Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

"Manger, James" <James.H.Manger@team.telstra.com> Wed, 13 May 2020 00:35 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46C943A0CC0 for <oauth@ietfa.amsl.com>; Tue, 12 May 2020 17:35:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.995
X-Spam-Level:
X-Spam-Status: No, score=-1.995 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=team.telstra.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u2mL9oaHO9XF for <oauth@ietfa.amsl.com>; Tue, 12 May 2020 17:35:05 -0700 (PDT)
Received: from ipxano.tcif.telstra.com.au (ipxano.tcif.telstra.com.au [203.35.82.200]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41C923A0CB4 for <oauth@ietf.org>; Tue, 12 May 2020 17:35:04 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.73,385,1583154000"; d="scan'208,217";a="364136051"
X-Amp-Result: SKIPPED(no attachment in message)
Received: from unknown (HELO ipcbni.tcif.telstra.com.au) ([10.97.216.204]) by ipoani.tcif.telstra.com.au with ESMTP; 13 May 2020 10:35:02 +1000
Received: from wsapp5863.srv.dir.telstra.com ([10.75.131.32]) by ipcbni.tcif.telstra.com.au with ESMTP; 13 May 2020 10:35:02 +1000
Received: from wsapp5584.srv.dir.telstra.com (10.75.131.20) by wsapp5863.srv.dir.telstra.com (10.75.131.32) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 13 May 2020 10:35:01 +1000
Received: from AUS01-ME1-obe.outbound.protection.outlook.com (10.172.229.125) by wsapp5584.srv.dir.telstra.com (10.75.131.20) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Wed, 13 May 2020 10:35:01 +1000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=QCpOkjSk8gEBxMx5BpZ2EHGo44TazRKkJw0cSgc9Hy0S0+5j6bMreGggg4VE8urQ5Mvqxg1ILJRCCPMHDAqAXURJWQ7AR/DmvWqqAblBv2o8YnHG1aau+xb8pHo1Yw2iun4tenVuA/+T70E9r2ExQlj34xqBbny2qWkxrm9O/A4+RgLD+KGwcm6flTAeQMyFkxu6OsJcZscZmZn5Xl1nlLaFUTHX2vYnsq91F2PL81hy06gP8DYbFSS0riS464Vf0FzDHcQjctrEhcHzD8ootePOT83hXS8tG9sMRXnhVL805kVxY32pGrQH3/qGwX0dSN33LAy7y9jZ3vd3DigZIQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h12VQVyDx2peqSA0y9hzHYHVaXzrWN1kCBdQ8rNGWhI=; b=CG/GNqZLBxBRekj3mNTwTdkyUex7V3eZP5kpILNnkUq+6nZum7Q7rDlMdkGdQhXngBmL+W98dIzUAGTo1H7MpzZ4qsAb0u7Q9gWQRXPb9UVQAKqWc36mjqNAeBqrPcN+/hk+h0nFcRJb6yv+Jve6HCuYH3sZai+ywqULssYtILGWReeVAntNrYAk6gOt5f+5O9bqsmrN0+X8Flq+tTRgtspJmDJD+3na6TGFHInDFcnzxTAZT/ew6QdWcEgaIItyp78ymPxdFxhez9iG59FSHqAg9CCqML6nC0Dw5Bvm+JRhznFMwqlJB+OdV4T14VFSxSU1OVQk3/jYRQNNuSTrOg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=team.telstra.com; dmarc=pass action=none header.from=team.telstra.com; dkim=pass header.d=team.telstra.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.telstra.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=h12VQVyDx2peqSA0y9hzHYHVaXzrWN1kCBdQ8rNGWhI=; b=DlS70ovaPi8rZl56CuWCtx9wKJa1SYTjYB4UyGKPGPNnl+YGU8AakJZgZ7GxvZSRdyrJJEnaEBCPbX5x7PdH2l0F0BCvwXH82Vv9oFPyzmIDKZKklFDQyxoM4/K5k8wLnEIjG5H2vtux2eAdD46ab7qp5kkB0z3PUgB/VMLhPrM=
Received: from MEXPR01MB1702.ausprd01.prod.outlook.com (2603:10c6:200:16::7) by MEXPR01MB0647.ausprd01.prod.outlook.com (2603:10c6:200:1::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2979.27; Wed, 13 May 2020 00:34:59 +0000
Received: from MEXPR01MB1702.ausprd01.prod.outlook.com ([fe80::4d7:1b54:6ee:bb6a]) by MEXPR01MB1702.ausprd01.prod.outlook.com ([fe80::4d7:1b54:6ee:bb6a%3]) with mapi id 15.20.3000.016; Wed, 13 May 2020 00:34:59 +0000
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Denis <denis.ietf@free.fr>, Vittorio Bertocci <vittorio.bertocci@auth0.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
Thread-Index: AQHWE1gGZMyrQ8qcS0qZND1RXU6Qz6iQWrGAgAAd5wCAAQopAIAGCOCAgABNT4CABzkQAIAD6DkAgAAPooCAALboAIAAL3MAgAAoywCAAEcSAIAABu/QgAAnUoCAALHBcA==
Date: Wed, 13 May 2020 00:34:59 +0000
Message-ID: <MEXPR01MB17029BA84DD7161D89D8D1B6E5BF0@MEXPR01MB1702.ausprd01.prod.outlook.com>
References: <CAGL6epKuHTqLrZEjm0goKV+3jaPfTkN_JSLc0jfQyPqNzeP3aA@mail.gmail.com> <125f32d3-dd3b-3add-1172-391acd831cde@free.fr> <MWHPR19MB150159025ECBAD75B6DDE1DFAEAD0@MWHPR19MB1501.namprd19.prod.outlook.com> <79748d92-c084-c6f9-20b1-163cb5760d11@free.fr> <20200504055923.GH27494@kduck.mit.edu> <7ebcabb3-3160-37dd-2dac-407744084c33@free.fr> <20200509005408.GA27494@kduck.mit.edu> <22f844b4-966d-936d-df7c-ef7b8788b0aa@free.fr> <CAMVRk+Ln4xo_3pC6ALf0rp3+7gHyvO1zV=+NsA2pW4AZJ=1JAw@mail.gmail.com> <MWHPR19MB1501B1F305C170BCA0FD01F6AEBE0@MWHPR19MB1501.namprd19.prod.outlook.com> <CA4B872F-C0A1-4011-9221-B27CB45C41AB@gmail.com> <MWHPR19MB15018666981170A2DAA7B0D7AEBE0@MWHPR19MB1501.namprd19.prod.outlook.com> <0c7942f8-f94b-f0a9-cec1-cfa9803d4db6@free.fr> <MEXPR01MB1702E09FD7E18BF36B05A05DE5BE0@MEXPR01MB1702.ausprd01.prod.outlook.com> <c8f80b73-3713-afd6-f5ec-5b604c3c72cf@free.fr>
In-Reply-To: <c8f80b73-3713-afd6-f5ec-5b604c3c72cf@free.fr>
Accept-Language: en-AU, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.1.100.23
dlp-reaction: no-action
authentication-results: free.fr; dkim=none (message not signed) header.d=none;free.fr; dmarc=none action=none header.from=team.telstra.com;
x-originating-ip: [144.132.40.82]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 314baf6a-7f0d-435d-e94f-08d7f6d577e6
x-ms-traffictypediagnostic: MEXPR01MB0647:
x-microsoft-antispam-prvs: <MEXPR01MB0647D50291672CA9C5643975E5BF0@MEXPR01MB0647.ausprd01.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0402872DA1
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: mx184ge0KH+4lECxOGcsfZje4m4tgrZlxNSoyFEK0aTXs+fO8652ZivextpXESD7lqNt+eoXdGHnf9aYDN6l4giddtjPTzaCXv8S683zA1lOTNUanKrkoX9g86WXPpD2zb7+FjsTRsEHRQTJ2V6W0vusSUFpOdDZ9BRp3a3pF+yYRs1qP7I0tNB+C8DqxQ0TU7pPMVIGgHMAOuN11/Rze7RmuzJoUzZttcf2WN89M5Q9uHF+glctFhrJhjJQZnTZZA1EEvoxlSx9yJXz6jALGCNCnTZAjh6KRS0XmS/BT1UlJt12ebNZfjYZTUwJCxtwlBxP8KlAggb8XZ7jtB7KQ1mi5RJ4zMC3jqs7CxhSkb2sxhCuQYhmPVZ/aCL6bouJ+jepZP/LF+EIsMlL3OBNkL4+CnHR3Z7lZ7EI44ErpYnI7Y8LNfXy/gVNIAXM7Q3o9kaiH2iYsfgD/gJzz1rejJCJJlU2N7GheIavx9b6BpFJZFApJjXBOcj/FgJAFungJLp/oELTxYESgsA/ai1WChz/5fQiYUX8NV7vvVe7ErW23sxJq5iY50Cxf/242in4
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MEXPR01MB1702.ausprd01.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(376002)(346002)(366004)(39860400002)(396003)(136003)(33430700001)(76116006)(478600001)(53546011)(33656002)(186003)(6506007)(55016002)(7696005)(5660300002)(71200400001)(8676002)(2906002)(86362001)(8936002)(26005)(110136005)(52536014)(9686003)(4326008)(64756008)(66946007)(66476007)(33440700001)(316002)(66446008)(66556008)(15866825006); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: M/T38ozYq3HC08CaGoYkhVjSaluUDq1WTDNhXx9h/0DfRWdZTeEPBs1LHAGXmAqAGiRXvcJUe6tta7r0jxZvmMGWmL5S563gX3B2/+V1Nzahl0YxiydPfjz0RfMk2WYjQOeZhbfHRP+vQCYwM/AKLuid0IuhHo6JNSvTBF4N/+JnihacBJxI+iMFsFny/pD7+ul9H1LUoQ3puYlJLadj9XHLDtwIzS36jWBldgMa/CLeouBoM9cZfWKDSTv+2W9g4UQKyvIExMNvV9xrFO54dkhirGKGGAEgKWt3bpUzL90iYU6kQRUKYG0h/HGNuM0z7+a98sBijdM0BiEaCeM3kgn4Ly7m1uvXlpXe3UZLL33E+DhuxienTODkyGaKNnAsVgh2j+KTnKvZth0sMAJHkWSDDA1oDTnVJ4ldzm4krSVDmrOkMZNy45CYpC1wRNBk3URL0wP9XhRyyr0opiH1kw6otln+jH6FrAwF4g89rJg=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MEXPR01MB17029BA84DD7161D89D8D1B6E5BF0MEXPR01MB1702ausp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 314baf6a-7f0d-435d-e94f-08d7f6d577e6
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2020 00:34:59.5173 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 49dfc6a3-5fb7-49f4-adea-c54e725bb854
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QKQ0arq7AuFzbGkWLjq5oMGarWnCFAK1CHioQnzw3IQABVTbIS5U+4t+v3epJ7ZrRQm0Rxplb5d+bKh/pPG34u5ZOrhq6TTy77ZUQ8vJmYM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MEXPR01MB0647
X-OriginatorOrg: team.telstra.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/do6cQcVAno-B37e1qdNGWsqeAA4>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 00:35:08 -0000

That text is a worse suggestion. It hopelessly confuses "end-user" and "client".

The idea behind the text is only relevant to a client that is written to call a resource server and is registered with an authorization server, but thinks that the details those two exchange (via access tokens) at the client's instigation are sometimes fine, yet at other times are a privacy violation that they aren't trying to hide. It is theoretically conceivable that there is a niche where that is possible, which shows how flexible OAuth is.

I think the main message of this thread is that an access-token really should be explicitly made opaque (by being a reference, or an encrypted JWT) to avoid the privacy risk that details intended to be shared between an Authorization Server and Resource Server are leaked to a Client.

End-users with privacy concerns (which is all of us) should carefully choose the Authorization Servers we deal with. Here is an alternative suggestion as an OAuth privacy consideration.

"OAuth is used to convey information established at an Authorization Server to a Resource Server. Only those two parties - and not the End-User nor the Client - can be sure of knowing the extent of that information. More End-User control would require a different style of protocol than OAuth, such as self-sovereign identity."

--
James Manger

From: Denis <denis.ietf@free.fr>
Sent: Tuesday, 12 May 2020 10:40 PM
To: Manger, James <James.H.Manger@team.telstra.com>om>; Vittorio Bertocci <vittorio.bertocci@auth0.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

[External Email] This email was sent from outside the organisation - be cautious, particularly with links and attachments.
Hi James,

You wrote: "Because your client has violated a MUST in the best practices". It seems that you are already taking your wish as granted.
However, this is exactly the point we are discussing.

You wrote: "The end-user has to trust the Authorization Server (they sign-in there)". The end-user does not trust the AS for everything,
but only with respect to some activities. Please remember a definition of trust present in ISO/IEC 13888-1. 3.59.
trust : relationship between two elements, a set of activities and a security policy in which element x trusts element y
if and only if x has confidence that y will behave in a well defined way (with respect to the activities) that does not violate
the given security policy.
You wrote: "The access-token might be a JWT with minimal claims". Yes indeed, however the end-user may not know it.

You wrote  "a client to do that inspection as standard behaviour". No, token inspection is not a standard behaviour.
It happens if, and only if, the end-user has some privacy concerns. Please reconsider the text proposal which does make
that point:
   There are however cases, where the access token content presents privacy issues for a given scenario. In such cases,
   the end-user would like to know which attributes have been placed in a token before forwarding it to a resource server.
   If these attributes do not correspond to the expectations of the end-user or if the format of the access token is not understandable
   by the client, then the client SHOULD NOT forward the access token to the resource server.

Denis

That text is an poor suggestion, Denis.

> end-user will usually have no knowledge of the attributes which correspond to the scope

The OAuth model is that the Authorization Server is responsible for informing the end-user about what is going on. That's why they display consent pages showing what will be disclosed, often giving the end-user control over this.

> the end-user would like to know which attributes have been placed in a token ...
> ... if the format of the access token is not understandable by the client, then the client SHOULD NOT forward

A major point of OAuth is to protect end-users from clients. The end-user has to trust the Authorization Server (they sign-in there), but that can lessen the trust required in clients.

A client that inspects an access-token in the hope of preventing an Authorization Server from disclosing too much to a Resource Server is kidding itself (and kidding the end-user). The access-token might be a JWT with minimal claims, then the RS calls the AS's token-inspection API and gets back squillions of claims.

So, by all means, do some auditing of Authorization Servers, Resource Servers, and the tokens they exchange to improve your confidence that they are behaving as they say. But if you write a client to do that inspection as standard behaviour then don't call it OAuth-compliant. It will break when the Authorization Server choses to change its token format. Because your client has violated a MUST in the best practices it will be clear where the responsibility for broken interop lies. And the rest of the ecosystem can hope that such clients are not prevalent enough to harm ongoing evolution of the rest of the system.

--
James Manger

From: OAuth <oauth-bounces@ietf.org><mailto:oauth-bounces@ietf.org> On Behalf Of Denis
Sent: Tuesday, 12 May 2020 7:55 PM
To: Vittorio Bertocci <vittorio.bertocci@auth0.com><mailto:vittorio.bertocci@auth0.com>
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
...
This being stated, hereafter is a full text proposal replacement for the first paragraph (12 lines)
of the Privacy Considerations section (section 6):

    As indicated in RFC 6750, the "scope" value is intended for programmatic use and is not meant to be displayed to end-users.
   This means that, even when the client uses the scope parameter, the end-user will usually have no knowledge of the attributes
   which correspond to the scope (or to a missing scope parameter).

   RFC 6749 mentions that the string [access token] is usually opaque to the client. Hence, the client will not necessarily be able
   to inspect the content of the access token. As an example, an authorization server and a resource server might decide to change
   the access token format at any time.

   There are however cases, where the access token content presents privacy issues for a given scenario. In such cases,
   the end-user would like to know which attributes have been placed in a token before forwarding it to a resource server.
   If these attributes do not correspond to the expectations of the end-user or if the format of the access token is not understandable
   by the client, then the client SHOULD NOT forward the access token to the resource server.
Denis