Re: [OAUTH-WG] RS as a client guidance
Justin Richer <jricher@mit.edu> Thu, 20 August 2015 00:40 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E7051A8A8A for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VsuSaIxCUkmE for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:40:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45CA71A8A7E for <oauth@ietf.org>; Wed, 19 Aug 2015 17:40:14 -0700 (PDT)
X-AuditID: 12074424-f79b46d000001e7f-dd-55d521eca3d3
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 3A.86.07807.CE125D55; Wed, 19 Aug 2015 20:40:12 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t7K0eBUk032372; Wed, 19 Aug 2015 20:40:12 -0400
Received: from [192.168.128.56] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t7K0e6Cd025146 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 19 Aug 2015 20:40:11 -0400
To: John Bradley <ve7jtb@ve7jtb.com>, Nat Sakimura <sakimura@gmail.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <55D521DF.30306@mit.edu>
Date: Wed, 19 Aug 2015 20:39:59 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------030102080400080103090108"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHKsWRmVeSWpSXmKPExsUixG6novtG8WqowYSDGhYn375iszhzawWj xeq7f9kcmD12zrrL7rFkyU8mj9u3N7IEMEdx2aSk5mSWpRbp2yVwZVz48pGxYN5C5oof02+z NTB+P8/YxcjJISFgInGx+S6ULSZx4d56ti5GLg4hgcVMEq+e/WaFcDYyShye1wvl3GaS+PXv EgtIi7CAvsTG3Z3MILaIgLvE8md3mCCK1rNIPLy4EizBLCAr0XryEjuIzSagKjF9TQsTiM0r oCLxbe5VVhCbBSj+dG4rmC0qECPR82sDG0SNoMTJmU/AlnEK2ElMa77FAjEzTOL5lGtMExgF ZiEpm4UkBWGbSXRt7WKEsOUlmrfOZoaw1SRub7vKjiy+gJFtFaNsSm6Vbm5iZk5xarJucXJi Xl5qka65Xm5miV5qSukmRnA0uKjsYGw+pHSIUYCDUYmH94Lw1VAh1sSy4srcQ4ySHExKorxV nEAhvqT8lMqMxOKM+KLSnNTiQ4wSHMxKIrxnfl0JFeJNSaysSi3Kh0lJc7AoifNu+sEXIiSQ nliSmp2aWpBaBJOV4eBQkuB9owA0VLAoNT21Ii0zpwQhzcTBCTKcB2g4FzB5CPEWFyTmFmem Q+RPMSpKifNuAWkWAElklObB9cKS1StGcaBXhHkdQKp4gIkOrvsV0GAmoMGHJ1wEGVySiJCS amDU0pX4HvsrnKGsevHtI96MnjfyJxX9dnx9QHP7Tma1618nHl7352+ioPqRxEX3hDVuclxY 5idxOO79qosi83Y+XnvDNeWv5JpJWwsVT4r6WYVYPBRpK9sUNHmCunTu5C+ytTLNyddqgyJe cGcd/3+Mb7Vs3xehbyV3zjcUpi9QPtkYyM0kEdarxFKckWioxVxUnAgAKOuiijEDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/juW4Q43BvvG4Dxn8HQHA8zWhsNw>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:40:19 -0000
Just want to clear up some history: "azp" did not come from any existing claims from Google or otherwise. I very clearly recall proposing that we name it "prn" for "presenter", and Mike told me not to be evil[1] because we had just changed "prn" (for "principal") in the ID token to "sub" in order to match the more generic JWT. John suggested "a-zed-p" in the same discussion. As such, it clearly was "authorized presenter" in the first take, then it got widened/shifted a little bit in the final definition for reasons I never quite followed (nor cared much about at the time). -- Justin [1] Being told "don't be evil" by a Microsoft employee remains one of my proudest achievements. On 8/19/2015 8:35 PM, John Bradley wrote: > It could, but I remain to be convinced that would be a good idea. > “azp” came from a existing Google claim, I am not attached to the name. > > John B. >> On Aug 19, 2015, at 9:29 PM, Nat Sakimura <sakimura@gmail.com >> <mailto:sakimura@gmail.com>> wrote: >> >> Well, the abstract meaning is the same, but the practical >> implications and interpretation can vary within the >> boundaries depending on the context. >> >> A jku is a URI of a cryptographical key, which can be a uri of a >> signing key or encryption key depending on the context. Similarly the >> azp in an ID Token and an Access Token can share the same abstract >> concept while the concrete meaning in that particular concept can vary. >> >> 2015年8月20日木曜日、Mike Jones<Michael.Jones@microsoft.com >> <mailto:Michael.Jones@microsoft.com>> さんは書きました: >> >> Let me second John’s point that we shouldn’t have two different >> definitions for “azp”. As I wrote in my friendly review of >> draft-sakimura-oauth-rjwtprof-04 at >> http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html, >> the claim “azp” has already been registered by OpenID Connect >> Core at http://www.iana.org/assignments/jwt/jwt.xhtml and so >> cannot be re-registered. Given that I believe the intended >> semantics are the same, please cite the existing definition in >> rjwtprof, rather than repeating it or revising it. >> >> Thanks, >> >> -- Mike >> >> *From:*John Bradley [mailto:ve7jtb@ve7jtb.com >> <javascript:_e(%7B%7D,'cvml','ve7jtb@ve7jtb.com');>] >> *Sent:* Wednesday, August 19, 2015 11:05 AM >> *To:* Nat Sakimura >> *Cc:* Mike Jones; OAuth WG >> *Subject:* Re: [OAUTH-WG] RS as a client guidance >> >> Having two azp claims with slightly different definitions is not >> a good way to go, both access tokens and id_tokens are JWT. >> >> For better or worse the claim was defined for bearer tokens where >> it was only the identity of the requester that was able to be >> confirmed by the token endpoint. >> >> It supported a simple use case where a refresh token is used by >> client A to use as an assertion at AS B. >> >> In the simplest 3 party sase the requester of the token and the >> presenter of the token are the same. However in some situations >> they are not the same. >> >> The important thing was to allow the “aud” recipient of the token >> to be able to differentiate a token that it requested from a a >> token that a 3rd party requested and presented to it. >> >> The “azp” should probably be left as it is and not tied to proof >> of possession/ binding the token to the presenter. >> >> There was a lot of debate and back and forth on azp at the time, >> the main reason to include it was to warn normal Connect clients >> that JWT containing that azp claim need to have it’s value be >> them or someone they know and trust that can request assertions >> for them. That was because we knew that token containing that >> claim exist in the wild using that claim. >> >> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should >> probably be using a different claim to reduce the confusion. >> >> John B. >> >> On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com >> <javascript:_e(%7B%7D,'cvml','sakimura@gmail.com');>> wrote: >> >> So, Mike, >> >> Authorized Presenter is a defined term in *_Sender >> Constrained JWT for OAuth 2.0_* >> >> ( >> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ). >> It is used in the context of OAuth 2.0 Access Token, not a >> claim in ID Token of OpenID Connect. >> >> Nat >> >> 2015-08-19 11:44 GMT+09:00 Mike Jones >> <Michael.Jones@microsoft.com >> <javascript:_e(%7B%7D,'cvml','Michael.Jones@microsoft.com');>>: >> >> Just as a point of clarification, the definition of the “azp” >> claim is not “authorised presenter”. At least as defined by >> OpenID Connect, its definition is: >> >> azp >> >> OPTIONAL. Authorized party - the party to which the ID Token >> was issued. If present, it MUST contain the OAuth 2.0 Client >> ID of this party. This Claim is only needed when the ID Token >> has a single audience value and that audience is different >> than the authorized party. It MAY be included even when the >> authorized party is the same as the sole audience. The >> azpvalue is a case sensitive string containing a StringOrURI >> value. >> >> A reference to this definition is registered by OpenID >> Connect Core >> http://openid.net/specs/openid-connect-core-1_0.html in the >> IANA “JSON Web Token Claims” registry at >> http://www.iana.org/assignments/jwt/jwt.xhtml. >> >> -- Mike >> >> *From:*OAuth [mailto:oauth-bounces@ietf.org >> <javascript:_e(%7B%7D,'cvml','oauth-bounces@ietf.org');>] *On >> Behalf Of *Nat Sakimura >> *Sent:* Tuesday, August 18, 2015 7:37 PM >> *To:* Adam Lewis >> *Cc:* OAuth WG >> *Subject:* Re: [OAUTH-WG] RS as a client guidance >> >> It is not directly, but *_Sender Constrained JWT for OAuth 2.0_* >> >> ( >> https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=DhL9%2bp5Ml32P6%2fdaAQHHkho1yCsbq2W0M4WNrwgo1zo%3d> >> ) >> >> talks about a model that allows it. >> >> In essence, it uses a structured access token that is sender >> constrained. >> >> It as a claim "azp" which stands for authorised presenter. >> >> To be used, the "client" has to present a proof that it is >> indeed the party pointed by "azp". >> >> In your case, the native mobile app obtains the structured >> access token >> >> with "azp":"the_RS". Since "azp" is not pointing to the >> mobile app, >> >> the mobile app cannot use it. >> >> The mobile app then ships it to the RS. >> >> The RS can now use it since the "azp" points to it. >> >> In general, shipping a bearer token around is a bad idea. >> >> If you want to do that, I think you should do so with a >> sender constrained token. >> >> Nat >> >> 2015-08-13 2:01 GMT+09:00 Adam Lewis >> <adam.lewis@motorolasolutions.com >> <javascript:_e(%7B%7D,'cvml','adam.lewis@motorolasolutions.com');>>: >> >> Hi, >> >> Are there any drafts that discuss the notion of an RS acting >> as a client? I'm considering the use case whereby a native >> mobile app obtains an access token and sends it to the RS, >> and then the RS uses it to access the UserInfo endpoint on an >> OP. >> >> It's a bearer token so no reason it wouldn't work, but >> obviously it is meant to be presented by the client and not >> the RS. Curious to understand the security implications of >> this, read on any thoughts given to this, or to know if it's >> an otherwise accepted practice. >> >> tx >> >> adam >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');> >> https://www.ietf.org/mailman/listinfo/oauth >> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=eM%2f2nMY4YEca%2fyZtl6K4f4pRceNCHt1sF7v9ufZ7qgk%3d> >> >> >> >> -- >> >> Nat Sakimura (=nat) >> >> Chairman, OpenID Foundation >> http://nat.sakimura.org/ >> <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fnat.sakimura.org%2f&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=2x5%2f9bLJnUcMdOFrYWIk4G0BIwp8ytDK2LNx2BQuTtk%3d> >> @_nat_en >> >> >> >> -- >> >> Nat Sakimura (=nat) >> >> Chairman, OpenID Foundation >> http://nat.sakimura.org/ >> @_nat_en >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');> >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> -- >> Nat Sakimura (=nat) >> Chairman, OpenID Foundation >> http://nat.sakimura.org/ >> @_nat_en >> > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] RS as a client guidance George Fletcher
- [OAUTH-WG] RS as a client guidance Adam Lewis
- Re: [OAUTH-WG] RS as a client guidance Nat Sakimura
- Re: [OAUTH-WG] RS as a client guidance Mike Jones
- Re: [OAUTH-WG] RS as a client guidance Nat Sakimura
- Re: [OAUTH-WG] RS as a client guidance Mike Jones
- Re: [OAUTH-WG] RS as a client guidance Nat Sakimura
- Re: [OAUTH-WG] RS as a client guidance Nat Sakimura
- Re: [OAUTH-WG] RS as a client guidance John Bradley
- Re: [OAUTH-WG] RS as a client guidance Mike Jones
- Re: [OAUTH-WG] RS as a client guidance Nat Sakimura
- Re: [OAUTH-WG] RS as a client guidance John Bradley
- Re: [OAUTH-WG] RS as a client guidance Justin Richer
- Re: [OAUTH-WG] RS as a client guidance John Bradley
- Re: [OAUTH-WG] RS as a client guidance Mike Jones
- Re: [OAUTH-WG] RS as a client guidance Nat Sakimura
- Re: [OAUTH-WG] RS as a client guidance Justin Richer
- Re: [OAUTH-WG] RS as a client guidance Kepeng Li