IETF Logo Mail Archive

Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

Mike Jones <Michael.Jones@microsoft.com> Thu, 23 July 2020 21:00 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9D903A0DA5 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 14:00:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lkYvZ0d0clTK for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2020 14:00:41 -0700 (PDT)
Received: from NAM06-BL2-obe.outbound.protection.outlook.com (mail-eopbgr650090.outbound.protection.outlook.com [40.107.65.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EC2F3A0D9B for <oauth@ietf.org>; Thu, 23 Jul 2020 14:00:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IvvhTbZjwQEGyxvGvILgh8CkX20EJhMS6zDoVBpzWSJqmJdXHW0NeKmFaOOgpHExhGSf23JSiM7DXNRKhIJ4es97FGsS6PKeQhfF2Xz0g9XXhKd7KOruZKOSd4hjC2ewwJ5DAbE6nY9vcMcnNO6WtzmZd8lUOvS3xd+jHUYpanyjusWeP/sC98HnXeJWnrAN4YZybXueIFf/h3wDaX9hrF1XO839SrEgAVXrzZs8oD0aP//YKITVezGozPSiVUWcbdxrYiGjKTLZg6EEw/g4r0r7speqos5Dwf3NOnDAM/jioN9TJ87Q35FblhVcneFsC1TDSC0DhSb626j8DAPjRw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2otEfhfC0ebDiACil4YHa/Zz1ZBkB5/4S4Bx0poY9LQ=; b=EsXrNgeAm/zJxY3dTFnkbKc9Sjix5nV/hTywbRY93vbKZCOXmd4d7kuvAB/rXrSsC8XF2tUQq9fRG1CnpzBfKdrd00m6bsmhRXe+2ADgcCwzSpUdGu3/SPStjpJ3MGJx8+2kUKoWnYZjt2gZRmeEynF6avHQku2gUhp4DSym6sfg6HlWXcAI/KghsrmfyCnLWTfszUHCGYWXudkZDwxrU3LqxRIWM8nQWi0kg6SB/B4fCh7rjmBLpd958NnsmyQUR7eg73Yuh2cnOHGGD8QJNUcWBcaiQ/Jdi+MCZvl6FQaRMCCyA7W+i5mf+g5DPRWJBm5RId2fFihkwCQM2PB1+A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2otEfhfC0ebDiACil4YHa/Zz1ZBkB5/4S4Bx0poY9LQ=; b=SdSzybuPI0gJOijA+DAnrg05S8ZA+64bQen7sMJb/wIVuDEd13woKLlte6WpOouyVJtcPvb4ds+ug2nwYBrBcoqorGMiqGtzV1i6Ruuq4Wq/8Oq5DD5t6qb/jfUo+iSPUgU3HjB2JZh0LVcVO2E1Jh+lTQnYkXMJ3Lm1SSFkrkY=
Received: from CH2PR00MB0678.namprd00.prod.outlook.com (2603:10b6:610:a9::23) by CH2PR00MB0746.namprd00.prod.outlook.com (2603:10b6:610:6e::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3258.0; Thu, 23 Jul 2020 21:00:39 +0000
Received: from CH2PR00MB0678.namprd00.prod.outlook.com ([fe80::e9ce:b982:5ae1:959d]) by CH2PR00MB0678.namprd00.prod.outlook.com ([fe80::e9ce:b982:5ae1:959d%9]) with mapi id 15.20.3262.000; Thu, 23 Jul 2020 21:00:39 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, "dbaier@leastprivilege.com" <dbaier@leastprivilege.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
Thread-Index: AdZhNEVyqbCIsZVQRMy5mltQITeI6w==
Date: Thu, 23 Jul 2020 21:00:38 +0000
Message-ID: <CH2PR00MB067859A3F75C40D9C8D376CDF5760@CH2PR00MB0678.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=876e6552-074b-4379-8769-e0c6158a8eac; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-07-23T20:51:38Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.89.111]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 4d82b666-e8e9-4e4f-b48c-08d82f4b743a
x-ms-traffictypediagnostic: CH2PR00MB0746:
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: <CH2PR00MB074624CC73B67255BB392A1AF5761@CH2PR00MB0746.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:6108;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xuy4PWHzHdiNZkTD5L/xZxd9WLPAfVhCZaVy59HkgmK/gZOGydWZ6tTA7xM6aZ4UqFoZfCWq39zWmlbHlRYMazfzYXGq8tU0OMRd4JIsHE+wAFYR/kK8nNxu70cmRWaDt+uRFZMn7kwZDj260wkWKpoOfxn2Xmfim36pLajgkW+77RMRgRwkc2SbSKo2zfIy2L367ONNtoAUWPmwL2Uba6cDLZIEXOOY6x5ns6O4/iGfQLz+3FG454leEinLO7+xxp8Z3vWPWpNdbefQcI54Ajg5Hcq/Q8snWC/lCJWjTachJQjpHOQLpnlNoBwYjr62q8/EeSGUP2XM/VajMxJ2fM1RYtAJ4gqdzccsmrOBsoFB6txubhuVewIciJtWu8zhyDZO/jiBB0dB7wnYL32fIQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR00MB0678.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(346002)(396003)(136003)(366004)(376002)(53546011)(6506007)(7696005)(86362001)(66556008)(64756008)(66446008)(966005)(76116006)(66476007)(66946007)(10290500003)(52536014)(478600001)(4326008)(5660300002)(55016002)(110136005)(8990500004)(316002)(186003)(26005)(8676002)(83380400001)(71200400001)(166002)(8936002)(33656002)(9686003)(82950400001)(82960400001)(2906002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: JM++khrsZIwolAC1Qbn360/iqawf6YyYk4PEQzR67xeHfcNT33X8pdXbNwqs0cZqLsZ6dwTXyFQIBnqlZcoYmnRagR10uqbKCtfUFojEVMMfxjpeDohi5m+v0PIjySODtV8s2RSQG4BWgB5HuRCJ8RMu8yX3cxxeLEZ0slIIhyz5OuhPYARscL144l57WJP6zMUNiDKTcDe87j674Qs4NzmyjYSCFPiUDkEKGnte/3Ga34IUFCXfXmikmn7GlfcJNnRpFMzCT5h5zZk+CqRjfrWm2nlDZp3uWBn977jzb24CJ/kNtiED0a3uE0qanE+mWcOlT5BW+K9lT1KsWzzrqLUreJFDiBiUrNOjAUeBKrdR7CyeV1OcvBlSrL1+GUbSl92XBVh3z2JUHiBP7XOIZKLFlFqHn7fl07X0gm53uaXdfirU4fqSD8mDVwHYv7xp2DMyKKCMsr8o3ZBlp6T2UFWHa+CiK4A2ftHTU7fJ9DCRTQjJifAsrJhZ7KCTCQZiX5i5wwADZnHsPNKVAaR2r/lkLHaSW26kCrFvzKwhNs3LBEb0pi/JaVXQ6tyK+LE98BIrJe49iMQ8gfidTccgGf6iuXvxZnn7LU8whyPj2dLilQhIEZI750ZQy8qRH+VzqY0s+rDYscT/qgWe80J5xg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_CH2PR00MB067859A3F75C40D9C8D376CDF5760CH2PR00MB0678namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR00MB0678.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 4d82b666-e8e9-4e4f-b48c-08d82f4b743a
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jul 2020 21:00:39.0399 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 2KDmWHD1S3H4JqODuxsWBCy1HSNTx7uXVVZ4MlkFu2+U7s7syAl0XVo1QrlG6CdV6SlYscQRVcKbaqC8E4DTwg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR00MB0746
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dSBiukaiPoQOa8xMFm82nU2_ji4>
Subject: Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2020 21:00:44 -0000

The “Use Explicit Typing<https://www.rfc-editor.org/rfc/rfc8725.html#section-3.11>” section of the JWT BCP explicitly says: “Explicit typing is RECOMMENDED for new uses of JWTs.”  It does not recommend trying to retrofit “typ” values for existing JWT uses, as that would often cause breaking changes to working ecosystems.  The Request Object was defined by OpenID Connect in 2004, so this is very much an existing use – not a new use.  (The OAuth JAR draft, like several other previous OAuth drafts, is bringing existing OpenID Connect functionality into the OAuth world – intentionally doing so in such a way as to not break existing usages.)

I agree with Brian’s assessment that the cost/benefit of adding a “typ” field to the Request Object doesn’t have a reasonable cost/benefit ratio.

                                                          -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell
Sent: Thursday, July 23, 2020 1:30 PM
To: dbaier@leastprivilege.com
Cc: oauth <oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

In hindsight, yeah, having explicit JWT typing everywhere would be nice.. But retrofitting would be a very major undertaking, which I don't think could reasonably be justified considering cost–benefit.

I can't speak directly for the Jwsreq authors but I suspect considerations around backward/forward compatibility with OIDC's JWT request and even existing implementations of the Jwsreq draft that has been in draft forever came into play.

On Wed, Jul 22, 2020 at 11:38 PM Dominick Baier <dbaier@leastprivilege.com<mailto:dbaier@leastprivilege.com>> wrote:
Even more. Jwsreq should have it. But the authors decided against it.

———
Dominick Baier


On 23. July 2020 at 07:38:04, Dominick Baier (dbaier@leastprivilege.com<mailto:dbaier@leastprivilege.com>) wrote:
Good point.. Thanks, Brian.

We should retrofit typs everywhere..in hindsight.

———
Dominick Baier


On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>) wrote:
Because it wouldn't actually prevent it in this case due to JWT assertion client authentication (a.k.a. private_key_jwt) having come about well before the JWT BCP and the established concept of using the 'typ' header to prevent cross-JWT confusion. Thus there's no validation rule regarding the 'typ' header defined in RFC 7523 for JWT client authentication. Explicitly typing the request object JWT doesn't do anything to prevent it from being used in the context of previously existing JWT applications like client auth.

On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com<mailto:dbaier@leastprivilege.com>> wrote:
Why not use a typ header as suggested by the JWT BCP?

———
Dominick Baier


On 22. July 2020 at 17:37:41, Brian Campbell (bcampbell=40pingidentity.com@dmarc.ietf.org<mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>) wrote:
The TL;DR here is a somewhat tentative suggestion that a brief security consideration be added to https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/<https://datatracker..ietf.org/doc/draft-ietf-oauth-jwsreq/> that prohibits the inclusion of a 'sub' claim containing the client id value in the request object JWT so as to prevent the request object JWT (which is exposed to the user agent) from being erroneously accepted as a valid JWT for client authentication.

Some more details and the discussion that led to this here email can be found at https://github.com/oauthstuff/draft-oauth-par/issues/41

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited...  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email