IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

Vittorio Bertocci <Vittorio@auth0.com> Mon, 06 May 2019 21:49 UTC

Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8218712004D for <oauth@ietfa.amsl.com>; Mon, 6 May 2019 14:49:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tku5o8_yGSFa for <oauth@ietfa.amsl.com>; Mon, 6 May 2019 14:49:29 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8ADBC12002F for <oauth@ietf.org>; Mon, 6 May 2019 14:49:29 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id u27so9987106lfg.10 for <oauth@ietf.org>; Mon, 06 May 2019 14:49:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5B6FLB64S/vOdGSp96IvTocxea/ApiG0mk1AkK6Wwq8=; b=DlW71Ifs6LU6sODWu1ly0uYdlLKc9OjfPmV7QJtfW6yp/5R91Qll7rhS1FvJdTjRvz s6dIJZXvXdqTcW7YOpLozda6Fc14bj2Vic7DgLBpZWdKHu0eDQqHqarp09OknxFj8OpW Gzf6nrEcicg0VuVHshXzfUbwVXgp28XpFFqNrJ5OfAkXDg4t4TlPPQfrWVhwPyiZb6qC PYPXb7paT4iXXGAfLy45e0IAsnFaSW9EGIzt8CVAoKIk4UXCGimXC7HoW2fTucUNK0Jn 01A9iQHDUd7hywpGOTyV/jX6Z/DrBpUnNr3OxaQbeyh7mNETLUlD0nx/JLV84ZiLnrwi ssMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5B6FLB64S/vOdGSp96IvTocxea/ApiG0mk1AkK6Wwq8=; b=QHdhfr+P6/4Qku79nPPhfKofMFs72zqChbRt9jSPQ22/H9kUjJLU3PGiFMovZwVfO6 nXnqTCtihg/0Ie/6Foo9oPhlvKzk0siMvfk5STs39WEqP8zRcxwtmMu5r1zLyS84JOu0 7QK70cP6puzBj5HQ/O607sFoTGtUjFi0THKzO7NCtuSTNatrJjQ0EbVB3wTrXVOpacyc YzEaaCljN2SETkvDqqYFROXjdVEQZ1IDDloXJMBL8Xu5iR3PKUWztRi9TrF3C3M+3kQx 1zOtdb+ECJmdaZfPm3CbeQdSoxdmxd1kNg9msf+snVQ+RlqFuLGxoT1k3XTy4QHRvoOs G1qw==
X-Gm-Message-State: APjAAAUqBV+1+QxCKQgfGZuWCjWxId0ZhKZ7ZsqqCdYD3ezLVHSvxb1B +ddfuDUp4qF95aO5cEFKaTnfsF/HU22E2ERbBRDpeQ==
X-Google-Smtp-Source: APXvYqwMT5kbE5SOyAZveZq4JpHgaPzrqHSn3j12kyjEUj8zoyvjAvV8c80t+mX+u2TrFVh7/m7CjDqxi9jUIV6MlpQ=
X-Received: by 2002:ac2:51a1:: with SMTP id f1mr13017102lfk.129.1557179367461; Mon, 06 May 2019 14:49:27 -0700 (PDT)
MIME-Version: 1.0
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <CAHsNOKewL9xCFt6SsP4dz+W0CN_NUZaGMJahF7mSgos_Xbnhhw@mail.gmail.com> <CAO_FVe7c6jLRJ8mD7gw=a6NY3oZcgCh_b5dR8uRXa6Q2c2gmGg@mail.gmail.com> <CA+iA6uje229zrAos3c1TCuJEM+2vmVifNQ2FnKDuj2T4ET2SYA@mail.gmail.com> <a34edf0e-012a-ecc9-e547-3cdc61dca5a4@aol.com> <CA+iA6uh6Q901wEaqGSK7An0z0_iJTjCfvPVN44Qwpb=M_rDONg@mail.gmail.com> <239f40ab-da4d-03fe-4524-0b21a0bcc63e@aol.com> <SN6PR00MB0304BC3C7D438F8A5715B36DF5500@SN6PR00MB0304.namprd00.prod.outlook.com> <CA+iA6ugr+xPfeTFXK2gGBFX8Yw+zGArGfav=Ci5A3qNYUqB7rw@mail.gmail.com> <SN6PR00MB030459810B40D98370728BBAF5500@SN6PR00MB0304.namprd00.prod.outlook.com> <CA+iA6ug1NOpMcPsSr8o24CM3xWy-3z_pxiZhiyPeKxvScMACmg@mail.gmail.com> <CAO_FVe4AP5aWgXAAGj1QxPDFPjyfeaZGWd-b5azrz=ajuHuJdQ@mail.gmail.com> <3ec04cf7-e0ed-2b9a-20f7-a94dea4d559b@connect2id.com> <CAO_FVe6sLxbkk0tEjH5sb8k36q4_sJLU6HAgU05fAqOGaqo8MA@mail.gmail.com> <61adde0e-8709-5b88-8b64-ac8cc4549f51@connect2id.com> <CAO_FVe4HQKPvL5bdbAerHRU0TCiZKLJS9JgDrYkXNokri9oBaA@mail.gmail.com> <2C153797-C5AD-410D-A52E-B87DBA19DF99@okta.com> <CA+iA6uig=Pud6h8T=n9rY7vvkc97=80K-0JQOXhgv2mQBt3kPQ@mail.gmail.com>
In-Reply-To: <CA+iA6uig=Pud6h8T=n9rY7vvkc97=80K-0JQOXhgv2mQBt3kPQ@mail.gmail.com>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Mon, 06 May 2019 14:49:16 -0700
Message-ID: <CAO_FVe67X4mwCAUv=GHkBByaGKyb2JcMtna+UKNatxjfiGw5OQ@mail.gmail.com>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: IETF oauth WG <oauth@ietf.org>, Karl McGuinness <kmcguinness=40okta.com@dmarc.ietf.org>, Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000cb1c305883f13a2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/c2XOlkHZ0s9yIh2M_OJdeyph04s>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2019 21:49:32 -0000

See below, Hans- the sub doesn’t have to be global, it could be something
generated just for this particular RS. Or the AS might have its own recipe
for generating sub values that different from the recipe used to generate
client_ids. It would be much easier for an AS to emit a claim making this
explicit statement than to change sub and client_id assignment logic.

On Mon, May 6, 2019 at 13:49 Hans Zandbelt <hans.zandbelt@zmartzone.eu>
wrote:

> I may be missing something but I'd argue that by requiring and comparing
> both "sub" and "client_id" we achieve the same semantics without a
> new/additional claim (barring name spacing)
>
> Hans.
>
> On Mon, May 6, 2019 at 8:58 PM Karl McGuinness <kmcguinness=
> 40okta.com@dmarc.ietf.org> wrote:
>
>> Makes sense that we don’t want to further couple AS and RS with grant
>> types.  I’m OK if we want a dedicated claim to establish whether the token
>> is resource owner delegated  vs client acting as itself.
>>
>> Subject Type is already a concept in RISC.  Just making folks are aware
>> of prior art.
>>
>> https://openid.net/specs/oauth-event-types-1_0-01.html#rfc.section.2.2
>> https://openid.net/specs/openid-risc-profile-1_0.html#rfc.section.2.1
>>
>> -Karl
>>
>> On May 6, 2019, at 12:42 PM, Vittorio Bertocci <
>> Vittorio=40auth0.com@dmarc.ietf.org> wrote:
>>
>> *This message originated outside your organization.*
>> ------------------------------
>> Fair enough! What others think about it?
>> Exploring the approach: would we want a bool claim or an enumeration,
>> e.g. sub_type = [ resource_owner | client ] ?
>>
>>
>> On Mon, May 6, 2019 at 12:35 PM Vladimir Dzhuvinov <
>> vladimir@connect2id.com> wrote:
>>
>>> Hi Vittorio,
>>>
>>> On 06/05/2019 22:22, Vittorio Bertocci wrote:
>>> > It is true that the grant_type is a client side consideration. I did
>>> think
>>> > about the "client_id==sub" heuristic, but that's not always applicable:
>>> > many systems have their own rules for generating sub, and in case they
>>> want
>>> > to prevent tracking across RSes the sub might be generated ad-hoc for
>>> that
>>> > particular RS.
>>> > Would you prefer to have a dedicated claim that distinguish between
>>> user
>>> > and app tokens rather than reusing grant_type?
>>>
>>> A dedicated claim to flag client_id effectively == sub would be
>>> preferable, and much easier for RS developers to process.
>>>
>>> The AS is the authority and has all the knowledge to set / indicate this.
>>>
>>> I want to keep RS developers away from having to deal with grant types
>>> and having to make decisions whether client_id effectively == sub.
>>>
>>> Vladimir
>>>
>>>
>>> > On Mon, May 6, 2019 at 12:16 PM Vladimir Dzhuvinov <
>>> vladimir@connect2id.com>
>>> > wrote:
>>> >
>>> >> On 06/05/2019 20:32, Vittorio Bertocci wrote:
>>> >>> To that end, *Karl MCGuinness suggested that we include
>>> >>> grant_type as a return claim, which the RS could use to the same
>>> >> effect*. I
>>> >>> find the proposal very clever, and the people at IIW thought so as
>>> well.
>>> >>> What you think?
>>> >> The grant type is not something that the RS is really concerned with,
>>> or
>>> >> should be. Introducing this parameter in the access token will create
>>> an
>>> >> additional logical dependency, plus complexity - in the system of
>>> >> client, AS and RS as a whole, as well as for RS developers. The grant
>>> >> type, as a concept, is a matter between the client and AS, and IMO
>>> >> should stay that way.
>>> >>
>>> >> Clear language in the spec should suffice. For instance: "If the sub
>>> >> value matches the client_id value, then the subject is the client
>>> >> application".
>>> >>
>>> >> Vladimir
>>> >>
>>> >> --
>>> >> Vladimir Dzhuvinov
>>> >>
>>> >>
>>> >> _______________________________________________
>>> >> OAuth mailing list
>>> >> OAuth@ietf.org
>>> >> https://www.ietf.org/mailman/listinfo/oauth
>>> >>
>>> --
>>> Vladimir Dzhuvinov
>>>
>>>
>>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>>
>
> --
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email