[OAUTH-WG] [Technical Errata Reported] RFC7519 (5906)
RFC Errata System <rfc-editor@rfc-editor.org> Wed, 13 November 2019 22:28 UTC
To: mbj@microsoft.com, ve7jtb@ve7jtb.com, n-sakimura@nri.co.jp, rdd@cert.org, kaduk@mit.edu, Hannes.Tschofenig@gmx.net, rifaat.ietf@gmail.com
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: ememisya@vt.edu, oauth@ietf.org, rfc-editor@rfc-editor.org
Message-Id: <20191113222801.187A6F40705@rfc-editor.org>
Date: Wed, 13 Nov 2019 14:28:01 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dqA3VFgRnG9LYJUUuDeMYLElv5U>
Subject: [OAUTH-WG] [Technical Errata Reported] RFC7519 (5906)
The following errata report has been submitted for RFC7519,
"JSON Web Token (JWT)".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid5906

--------------------------------------
Type: Technical
Reported by: Erdem Memisyazici <ememisya@vt.edu>

Section: 7.2

Original Text
-------------
Finally, note that it is an application decision which algorithms may
be used in a given context. Even if a JWT can be successfully
validated, unless the algorithms used in the JWT are acceptable to
the application, it SHOULD reject the JWT.

Corrected Text
--------------
Finally, note that it is an application decision which algorithms may
be used in a given context. Even if a JWT can be successfully
validated, unless the algorithms used in the JWT are acceptable to
the application, it MUST reject the JWT.

Notes
-----
A vulnerability exists in certain implementations in the wild where
applications simply look for valid JWT tokens, which includes the
"none" algorithm
(https://medium.com/swlh/hacking-json-web-tokens-jwts-9122efe91e4a).

A fairly popular library is auth0's java-jwt, and at verification
(https://github.com/auth0/java-jwt/blob/master/lib/src/main/java/com/auth0/jwt/JWTVerifier.java)
quite reasonably you cannot initialize the class without an
algorithm. Given that all-capital SHOULD may be interpreted as a
recommendation, and as this RFC dictates the algorithm "none" MUST be
implemented as a default algorithm under Section 8, one could argue
JWTVerifier in the example doesn't have to verifyAlgorithm, leading to
the vulnerability pointed out in the first article while still
complying with the specification.

There is no good reason why an algorithm unacceptable to the
application must not be rejected, as it does more harm than good, and
all popular library implementations interpret it as such.

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party can log in
to change the status and edit the report, if necessary.

--------------------------------------
RFC7519 (draft-ietf-oauth-json-web-token-32)
--------------------------------------
Title               : JSON Web Token (JWT)
Publication Date    : May 2015
Author(s)           : M. Jones, J. Bradley, N. Sakimura
Category            : PROPOSED STANDARD
Source              : Web Authorization Protocol
Area                : Security
Stream              : IETF
Verifying Party     : IESG
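The "none" forgery described in the Notes above, placed beside the application-level algorithm allow-list that the proposed MUST would require, as an added example in Python. This is not code from the erratum, from RFC 7519 or from java-jwt; it uses only the standard library, and the key, the claims and every function name are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example only; a real key comes from configuration.
DEMO_KEY = b"constructed-demo-hmac-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed JWT in JWS compact serialization."""
    signing_input = _encode_part({"alg": "HS256", "typ": "JWT"}) + "." + _encode_part(claims)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker side: reuse a captured token's claims, rewrite them, set
    alg to "none" and drop the signature (an Unsecured JWT)."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(new_claims)
    return _encode_part({"alg": "none", "typ": "JWT"}) + "." + _encode_part(claims) + "."


def _split(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, parts


def _check_hs256(parts, key: bytes) -> None:
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")


def vulnerable_verify(token: str, key: bytes) -> dict:
    """Dispatches on the token's own "alg" and has no application-level
    algorithm check: the reading of SHOULD that the erratum objects to."""
    header, claims, parts = _split(token)
    alg = header.get("alg")
    if alg == "none":
        # "none" is MUST-implement under RFC 7519 section 8; implemented
        # literally, that means accepting the token with no signature check.
        return claims
    if alg == "HS256":
        _check_hs256(parts, key)
        return claims
    raise ValueError("unsupported alg")


def hardened_verify(token: str, key: bytes, allowed_algs=("HS256",)) -> dict:
    """The application fixes the acceptable algorithms up front and rejects
    everything else, "none" included, before any cryptographic work."""
    header, claims, parts = _split(token)
    alg = header.get("alg")
    # Exact, case-sensitive match against the allow-list; "None"/"NONE" fail too.
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} not acceptable to this application")
    if alg == "HS256":
        _check_hs256(parts, key)
        return claims
    raise ValueError("unsupported alg")


def demo() -> dict:
    """Run the forgery against both verifiers and report what each did."""
    legit = sign_hs256({"sub": "alice", "admin": False}, DEMO_KEY)
    forged = forge_alg_none(legit, {"admin": True})
    result = {"legit_ok": hardened_verify(legit, DEMO_KEY)["sub"] == "alice"}
    result["vulnerable_accepts_forgery"] = vulnerable_verify(forged, DEMO_KEY)["admin"] is True
    try:
        hardened_verify(forged, DEMO_KEY)
        result["hardened_rejects_forgery"] = False
    except ValueError:
        result["hardened_rejects_forgery"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The difference is where the decision is made. `vulnerable_verify` lets the token's header choose the algorithm, so an unsigned token with alg "none" passes because "none" is something the verifier implements; `hardened_verify` treats the acceptable set as application configuration and rejects anything outside it before it touches the signature, which is the behaviour the corrected text's MUST pins down. In production, use a maintained library and hand it the same allow-list rather than parsing tokens yourself.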