Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

Karl McGuinness <kmcguinness@okta.com> Mon, 06 May 2019 19:57 UTC

From: Karl McGuinness <kmcguinness@okta.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
CC: Vladimir Dzhuvinov <vladimir@connect2id.com>, IETF oauth WG <oauth@ietf.org>
Date: Mon, 06 May 2019 19:57:36 +0000
Message-ID: <2C153797-C5AD-410D-A52E-B87DBA19DF99@okta.com>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <CAHsNOKewL9xCFt6SsP4dz+W0CN_NUZaGMJahF7mSgos_Xbnhhw@mail.gmail.com> <CAO_FVe7c6jLRJ8mD7gw=a6NY3oZcgCh_b5dR8uRXa6Q2c2gmGg@mail.gmail.com> <CA+iA6uje229zrAos3c1TCuJEM+2vmVifNQ2FnKDuj2T4ET2SYA@mail.gmail.com> <a34edf0e-012a-ecc9-e547-3cdc61dca5a4@aol.com> <CA+iA6uh6Q901wEaqGSK7An0z0_iJTjCfvPVN44Qwpb=M_rDONg@mail.gmail.com> <239f40ab-da4d-03fe-4524-0b21a0bcc63e@aol.com> <SN6PR00MB0304BC3C7D438F8A5715B36DF5500@SN6PR00MB0304.namprd00.prod.outlook.com> <CA+iA6ugr+xPfeTFXK2gGBFX8Yw+zGArGfav=Ci5A3qNYUqB7rw@mail.gmail.com> <SN6PR00MB030459810B40D98370728BBAF5500@SN6PR00MB0304.namprd00.prod.outlook.com> <CA+iA6ug1NOpMcPsSr8o24CM3xWy-3z_pxiZhiyPeKxvScMACmg@mail.gmail.com> <CAO_FVe4AP5aWgXAAGj1QxPDFPjyfeaZGWd-b5azrz=ajuHuJdQ@mail.gmail.com> <3ec04cf7-e0ed-2b9a-20f7-a94dea4d559b@connect2id.com> <CAO_FVe6sLxbkk0tEjH5sb8k36q4_sJLU6HAgU05fAqOGaqo8MA@mail.gmail.com> <61adde0e-8709-5b88-8b64-ac8cc4549f51@connect2id.com> <CAO_FVe4HQKPvL5bdbAerHRU0TCiZKLJS9JgDrYkXNokri9oBaA@mail.gmail.com>
In-Reply-To: <CAO_FVe4HQKPvL5bdbAerHRU0TCiZKLJS9JgDrYkXNokri9oBaA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hkH7MlLmBALVlUKg7-fwJ-uBoPY>

Makes sense that we don’t want to further couple AS and RS with grant types. I’m OK if we want a dedicated claim to establish whether the token is resource owner delegated vs client acting as itself.

Subject Type is already a concept in RISC. Just making sure folks are aware of prior art.

https://openid.net/specs/oauth-event-types-1_0-01.html#rfc.section.2.2
https://openid.net/specs/openid-risc-profile-1_0.html#rfc.section.2.1

-Karl

On May 6, 2019, at 12:42 PM, Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org> wrote:

Fair enough! What do others think about it?
Exploring the approach: would we want a bool claim or an enumeration, e.g. sub_type = [ resource_owner | client ] ?


On Mon, May 6, 2019 at 12:35 PM Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
Hi Vittorio,

On 06/05/2019 22:22, Vittorio Bertocci wrote:
> It is true that the grant_type is a client side consideration. I did think
> about the "client_id==sub" heuristic, but that's not always applicable:
> many systems have their own rules for generating sub, and in case they want
> to prevent tracking across RSes the sub might be generated ad-hoc for that
> particular RS.
> Would you prefer to have a dedicated claim that distinguishes between user
> and app tokens rather than reusing grant_type?

A dedicated claim to flag client_id effectively == sub would be
preferable, and much easier for RS developers to process.

The AS is the authority and has all the knowledge to set / indicate this.

I want to keep RS developers away from having to deal with grant types
and having to make decisions whether client_id effectively == sub.

Vladimir


> On Mon, May 6, 2019 at 12:16 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
>
>> On 06/05/2019 20:32, Vittorio Bertocci wrote:
>>> To that end, *Karl McGuinness suggested that we include
>>> grant_type as a return claim, which the RS could use to the same
>>> effect*. I find the proposal very clever, and the people at IIW thought so as well.
>>> What do you think?
>> The grant type is not something that the RS is really concerned with, or
>> should be. Introducing this parameter in the access token will create an
>> additional logical dependency, plus complexity - in the system of
>> client, AS and RS as a whole, as well as for RS developers. The grant
>> type, as a concept, is a matter between the client and AS, and IMO
>> should stay that way.
>>
>> Clear language in the spec should suffice. For instance: "If the sub
>> value matches the client_id value, then the subject is the client
>> application".
>>
>> Vladimir
>>
>> --
>> Vladimir Dzhuvinov
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
--
Vladimir Dzhuvinov


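To make the trade-off in this thread concrete, here is an added example in Python (stdlib only); it is not code from the thread, from the draft, or from any participant's product. An AS mints JWT access tokens carrying the `sub_type = [ resource_owner | client ]` enumeration Vittorio floated, and an RS classifies each token twice: once with the `sub == client_id` heuristic, once by reading the dedicated claim. The third sample token is the case Vittorio describes, a client-credentials token whose `sub` is pairwise for this RS, where the heuristic gives the wrong answer and the AS-asserted claim does not. The HMAC key, the issuer and audience URLs, the `client_id` and `sub` values, and the `sub_type` claim name and values are all constructed for the example; `sub_type` is the proposal under discussion, not a registered claim.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC key for the example only; a real AS signs with an asymmetric key
# and publishes the public half (e.g. via JWKS) for RSes to verify against.
SHARED_KEY = b"constructed-example-key-do-not-reuse"
AUDIENCE = "https://rs.example"  # constructed RS identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """AS side: serialize and HS256-sign a claim set as a compact JWT."""
    header = {"alg": "HS256", "typ": "at+jwt"}  # at+jwt: JWT access token media type (RFC 9068)
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes = SHARED_KEY, audience: str = AUDIENCE) -> dict:
    """RS side: check structure, alg, signature, audience and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims


def accept(token: str) -> bool:
    """True if verify_jwt accepts the token, False on any validation failure."""
    try:
        verify_jwt(token)
        return True
    except ValueError:
        return False


def is_client_token_by_heuristic(claims: dict) -> bool:
    """The 'sub == client_id' heuristic discussed in the thread."""
    return claims.get("sub") == claims.get("client_id")


def is_client_token_by_claim(claims: dict) -> bool:
    """Dedicated-claim alternative: the AS asserts it, the RS only reads it.
    'sub_type' and its values are the thread's proposal, not a registered claim."""
    return claims.get("sub_type") == "client"


def sample_tokens(now=None) -> dict:
    """Three constructed tokens from the same AS for the same client."""
    now = int(time.time()) if now is None else now
    base = {"iss": "https://as.example", "aud": AUDIENCE, "client_id": "app-123",
            "iat": now, "exp": now + 300}
    return {
        # Resource-owner-delegated token (e.g. obtained via an authorization code grant).
        "user_delegated": mint_jwt({**base, "sub": "alice-7f3a", "sub_type": "resource_owner"}),
        # Client acting as itself, with the AS reusing client_id as sub.
        "client_same_sub": mint_jwt({**base, "sub": "app-123", "sub_type": "client"}),
        # Client acting as itself, but the AS issued a pairwise sub for this RS:
        # the case where the sub == client_id heuristic cannot work.
        "client_pairwise_sub": mint_jwt({**base, "sub": "pairwise-9c1e", "sub_type": "client"}),
    }


def classify(token: str) -> dict:
    """Run both classification strategies over a verified token."""
    claims = verify_jwt(token)
    return {"heuristic": is_client_token_by_heuristic(claims),
            "claim": is_client_token_by_claim(claims)}


def serve_me_endpoint(token: str) -> str:
    """An RS endpoint that only makes sense for a delegated user, so app tokens are rejected."""
    claims = verify_jwt(token)
    if is_client_token_by_claim(claims):
        return "403 endpoint requires a resource-owner-delegated token"
    return f"200 profile of {claims['sub']}"


if __name__ == "__main__":
    for name, tok in sample_tokens().items():
        print(name, classify(tok), serve_me_endpoint(tok))
```

Running it shows `client_pairwise_sub` classified as a user token by the heuristic and as an app token by the claim; the `/me`-style endpoint relies only on the claim, which is the point Vladimir makes about keeping RS developers away from grant-type reasoning and `sub`-generation rules. Note that the RS still validates signature, audience and expiry before trusting any claim, since `sub_type` is only as good as the AS that signed it.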