Re: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions
Justin Richer <jricher@mit.edu> Tue, 15 September 2015 20:42 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1720B1AD0A0 for <oauth@ietfa.amsl.com>; Tue, 15 Sep 2015 13:42:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YNyotBCryTXG for <oauth@ietfa.amsl.com>; Tue, 15 Sep 2015 13:42:02 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EB371AD09D for <oauth@ietf.org>; Tue, 15 Sep 2015 13:42:02 -0700 (PDT)
X-AuditID: 1209190e-f79296d00000051c-4b-55f882991d0f
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 69.88.01308.99288F55; Tue, 15 Sep 2015 16:42:01 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t8FKg0Cl021757; Tue, 15 Sep 2015 16:42:00 -0400
Received: from [10.10.49.130] (173-14-170-177-NewEngland.hfc.comcastbusiness.net [173.14.170.177]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t8FKfxWP016248 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 15 Sep 2015 16:42:00 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_4CFB6390-47C1-4DC9-A8E0-86996EF2A2DC"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <55F85EF5.5080609@aol.com>
Date: Tue, 15 Sep 2015 16:41:58 -0400
Message-Id: <15EEB79E-5003-4CC1-892D-96357CB0B89B@mit.edu>
References: <55F85EF5.5080609@aol.com>
To: George Fletcher <gffletch@aol.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprNKsWRmVeSWpSXmKPExsUixG6nrjuz6UeowYr3whZ3ulawW5x8+4rN gcnj/u6V7B5LlvxkCmCK4rJJSc3JLEst0rdL4MrYMWcNc8EW64oDPbdYGhjXG3YxcnBICJhI fOuQ6GLkBDLFJC7cW8/WxcjFISSwmElizrOXLBDORkaJFc8+MkI495kkfnasZgVpYRZIkHjy dQ0biM0roCfx6tZlsLiwgIfE7m3rmEBsNgFVielrWsBsTgF1iY53nWA1LEDxRYfus4BcwQwU bz/pAjHGSuJA50uwciEBNYlttx6BjRcBsptWrmGEuFRWYvfvR0wTGAVmIbliFpIrIOLaEssW vmaGsDUl9ncvZ8EU15Do/DaRdQEj2ypG2ZTcKt3cxMyc4tRk3eLkxLy81CJdY73czBK91JTS TYygcOeU5NvB+PWg0iFGAQ5GJR7eDZ3fQ4VYE8uKK3MPMUpyMCmJ8m6q/REqxJeUn1KZkVic EV9UmpNafIhRgoNZSYR3Yw1QjjclsbIqtSgfJiXNwaIkzrvpB1+IkEB6YklqdmpqQWoRTFaG g0NJgjegEahRsCg1PbUiLTOnBCHNxMEJMpwHaHgHSA1vcUFibnFmOkT+FKMux751d9YyCbHk 5eelSonzxoEUCYAUZZTmwc0Bpam1fKs2vmIUB3pLmHcBSBUPMMXBTXoFtIQJaIl76jeQJSWJ CCmpBsaiv8Gchidnc3HdP1Tw+6qOy21j85vHJavssv5t37PxyPWNM/60ZvHMObTjZ3FbhUuF yXa/zR+tW+TvVd1nvi+lXzXxjOlsk/1B93PyS2bHTnG7Eja5bs6V/0L76g75e9m3bspWbjZS nVvTW6S9bU7Q7xYRjvQ3GnU8kTYC377OsLC2WqobaaPEUpyRaKjFXFScCACCYaTQLgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/jNuaLb19Jy8Z486kiVMEhmSxkWs>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 20:42:05 -0000
That’s how we’ve implemented it, but I’ve seen others pass the JWS for the token directly using the assertion grant type. Personally I find that a little confusing, since it’s still the client making the swap, but maybe there’s something useful there anyway. It honestly feels a bit too much like WS-*, and one can hope that we’ve learned from the mistakes of the past by now. I think the difference may be who makes the JWS. If the client is making the JWS and using it to swap for a new token, then that’s a case for using client credentials and authenticating using the JWS. If the JWS is coming from a third party and being handed to the client, and the client’s using that as-is to swap for a new token, then that’s a case of using the JWS as an assertion directly to the AS and getting a token there. But I agree that it’s confusing that there are two similar mechanisms here. — Justin > On Sep 15, 2015, at 2:09 PM, George Fletcher <gffletch@aol.com> wrote: > > Hi, > > I just want to verify my reading of RFC 7523[1] for the use case where a client wants to get an access token for itself to use as authorization for future API calls. This is effectively exchanging a JWS for a "short lived" access token. > > My understanding of section 2.2 of RFC 7523, is that the 'client_assertion_type' and 'client_assertion' replace the default [OAuth2 (RFC 6749)] client authentication mechanism of client_id and client_secret. > > Therefore the correct way to implement this 2 legged flow is to use the OAuth2 (RFC 6749) client_credentials grant_type (Section 4.4) with the JWT Bearer defined client_assertion_type and client_assertion. > > This would look something like (line breaks added for readability) > > POST /token HTTP/1.1 > Host: server.example.com > Content-Type: application/x-www-form-urlencoded > > grant_type=client_credentials& > client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer& > client_assertion=<encoded JWS>& > scope="myscopes" > Is there a different industry standard for this use case? I'm checking as I find that multiple AS implementations do this differently:) > > Thanks, > George > [1] https://tools.ietf.org/html/rfc7523 <https://tools.ietf.org/html/rfc7523> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth2 2 legged flows with JWT client … George Fletcher
- Re: [OAUTH-WG] OAuth2 2 legged flows with JWT cli… Justin Richer
- Re: [OAUTH-WG] OAuth2 2 legged flows with JWT cli… Brian Campbell
- Re: [OAUTH-WG] OAuth2 2 legged flows with JWT cli… George Fletcher