Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Mike Jones <Michael.Jones@microsoft.com> Fri, 25 April 2014 16:38 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0F11A0584 for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 09:38:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.589
X-Spam-Level:
X-Spam-Status: No, score=0.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FR_TEST_BASE64_BAD=3.189, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BXXUYWT_t4q3 for <oauth@ietfa.amsl.com>; Fri, 25 Apr 2014 09:38:41 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0207.outbound.protection.outlook.com [207.46.163.207]) by ietfa.amsl.com (Postfix) with ESMTP id 287201A063C for <oauth@ietf.org>; Fri, 25 Apr 2014 09:38:41 -0700 (PDT)
Received: from BL2PR03CA017.namprd03.prod.outlook.com (10.141.66.25) by SN2PR03MB029.namprd03.prod.outlook.com (10.255.175.39) with Microsoft SMTP Server (TLS) id 15.0.921.12; Fri, 25 Apr 2014 16:38:27 +0000
Received: from BN1BFFO11FD012.protection.gbl (2a01:111:f400:7c10::1:160) by BL2PR03CA017.outlook.office365.com (2a01:111:e400:c1b::25) with Microsoft SMTP Server (TLS) id 15.0.929.12 via Frontend Transport; Fri, 25 Apr 2014 16:38:26 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD012.mail.protection.outlook.com (10.58.144.75) with Microsoft SMTP Server (TLS) id 15.0.929.8 via Frontend Transport; Fri, 25 Apr 2014 16:38:26 +0000
Received: from TK5EX14MBXC288.redmond.corp.microsoft.com ([169.254.3.63]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0181.007; Fri, 25 Apr 2014 16:37:53 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
Thread-Index: AQHPYHPsqQW6K7XM2UikgyZnVh8GF5siN60AgAAO7ICAABvwAIAAIeyQ
Date: Fri, 25 Apr 2014 16:37:52 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739439A195D48@TK5EX14MBXC288.redmond.corp.microsoft.com>
References: <535A3AF4.4060506@gmx.net> <5E2E0F9B-AB61-43AA-B182-E776C97C83FE@adobe.com> <535A5819.2030805@gmx.net> <CA+k3eCTRwPB-BNAoSkzsPCYjP-tuynLLxxHMJcvA4kDFj3aRLQ@mail.gmail.com>
In-Reply-To: <CA+k3eCTRwPB-BNAoSkzsPCYjP-tuynLLxxHMJcvA4kDFj3aRLQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.34]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739439A195D48TK5EX14MBXC288r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10009001)(438001)(199002)(189002)(24454002)(53754006)(51694002)(377454003)(479174003)(51704005)(16601075003)(46102001)(84326002)(4396001)(19300405004)(31966008)(86612001)(74502001)(86362001)(81342001)(16236675002)(71186001)(76176999)(50986999)(33656001)(14971765001)(74662001)(81542001)(99396002)(2009001)(15202345003)(15395725003)(85852003)(512874002)(84676001)(80976001)(6806004)(97736001)(87936001)(83072002)(55846006)(92726001)(19273905006)(80022001)(79102001)(92566001)(2656002)(20776003)(77982001)(19580395003)(15975445006)(575784001)(76482001)(44976005)(19580405001)(66066001)(54356999)(83322001); DIR:OUT; SFP:1101; SCL:1; SRVR:SN2PR03MB029; H:mail.microsoft.com; FPR:FE6DF1E6.9AF65139.8FEFF1D7.8AFB6042.207CA; MLV:sfv; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 0192E812EC
Received-SPF: Pass (: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=; client-ip=131.107.125.37; helo=mail.microsoft.com;
X-OriginatorOrg: microsoft.onmicrosoft.com
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/eaHC4crxXoMQ4ML46UAZYA6w3wc
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Apr 2014 16:38:44 -0000

I’m not sure how octal came up, as the examples all use JSON notation, which is decimal.  (The word octet is a standard word for a value containing 8 bits, and has nothing to do with octal.)

Hannes, we use JSON notation in the examples, rather than hexadecimal intentionally, as the specs are based on JSON.

Some of the examples intentionally include whitespace, including CRLFs, to demonstrate that the JSON need not be canonicalized in any way before use in a JWT.  The actual bytes of the JSON representation are included so there’s no ambiguity about the actual values used in the examples.  We do already have explicit text talking about this in the spec.  Bullet 1 of http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19#section-7 says:
   1.  Create a JWT Claims Set containing the desired claims.  Note that
       white space is explicitly allowed in the representation and no
       canonicalization need be performed before encoding.

While we could add other examples, doing so is beyond the scope of the immediate mission to validate the existing examples, Hannes.  There’s lots of examples in the underlying JOSE specs, so it’s not clear that we really need to add additional ones at this time.  (If this suggestion comes up again during IESG review, we could do that, but I don’t think it’s necessary at this point to move the spec to IESG review.)

                                                            -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Friday, April 25, 2014 7:22 AM
To: Hannes Tschofenig
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-json-web-token-19 - Examples

Note that the draft is showing an *octet sequence* with each individual octet being shown as decimal value. It doesn't state anything about using octal, the base-8 number system. Those octets also show unambiguously what is being base64url encoded (including the line endings via "13, 10") - no matter how the unencoded headers or bodies are shown in the draft, there's going to be potential confusion about what white space and line breaks is or is not to be included in the encoding and serialization so giving the octet sequence alleviates that. It's maybe also worth noting that the JOSE suite of specs all use the same notation and text in their examples.
If we were to add another example as was suggested, it should probably use a shared secret with a little more entropy as '12345' isn't strictly compliant with the normative requirements in JWA for HS256. http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-3.2 states that a 'key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used.'


On Fri, Apr 25, 2014 at 6:42 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> wrote:
Hi Antonio

good to see that others have run into the same issue before.

I wonder why the carriage return and the line feed had been inserted.

We either need some text to explain this in the example or to use an
example that does not use carriage returns or line feeds.

Ciao
Hannes

On 04/25/2014 01:48 PM, Antonio Sanso wrote:
> hi Hannes.
>
>
> On Apr 25, 2014, at 12:37 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net<mailto:hannes.tschofenig@gmx.net>> wrote:
>
>> Hi all,
>>
>> As a document shepherd I have to verify the entire document and this
>> includes the examples as well.
>>
>> Section 3.1:
>>
>> You write:
>>
>> "
>>   The following octet sequence is the UTF-8 representation of the JWT
>>   Header/JWS Header above:
>>
>>   [123, 34, 116, 121, 112, 34, 58, 34, 74, 87, 84, 34, 44, 13, 10, 32,
>>   34, 97, 108, 103, 34, 58, 34, 72, 83, 50, 53, 54, 34, 125]
>> "
>>
>> The values IMHO are represented in Decimal code point rather than Octal
>> UTF-8 bytes, as stated above.
>> See the following online tool to see the difference:
>> http://www.ltg.ed.ac.uk/~richard/utf-8.cgi?input=%22&mode=char
>>
>> Note that you could also show a hex encoding instead (e.g., via
>> http://ostermiller.org/calc/encode.html) Hixie's decoder would then
>> produce the correct decoding. Here is the link to his software:
>> http://software.hixie.ch/utilities/cgi/unicode-decoder/utf8-decoder
>> (Note that this program seems to have flaws for most other options.)
>>
>> When do a Base64URL encoding of
>>
>> {"typ":"JWT","alg":"HS256"}
>>
>> then I get
>>
>> eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9
>>
>> but your spec says:
>>
>> eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9
>>
>> Same with {"iss":"joe","exp":1300819380,"http://example.com/is_root":true}.
>>
>> My result:
>> eyJpc3MiOiJqb2UiLCJleHAiOjEzMDA4MTkzODAsImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>>
>> Your result:
>> eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ
>
> see http://www.ietf.org/mail-archive/web/oauth/current/msg11599.html
>
> regards
>
> antonio
>
>>
>> Note: I am using this online tool for Base64URL encoding:
>> http://kjur.github.io/jsjws/tool_b64uenc.html.
>> Interestingly, when I dump the data into http://jwt.io/ then I get a
>> correct decoding. It might well be that the kjur.github.io<http://kjur.github.io> has a flaw.
>>
>> Just wanted to check what tool you have used to create these encodings.
>>
>>
>> Section 6.1:
>>
>> The example in Section 6.1 is the same as in 3.1. Maybe it would be
>> useful to show something different here.
>>
>> The example in Appendix A.1 is more sophisticated since it demonstrates
>> encryption. To verify it I would need to have a library that supports
>> JWE and RSAES-PKCS1-V1_5 and AES_128_CBC_HMAC_SHA_256. Which library
>> have you been using?
>>
>> I was wondering whether it would make sense to add two other examples,
>> namely for integrity protection. One example showing an HMAC-based keyed
>> message digest and another one using a digital signature.
>>
>> Here is a simple example to add that almost all JWT libraries seem to be
>> able to create and verify:
>>
>> Header:
>> {"alg":"HS256","typ":"JWT"}
>>
>> I use the HS256 algorithm with a shared secret '12345'.
>>
>> Body:
>>
>> {"iss":"https://as.example.com","sub":"mailto:john@example.com<mailto:john@example.com>","nbf":1398420753,"exp":1398424353,"iat":1398420753}
>>
>> jwt.encode({"iss":"https://as.example.com","sub":"mailto:john@example.com<mailto:john@example.com>","nbf":1398420753,"exp":1398424353,"iat":1398420753},"12345",
>> "HS256")
>>
>> I used http://www.onlineconversion.com/unix_time.htm to create the
>> date/time values:
>> "nbf":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
>> "exp":1398424353 --> Fri, 25 Apr 2014 11:12:33 GMT
>> "iat":1398420753 --> Fri, 25 Apr 2014 10:12:33 GMT
>>
>> Here is the output created with https://github.com/progrium/pyjwt/ and
>> verified with http://jwt.io/:
>> eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2FzLmV4YW1wbGUuY29tIiwiaWF0IjoxMzk4NDIwNzUzLCJzdWIiOiJtYWlsdG86am9obkBleGFtcGxlLmNvbSIsImV4cCI6MTM5ODQyNDM1MywibmJmIjoxMzk4NDIwNzUzfQ.0gfRUIley70bMP7hN6sMWkHwHezdrv2E1LAVcNdTsq4
>>
>> Ciao
>> Hannes
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org<mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth