Re: [OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions
Brian Campbell <bcampbell@pingidentity.com> Tue, 04 March 2014 15:41 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 43F621A0085 for <oauth@ietfa.amsl.com>; Tue, 4 Mar 2014 07:41:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.913
X-Spam-Level:
X-Spam-Status: No, score=-2.913 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-2.3, SPF_SOFTFAIL=0.665] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yyFeJbPtZzYD for <oauth@ietfa.amsl.com>; Tue, 4 Mar 2014 07:41:18 -0800 (PST)
Received: from na3sys009aog109.obsmtp.com (na3sys009aog109.obsmtp.com [74.125.149.201]) by ietfa.amsl.com (Postfix) with ESMTP id E86251A005E for <oauth@ietf.org>; Tue, 4 Mar 2014 07:41:17 -0800 (PST)
Received: from mail-ie0-f169.google.com ([209.85.223.169]) (using TLSv1) by na3sys009aob109.postini.com ([74.125.148.12]) with SMTP ID DSNKUxX0GnmFfiF3simIQPguxwvXjdtbfT3X@postini.com; Tue, 04 Mar 2014 07:41:15 PST
Received: by mail-ie0-f169.google.com with SMTP id to1so1513198ieb.14 for <oauth@ietf.org>; Tue, 04 Mar 2014 07:41:14 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=KBf+gCYSxN6GszX1/Sx2ZS2weQ33U0p06LP73Xigxw4=; b=fcdytuo2qmjwzCoKlA7pbRIzR2ySlF1pB8u+13HJeL2sFyk2+NtKofgaCsnOAUMlH9 mkKrheYbrwlWI5Gytx0HXu+M+C5umZg++KrmQz8jbbcr/1hfF0a0KnlN+ovC5q3XZ60h Xnv/DcaxwixHIFg0zmajPhOMSPi1sVLa95kycKyiCGcN+HnscUt6nhK8tGfhvOMSiuxl fwRB1XQG/ITMIACv6RXWk2Ib3HQHZAqtbSrZzmatH6DnCQdv4ckAvIXFSyJA/MRMaPzP jcM9AZGqLACPPjHaVFLK9a57HA0qR/hEBNrufsr9WSHXtP5w246YT+olKnLY84TdvnfQ Ii2Q==
X-Gm-Message-State: ALoCoQnQqPDNDkGAe5344igRJxS+HANqOx9lZnZf+tmqNlsgBKKO7oMV7vm8i6V0hVO39zc9ha24Tm1PIZMOcoK4Dk7D+wK0W7r3Rc6/9TO02zeHaIBdBXXUhRPJ+6l2EUAQ3s62JxZOUz9hk3Fp7Kh9z26UdxHYdQ==
X-Received: by 10.50.182.170 with SMTP id ef10mr4066534igc.9.1393947674406; Tue, 04 Mar 2014 07:41:14 -0800 (PST)
X-Received: by 10.50.182.170 with SMTP id ef10mr4066518igc.9.1393947674195; Tue, 04 Mar 2014 07:41:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.240.201 with HTTP; Tue, 4 Mar 2014 07:40:44 -0800 (PST)
In-Reply-To: <CAExnpZB_Wd4jvC9vvu2VbrtdzvRRTdZv54sLYGt9CTJeVR_RAQ@mail.gmail.com>
References: <CAExnpZB_Wd4jvC9vvu2VbrtdzvRRTdZv54sLYGt9CTJeVR_RAQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 04 Mar 2014 15:40:44 +0000
Message-ID: <CA+k3eCRonrF5X6ApbpfzRmvtQU9b4BnbZHKBgyDYPY+h0H5tdw@mail.gmail.com>
To: Jared Hanson <jaredhanson@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/kj8qcFAcX6UI9UJSc8iMMKfHcRc
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Correct use of jku claims in JWT/JWS bearer assertions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Mar 2014 15:41:21 -0000
I might be suffering from a touch of confirmation bias but I think
this underscores what I was trying to say near the end of the JOSE
session in Vancouver during the "key finding algorithm" discussion.
Namely that finding a key is not the same as trusting a key and that
I'm concerned that explaining how to find a key might lead to
implementations that blindly trust whatever key is found.
Looking again at the drafts, I found some guidance/precautionary text
in JWS and JWT (there might be more I missed), which I've copied with
references below. I think that's all there is and I don't know if it's
really sufficient. Nor do I know if either WG could agree on saying
much more specific. That's probably not exactly what you were looking
for, Jared, but was what I could dig up. Maybe some more discussion
will be catalyzed.
The newish Notes on Key Selection appendix in JWS [0] has this cautionary text:
4. Make trust decisions about the keys. Signatures made with keys
not meeting the application's trust criteria would not be
accepted. Such criteria might include, but is not limited to the
source of the key, whether the TLS certificate validates for keys
retrieved from URLs, whether a key in an X.509 certificate is
backed by a valid certificate chain, and other information known
by the application.
And the last paragraph of the Security Considerations in JWT [1],
which I think was just recently added in -18, also has some words of
caution:
"The contents of a JWT cannot be relied upon in a trust decision
unless its contents have been cryptographically secured and bound to
the context necessary for the trust decision. In particular, the
key(s) used to sign and/or encrypt the JWT will typically need to
verifiably be under the control of the party identified as the issuer
of the JWT."
[0] http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-23#appendix-D
[1] http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-18#section-11
On Wed, Feb 12, 2014 at 6:26 PM, Jared Hanson <jaredhanson@gmail.com> wrote:
> I'm wondering if there is any guidance on including "jku", "jwk", "x5u", and
> "x5c"
> claims in a JWT/JWS used as a bearer assertion for authentication.
>
> Specifically, in the case of service-to-service authentication, where the
> "iss" is
> set to the service acting as a client, say "https://client.example.net/"
> making a
> request to "https://api.example.com/", and the assertion is signed using
> client.example.net's private key.
>
> In this situation, api.example.com authenticates the assertion by finding
> the
> corresponding public key (possibly in a JWK set, the location of which can
> be
> obtained by something like OpenID Provider Configuration [1]).
>
> It is clear that any claims in the assertion are self-asserted until
> validated,
> including both the "iss" and any keys or URLs to keys. Thus, when a service
> validates the assertion, it *must not* use the values of "jku", etc to
> validate
> the signature. Instead it should use some trusted channel to obtain the
> keys
> directly from the issuer.
>
> If this were not done, a malicious entity could freely generate assertions
> claiming to be client.example.net, using any private key and including a
> malicious
> reference to its own public key using a "jku" set to
> "https://malicious.com/jwks.json"
>
> This security consideration is not called out anywhere that I've noticed,
> which
> I've seen leading to insecure implementations and/or bad examples. For
> example,
> this example on Gluu's wiki: http://ox.gluu.org/doku.php?id=oxauth:jwt is
> blindly
> using the value of "jku" to fetch the key used to validate the signature,
> without
> any way to validate that the URL itself belongs to the issuer.
>
> I'm raising this point hoping that guidance can be clarified and included in
> the
> specification.
>
> Thanks,
> Jared Hanson
>
> PS. I separately sent this same message to the JOSE list, and later figured
> it was equally relevant to OAuth, if not more so.
>
> [1] http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
>
> --
> Jared Hanson <http://jaredhanson.net/>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
- [OAUTH-WG] Correct use of jku claims in JWT/JWS b… Jared Hanson
- Re: [OAUTH-WG] Correct use of jku claims in JWT/J… Brian Campbell
- Re: [OAUTH-WG] Correct use of jku claims in JWT/J… Mike Jones