Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens

"Schanzenbach, Martin" <martin.schanzenbach@aisec.fraunhofer.de> Sat, 13 April 2019 16:29 UTC

From: "Schanzenbach, Martin" <martin.schanzenbach@aisec.fraunhofer.de>
To: Sascha Preibisch <saschapreibisch@gmail.com>
CC: IETF oauth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens
Date: Sat, 13 Apr 2019 16:29:27 +0000
Message-ID: <47065036-68B7-4A21-864D-2D7DE23EF08F@aisec.fraunhofer.de>
References: <AM6PR08MB36861CE2351D6922D5F8F91FFA2C0@AM6PR08MB3686.eurprd08.prod.outlook.com> <MW2PR00MB0396F840F48EFC98A28C61BCA62E0@MW2PR00MB0396.namprd00.prod.outlook.com> <TYAPR01MB44130A50284A47FC923B0AA3F92E0@TYAPR01MB4413.jpnprd01.prod.outlook.com> <CAP=vD9tCqoy9BtXEx5u2fzLji8_XN=pnO7QFmO-mczRQb_FPzQ@mail.gmail.com>
In-Reply-To: <CAP=vD9tCqoy9BtXEx5u2fzLji8_XN=pnO7QFmO-mczRQb_FPzQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/l8x20Q0mCqIbc9fr3jlbGEajrMM>
Subject: Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens


> On 10. Apr 2019, at 19:39, Sascha Preibisch <saschapreibisch@gmail.com> wrote:
> 
> I am late in the game, but not too late I hope.
> 
> I would like to see 'aud' be the requesting client_id. For identifying the target resource, a 'resource' claim should be introduced. I am also suggesting to not introduce 'typ: at+jwt'. It is simply a jwt and the validation process will show if it is an access_token or not.

"aud = client_id" would mean that, by definition, the JWT must not be presented to any other entity than the client. This only makes sense for the ID Token in OIDC, I think. OTOH, defining a JWT which can be presented by the client to the RS is the whole point of this draft.
Also, the reason why it makes sense to introduce a new type is that an OIDC ID Token _could_ be mistaken for an AT (which it isn't).
IMO it might even make sense to encourage the OIDC spec to change to jwt+id or something by extending the JWT spec.

I also support the adoption.

> 
> Last but not least, 'aud' (as resource identifier) should not be required. Requiring that, and the requested resource in the token request, will require existing clients to be updated. Introducing jwt access_token should be transparent to clients.
> 
> Thanks,
> Sascha
> 
> 
> On Wed., Apr. 10, 2019, 06:41 n-sakimura, <n-sakimura@nri.co.jp> wrote:
> +1
> 
> For that matter, explicit typing is good and I am a bit ambivalent on the use of `sub`.
> 
> Also, I need to add the 4th consideration: Although the current privacy consideration is stating about the encryption, it is in relation to the end user exposure. In fact, the by-value access token when involving some PII is by definition leaking information and violating the data minimization principle. This should be clearly delineated. My gut feeling is that it should be encrypted unless it is certain that it does not include sensitive PII as judging whether a claim may form a PII is too hard for an average developer..
> 
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Anthony Nadalin
> Sent: Wednesday, April 10, 2019 8:12 PM
> To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; oauth@ietf.org
> Subject: Re: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens
> 
> I support adoption of this draft as a working group document with the following caveats:
> 
> 1. These are not to be used as ID Tokens/authentication tokens
> 2. The privacy issues must be addressed
> 3. Needs to be extensible, much like ID-Token, can't be 100% fixed
> 
> 
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Hannes Tschofenig
> Sent: Monday, April 8, 2019 10:07 AM
> To: oauth@ietf.org
> Subject: [OAUTH-WG] Call for adoption: JWT Usage in OAuth2 Access Tokens
> 
> Hi all,
> 
> this is the call for adoption of the 'JWT Usage in OAuth2 Access Tokens'  document following the positive feedback at the last IETF meeting in Prague.
> 
> Here is the document:
> https://tools.ietf.org/html/draft-bertocci-oauth-access-token-jwt-00
> 
> Please let us know by April 22nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.
> 
> Ciao
> Hannes & Rifaat
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


Martin Schanzenbach
Fraunhofer AISEC
Department Service & Application Security
Parkring 4, 85748 Garching near Munich (Germany)
Tel: +49 89 3229986-193
martin.schanzenbach@aisec.fraunhofer.de
GPG: 6665201EA9257CC68FDE77E884335131EA3DABF0
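As an added illustration of the two points argued in this thread, explicit typing and 'aud' naming the resource server rather than the client (example code, not from the thread or the draft): a resource server that checks typ == "at+jwt" and that its own identifier is in 'aud' rejects an OIDC ID Token and also a token whose 'aud' is the client_id. The key, identifiers and tokens are constructed for the demo, and HS256 via hmac stands in for the asymmetric signature an AS would actually use.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"          # constructed; a real AS signs with an asymmetric key
RS_ID = "https://api.example/"         # hypothetical resource identifier of this RS
CLIENT_ID = "client-123"               # hypothetical client_id

def _b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(header: dict, claims: dict) -> str:
    """HS256 signer, used only to build the sample tokens below."""
    body = ".".join(_b64u(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    return body + "." + _b64u(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def validate_access_token(token: str, now: int) -> dict:
    """Resource-server checks: signature, explicit typ, aud covers this RS, not expired."""
    h, c, s = token.split(".")
    # Verify with the RS's configured algorithm and key; the header's alg is never trusted.
    expected = hmac.new(KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(s)):
        raise ValueError("bad signature")
    header, claims = json.loads(_unb64u(h)), json.loads(_unb64u(c))
    # Explicit typing: an ID Token (typ JWT, aud = client_id) must not pass as an access token.
    if header.get("typ") != "at+jwt":
        raise ValueError(f"not an access token: typ={header.get('typ')!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if RS_ID not in aud:
        raise ValueError("aud does not include this resource server")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

# Constructed sample tokens, both signed by the same issuer.
NOW = 1_555_000_000
ID_TOKEN = mint({"alg": "HS256", "typ": "JWT"},
                {"iss": "https://as.example", "sub": "alice", "aud": CLIENT_ID, "exp": NOW + 600})
ACCESS_TOKEN = mint({"alg": "HS256", "typ": "at+jwt"},
                    {"iss": "https://as.example", "sub": "alice", "aud": [RS_ID],
                     "client_id": CLIENT_ID, "scope": "read", "exp": NOW + 600})

def check(token: str) -> str:
    """Return 'ok' or the rejection reason."""
    try:
        validate_access_token(token, NOW)
        return "ok"
    except ValueError as e:
        return str(e)

if __name__ == "__main__":
    print("ID token     ->", check(ID_TOKEN))       # rejected: typ is JWT, not at+jwt
    print("access token ->", check(ACCESS_TOKEN))
```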