IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

<donald.coffin@reminetworks.com> Mon, 25 March 2019 17:05 UTC

Return-Path: <donald.coffin@reminetworks.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B54B512051F for <oauth@ietfa.amsl.com>; Mon, 25 Mar 2019 10:05:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=reminetworks.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CIpZj7RI5_WY for <oauth@ietfa.amsl.com>; Mon, 25 Mar 2019 10:05:06 -0700 (PDT)
Received: from gproxy4-pub.mail.unifiedlayer.com (gproxy4-pub.mail.unifiedlayer.com [69.89.23.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 076111204E0 for <oauth@ietf.org>; Mon, 25 Mar 2019 10:05:01 -0700 (PDT)
Received: from cmgw14.unifiedlayer.com (unknown [10.9.0.14]) by gproxy4.mail.unifiedlayer.com (Postfix) with ESMTP id 3B038175A8A for <oauth@ietf.org>; Mon, 25 Mar 2019 10:51:04 -0600 (MDT)
Received: from host125.hostmonster.com ([74.220.207.125]) by cmsmtp with ESMTP id 8SoRhRTALXFO58SoRh7Fm1; Mon, 25 Mar 2019 10:51:04 -0600
X-Authority-Reason: nr=8
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=reminetworks.com; s=default; h=Content-Type:MIME-Version:Message-ID:Date: Subject:In-Reply-To:References:Cc:To:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=IXIdvs5dvMOjBltI8EZzMt9WMcN0xs/4PNIgUxSEFUc=; b=d9zmiDV7cZHKBJ5/XVw4fAyov ZAO8L+m758+Ke2W523oRGwdIGAnIk2IX5N0ZOPp+3eJ1P6Kk3PDARsROG0SqErB3l3K5tyK1huWZP iuE8+IbTC0zoWCsrU2/4Bp2n+M;
Received: from 162-206-229-38.lightspeed.tukrga.sbcglobal.net ([162.206.229.38]:54685 helo=DESKTOPLIOIB6R) by host125.hostmonster.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.91) (envelope-from <donald.coffin@reminetworks.com>) id 1h8SoR-000pnH-Ka; Mon, 25 Mar 2019 10:51:03 -0600
From: donald.coffin@reminetworks.com
To: 'Dominick Baier' <dbaier@leastprivilege.com>, 'Hans Zandbelt' <hans.zandbelt@zmartzone.eu>
Cc: 'IETF oauth WG' <oauth@ietf.org>, 'Nov Matake' <matake@gmail.com>, vittorio@auth0.com
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com> <CAO7Ng+siADYHEhr8gryPZ_6c50uQ3XxDM5inAFwgG+Xa0bnwfg@mail.gmail.com> <CA+iA6uhHOSmiSG_vxvad_g2ufi57OS4TxdvoO20g+7vm7rNZiA@mail.gmail.com> <CAO7Ng+vGC5ByU1wZrbNWvaZ+QuDByhJ8huw8UXVxfOCWQpaH1w@mail.gmail.com>
In-Reply-To: <CAO7Ng+vGC5ByU1wZrbNWvaZ+QuDByhJ8huw8UXVxfOCWQpaH1w@mail.gmail.com>
Date: Mon, 25 Mar 2019 12:51:02 -0400
Message-ID: <025601d4e32a$ef918510$ceb48f30$@reminetworks.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0257_01D4E309.68816BB0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQIwgA4L/thS5xrVIYxSuUg+/ebS0QJruZ5xAx7kx8ICRKR1QgIl3tkUpRWrU/A=
Content-Language: en-us
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host125.hostmonster.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - reminetworks.com
X-BWhitelist: no
X-Source-IP: 162.206.229.38
X-Source-L: No
X-Exim-ID: 1h8SoR-000pnH-Ka
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: 162-206-229-38.lightspeed.tukrga.sbcglobal.net (DESKTOPLIOIB6R) [162.206.229.38]:54685
X-Source-Auth: donald.coffin@reminetworks.com
X-Email-Count: 5
X-Source-Cap: cmVtaW5ldHc7cmVtaW5ldHc7aG9zdDEyNS5ob3N0bW9uc3Rlci5jb20=
X-Local-Domain: yes
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jl0gF3TpbUCF4Bz772eiSu8yTnI>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 17:05:15 -0000

Dominick,

 

While you assumption of how OIDC and OAuth are used may apply to Federated solutions, the North American Energy Standards Board (NAESB) Energy Service Provider Interface (ESPI) REQ.21, which defines the data transmission standard for Energy utilities (electricity, gas, and water) to use in providing consumer’s and Third Party applications information about their customer’s energy consumption only allows OAuth 2.0 opaque ATs.

The Green Button Alliance, is reviewing how to update the standard to utilize the various IETF standards associated with OIDC this coming year, but currently the standard does NOT support a mixture of OIDC and OAuth.  I am very happy to see the IETF attempting to standardize the content and usage of JWT based OAuth ATs.

 

Best regards,

Don

Donald F. Coffin

Founder/CTO

 

REMI Networks

2335 Dunwoody Xing #E

Dunwoody, GA 30338-8221

 

Phone:      (949) 636-8571

Email:       donald.coffin@reminetworks.com <mailto:donald.coffin@reminetworks.com> 

 

From: Dominick Baier <dbaier@leastprivilege.com> 
Sent: March 25, 2019 10:39 AM
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: IETF oauth WG <oauth@ietf.org>; Nov Matake <matake@gmail.com>; vittorio@auth0.com
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

 

Yes I know - and I think in hindsight it was a mistake to use the same claim type for multiple semantics.

 

All the “this is OIDC not OAuth” arguments are making things more complicated than they need to be - in my experience almost no-one (that I know) does OIDC only - nor OAuth only. They always combine it..

 

In reality this leads to potential security problems - this spec has the potential to rectify the situation.

 

Dominick

 

On 25. March 2019 at 14:58:56, Hans Zandbelt (hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu> ) wrote:

Without agreeing or disagreeing: OIDC does not apply here since it is not OAuth and an access token is not an id_token.

The JWT spec says in https://tools.ietf.org/html/rfc7519#section-4.1.2:

 

"The "sub" (subject) claim identifies the principal that is the

   subject of the JWT.  The claims in a JWT are normally statements

   about the subject.  The subject value MUST either be scoped to be

   locally unique in the context of the issuer or be globally unique.

   The processing of this claim is generally application specific"

 

which kind of spells "client" in case of the client credentials grant but I also do worry about Resource Servers thinking/acting only in terms of users

 

Hans.

 

On Mon, Mar 25, 2019 at 2:41 PM Dominick Baier <dbaier@leastprivilege.com <mailto:dbaier@leastprivilege.com> > wrote:

IMHO the sub claim should always refer to the user - and nothing else.

 

OIDC says:

 

"Subject - Identifier for the End-User at the Issuer."

 

client_id should be used to identify clients.

 

cheers

Dominick

 

On 25.. March 2019 at 05:13:03, Nov Matake (matake@gmail.com <mailto:matake@gmail.com> ) wrote:

Hi Vittorio, 

 

Thanks for the good starting point of standardizing JWT-ized AT.

 

One feedback.

The “sub” claim can include 2 types of identifier, end-user and client, in this spec.

It requires those 2 types of identifiers to be unique each other in the IdP context.

 

I prefer omitting “sub” claim in 2-legged context, so that no such constraint needed.

 

thanks

 

nov





On Mar 25, 2019, at 8:29, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org <mailto:vittorio.bertocci=40auth0.com@dmarc.ietf.org> > wrote:

 

Dear all, 

I just submitted a draft describing a JWT profile for OAuth 2.0 access tokens. You can find it in https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.

I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting remotely). I look forward for your comments!

 

Here's just a bit of backstory, in case you are interested in how this doc came to be. The trajectory it followed is somewhat unusual.

*	Despite OAuth2 not requiring any specific format for ATs, through the years I have come across multiple proprietary solution using JWT for their access token. The intent and scenarios addressed by those solutions are mostly the same across vendors, but the syntax and interpretations in the implementations are different enough to prevent developers from reusing code and skills when moving from product to product.
*	I asked several individuals from key products and services to share with me concrete examples of their JWT access tokens (THANK YOU Dominick Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta) for the tokens and explanations!).
I studied and compared all those instances, identifying commonalities and differences. 
*	I put together a presentation summarizing my findings and suggesting a rough interoperable profile (slides: https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx>  ) - got early feedback from Filip Skokan on it. Thx Filip!
*	The presentation was followed up by 1.5 hours of unconference discussion, which was incredibly valuable to get tight-loop feedback and incorporate new ideas. John Bradley, Brian Campbell Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there and contributed generously to the discussion. Thank you!!!
Note: if you were at OSW2019, participated in the discussion and didn't get credited in the draft, my apologies: please send me a note and I'll make things right at the next update.
*	On my flight back I did my best to incorporate all the ideas and feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat, Hannes and above all Brian were all super helpful in negotiating the mysterious syntax of the RFC format and submission process.

I was blown away by the availability, involvement and willingness to invest time to get things right that everyone demonstrated in the process. This is an amazing community. 

V.

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth




 

--

hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu> 

ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu>

v2.23.0 | Report a Bug | By Email