IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

Dominick Baier <dbaier@leastprivilege.com> Mon, 25 March 2019 13:41 UTC

Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A87801203EF for <oauth@ietfa.amsl.com>; Mon, 25 Mar 2019 06:41:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kxqjUMBLkq9c for <oauth@ietfa.amsl.com>; Mon, 25 Mar 2019 06:41:19 -0700 (PDT)
Received: from mail-qt1-x841.google.com (mail-qt1-x841.google.com [IPv6:2607:f8b0:4864:20::841]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68DEB120381 for <oauth@ietf.org>; Mon, 25 Mar 2019 06:41:19 -0700 (PDT)
Received: by mail-qt1-x841.google.com with SMTP id x12so10244813qts.7 for <oauth@ietf.org>; Mon, 25 Mar 2019 06:41:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leastprivilege-com.20150623.gappssmtp.com; s=20150623; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=GcH7n9LZKhrjz9Za2YHT+z8RwOzynyCghKl0w9fiSBM=; b=ITFwxWfo0f4zqwUxiAuI2HWwBwZgMBbSnwAZyUw7uj/k6zs2nF6CZNKWrKosChKY7S 5H9FJtkHjY2azw5IAquRSoFLCTu8qPi5Iw4TIIRxO4+ErFks0AY/YhbRqyIv53GcqIIB mAdbRMCDgGaNk6ndCUslIj/bjSELvgsiIAZ+vpqDjmMjyyQAXUNHP+qEkbdY3ktR4wtB DsMyCZYYP/l+J1/2Wt9l9Zg/7shiRuaJWV842Y2GeO7v3C0N2e175xXRC22w10CjRyIY Unj8EZr0FPgN8C2+AItICq7sbNP6yKpNuszyU6fDBlinZEid3Fo6q+BP/zm2rASxp/XI i09w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=GcH7n9LZKhrjz9Za2YHT+z8RwOzynyCghKl0w9fiSBM=; b=Y8M6Itk8JH9Stpv6RInGjxsa3yFiqYl9zIeAq0ZcQRSaY/0uP6mu3KevOblBSHtQI/ 4CzpKpajsGk6dkOP8o98nSG28vBuzmsDEqInsUM/M5GBxFiPNt3kulZVYbaJ5LZHJsFS iQPsazUZtGaoBZ/zWVVnK2kK+gsKMj1QvztYwcTt0JXVRPnkq+UgUbq8396fqEAldCPb +FqHfVzSjt3uxi7suLzPpU+7wPo4BfJmnb3Pojz1hGkJs2ucfaMEjqAex317uh6pI5h8 GhKNapF+QH7OT/ruRIB6M9biAZn4loB4GyuHiZa5x352LnLzuTUp+N6dc3Ej9roBf1JR PtFg==
X-Gm-Message-State: APjAAAWGSUD2Verw34UQnczClStjhCLSGQ1PSiJXriM3u8+vJFxePIe2 c1VVt6b/kKFfDgX31MQ9cnI1i4SjKjKSl0dwdi2Y
X-Google-Smtp-Source: APXvYqxdY6NqIFOT1JUKfyjLynD8668O86lZZKV8rfD/rUjfWiercySuyEP1SxPPEIzRvaL3qFVNrrItCPXh6NA6KvU=
X-Received: by 2002:a0c:d155:: with SMTP id c21mr20291096qvh.64.1553521278424; Mon, 25 Mar 2019 06:41:18 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Mon, 25 Mar 2019 06:41:17 -0700
From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com>
MIME-Version: 1.0
Date: Mon, 25 Mar 2019 06:41:17 -0700
Message-ID: <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com>
To: Nov Matake <matake@gmail.com>, vittorio@auth0.com
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f3ad7f0584eb5b0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/d7lznaqEAtyy5yLGa2zUoqk3X-E>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 13:41:23 -0000

IMHO the sub claim should always refer to the user - and nothing else.

OIDC says:

"Subject - Identifier for the End-User at the Issuer."

client_id should be used to identify clients.

cheers
Dominick

On 25. March 2019 at 05:13:03, Nov Matake (matake@gmail.com) wrote:

Hi Vittorio,

Thanks for the good starting point of standardizing JWT-ized AT.

One feedback.
The “sub” claim can include 2 types of identifier, end-user and client, in
this spec.
It requires those 2 types of identifiers to be unique each other in the IdP
context.

I prefer omitting “sub” claim in 2-legged context, so that no such
constraint needed.

thanks

nov

On Mar 25, 2019, at 8:29, Vittorio Bertocci <
vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:

Dear all,
I just submitted a draft describing a JWT profile for OAuth 2.0 access
tokens. You can find it in
https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting
remotely). I look forward for your comments!

Here's just a bit of backstory, in case you are interested in how this doc
came to be. The trajectory it followed is somewhat unusual.

   - Despite OAuth2 not requiring any specific format for ATs, through the
   years I have come across multiple proprietary solution using JWT for their
   access token. The intent and scenarios addressed by those solutions are
   mostly the same across vendors, but the syntax and interpretations in the
   implementations are different enough to prevent developers from reusing
   code and skills when moving from product to product.
   - I asked several individuals from key products and services to share
   with me concrete examples of their JWT access tokens (THANK YOU Dominick
   Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian
   (Microsoft), Karl Guinness (Okta) for the tokens and explanations!).
   I studied and compared all those instances, identifying commonalities
   and differences.
   - I put together a presentation summarizing my findings and suggesting a
   rough interoperable profile (slides:
   https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx
   <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>
   ) - got early feedback from Filip Skokan on it. Thx Filip!
   - The presentation was followed up by 1.5 hours of unconference
   discussion, which was incredibly valuable to get tight-loop feedback and
   incorporate new ideas. John Bradley, Brian Campbell Vladimir Dzhuvinov,
   Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there and
   contributed generously to the discussion. Thank you!!!
   Note: if you were at OSW2019, participated in the discussion and didn't
   get credited in the draft, my apologies: please send me a note and I'll
   make things right at the next update.
   - On my flight back I did my best to incorporate all the ideas and
   feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat,
   Hannes and above all Brian were all super helpful in negotiating the
   mysterious syntax of the RFC format and submission process.

I was blown away by the availability, involvement and willingness to invest
time to get things right that everyone demonstrated in the process. This is
an amazing community.
V.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email