IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

Nov Matake <matake@gmail.com> Mon, 25 March 2019 04:12 UTC

Return-Path: <matake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3D93120264 for <oauth@ietfa.amsl.com>; Sun, 24 Mar 2019 21:12:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KwmgTJu_s5ib for <oauth@ietfa.amsl.com>; Sun, 24 Mar 2019 21:12:50 -0700 (PDT)
Received: from mail-pf1-x42a.google.com (mail-pf1-x42a.google.com [IPv6:2607:f8b0:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DEFC1202DB for <oauth@ietf.org>; Sun, 24 Mar 2019 21:12:50 -0700 (PDT)
Received: by mail-pf1-x42a.google.com with SMTP id i17so5421542pfo.6 for <oauth@ietf.org>; Sun, 24 Mar 2019 21:12:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=3DmGs3ZCgVZ/elL/BoJq0I3bKlRTfhmW0UtZMCQwHJc=; b=YLg0pXucZ6RNTWYPLsJTlm91UJCm/rx0XYWmWvJZ76HOv0R72snBQ7yngYmbtSwcRg J7dECon8i//C0bKWmAjz5xLAmThf8KBcADaOjxCtfEDwjGNkP0TxFwonBDxj7tsRfKOP 4+MUrnAPFsAqHdHHdyYeQBhe1crzapxxCi96knm2CCtC+0IeQz6399xu7PyB+Hi4X0b6 eQBowWoPjq9rnYxieaHcLxzJAZ64+2qslTjCF0XCvjjKPTlG1zOxgVAxuFHhe14SseYK TTnGzFZsQx3sY+AW25HUboBibStlkmhiOLam43ZzBsSSf9yk+Q+DXLHk6Kdtq65ZLrLX xHww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=3DmGs3ZCgVZ/elL/BoJq0I3bKlRTfhmW0UtZMCQwHJc=; b=iQkJfNwpjlFIo5s4283e7lsc888JOpk1/sKt9FzvyeKjVuQSmE5w7oB604dch+DOPY ZUBbJdfb+LYHQls0CfdxNXYLFL+nCSRld9HOq3bx1b905QBnDAANhNeAcuyymYh44AWc TLSFRgK/mJPamFF1PClld622tUJSWeKx3Ik5xtc632qg15xuxB82wuk4Ef4obKL+I+ta h6YKAFraVIxFLq7FZ7U0mOpB/sjlb5MM1I+FvJ8E84XYGSzOjevqTC+aKKqSBr2qKTds LT1xAAKo28/RVoDCckD54nTvMDkjHMnCKfGkpVbph9s2hSGJWyPDMeTQI2NZKpsHZW81 FpzA==
X-Gm-Message-State: APjAAAUZLKSjpw8pWv5/WlQnMPJjvGhS88wEmpj3TxmZRFeSUyrrwsZJ udIEyvB6+k8WAuiEX9cf1Co=
X-Google-Smtp-Source: APXvYqxygOs+V39CtkGhub2RiIT3xLkgWrwOd3Csnvy+3TkNeLgryrU9vqVEdVci5EKFmpvFPAAzdw==
X-Received: by 2002:a63:4e64:: with SMTP id o36mr20788529pgl.213.1553487169981; Sun, 24 Mar 2019 21:12:49 -0700 (PDT)
Received: from [192.168.202.202] (122x208x203x30.ap122.ftth.ucom.ne.jp. [122.208.203.30]) by smtp.gmail.com with ESMTPSA id j14sm18616612pfe.12.2019.03.24.21.12.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 Mar 2019 21:12:49 -0700 (PDT)
From: Nov Matake <matake@gmail.com>
Message-Id: <B755AE4D-2D10-4380-AC12-4B7A8F53B812@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F64DD402-3087-44CE-9562-58376EDBE0AC"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Mon, 25 Mar 2019 13:12:45 +0900
In-Reply-To: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
To: Vittorio@auth0.com
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jm8pzWzgMg8rDEYEfBtMxbCpOWQ>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 04:12:53 -0000

Hi Vittorio,

Thanks for the good starting point of standardizing JWT-ized AT.

One feedback.
The “sub” claim can include 2 types of identifier, end-user and client, in this spec.
It requires those 2 types of identifiers to be unique each other in the IdP context.

I prefer omitting “sub” claim in 2-legged context, so that no such constraint needed.

thanks

nov

> On Mar 25, 2019, at 8:29, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
> 
> Dear all,
> I just submitted a draft describing a JWT profile for OAuth 2.0 access tokens. You can find it in https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/ <https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/>.
> I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting remotely). I look forward for your comments!
> 
> Here's just a bit of backstory, in case you are interested in how this doc came to be. The trajectory it followed is somewhat unusual.
> Despite OAuth2 not requiring any specific format for ATs, through the years I have come across multiple proprietary solution using JWT for their access token. The intent and scenarios addressed by those solutions are mostly the same across vendors, but the syntax and interpretations in the implementations are different enough to prevent developers from reusing code and skills when moving from product to product.
> I asked several individuals from key products and services to share with me concrete examples of their JWT access tokens (THANK YOU Dominick Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta) for the tokens and explanations!). 
> I studied and compared all those instances, identifying commonalities and differences. 
> I put together a presentation summarizing my findings and suggesting a rough interoperable profile (slides: https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx <https://sec..uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx> ) - got early feedback from Filip Skokan on it. Thx Filip!
> The presentation was followed up by 1.5 hours of unconference discussion, which was incredibly valuable to get tight-loop feedback and incorporate new ideas. John Bradley, Brian Campbell Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there and contributed generously to the discussion. Thank you!!!
> Note: if you were at OSW2019, participated in the discussion and didn't get credited in the draft, my apologies: please send me a note and I'll make things right at the next update.
> On my flight back I did my best to incorporate all the ideas and feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat, Hannes and above all Brian were all super helpful in negotiating the mysterious syntax of the RFC format and submission process.
> I was blown away by the availability, involvement and willingness to invest time to get things right that everyone demonstrated in the process. This is an amazing community. 
> V.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email