Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

[Nikos Fotiou <fotiou@aueb.gr>]

Just a general comment, OIDC has been designed for a specific reason (“identity layer on top of the OAuth 2.0”) whereas JWT access tokens are used for more applications. Since the goal of this specification is to “provide a standardized and interoperable profile as an alternative to the proprietary JWT access tokens layout”,  I feel it is restrictive.

 

Best,

Nikos 

 

From: Vittorio Bertocci <Vittorio@auth0.com> 
Sent: Tuesday, March 24, 2020 7:57 PM
To: Nikos Fotiou <fotiou@aueb.gr>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

 

Hi Nikos,

thanks for taking the time to review and write down your feedback!

Inline

 

- In Section 2.2 why nbf claim (https://tools..ietf.org/html/rfc7519#section-4.1.5) <https://tools.ietf.org/html/rfc7519#section-4.1.5)>  is not considered? I can imagine some interesting applications of this claim.  

The validation rules are partly following the ones defined in OpenID Connect, given that a lot of in market deployments reuse some low level JWT validation components.

 

  - In the same section, it is not clear why some claims are required, especially exp, sub, and client_id. The last two claims are not even used during token validation. 

 Being this an interop profile, it reflects the information commonly found in many existing JWT based access tokens solutions in the wild. Both sub and client_id provide information that proved to be useful to RSes and SDKs/middlewares, hence guaranteeing their presence will help creating reusable libraries with broader applicability. The AS has ready access to that info, and there are no obvious security reasons for omitting them. Also, sub and exp are both required in OIDC, and clientID is available via aud (also required) - hence requiring their presence helps developers to reuse existing validation logic to at least some extent.

 

  - RFC7519 specifies that, in the general case, the aud claim is an array of StringOrURI values. In this draft it is not clear if this still the case, or here aud is a simple string (e.g., in page 5 it is stated: the resource indicated in the aud claim, rather than the resource*s*).  

For simplicity, and above all for avoiding ambiguity in evaluating to what resource the granted scopes should be applied to, the idea would be to restrict to a single string.

 

  - In the token validation procedure, i.e., Section 4, is there any reason why the resource server first checks the aud claim, then the signature, and finally the exp claim? Given the fact that Error responses are not specified, returning something like “invalid aud claim” even for tokens with invalid signature may result in privacy/security attacks. 

 The sequence of those checks follows https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation.  As OIDC doesn't define error responses nor call this aspect out in the security considerations, I largely relied on this being mainstream.

 

  - IMHO The token validation procedure it too bound to the particular discovery mechanisms mentioned at the beginning of this section. E.g., Step 2 mentions a “registration” process, and Step 3 mentions and an “Issuer Identifier” which must much the iss claim. Moreover, I think it should be explicitly mentioned that the resource server “must validate that the JWT access token has been singed with a signing key that corresponds to the authorization server included in the iss claim”    

As per the other points, the language follows closely OIDC. 

The step does contain the phrase "The resource server MUST use the keys provided by the authorization server." Do you feel the language should be more explicit? The document doesn't specify any other mechanism for acquiring keys, hence it shouldn't be too ambiguous... but we can always tighten it up.

 

 

On Mon, Mar 23, 2020 at 6:32 PM Nikos Fotiou <fotiou@aueb.gr <mailto:fotiou@aueb.gr> > wrote:

Hi all,

 

Allow me some comments and forgive me if some of them are naïve.

- In Section 2.2 why nbf claim (https://tools..ietf.org/html/rfc7519#section-4.1.5) <https://tools.ietf.org/html/rfc7519#section-4.1.5)>  is not considered? I can imagine some interesting applications of this claim.

- In the same section, it is not clear why some claims are required, especially exp, sub, and client_id. The last two claims are not even used during token validation.

- RFC7519 specifies that, in the general case, the aud claim is an array of StringOrURI values. In this draft it is not clear if this still the case, or here aud is a simple string (e.g., in page 5 it is stated: the resource indicated in the aud claim, rather than the resource*s*).

- In the token validation procedure, i.e., Section 4, is there any reason why the resource server first checks the aud claim, then the signature, and finally the exp claim? Given the fact that Error responses are not specified, returning something like “invalid aud claim” even for tokens with invalid signature may result in privacy/security attacks.

- IMHO The token validation procedure it too bound to the particular discovery mechanisms mentioned at the beginning of this section. E.g., Step 2 mentions a “registration” process, and Step 3 mentions and an “Issuer Identifier” which must much the iss claim. Moreover, I think it should be explicitly mentioned that the resource server “must validate that the JWT access token has been singed with a signing key that corresponds to the authorization server included in the iss claim”  

 

 

Best,

Nikos

 

From: OAuth <oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> > On Behalf Of Hannes Tschofenig
Sent: Monday, March 23, 2020 11:18 PM
To: oauth <oauth@ietf.org <mailto:oauth@ietf.org> >
Subject: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

 

Hi all,

 

this is a working group last call for "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".

 

Here is the document:

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04 

 

Please send you comments to the OAuth mailing list by April 6, 2020.

 

Ciao

Hannes & Rifaat

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. 

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth