IETF Logo Mail Archive

Re: [OAUTH-WG] RS as a client guidance

Justin Richer <jricher@mit.edu> Thu, 20 August 2015 00:40 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E7051A8A8A for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VsuSaIxCUkmE for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2015 17:40:14 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45CA71A8A7E for <oauth@ietf.org>; Wed, 19 Aug 2015 17:40:14 -0700 (PDT)
X-AuditID: 12074424-f79b46d000001e7f-dd-55d521eca3d3
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 3A.86.07807.CE125D55; Wed, 19 Aug 2015 20:40:12 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t7K0eBUk032372; Wed, 19 Aug 2015 20:40:12 -0400
Received: from [192.168.128.56] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t7K0e6Cd025146 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 19 Aug 2015 20:40:11 -0400
To: John Bradley <ve7jtb@ve7jtb.com>, Nat Sakimura <sakimura@gmail.com>
References: <CAOahYUzq1+=8UWUmu2ESpbFcLB1PJkBsNzPFAjrVOVCGRFjNvQ@mail.gmail.com> <CABzCy2CQo0rBF0X_bMV7JR=4HctzBJUv1T+4kwL-hBH=ARvd0Q@mail.gmail.com> <BY2PR03MB4423BA4B13A72CEAAEA5AC1F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2B0ffjYpZ5y5zy1_-zY4yyaNSUZeuWj1nvj0aCSZUOwtQ@mail.gmail.com> <19CF9674-3BE3-4910-B0AB-EC3E02D9607A@ve7jtb.com> <BY2PR03MB4428F2D1134837B21A592D9F5670@BY2PR03MB442.namprd03.prod.outlook.com> <CABzCy2C3eg9nK-8GOi_DvjcFpvN64Nwbm4GTwJsQH-3XP1w50Q@mail.gmail.com> <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <55D521DF.30306@mit.edu>
Date: Wed, 19 Aug 2015 20:39:59 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <82F8B7FD-CB63-4367-B841-6433C50C3726@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------030102080400080103090108"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHKsWRmVeSWpSXmKPExsUixG6novtG8WqowYSDGhYn375iszhzawWj xeq7f9kcmD12zrrL7rFkyU8mj9u3N7IEMEdx2aSk5mSWpRbp2yVwZVz48pGxYN5C5oof02+z NTB+P8/YxcjJISFgInGx+S6ULSZx4d56ti5GLg4hgcVMEq+e/WaFcDYyShye1wvl3GaS+PXv EgtIi7CAvsTG3Z3MILaIgLvE8md3mCCK1rNIPLy4EizBLCAr0XryEjuIzSagKjF9TQsTiM0r oCLxbe5VVhCbBSj+dG4rmC0qECPR82sDG0SNoMTJmU/AlnEK2ElMa77FAjEzTOL5lGtMExgF ZiEpm4UkBWGbSXRt7WKEsOUlmrfOZoaw1SRub7vKjiy+gJFtFaNsSm6Vbm5iZk5xarJucXJi Xl5qka65Xm5miV5qSukmRnA0uKjsYGw+pHSIUYCDUYmH94Lw1VAh1sSy4srcQ4ySHExKorxV nEAhvqT8lMqMxOKM+KLSnNTiQ4wSHMxKIrxnfl0JFeJNSaysSi3Kh0lJc7AoifNu+sEXIiSQ nliSmp2aWpBaBJOV4eBQkuB9owA0VLAoNT21Ii0zpwQhzcTBCTKcB2g4FzB5CPEWFyTmFmem Q+RPMSpKifNuAWkWAElklObB9cKS1StGcaBXhHkdQKp4gIkOrvsV0GAmoMGHJ1wEGVySiJCS amDU0pX4HvsrnKGsevHtI96MnjfyJxX9dnx9QHP7Tma1618nHl7352+ioPqRxEX3hDVuclxY 5idxOO79qosi83Y+XnvDNeWv5JpJWwsVT4r6WYVYPBRpK9sUNHmCunTu5C+ytTLNyddqgyJe cGcd/3+Mb7Vs3xehbyV3zjcUpi9QPtkYyM0kEdarxFKckWioxVxUnAgAKOuiijEDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/juW4Q43BvvG4Dxn8HQHA8zWhsNw>
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] RS as a client guidance
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2015 00:40:19 -0000

Just want to clear up some history: "azp" did not come from any existing 
claims from Google or otherwise. I very clearly recall proposing that we 
name it "prn" for "presenter", and Mike told me not to be evil[1] 
because we had just changed "prn" (for "principal") in the ID token to 
"sub" in order to match the more generic JWT. John suggested "a-zed-p" 
in the same discussion. As such, it clearly was "authorized presenter" 
in the first take, then it got widened/shifted a little bit in the final 
definition for reasons I never quite followed (nor cared much about at 
the time).

  -- Justin

[1] Being told "don't be evil" by a Microsoft employee remains one of my 
proudest achievements.

On 8/19/2015 8:35 PM, John Bradley wrote:
> It could, but I remain to be convinced that would be a good idea.   
> “azp” came from a existing Google claim, I am not attached to the name.
>
> John B.
>> On Aug 19, 2015, at 9:29 PM, Nat Sakimura <sakimura@gmail.com 
>> <mailto:sakimura@gmail.com>> wrote:
>>
>> Well, the abstract meaning is the same, but the practical 
>> implications and interpretation can vary within the 
>> boundaries depending on the context.
>>
>> A jku is a URI of a cryptographical key, which can be a uri of a 
>> signing key or encryption key depending on the context. Similarly the 
>> azp in an ID Token and an Access Token can share the same abstract 
>> concept while the concrete meaning in that particular concept can vary.
>>
>> 2015年8月20日木曜日、Mike Jones<Michael.Jones@microsoft.com 
>> <mailto:Michael.Jones@microsoft.com>> さんは書きました:
>>
>>     Let me second John’s point that we shouldn’t have two different
>>     definitions for “azp”.  As I wrote in my friendly review of
>>     draft-sakimura-oauth-rjwtprof-04 at
>>     http://www.ietf.org/mail-archive/web/oauth/current/msg14679.html,
>>     the claim “azp” has already been registered by OpenID Connect
>>     Core at http://www.iana.org/assignments/jwt/jwt.xhtml and so
>>     cannot be re-registered.  Given that I believe the intended
>>     semantics are the same, please cite the existing definition in
>>     rjwtprof, rather than repeating it or revising it.
>>
>>     Thanks,
>>
>>     -- Mike
>>
>>     *From:*John Bradley [mailto:ve7jtb@ve7jtb.com
>>     <javascript:_e(%7B%7D,'cvml','ve7jtb@ve7jtb.com');>]
>>     *Sent:* Wednesday, August 19, 2015 11:05 AM
>>     *To:* Nat Sakimura
>>     *Cc:* Mike Jones; OAuth WG
>>     *Subject:* Re: [OAUTH-WG] RS as a client guidance
>>
>>     Having two azp claims with slightly different definitions is not
>>     a good way to go,  both access tokens and id_tokens are JWT.
>>
>>     For better or worse the claim was defined for bearer tokens where
>>     it was only the identity of the requester that was able to be
>>     confirmed by the token endpoint.
>>
>>     It supported a simple use case where a refresh token is used by
>>     client A to use as an assertion at AS B.
>>
>>     In the simplest 3 party sase the requester of the token and the
>>     presenter of the token are the same.  However in some situations
>>     they are not the same.
>>
>>     The important thing was to allow the “aud” recipient of the token
>>     to be able to differentiate a token that it requested from a a
>>     token that a 3rd party requested and presented to it.
>>
>>     The “azp” should probably be left as it is and not tied to proof
>>     of possession/ binding the token to the presenter.
>>
>>     There was a lot of debate and back and forth on azp at the time,
>>     the main reason to include it was to warn normal Connect clients
>>     that JWT containing that azp claim need to have it’s value be
>>     them or someone they know and trust that can request assertions
>>     for them.  That was because we knew that token containing that
>>     claim exist in the wild using that claim.
>>
>>         https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 should
>>         probably be using a different claim to reduce the confusion.
>>
>>     John B.
>>
>>         On Aug 19, 2015, at 3:17 AM, Nat Sakimura <sakimura@gmail.com
>>         <javascript:_e(%7B%7D,'cvml','sakimura@gmail.com');>> wrote:
>>
>>         So, Mike,
>>
>>         Authorized Presenter is a defined term in *_Sender
>>         Constrained JWT for OAuth 2.0_*
>>
>>         (
>>         https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05 ).
>>         It is used in the context of OAuth 2.0 Access Token, not a
>>         claim in ID Token of OpenID Connect.
>>
>>         Nat
>>
>>         2015-08-19 11:44 GMT+09:00 Mike Jones
>>         <Michael.Jones@microsoft.com
>>         <javascript:_e(%7B%7D,'cvml','Michael.Jones@microsoft.com');>>:
>>
>>         Just as a point of clarification, the definition of the “azp”
>>         claim is not “authorised presenter”.  At least as defined by
>>         OpenID Connect, its definition is:
>>
>>         azp
>>
>>         OPTIONAL. Authorized party - the party to which the ID Token
>>         was issued. If present, it MUST contain the OAuth 2.0 Client
>>         ID of this party. This Claim is only needed when the ID Token
>>         has a single audience value and that audience is different
>>         than the authorized party. It MAY be included even when the
>>         authorized party is the same as the sole audience. The
>>         azpvalue is a case sensitive string containing a StringOrURI
>>         value.
>>
>>         A reference to this definition is registered by OpenID
>>         Connect Core
>>         http://openid.net/specs/openid-connect-core-1_0.html in the
>>         IANA “JSON Web Token Claims” registry at
>>         http://www.iana.org/assignments/jwt/jwt.xhtml.
>>
>>         -- Mike
>>
>>         *From:*OAuth [mailto:oauth-bounces@ietf.org
>>         <javascript:_e(%7B%7D,'cvml','oauth-bounces@ietf.org');>] *On
>>         Behalf Of *Nat Sakimura
>>         *Sent:* Tuesday, August 18, 2015 7:37 PM
>>         *To:* Adam Lewis
>>         *Cc:* OAuth WG
>>         *Subject:* Re: [OAUTH-WG] RS as a client guidance
>>
>>         It is not directly, but *_Sender Constrained JWT for OAuth 2.0_*
>>
>>         (
>>         https://tools.ietf.org/html/draft-sakimura-oauth-rjwtprof-05
>>         <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-sakimura-oauth-rjwtprof-05&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=DhL9%2bp5Ml32P6%2fdaAQHHkho1yCsbq2W0M4WNrwgo1zo%3d>
>>         )
>>
>>         talks about a model that allows it.
>>
>>         In essence, it uses a structured access token that is sender
>>         constrained.
>>
>>         It as a claim "azp" which stands for authorised presenter.
>>
>>         To be used, the "client" has to present a proof that it is
>>         indeed the party pointed by "azp".
>>
>>         In your case, the native mobile app obtains the structured
>>         access token
>>
>>         with "azp":"the_RS". Since "azp" is not pointing to the
>>         mobile app,
>>
>>         the mobile app cannot use it.
>>
>>         The mobile app then ships it to the RS.
>>
>>         The RS can now use it since the "azp" points to it.
>>
>>         In general, shipping a bearer token around is a bad idea.
>>
>>         If you want to do that, I think you should do so with a
>>         sender constrained token.
>>
>>         Nat
>>
>>         2015-08-13 2:01 GMT+09:00 Adam Lewis
>>         <adam.lewis@motorolasolutions.com
>>         <javascript:_e(%7B%7D,'cvml','adam.lewis@motorolasolutions.com');>>:
>>
>>         Hi,
>>
>>         Are there any drafts that discuss the notion of an RS acting
>>         as a client? I'm considering the use case whereby a native
>>         mobile app obtains an access token and sends it to the RS,
>>         and then the RS uses it to access the UserInfo endpoint on an
>>         OP.
>>
>>         It's a bearer token so no reason it wouldn't work, but
>>         obviously it is meant to be presented by the client and not
>>         the RS.  Curious to understand the security implications of
>>         this, read on any thoughts given to this, or to know if it's
>>         an otherwise accepted practice.
>>
>>         tx
>>
>>         adam
>>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>         <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=eM%2f2nMY4YEca%2fyZtl6K4f4pRceNCHt1sF7v9ufZ7qgk%3d>
>>
>>
>>
>>         -- 
>>
>>         Nat Sakimura (=nat)
>>
>>         Chairman, OpenID Foundation
>>         http://nat.sakimura.org/
>>         <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fnat.sakimura.org%2f&data=01%7c01%7cMichael.Jones%40microsoft.com%7cdac2bd4946594ba7f4ff08d2a83f23cf%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=2x5%2f9bLJnUcMdOFrYWIk4G0BIwp8ytDK2LNx2BQuTtk%3d>
>>         @_nat_en
>>
>>
>>
>>         -- 
>>
>>         Nat Sakimura (=nat)
>>
>>         Chairman, OpenID Foundation
>>         http://nat.sakimura.org/
>>         @_nat_en
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <javascript:_e(%7B%7D,'cvml','OAuth@ietf.org');>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> -- 
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email