Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

"Richard Backman, Annabelle" <> Tue, 14 January 2020 21:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B27FD120110 for <>; Tue, 14 Jan 2020 13:18:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.498
X-Spam-Status: No, score=-14.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id FD7ri8gx8ZsG for <>; Tue, 14 Jan 2020 13:17:59 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D77F3120889 for <>; Tue, 14 Jan 2020 13:17:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=amazon201209; t=1579036680; x=1610572680; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=KncKTotEdR1OK7MN/V/P537yJ5LBTGZQo2zPYX6OKfM=; b=NHoJdenDPf9woNargIONKbC3v3g340snJtpmlFfcUeBGd8s3p2tZf/pS rds03TpBHwrC50E6Oc3uYq0Cp1GLqj+b6vPWDycM8mnijcTkntX0qfRXC b0Zwrn7W6Ikkn5HF6bsucynDBXqBKdnj1fNGSh6O4/d46Wd4iXtD26SzN k=;
IronPort-SDR: E7tc9N3/xFZjzjG5JL2rBovSZLBCRwcxETCEvDDddjPy8BuQ2S1UVFrOV6TM8nkXaDJjClUav6 aWTr0kuDfG8w==
X-IronPort-AV: E=Sophos; i="5.70,320,1574121600"; d="scan'208,217"; a="10322954"
Received: from (HELO ([]) by with ESMTP; 14 Jan 2020 21:17:49 +0000
Received: from ( []) by (Postfix) with ESMTPS id 504BFA11D3; Tue, 14 Jan 2020 21:17:48 +0000 (UTC)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 14 Jan 2020 21:17:47 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 14 Jan 2020 21:17:47 +0000
Received: from ([]) by ([]) with mapi id 15.00.1367.000; Tue, 14 Jan 2020 21:17:47 +0000
From: "Richard Backman, Annabelle" <>
To: Aaron Parecki <>, Justin Richer <>
CC: "Richard Backman, Annabelle" <>, oauth <>, Mike Jones <>
Thread-Topic: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
Thread-Index: AQHVyoPR7PL9YO5H+k2gS2IKzXqhA6fqJP+A
Date: Tue, 14 Jan 2020 21:17:47 +0000
Message-ID: <>
References: <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_A5B3B18889D845B78CEBA68B907B931Camazoncom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 14 Jan 2020 21:18:02 -0000

The kid used by a service will change when it rotates keys (this is the main value of JWK Sets IMHO), so kid cannot be used as part of static metadata. You’d need to introduce a new field so you can assign a “logical key” identifier that remains the same across key rotations/versions.

There are several issues with trying to address this by augmenting JWK though:

  *   Existing deployments will ignore the logical key identifier, so there is no way to keep those keys from being used to sign fraudulent ID Tokens (for example).
  *   The JWK set becomes a shared resource that spans trust boundaries.

A solution based on separate jwks_uri metadata parameters solves both of these problems, and requires very little effort for ASes that don’t have this concern.

Annabelle Richard Backman
AWS Identity

From: OAuth <> on behalf of Aaron Parecki <>
Date: Monday, January 13, 2020 at 6:39 PM
To: Justin Richer <>
Cc: "Richard Backman, Annabelle" <>rg>, oauth <>rg>, Mike Jones <>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

Right now, Okta publishes two keys at the jwks_uri in order to be able to rotate keys periodically. During the token lifetime window during key rotation, the RSs can still find both the old and new key IDs in the set.

RSs are looking for a specific key ID when they do this, so it would be fine to include additional keys that are used for something other than access tokens since the RSs would just ignore them.

So an extension could say "use this key identified by kid" and that'd be a decent extension mechanism.

On Mon, Jan 13, 2020 at 6:26 PM Justin Richer <<>> wrote:
I would rather see extensions define a key ID than a new key set URI. Otherwise what’s the point of having more than one key in the set, with unique identifiers?

It would’ve been nice if JWK could’ve agreed on a URL-based addressing format for individual keys within the set, but that ship’s sailed.

 — Justin

On Jan 10, 2020, at 9:34 PM, Dick Hardt <<>> wrote:

I was not saying that there was anything special about keys, nor that we needed to change OAuth.

While using one key and controlling where it us used via access control works, it is not ideal.

OAuth could have had just one endpoint, and done access control for different roles -- but it did not. We enabled flexibility by separating the authorization endpoint and the token endpoint. The dynamic client registration extension defined a new endpoint, the registration endpoint.

I don't think we can change what has been deployed today -- but NEW extensions that use keys for new purposes SHOULD define their own URI.

On Fri, Jan 10, 2020 at 11:31 AM Neil Madden <<>> wrote:
Sure, but we know how to run resilient services. My point is that there’s nothing particularly special about cryptographic keys: if you want to control how they are used there is a whole range of normal access control methods you can apply to them without needing to change anything in OAuth.


On 10 Jan 2020, at 18:50, Dick Hardt <<>> wrote:
There are many other factors to resiliency than multiple instances.

On Fri, Jan 10, 2020 at 10:30 AM Neil Madden <<>> wrote:

> On 10 Jan 2020, at 17:22, Dick Hardt <<>> wrote:
> As to the suggestion of using a JWT-decryption-microservice, another goal would be increased resiliency of the components. If the JWT-decryption-microservice is unavailable, the whole system is unavailable. If there are separate keys, then a failure in one component does not fail the entire system.

Well you can run more than one instance - it’s a completely stateless service. You can also run a separate instance (or set of instances) per key if you like.


OAuth mailing list<>
Aaron Parecki<>