムだが、セキュリティー上の理由で Financial-grade API Part 2 では使用禁止とされている。
Incidentally, it seems that only HS256 and RS256 can be selected as the signature algorithm for the JWT access token generated by Auth0. HS256 is a symmetric key algorithm. On the other hand, RS256 is an asymmetric key algorithm, but for security reasons, it is prohibited in Financial-grade API Part 2.

From: OAuth <> on behalf of Takahiko Kawasaki <>
Date: Thursday, April 23, 2020 at 18:01
To: oauth <>
Cc: Vittorio Bertocci <>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

I apologize if my previous post has made you all here feel unpleasant, especially I'm sorry for the author, the chairs, and people who directly joined the discussion about the spec. I could have expressed my disagreement on the requirements for "aud" and "sub" in another different way. For software specifications and architectures, I'm liable to get excited and aggressive. Please forgive me.

Regarding the relationship between "aud" and "scope", the assumption in the draft is not necessarily applicable to all possible use cases. For example, multiple resources may share the same scopes. What if both "/resource1" and "/resource2" recognize "get" scope and "update" scope? In this case, it is not appropriate to determine the default resource indicator for "aud" from the scopes. It is also impossible to map scopes to resources and vice versa. The assumption in the current draft is too narrow to be included in a standard.. If the current description continues to exist, it will impose big restrictions on the design of scopes and resources.

If you still think the "aud" claim should always exist, then the authorization endpoint and/or the token endpoint (and/or the backchannel authentication endpoint and/or the device authorization endpoint) of your system can require the "resource" request parameter as mandatory. We don't have to put rules to determine the default "aud" value into the spec about JWT access tokens. The "resource" parameter defined in RFC 8707 can work regardless of whether the format of access tokens is JWT or not. Therefore, it is not appropriate to discuss the necessity of the "aud" claim only in the context of "JWT" access tokens.

Regarding the "sub" claim, setting the client ID there, rather, will confuse resource servers. If the "sub" claim is set even in the case of the client credentials flow, resource servers cannot judge whether the "sub" claim represents either the subject of the resource owner or the client ID. On the other hand, if the "sub" claim is null or absent in the case of the client credentials flow, resource servers can always handle the value of the "sub" claim as the subject of the resource owner. For resource servers, this logic is easier. Setting the "sub" claim in every case to make resource server implementations simpler is not convincing.

Best Regards,

On Fri, Apr 24, 2020 at 2:15 AM Takahiko Kawasaki <<>> wrote:
First, to make the discussion fair, I think I should share what I observed today. Auth0's client_credentials flow requires an "audience" parameter, which is equivalent to the "resource" parameter defined in RFC 8707, and embeds the client ID in the generated JWT access token as the value of the "sub" claim.

My opinion as a software engineer is as follows.

The "aud" claim should be null or absent when the "resource" parameters are not given in an authorization request. It is not good to introduce inflexible rules to determine the default value for the "aud" claim based on the "scope" parameter.

The "sub" claim should be null or absent when a resource owner is not involved in an authorization request. To be concrete, the "sub" claim should be null or absent in the client credentials flow. The spec draft says in "5. Security Considerations" as follows.

- - - - - - - - - -
Authorization servers should prevent scenarios where clients can affect the value of the sub claim in ways that could confuse resource servers.  For example: if the authorization server elects to use the client_id as the sub value for access tokens issued client credentials grant, the authorization server should prevent clients to register an arbitrary client_id value, as this would allow malicious clients to select the sub of a high privilege resource owner and confuse any authorization logic on the resource server relying on the sub value.  For more details please refer to section 4.13 of [OAuth2.Security.BestPractices].

To preventing cross-JWT confusion, authorization servers MUST use a distinct identifier as "aud" claim value to uniquely identify access tokens issued by the same issuer for distinct resources.
- - - - - - - - - -

However, the attack vector is brought about merely by introducing the following rule defined in "2.2. Data Structure".

- - - - - - - - - -
In case of access tokens obtained through grants where no resource owner is involved, such as the client credentials grant, the value of sub SHOULD correspond to an identifier the authorization server uses to indicate the client application.
- - - - - - - - - -

If the rule is not introduced, the attack vector disappears and the "aud" claim doesn't have to be mandatory.

Finally, to make the discussion fair, I should also mention that I myself is a co-founder of Authlete, Inc. that provides an implementation of OAuth and OpenID Connect. My thoughts about implementations of access tokens are publicly described here:

OAuth Access Token Implementation

Best Regards,
Takahiko Kawasaki
Authlete, Inc.

On Wed, Apr 22, 2020 at 4:19 AM Vittorio Bertocci <<>> wrote:
Ouch! Sorry 😊 fixed

From: Dominick Baier <<>>
Date: Tuesday, April 21, 2020 at 10:23
To: oauth <<>>, Rifaat Shekh-Yusef <<>>, Vittorio Bertocci <<>>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Oh and while we are at it - could you also fix the typo in my name? Thanks ;)

Dominick Baier

On 21. April 2020 at 09:43:49, Vittorio Bertocci (<>) wrote:
This is a great point. In my head I just considered the OIDC semantic and thought only of highlighting the app identity case, but you are absolutely right that not mentioning the user case at all is confusing. I added the language you suggested at the beginning of the sub definition.

From: Dominick Baier <<>>
Date: Monday, April 20, 2020 at 22:54
To: oauth <<>>, Rifaat Shekh-Yusef <<>>, "<>" <<>>
Subject: RE: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

In case of access tokens obtained through grants where no resource owner is involved, such as the client credentials grant, the value of sub SHOULD correspond to an identifier the authorization server uses to indicate the client application.

Maybe I am missing something, but does it say anywhere what to explicitly do in the case of an access token where a resource owner is involved?

There’s some language that seems to imply that, e.g.:

as this would allow malicious

   clients to select the sub of a high privilege resource owner
I would have expected to see something stronger like above just -

In case of access tokens obtained through grants where a resource owner is involved, such as the authorisation code grant, the value of sub SHOULD correspond to the subject identifier of the resource owner.

If this spec is about interop, I think this should be at least a recommendation...

Dominick Baier

On 20. April 2020 at 09:48:51,<> (<>) wrote:
Thanks Dominick for your comments!

> All other OAuth specs make a very clear distinction between users and client.
There’s a nuance worth highlighting here: sub != user. In previous discussions on this topic it has been brought up that the JWT spec defines sub as identifying the principal that is the subject of the JWT, and that’s not necessarily limited to users.

However I get the potential confusion, and I am happy to add clarifying language if you have specific passages in the space you are particularly worried about: however I feel the matter is addressed upfront by the language in Section 2.2. in the sub entry, “In case of access tokens obtained through grants where no resource owner is involved, such as the client credentials grant, the value of sub SHOULD correspond to an identifier the authorization server uses to indicate the client application.“ and Section 5 has an entire paragraph discussing things to watch out in assigning sub values in the app identity case. Feel free to suggest additional language if you want to clarify further.

> sub has a different semantic here as in OIDC
The  spec refers to RFC7519 in the sub definition in 2.2, rather than OIDC, to preempt that concern and keep the original sub semantic available.

> I am not fully clear why aud is required.
Aud is there mostly because of three reasons:

•         Many existing specs postulate its existence in the token. No one declares it as a proper MUST (apart from the BCP, but that’s partial) however I think its importance comes across..
-Bearer token usage RFC6750 calls it out (in threat mitigation) as the mechanism to prevent token redirect (and adds scope restriction as also important, however here we make it optional to acocut for non-delegations scenario).
-Resource indicators RFC8707 refers to the same section of RFC7519 as one of the assumptions that must hold to prevent bearer tokens misuse
-BCP225 makes aud mandatory for AS which can issue JWTs for more than one app

•         Apart from Ping, for which some of its examples are without aud (but also without identifying scopes, given that the one I retrieved had only “openid”), all of the sample JWT ATs I received from vendors all featured an aud. I know one shoulnd’t overindex on those examples, but together with the above it seemed to point to something universally useful. One possible reason is that use of a format for the AT is correlated with topologies where AS and RS are separated by some boundary (network, logical, business, code factoring, etc) hence identifying the resource seems like a natural need. Again, not an iron clad law, but an indication.

•         A lot of people repurpose existing libraries for the JWT AT case, and some people even sends id_tokens in lieu of ATs. That doesn’t mean that we should condone any bad practices, but in tis particular case it suggests that lots of developers already expect/can handle an audience in the JWT used to call their API
None of those are a slam dunk argument for mandatory, but I find them compelling enough to simplify validation and just require an aud to be there, as opposed to introduce complications that make it conditional to the presence of scopes or other disambiguation.. One reason I feel pretty good about that is that adding a default audience isn’t very hard if any of the above assumptions end up not being true for a particular case

> What’s the rationale for using iat instead of nbf.
That’s just straight from OIDC ID_tokens, and the considerations about repurposing existing logic. I see there’s a thread on this specifically, let me answer further on that branch.

> This spec feels somehow in between a profile and a BCP
You are right that this spec attempts to go beyond just declaring a layout, and I agree this means that this profile will not apply to absolutely everyone. The reason I tried that route (at the cost of working way harder in the last year for reaching consensus than if we would have just listed the possible content), is that I often observe implementers make questionable choices because of the large leeway specifications allow. My hope was that the scope of this profile was small enough to make that extra level of guidance achievable, whereas trying to do the same with a larger spec would have been prohibitively expensive.
I believe things worked out well so far: we had lots of constructive discussions, and I ended up relaxing A LOT of the constraints I was originally envisioning. Nonetheless, my hope is that we identified the right set of guidelines that will help people actually interoperate out of the box for the most basic/common scenarios, as opposed to complying with the letter of the spec but still having a lot to figure out out of band.

From: OAuth <<>> On Behalf Of Dominick Baier
Sent: Thursday, April 16, 2020 12:10 AM
To: Rifaat Shekh-Yusef <<>>; oauth <<>>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Since this is the last call, I thought I bring up some of thoughts / concerns. Some of them have been discussed before.

client_id vs sub
I am still not entirely happy with the “re-purposing” of the claim types based on flow.
If the intention is, that sub expresses the entity against which the resource will do authorisation (and that might be a client or a user) - I get it (and maybe it should be stated like that) - but
this thinking reminds me of the old AD days where there was no distinction between user and service accounts (something that has been fixed IIRC in Windows Server 2012 R2).

All other OAuth specs make a very clear distinction between users and client.

Furthermore it says

"Authorization servers should prevent scenarios where clients can
   affect the value of the sub claim in ways that could confuse resource

If we keep that dual semantics of the sub claim - it must be clearly stated, that subject ID and client ID are now in the same collision domain. So when an AS / OP creates them, they need to be unique across user ids and client ids.

Maybe it should be also explicitly mentioned that sub has a different semantic here as in OIDC - even though a majority of the software built today will use them together.

audience claim
I am not fully clear why aud is required. OAuth itself does not have a notion of an audience (in the JWT sense) - they have scopes (which is very similar). But in simple scenarios where resources don’t exist, you'd need to make up an audience just to fulfil this requirement. And in many case this will be either static or just repeat the scope values. What’s the value of that?

If the concept of resources are used, I absolutely agree that aud should be used too. But I wouldn’t make it required.

iat vs nbf
What’s the rationale for using iat instead of nbf. Aren’t most JWT libraries (including e.g. the .NET one) looking for nbf by default?

This spec feels somehow in between a profile and a BCP. On one hand you define some claims and their semantics (good) - on the other hand there is some prescriptive guidance and maybe over-specification. My concern is, that in the end no-one will fully comply with it, because it doesn’t work one way or the other for them.

I know we just went though the discussion to make certain claims required as opposed to optional - but maybe less is more.

Tbh - the most valuable part of the doc to me is the definition of the “at+jwt” typ. For the rest I’d rather like to see just some standard claims and IF they are used, which semantics they have.

Dominick Baier

On 15. April 2020 at 20:59:31, Rifaat Shekh-Yusef (<>) wrote:
Hi all,

This is a second working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".

Here is the document:

Please send your comments to the OAuth mailing list by April 29, 2020.

 Rifaat & Hannes

OAuth mailing list<>
OAuth mailing list<>