IETF Logo Mail Archive

Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences

Brian Campbell <bcampbell@pingidentity.com> Fri, 12 August 2016 22:31 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEE7812D744 for <oauth@ietfa.amsl.com>; Fri, 12 Aug 2016 15:31:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W39HJ65kd_ct for <oauth@ietfa.amsl.com>; Fri, 12 Aug 2016 15:31:16 -0700 (PDT)
Received: from mail-it0-x22e.google.com (mail-it0-x22e.google.com [IPv6:2607:f8b0:4001:c0b::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEE0212B042 for <oauth@ietf.org>; Fri, 12 Aug 2016 15:31:15 -0700 (PDT)
Received: by mail-it0-x22e.google.com with SMTP id f6so26317029ith.0 for <oauth@ietf.org>; Fri, 12 Aug 2016 15:31:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NRAvFfdu+AOVSONS5Ij0KyVihFGVq6gP8Hkf6E0Ms/E=; b=NzoTNqiSeGEAswsLXkKnDBZqotoHN2D+tb2pSNcwyuHO3w7jeBVwSdwuNgF6HcBGtg o7EF8dS3Mhoijc/UTimlC6zrzWxSxHM2nVT5oI14Cg0PdltZ2aR9FHfO6l/A3gGlOibg IjRGuI7xVCb6Q4XMWcFGkVJm864T4e8eE+Zjs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NRAvFfdu+AOVSONS5Ij0KyVihFGVq6gP8Hkf6E0Ms/E=; b=A5FEzvMQVjquedAV9IykyeEGqdVn7Q0ba15tAzHyyGmztOcHtIzJYw6k98OgF7M8kK jGMmU+64bwpMuYtn8AHUaCgun5PP+5CSOZMehHQpjEQbpYBC7VsyxUKfACYoEbeqk6Ze euAbcuEKWoqs7F2D5iMrR3BztzRh5k1Y/orTKoTxlnnneGXiEqH2m02nQGUt+tYc53v9 WfF3GYbL62DsPZae/XRz7wAu/BqLomGHOA9vttxO/u2pdpof2R4GsKDD8stoynT7HTBV 3YvkPfpBOsUFzM1VPw/gpawFlTfTNRNKJuALjGYkuKyrW+5Q3O73Rhtut24rGVypMDxd OajQ==
X-Gm-Message-State: AEkoouuOrTctL+rFezX9c1dBPh/epftE/d90Y8HvUIobDd1bwX/yEvgUdTgzARhrNjNzVHnA1Vn82DhoCqxVct2Y
X-Received: by 10.36.34.145 with SMTP id o139mr1487556ito.11.1471041075079; Fri, 12 Aug 2016 15:31:15 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.123.14 with HTTP; Fri, 12 Aug 2016 15:30:44 -0700 (PDT)
In-Reply-To: <6b6457e2-9cf1-9fdc-25f8-a0ee6be6976e@gmail.com>
References: <8472e581-1382-a364-a232-07ce6eeb0115@gmail.com> <852DC4F5-B9A0-4402-8550-6AB725546C63@ve7jtb.com> <9912591c-ce6c-b13c-e9f2-f0fb66b557d8@gmail.com> <6b6457e2-9cf1-9fdc-25f8-a0ee6be6976e@gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 12 Aug 2016 16:30:44 -0600
Message-ID: <CA+k3eCQHiVv9vq6CWPK03UwfAyKWF251DNLdxQ4TiJrjmHVSTg@mail.gmail.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Content-Type: multipart/alternative; boundary="001a11406670bb0d710539e770e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iZmkG6ohv5NgA9F9-3b5SqVW7wU>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] JWS JWT Access Tokens and resource audiences
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Aug 2016 22:31:18 -0000

Yeah, the client typically isn't the/an audience of an access token. The AT
is opaque to the client and the client never processes or validates it. So
aud would have the resource(s) and something else could carry the client
id.

FWIW, token exchange is looking to define and register "cid" as a JWT claim
for the client identifier:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-05#section-4.3

On Fri, Aug 12, 2016 at 4:13 AM, Sergey Beryozkin <sberyozkin@gmail.com>
wrote:

> Hi,
>
>
> After updating my earlier code (where 'client_id' was set as the standard
> JWT access token 'aud' property) to use 'aud' to represent the resource
> audiences I'm now thinking how to represent a 'client_id' in this token.
>
> For now if I'm using a 'client_id' claim, to be consistent with a standard
> token introspection response.
>
> The other thing is how to represent a name of the user who authorized the
> code grant which was exchanged for this token.
>
> Again I'm using a "username" claim, to be consistent with a standard token
> introspection response.
>
> Also thinking, what value if any a 'sub' claim in such a token should
> have. I'm setting it to a unique user identifier (similarly to IdToken).
>
> Any comments are welcome
>
> Sergey
>
>
> On 11/08/16 23:30, Sergey Beryozkin wrote:
>
>> Hi John
>> On 11/08/16 23:24, John Bradley wrote:
>>
>>> I think most people put the a resource URI in the aud.
>>>
>>> Connect uses the client ID as that is bit more stable than trying to
>>> use a redirect URI when there could be multiple ones.
>>> Given that a resource server doesn’t typically have a client_id the
>>> resource uri make a reasonable value.
>>>
>>> You could put it in resource if you like, but that is probably not
>>> what others are doing.
>>>
>> I was suspecting I might be on my own here yes :-)
>>
>>
>>> It may be time for a interoperable JWT access token profile of some sort.
>>>
>>
>> +1
>>
>> We keep getting close with some of the PoP stuff but only specify parts.
>>>
>>
>> Thanks, Sergey
>>
>>
>>> John B.
>>>
>>>> On Aug 11, 2016, at 6:16 PM, Sergey Beryozkin <sberyozkin@gmail.com>
>>>> wrote:
>>>>
>>>> Hi All
>>>>
>>>> Awhile back I was asking why would self-contained JWS JWT access
>>>> tokens would be used (as opposed to JWE JWTs), my concern was that
>>>> anyone with a JWT library can read this token's content - but as I
>>>> was explained that should not be a problem if such a JWS JWT token
>>>> contains non-sensitive information. Besides, in some cases, it gives
>>>> RS an option to validate this JWS JWT locally, without having to make
>>>> a remote validation call.
>>>>
>>>> So I've started experimenting and the immediate question I have is
>>>> this one: which claim should one use to represent a resource server
>>>> audience to get the most inter-operable RS level validation logic ?
>>>>
>>>> For example, a given RS may talk to different 3rd party authorization
>>>> servers, say AS1 (vendor1) and AS2 (vendor2), and either AS1 or AS2
>>>> JWS JWT tokens that this RS validates locally should ideally use the
>>>> same claim to represent a resource audience. RS validation logic is
>>>> written independently (without using AS1 or AS2 aware validation
>>>> libraries).
>>>>
>>>> We do expect such requirements coming in our deployments. AS1 &
>>>> independent validation logic is already in use. Just a matter of time
>>>> before AS2 is introduced.
>>>>
>>>> So JWT has a standard 'aud' claim - but I believe this should be a
>>>> 'clientId' of the client a token is issued to, similarly to the way
>>>> the 'aud' is treated in IdToken.
>>>>
>>>> So I've prototyped the code where JWT has these claims:
>>>>
>>>> "aud" = clientId
>>>> "resource" = 'http://myResourceServer'
>>>>
>>>> where 'resource' is borrowed from OAuth2 Resource Indicators draft
>>>> and represent a specific RS target address, the resource server
>>>> audience.
>>>>
>>>> Am I on the right path ? How would others do it when facing a task of
>>>> including a resource audience in a self-contained JWS JWT access token ?
>>>>
>>>> Many thanks, Sergey
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email