IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Brian Campbell <bcampbell@pingidentity.com> Wed, 25 March 2020 18:21 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C9513A0C96 for <oauth@ietfa.amsl.com>; Wed, 25 Mar 2020 11:21:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UoYT1Q2KWkT for <oauth@ietfa.amsl.com>; Wed, 25 Mar 2020 11:21:10 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB8DA3A0C36 for <oauth@ietf.org>; Wed, 25 Mar 2020 11:21:09 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id v16so3523085ljk.13 for <oauth@ietf.org>; Wed, 25 Mar 2020 11:21:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ToDoGkMkyXnigea4xXxUA3aMPzWvyTVwYrHOEqtQ0zQ=; b=fZA1hDK22c7tW6BqNfMbHqdAk86do6mv7QLLZLouFjv8s7ENQcw5FTcILS7/45/1OG OoZnhp5H0p7qAkisPpzxJICyrBeK2x7/fiCdMMsXAUDtEFK6eNusGLRinxxg9854blsV JcGmvzDUTXu4l2/SeLujtkbVTlE7XJFg+53RjvaOci31hYT62pf0w2thhygHsCANY4Q0 Vr0wzhRHqzmVd/ftfP08PhUMqHqja53NkFwZRRC10qEixXdpo2gyWjB7FP4ehYpD63/I MvZEqtwLDEISh0WJV1oGnw5z6Z1LNKM2R4NTbxGh3PjyNlEK0gwPcCTg648/cj4P05H2 pJpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ToDoGkMkyXnigea4xXxUA3aMPzWvyTVwYrHOEqtQ0zQ=; b=GRh2cra8wqWeFwMFmhb2eQXihXRU7GDjv85Cmbd1G6qmNs7NwtzgajTXqgqnZ5EFSi GykhUlEnRTUzIhzeILpEayEHPOGe7qIdM6vGeRrU6QnwigM47ofPyuvPMxPkQnxTCMD/ DULtylLXxg1Tpf9F0rVOx90rqFPF44g1Qw0hhLuKCvzjzJ37jJSRpWJxqqgGK/mVvVGu Uw0v34wIFu6qExzSCKRK5nacBxQRvsff5BLxTvgyQNwk0axsyJNtWONYvIjRp+H4b8ss XnWQyujc/5dPZ0ASwXloCDC1PNAvZT+aHnbSn7mmhhT8GDjmErdYZx7DmuiOZxNWTov+ XYpw==
X-Gm-Message-State: AGi0PubD5dV7pNk1lbhfYc0589XuvlbBOFatSubpiJ89KWHXx7lO1soR Row6DB9cC4YArN1SGAJJsuoVopXEmZ1ef9Ue/sYN/Ry0WX89J0lWyiKP1pTHdo4tavGnLZmtcrx dkKxwD1e9hYJvBQ==
X-Google-Smtp-Source: APiQypLNQuob1RxRyy97HAE1mjUbWrc2bijDAPVpEWl+FOKZ7L29Ad5HjGtQme/fQ3kHJEyYp8EqaUVc1TM4s6PIf5E=
X-Received: by 2002:a2e:b8c1:: with SMTP id s1mr2870833ljp.0.1585160466325; Wed, 25 Mar 2020 11:21:06 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com> <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr> <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com> <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com> <52f18114-4f8e-da86-5735-4c4e8f8d2db5@aol.com> <BL0PR08MB5394CA3CB524E95EA87CD6B6AEF10@BL0PR08MB5394.namprd08.prod.outlook.com> <74da4cc3-359c-c08a-0ae5-54c8ca309f32@aol.com> <D080BE8B-BD0D-4F63-9F33-BA23C2FB42DD@amazon.com> <DM6PR08MB5402639817677AD59898CD65AECE0@DM6PR08MB5402.namprd08.prod.outlook.com> <CA+k3eCS29X28CBXGiUtDAV8nceTcpfJ4Jr_x=E3x8_9crOqsOQ@mail.gmail.com> <13b6801d602c0$02ebea00$08c3be00$@auth0.com> <CA+k3eCSTKNMchR_20z7VRi1XS+kkzi3+8ey_+hB7bK-onRv2Bg@mail.gmail.com> <a0842eb4-582b-59ab-855d-8e48828e92ee@aol.com>
In-Reply-To: <a0842eb4-582b-59ab-855d-8e48828e92ee@aol.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 25 Mar 2020 12:20:39 -0600
Message-ID: <CA+k3eCQdQggPrVatvT2COrtEw2E4F2TTp_3uU6iSk1AsXeRwMg@mail.gmail.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000082d70d05a1b1ee30"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dodOBHlgzQ54VphRT-tYj1QutJI>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 18:21:16 -0000

I don't think you are missing anything, George (except that, to be
pedantic, `kid` is a header rather than a claim).

The question gave me pause, however, and makes me think that maybe the
draft, with the aim of improved interoperability, should have some more
explicit text about the use of the 'kid' header in a JWT AT and how it
references the verification key in the content at the jwks_uri.





On Wed, Mar 25, 2020 at 11:54 AM George Fletcher <gffletch=
40aol.com@dmarc.ietf.org> wrote:

> Can we not use the 'kid' claim to inform the RS as to which key is being
> used? What am I missing?
>
> On 3/25/20 1:51 PM, Brian Campbell wrote:
>
> I think, even without that statement in the draft, that ASes already have
> license to use different keys if they so choose. And maybe I'm not creative
> enough but I can't think of what problematic assumptions RSes might make
> that would prevented by it. So perhaps just removing that whole sentence,
> "An authorization server MAY elect to use different keys to sign id_tokens
> and JWT access tokens."? Just a thought anyway.
>
> On Wed, Mar 25, 2020 at 10:11 AM <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>
>
> Thank you for the perspective- I guessed something similar (“there would
> be no way for the RS to know what key is used for what").
>
> As stated below, the intent wasn’t to prevent substitution/confusion, but
> mostly to give ASes license to use different keys if they choose to (for
> the reasons listed below, or any other reason they might have) and a
> headsup to RSes so that they don’t make assumptions.
>
>
>
> *From:* Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> <bcampbell=40pingidentity.com@dmarc.ietf.org>
> *Sent:* Wednesday, March 25, 2020 8:48 AM
> *To:* Vittorio Bertocci <vittorio.bertocci@auth0.com> <vittorio.bertocci@auth0.com>
> *Cc:* Richard Backman, Annabelle <richanna@amazon.com> <richanna@amazon.com>; oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth
> 2.0 Access Tokens"
>
>
>
> I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's
> comment was an assumption that signing ATs and ID Tokens with different
> keys would be done to prevent token substitution/confusion. And there's not
> really a practical way to achieve that with the mechanics of the jwks_uri..
>
>
>
> On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>
> *>§4 p3: The only practical way for the AS to sign ATs and ID Tokens with
> different keys is to publish the keys in two different JWK sets. This only
> way to do this today is by publishing separate OAuth 2.0 authorization
> server metadata and OIDC Discovery metadata files, where the JWK set in the
> former applies to access tokens and the JWK set in the latter applies to ID
> Tokens.*
>
> Hmm, I don’t follow. The OIDC jwks_uri can contain multiple keys, and they
> all can be used for signing. What prevents the AS to use one key from that
> list for IDtokens and another for ATs? Separate discovery docs shouldn’t be
> necessary. Sure, there would be no way for the RS to know what key is used
> for what- but similar mechanisms are already in place today for handling
> signing key rotation: e.g. the discovery doc lists the current key and the
> future key, but uses only the current- and the RS has no way of
> distinguishing between the two. The situation here can be analogous, any
> key in the discovery doc should be considered valid by the RS, and in fact
> there’s no requirement about selecting specific keys in the validation
> section. That doesn’t mean this is useless, an AS might elect to use
> different keys for its own purposes (eg separation of concerns for
> forensics, different strengths, different lifecycles, and so on).
>
>
>
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited...
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
<https://www.pingidentity.com>[image: Ping Identity]
<https://www.pingidentity.com>
Brian Campbell
Distinguished Engineer
bcampbell@pingidentity.com
w: +1 720.317.2061
c: +1 303.918.9415
Connect with us: [image: Glassdoor logo]
<https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>
[image:
LinkedIn logo] <https://www.linkedin.com/company/21870> [image: twitter
logo] <https://twitter.com/pingidentity> [image: facebook logo]
<https://www.facebook.com/pingidentitypage> [image: youtube logo]
<https://www.youtube.com/user/PingIdentityTV> [image: Blog logo]
<https://www.pingidentity.com/en/blog.html>
<https://www.google.com/url?q=https://www.pingidentity.com/content/dam/ping-6-2-assets/Assets/faqs/en/consumer-attitudes-post-breach-era-3375.pdf?id%3Db6322a80-f285-11e3-ac10-0800200c9a66&source=gmail&ust=1541693608526000&usg=AFQjCNGBl5cPHCUAVKGZ_NnpuFj5PHGSUQ>
<https://www.pingidentity.com/en/events/d/identify-2019.html>
<https://www.pingidentity.com/content/dam/ping-6-2-assets/Assets/Misc/en/3464-consumersurvey-execsummary.pdf>
<https://www.pingidentity.com/en/events/e/rsa.html>
<https://www.pingidentity.com/en/events/e/rsa.html>
<https://www.pingidentity.com/en/lp/e/enabling-work-from-home-with-MFA.html>
*If you’re not a current customer, click here
<https://www.pingidentity.com/en/lp/e/work-from-home-sso-mfa.html?utm_source=Email&utm_campaign=WF-COVID19-New-EMSIG>
for
a more relevant offer.*

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email