IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP JWT claims

Brian Campbell <bcampbell@pingidentity.com> Mon, 27 June 2022 20:11 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D167C14F75F for <oauth@ietfa.amsl.com>; Mon, 27 Jun 2022 13:11:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A5zAMeqe4Ir0 for <oauth@ietfa.amsl.com>; Mon, 27 Jun 2022 13:11:23 -0700 (PDT)
Received: from mail-oa1-x36.google.com (mail-oa1-x36.google.com [IPv6:2001:4860:4864:20::36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D67B7C14F739 for <oauth@ietf.org>; Mon, 27 Jun 2022 13:11:23 -0700 (PDT)
Received: by mail-oa1-x36.google.com with SMTP id 586e51a60fabf-101bb9275bcso14318656fac.8 for <oauth@ietf.org>; Mon, 27 Jun 2022 13:11:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=F/Yp5zaTOXXT25eOM1a3W9+qr9NPnAZrTQcI93OAIZI=; b=GO4hr5S4ROekYJNfOxguZ5oKHtjU2oRS0XWsB1LvFGWC5z2LmUjgzfSOODMbWOblHc HdNnxEJksLN8lnoC23JP2DmordxWGvzFUwwCY/Rc9f05iuzROMzbBS1qW3kvm6HNAusU 3s20NaMKAhMKB5ThIdXIQB7Vym9gYX3iG6L1NyPEZuaOF3k77uXv66GLC8q0U+dqlowE x+jY56gFjewOkcegBzexxu+P9mQ3n2MXpoF3Z3vyeJ1HQ1tVecYOO8hAfuRuD2u5t2pw vCtEdA0f2uc9A8sHsaJNBDSzElZKH+M478a+MYEnDiAT30t8f15b9Ti0gKKUGFn7XC3r 6Hcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=F/Yp5zaTOXXT25eOM1a3W9+qr9NPnAZrTQcI93OAIZI=; b=qrjmeX5zj+vm2DGLedcgozUm+1f94NaSri9bZwcPOT8XJdCwiEh9h+/ngTg9P6JBkI GjGa7d+yyjO2ivQnIPzLy0bBvB9Qi0s0QmrzpDHDOXxbyypSasatBhCP9yDCEwzrP4cP 0AjrF7vcgwgBhjccchYOf/b59eL9ftjdjbLRKuwKe55gBGBedNE5FAmB/yqrj9Bp1P/y j5LrRAiGJnguui7hHjDprtwfWGKK2+MB0hYVuZadNbAKIr/g8UOE1VjdOcDXf9kKisDV nroBp1CjfZz9oTwkZwPwxtMJtWXiG2j0J25wxv4QA2B0nH73di1Ydr6RtyYRUneIcqXF YZdw==
X-Gm-Message-State: AJIora/4rluAZVIYazpsqU0Ulh9wtIxX7yufFRFRxDn6gCpccScQsCzc vfHbLTzBndiDbTRztLfjqXBemzTaCnw4u6tPbFLprfqpyuBqCm62/zTmRGoRsg2dNIdfTChxulG fW8bdDMxhd2pFkQ==
X-Google-Smtp-Source: AGRyM1smxZRixqc9rwSBRN6tEihV6LzZMM2qamA4WStKhGj+uRt0V7KynIp5yToKIgkZaFjMWHL7UX/YQrGU/olJGlU=
X-Received: by 2002:a05:6871:28c:b0:101:e7cc:fad0 with SMTP id i12-20020a056871028c00b00101e7ccfad0mr10598155oae.269.1656360682160; Mon, 27 Jun 2022 13:11:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-siSJZ-8OUFhHKdWY=ZT7r=6GaBAu8LWBs3J4BoqTCtqQ@mail.gmail.com> <86DAF05C-BB10-49AA-8B1B-E19E8A410624@forgerock.com> <CA+k3eCQnizWdFZgEhT8yO2eb0PSBDP+-d3Wp7p9EnYxF=HuZYQ@mail.gmail.com> <20220622025851.GF26442@kduck.mit.edu>
In-Reply-To: <20220622025851.GF26442@kduck.mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 27 Jun 2022 14:10:50 -0600
Message-ID: <CA+k3eCQZz41WCMR0PwYavJJ5=UN175niFZAUemgwfLWxmkSc_A@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Neil Madden <neil.madden@forgerock.com>, Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000149f1905e27386f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/guEDCdAzKO0GRLMiYo3VNU2l0TU>
Subject: Re: [OAUTH-WG] DPoP JWT claims
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Jun 2022 20:11:27 -0000

Yes, the change controller for "nonce" is the OpenID Foundation's Connect
Working Group (called Artifact Binding Working Group for historical reasons
https://www.iana.org/assignments/jwt/jwt.xhtml). But I don't think there
would be any resistance to an update because it's all basically the same
people involved. Mike, who proposed continued use of nonce with a registry
update from an OIDC errata in the github thread linked previously, is a
co-chair of that OIDF WG. I was just asking/suggesting that the update come
from this DPoP draft so that it might happen more expediently (if at all)
because this OIDC errata version is slow in coming and I suspect the
registry update had been forgotten.




On Tue, Jun 21, 2022 at 8:59 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Thu, Jun 16, 2022 at 04:18:49PM -0600, Brian Campbell wrote:
> > I'm not sure the JWT claims registry has turned out to be exactly what
> was
> > envisioned. And, to your point, the utility of some of the registrations
> is
> > questionable. The issue of name conflicts vs reuse is more subtle than it
>
> > seems. And practically speaking the registry is kind of the only way to
> > legitimately get/use a short claim name (so called private claim names
> > aren't ideal and arguably not appropriate for a prospective spec).
>
> This is probably the main reason I'm still in favor of registering short
> claim names -- people are going to want to use them and it's better to have
> most things in the registry than to have completely independent siloed
> usage.
>
> > There was some sort of related discussion with an AD a while back
> >
> https://mailarchive.ietf.org/arch/msg/jwt-reg-review/O4rmJbMOZZFbi6mlVk6VHp-xUs8/
> > that basically resulted in "just go ahead and register stuff". At least
> > that was my takeaway.
>
> I think we both (at the time) thought that it's better to have (registered)
> claim names that reflect the specificity of expected usage.  We can't
> always have nice things, though (case in point: all the existing
> registrations), and we're not going to "keep the registry pure" in whatever
> sense by pushing back hard on new registrations.  So that's how we end up
> in practice with "go ahead and register stuff", though we can certainly ask
> people if they want a more-specific name.
>
> > FWIW there was also some discussion around those very questions with
> > respect to "nonce" (see
> > https://github.com/danielfett/draft-dpop/pull/81#discussion_r713354503
> and
> > maybe a few comments back) with some push-back on using it. But the
> outcome
> > was to go ahead with nonce but also update the registry via a OIDC
> errata.
> > Though I suspect that action got lost in the shuffle. Maybe DPoP should
> do
> > it?
>
> I do have some general unease about reusing the claim (name) for a
> different meaning/usage without updating the registry in some manner.
> Consult a current AD for an authoritative reference, but I expect that OIDC
> has some form of "change control" over the existing registration and would
> need to be involved in some form if this change is made.
>
> As another data point, over in draft-ietf-ace-oauth-authz I made people
> create a new "cnonce" claim instead of reusing the existing "nonce" (also
> as claimed by OIDC).
>
> -Ben
>
> > On Thu, Jun 16, 2022 at 3:33 PM Neil Madden <neil.madden@forgerock.com>
> > wrote:
> >
> > > Is that actually true? The DPoP spec itself is a case in point: it
> reuses
> > > the existing OIDC “nonce” claim but explicitly says that DPoP nonces
> are
> > > not like OIDC nonces (section 9):
> > >
> > > “ Developers should also take care to not
> > >
> > >    confuse DPoP nonces with the OpenID Connect [OpenID.Core <
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#ref-OpenID.Core>]
> ID Token
> > >    nonce.”
> > >
> > >
> > > The official IANA registration of “nonce” says:
> > >
> > >
> > > Value used to associate a Client session with an ID Token
> > >
> > >
> > > Does this matter? If not, does it matter if some other spec defines a
> “htm” claim with different meaning?
> > >
> > >
> > > On 16 Jun 2022, at 20:50, Dick Hardt <dick.hardt@gmail.com> wrote:
> > >
> > > 
> > > Registering the names provides clarity on use and avoids confusion on
> the
> > > meaning of a claim — ie two specs won’t have conflicting definitions of
> > > “htm”
> > >
> > > On Thu, Jun 16, 2022 at 10:20 AM Warren Parad <wparad=
> > > 40rhosys.ch@dmarc.ietf.org> wrote:
> > >
> > >> I think the registration really helps with discovery, especially as an
> > >> implementer. When you see or observe these claims in a JWT, you can
> google
> > >> them potentially returning no results. If you know about the IANA
> registry
> > >> you can find them, even if you don't know that the tokens have
> anything to
> > >> do with DPoP.
> > >>
> > >> On Thu, Jun 16, 2022 at 6:21 PM Neil Madden <
> neil.madden@forgerock.com>
> > >> wrote:
> > >>
> > >>> The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But
> do
> > >>> these claims actually make sense outside of a DPoP proof? Presumably
> the
> > >>> risk of naming collision within a DPoP proof is pretty small, so is
> there
> > >>> any benefit to registering them rather than just using them as
> private
> > >>> claims?
> > >>>
> > >>> (I guess I could ask the same question about lots of other entries in
> > >>> the current registry at IANA, many of which look completely
> app-specific to
> > >>> me).
> > >>>
> > >>> [1]:
> > >>>
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-12.7
> > >>>
> > >>>
> > >>> — Neil
> > >>> _______________________________________________
> > >>> OAuth mailing list
> > >>> OAuth@ietf.org
> > >>> https://www.ietf.org/mailman/listinfo/oauth
> > >>>
> > >> _______________________________________________
> > >> OAuth mailing list
> > >> OAuth@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/oauth
> > >>
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > >
> >
> > --
> > _CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged
> > material for the sole use of the intended recipient(s). Any review, use,
> > distribution or disclosure by others is strictly prohibited.  If you
> have
> > received this communication in error, please notify the sender
> immediately
> > by e-mail and delete the message and any file attachments from your
> > computer. Thank you._
>
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email