[OAUTH-WG] New WG doc -- Update to JSON Web Token Best Current Practices

Dick Hardt <dick.hardt@gmail.com> Thu, 16 January 2025 15:45 UTC

To: oauth@ietf.org
CC: Yaron Sheffer <yaronf.ietf@gmail.com>, Hannes Tschofenig <hannes.tschofenig@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kH82fejTEH6jWb82cvlfvuEvWd0>

Mike, Yaron, and I received an email reporting a number of
vulnerabilities in JWT libraries (see below), and a number of suggested
mitigations, which Yaron has filed in his repo as issues:

https://github.com/yaronf/draft-sheffer-oauth-rfc8725bis/issues
This has prompted us to start a new draft for a revised JWT BCP.

Yaron has published an ID that is the current state of RFC8725

https://datatracker.ietf.org/doc/draft-sheffer-oauth-rfc8725bis/
that we would like to propose be adopted by the WG. We would discuss the
mitigations listed and add to the document as agreed upon, and will solicit
any additional best current practices that have been developed since the
publication of 8725.

/Dick


Language     Library           Vulnerability Type        CVE Number
Python       python-jose       Compression DoS           CVE-2024-29370
Python       jwcrypto          Billion Hashes Attack     CVE-2023-6681
Python       jwcrypto          Compression DoS           CVE-2024-28102
C            latchset/jose     Billion Hashes Attack     CVE-2023-50967
Java         jjwt              Billion Hashes Attack     CVE-2024-39960
Java         jose4j            Billion Hashes Attack     CVE-2023-51775
Java         jose4j            Compression DoS           CVE-2024-29371
Java         nimbus-jose-jwt   Billion Hashes Attack     CVE-2023-52428
C#           jose-jwt          Sign/Encrypt Confusion    CVE-2024-24238
C#           jose-jwt          Compression DoS           CVE-2024-27663
JavaScript   jose              Compression DoS           CVE-2024-28176
JavaScript   node-jose         Billion Hashes Attack     CVE-2024-39960
Go           jose2go           Billion Hashes Attack     CVE-2023-50658
Go           jose2go           Compression DoS           CVE-2024-28122
Go           go-jose           Compression DoS           CVE-2024-28180
Go           jwx               Billion Hashes Attack     CVE-2023-49290
Go           jwx               Compression DoS           CVE-2024-28122
Ruby         json-jwt          Sign/Encrypt Confusion    CVE-2023-51774
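The three vulnerability classes in the table can all be headed off by a consumer-side check on the protected header before any key derivation, inflation or signature work is done. The following Python is an added example, not code from the draft or from any of the listed libraries; the caps MAX_P2C and MAX_INFLATED_BYTES and the fixture helpers are constructed for illustration, and the reading of "Billion Hashes Attack" as an unbounded PBES2 `p2c` count and "Compression DoS" as unbounded `"zip":"DEF"` inflation is supplied here, not spelled out in the email.

```python
import base64
import json
import zlib

# Policy limits for this example (constructed values, not taken from the draft).
MAX_P2C = 10_000              # PBES2 iteration-count cap, enforced before any hashing
MAX_INFLATED_BYTES = 250_000  # cap on inflated "zip":"DEF" plaintext
PBES2_ALGS = {"PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def precheck_compact_jose(token: str, expect: str, allow_zip: bool = False) -> dict:
    """Inspect only the protected header of a compact JWS/JWE and reject the three
    classes in the table before any key derivation, inflation or signature check."""
    segments = token.split(".")
    kind = {3: "JWS", 5: "JWE"}.get(len(segments))
    if kind is None:
        raise ValueError("not a compact JWS or JWE")
    if kind != expect:  # sign/encrypt confusion: the caller says which type it handles
        raise ValueError(f"expected {expect} but got {kind}")
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if header.get("alg") in PBES2_ALGS:  # billion hashes: bound p2c up front
        p2c = header.get("p2c")
        if type(p2c) is not int or not 1 <= p2c <= MAX_P2C:
            raise ValueError("p2c missing or outside policy")
    if "zip" in header and (not allow_zip or header["zip"] != "DEF"):
        raise ValueError("compression not permitted")  # compression DoS: opt-in only
    return header

def inflate_bounded(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate decrypted "zip":"DEF" content, stopping once output would exceed limit."""
    d = zlib.decompressobj(wbits=-15)  # raw DEFLATE, as JWE "DEF" uses
    out = d.decompress(data, limit + 1)
    if len(out) > limit or d.unconsumed_tail or not d.eof:
        raise ValueError("inflated size exceeds policy or stream is truncated")
    return out

# Constructed fixtures (dummy segments and a raw-DEFLATE helper) for trying the checks.
def make_sample_token(header: dict, kind: str) -> str:
    n = 3 if kind == "JWS" else 5
    return ".".join([b64url_encode(json.dumps(header).encode())] + ["AA"] * (n - 1))

def deflate_raw(raw: bytes) -> bytes:
    c = zlib.compressobj(wbits=-15)
    return c.compress(raw) + c.flush()
```

Run the pre-check on every inbound token before handing it to the JOSE library, and wrap the library's inflation step with inflate_bounded (or the library's own size limit where one exists).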