[OAUTH-WG] JSON Web Token Best Current Practices is now RFC 8725 and BCP 225

Mike Jones <Michael.Jones@microsoft.com> Wed, 19 February 2020 23:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cd-JJswIFgTQeyWV7tvpbjQ-Ez4>

The OAuth 2.0 Token Exchange specification is now RFC 8725<https://www.rfc-editor.org/rfc/rfc8725.html> and BCP 225<https://www.rfc-editor.org/info/bcp225>.  The abstract of the specification is:

JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity and in other application areas. This Best Current Practices document updates RFC 7519 to provide actionable guidance leading to secure implementation and deployment of JWTs.

The JSON Web Token (JWT) specification [RFC 7519<https://tools.ietf.org/html/rfc7519>] was approved in May 2015<https://self-issued.info/?p=1387>, almost five years ago, and has been in production use since at least 2013.  This Best Current Practices<https://tools.ietf.org/html/rfc1818> specification contains a compendium of lessons learned from real JWT deployments and implementations over that period.  It describes pitfalls and how to avoid them as well as new recommended practices that enable proactively avoiding problems that could otherwise arise.  Importantly, the BCP introduces no breaking changes to the JWT specification and does not require changes to existing deployments.

The BCP came about as JWTs were starting to be used in new families of protocols and applications, both in the IETF and by others.  For instance, JWTs are being used by the IETF STIR working group to enable verification of the calling party's authorization to use a particular telephone number for an incoming call, providing verified Caller ID<https://self-issued.info/?p=2045> to help combat fraudulent and unwanted telephone calls.  The advice in the BCP can be used by new JWT profiles and applications to take advantage of what's been learned since we created the JSON Web Token (JWT) specification over a half decade ago.

                                                       -- Mike

P.S.  This notice was also posted at https://self-issued.info/?p=2052 and as @selfissued<https://twitter.com/selfissued>.