Re: [OAUTH-WG] draft-ietf-oauth-jwsreq-21

Nat Sakimura <sakimura@gmail.com> Tue, 09 June 2020 05:20 UTC

Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF24F3A093C for <oauth@ietfa.amsl.com>; Mon, 8 Jun 2020 22:20:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PoIY_iihB_kL for <oauth@ietfa.amsl.com>; Mon, 8 Jun 2020 22:20:02 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27C4D3A0938 for <oauth@ietf.org>; Mon, 8 Jun 2020 22:20:02 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id r9so1531232wmh.2 for <oauth@ietf.org>; Mon, 08 Jun 2020 22:20:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nVKv2PKRA5D5jk/4m5P3dz73DwFlq8y8Na8cLmyM97A=; b=Grj9umYG/t8pqOlwFPdtRIZzmp5xyek+MIaSLKff2hfwBMou5wL8jmih6d1NM8c2kU JdBEv2OVeXh/rI0+X4rRHvtnwsBmhw0R0vQU68wUsf/65FD4AsmVYPiA5bLofxxmD7b8 /zcLxEA5xBGurM2mTAcjAlVRs0QlQbmq1fK5KWwRhKnJr//kjTuCt8g3EVFLnlCId/9a rSGkme5Leh15E00D934eYCGm2iTfFbwvlACxRSAVdi2qkcrV0nW1T4W1j/NAI+xJm38V ghFyXhtDCzi3oyUigW/foFnBvnQd6YCxErcJE5WrZmBS9hY1BzOST3pp9PFtuXAVMfq2 gi0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nVKv2PKRA5D5jk/4m5P3dz73DwFlq8y8Na8cLmyM97A=; b=C88cv2hrcWN3Md/Ax2GCMaNFaQcozSZzzBpQSsKFRgdm7qsI/8XDWOzfdZ6I3qjd0l Wx37RilVGgYL2d5dRQI6lEHim4jXgawXVOuoH0j0TOW6rU80SPqlX+GKdhg7hfkwzdF3 9u/NWTI7GyTrt6ldOvNjboeBQEF4ZL8UjhkxK5no5eMMqa318iY9b3LFNC06WBCrLWhc 1P4ps99lrsdbQG/YaHYW9mi4cBiZceu0K0d2bP5/l6aXXBhFpf07UxXiHLXJYa44CX+I zjvhykde7bAqIA4S1Lzkb8e45UXqSSCUPbeowdMNKsI58DKPAtnZrQfY2AqG1oCb9No+ oz2w==
X-Gm-Message-State: AOAM532GoSFAoPChHxWl6yVtBAjjfZqBHvmCt+YYqaMhOlITSWJ7eFhj NUr9qE1ZkOhGPpiZ4vkqmHHZ2lw3vDvttCztukk=
X-Google-Smtp-Source: ABdhPJxwIsESDTKohRhtY9mw/P78vGumn8FJeRDj+Wr8f4r6pSW6qeAhA2A/DmX7R5UdZvb268ih8O2d1Dh7P9gv2lM=
X-Received: by 2002:a05:600c:4152:: with SMTP id h18mr2207696wmm.189.1591680000287; Mon, 08 Jun 2020 22:20:00 -0700 (PDT)
MIME-Version: 1.0
References: <Mailbird-635821db-1f3a-4def-b157-a92bb7dddcdf@gmail.com>
In-Reply-To: <Mailbird-635821db-1f3a-4def-b157-a92bb7dddcdf@gmail.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 09 Jun 2020 14:19:49 +0900
Message-ID: <CABzCy2BCPoq5x_n--PKd=5bF2nK3aaRq1SZop69S15YBQUF9Tw@mail.gmail.com>
To: Brock Allen <brockallen@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000367e305a79fe17f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dL6eH24yTrpLk56aiYXewT5oLMs>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-jwsreq-21
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jun 2020 05:20:04 -0000

Hi Brock,

Starting from the easy one: 3) has been addressed. It does not break the
existing OIDC implementation either as there is no requirements as to the
mime-type checking there.

Now, 2) will break all OIDC implementations. It is quite late to bring this
in and I and my colleagues did not find security benefit that balances such
breaking change.

I could add 1) as an optional claim though.

Best,

Nat Sakimura

On Thu, May 7, 2020 at 10:32 PM Brock Allen <brockallen@gmail.com> wrote:

> Perhaps quite late, but a few comments/questions related to this:
>
> 1) When decoded, all the JWT samples are missing the "typ" claim from the
> header, which I think should be "oauth.authz.req+jwt".
>
> 2) When validating the JAR if we are to validate the "typ" then this would
> be incompatible with OIDC's request object, I think?
>
> 3) When the JAR is passed by reference, then the HTTP response
> Content-Type of "application/oauth.authz.req+jwt" would also seem to break
> or be incompatible with OIDC's request object passed by reference?
>
> There might need to be clarification when mixing this w/ an OIDC OP
> implementation.
>
> TIA
>
> -Brock
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en