IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

Brian Campbell <bcampbell@pingidentity.com> Wed, 25 March 2020 15:48 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A533A0983 for <oauth@ietfa.amsl.com>; Wed, 25 Mar 2020 08:48:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZ82IchVi-XG for <oauth@ietfa.amsl.com>; Wed, 25 Mar 2020 08:48:06 -0700 (PDT)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82D663A0A0C for <oauth@ietf.org>; Wed, 25 Mar 2020 08:48:05 -0700 (PDT)
Received: by mail-lj1-x235.google.com with SMTP id w1so2988087ljh.5 for <oauth@ietf.org>; Wed, 25 Mar 2020 08:48:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JW7gL6EcFIZV6DQC3hDoT/47rYUn6ucB629H9XSSAIY=; b=T9yP1+Xpl7XINpH3F2Px4bpdOVYzXsasGHLXQtzQBXfae6+YCc8uhZZW43PXnFzNLy H0pYFh+oW+6H9C3td8Eru0U90zG3mPao/vWChY+HcoV+A7X/uz26ZaNZy5N2pTixM8j2 mhGVzoc2smx8ixvAeiDvbkjjBQJvYHUJKTBWZsSf4xq3sn+RNGQ0WQv296RcaRB4RPag S09kFpqnJzWH/LqJPJNpG7J1ww3XSnMPB3RZke/2Y2qP5lVHWNX3iYW+l33ND+rPPt+8 Zm/0YMaLZ5j96RUAudQRrfSXstwawGfsHhMAedFp2G6ZNIMREAqyHen2dxR0IJT8jtTp YHow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JW7gL6EcFIZV6DQC3hDoT/47rYUn6ucB629H9XSSAIY=; b=Gtzt8io0FZ0V10pdjtVBUy+1Yn8SkdSNnRdb7+f8pOHsgBwt6jfdQ6bBDNljc7AoG8 f7hnPWWavpUE0LL96zQnNyxqH11lethD29YhIT9F1iLiL14F2zZTrLQWZNqv6xPjT98g 6Kk5IXw7M+PdjvL8GRMXuzNO80kYxS/PfMzJZ2oQql15ePs4PsdXlYH4iDKQ5XEF+GSC 3UeyL1Q0rkJsZDhi3hcVXdfPkj+4E1xtR5/jdFiYobdKlbAeGNOyHI6YlpLzzOOXH1wp CIxXVz9NDir2EJ89p9hXbSsIfIPmPYa679uqyBKEkuVNOjclPGrXYMpiwXDwQw1d9Xzd d+3Q==
X-Gm-Message-State: AGi0PuZojYdKpAox0EXeSmSM3JCcZ7uw2s4QgHImO40xXMa4omhC9fNL 2yawkkbX7t/h6CFBdHek+WJl6qQv0UeglAsCwlbgyeGerYqfQd0g33WWEo6IYcFNoEhbv23DHH/ qxuHCA3ZWAugNow==
X-Google-Smtp-Source: APiQypLwtTmaKDYFZbYiaY9smpiUpGReskVPP9Ekl5Cmwh5bEf140VGrcSfaiSxgab8Zovrv0hc9S4qYrN3xSXP+eSY=
X-Received: by 2002:a2e:8644:: with SMTP id i4mr2515294ljj.20.1585151282226; Wed, 25 Mar 2020 08:48:02 -0700 (PDT)
MIME-Version: 1.0
References: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com> <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr> <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com> <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com> <52f18114-4f8e-da86-5735-4c4e8f8d2db5@aol.com> <BL0PR08MB5394CA3CB524E95EA87CD6B6AEF10@BL0PR08MB5394.namprd08.prod.outlook.com> <74da4cc3-359c-c08a-0ae5-54c8ca309f32@aol.com> <D080BE8B-BD0D-4F63-9F33-BA23C2FB42DD@amazon.com> <DM6PR08MB5402639817677AD59898CD65AECE0@DM6PR08MB5402.namprd08.prod.outlook.com>
In-Reply-To: <DM6PR08MB5402639817677AD59898CD65AECE0@DM6PR08MB5402.namprd08.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 25 Mar 2020 09:47:35 -0600
Message-ID: <CA+k3eCS29X28CBXGiUtDAV8nceTcpfJ4Jr_x=E3x8_9crOqsOQ@mail.gmail.com>
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
Cc: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017bda905a1afcb92"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/i4scGZ8RvG46oVNsGorN0QIVWYk>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Mar 2020 15:48:08 -0000

I'm gonna go out on a limb and guess/suggest that implicit in Annabelle's
comment was an assumption that signing ATs and ID Tokens with different
keys would be done to prevent token substitution/confusion. And there's not
really a practical way to achieve that with the mechanics of the jwks_uri.

On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci <vittorio.bertocci=
40auth0.com@dmarc.ietf.org> wrote:

> *>§4 p3: The only practical way for the AS to sign ATs and ID Tokens with
> different keys is to publish the keys in two different JWK sets. This only
> way to do this today is by publishing separate OAuth 2.0 authorization
> server metadata and OIDC Discovery metadata files, where the JWK set in the
> former applies to access tokens and the JWK set in the latter applies to ID
> Tokens.*
>
> Hmm, I don’t follow. The OIDC jwks_uri can contain multiple keys, and they
> all can be used for signing. What prevents the AS to use one key from that
> list for IDtokens and another for ATs? Separate discovery docs shouldn’t be
> necessary. Sure, there would be no way for the RS to know what key is used
> for what- but similar mechanisms are already in place today for handling
> signing key rotation: e.g. the discovery doc lists the current key and the
> future key, but uses only the current- and the RS has no way of
> distinguishing between the two. The situation here can be analogous, any
> key in the discovery doc should be considered valid by the RS, and in fact
> there’s no requirement about selecting specific keys in the validation
> section. That doesn’t mean this is useless, an AS might elect to use
> different keys for its own purposes (eg separation of concerns for
> forensics, different strengths, different lifecycles, and so on).
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email