Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
Vittorio Bertocci <Vittorio@auth0.com> Mon, 13 April 2020 20:40 UTC
Return-Path: <vittorio.bertocci@auth0.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3B923A1DD4 for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 13:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auth0.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U4MOMuL646H8 for <oauth@ietfa.amsl.com>; Mon, 13 Apr 2020 13:40:29 -0700 (PDT)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6AA53A1DD2 for <oauth@ietf.org>; Mon, 13 Apr 2020 13:40:28 -0700 (PDT)
Received: by mail-il1-x12d.google.com with SMTP id z12so9844503ilb.10 for <oauth@ietf.org>; Mon, 13 Apr 2020 13:40:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=auth0.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Lg3Yh6hHAzBea7gWxiO2UbT9yGR/WkqUdMzsXuk8CWA=; b=rKLn8xCpg+WcfLTIP+MvbojUM9yQNB01KeuwygjbYTSSj/URsDXxn9sDYy+CNBE30y YFkApagXPNTxrZTETUzB0zxP4PLw0V+oyIVr2NBCvpzEccYZOitsLxb1Fo41baVsIe0/ TZgYQi7MeveBh/9cLEj4ZZ7QxtqYZ222CGzekK4NyzKFWNAf91l0thjCKgDaYqop5153 7yyc01STpEciwmEROrcaHKb1ZcviFxWfUtYOd57d5V4V7AXTmEifOvc/QFCawWT/Yj0p zYGlBOowckHjyXu+qSuYmJ2rE9r/6sIbaOX/aGMKHmxOH/Ge9sgg4XBdoU60/s8zKXsv v5lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Lg3Yh6hHAzBea7gWxiO2UbT9yGR/WkqUdMzsXuk8CWA=; b=ekYTkZVkSA3VDJN3gnEyzlrnAv5eUvCavhTKhKrGYkU1r7W8xm3j12sPuNptTfVBXp /3iooaY9FVh5m5GcM2opRTVYan1cIqstI+qOq9YSZAHW9RPrN9hGUH6EcmYbS9xpp8jD Q7DVIEUSiKfUeaKb6/qUzoWClVcgyyTz+/6LCxuOvIMDE8rfb+eGjsycpRegVHtNBhZ2 I/NUXOt4atECvSAJColAxSl61btLUQxNokhGumVMMK2LWkGKjK1NTUc9Lh7+CzfxVR7l chVxahdQis8M4cXYm/HNUF5Qac25PYInMpbJIBWVw+RcLhnwjgfhtRin1qhz6TZhmuA1 PVrg==
X-Gm-Message-State: AGi0PuabZuNEWJg0dk1yD2as/AEuuCh5wAI7ionxxxmBtaOsAI6v5Ylu q0uNcmO4w41lxDGfWVbcC+6mL7dPxWbF2c003pWenw==
X-Google-Smtp-Source: APiQypLE99UzM/nC1XS+SGwCtn0WUBOxsCnXd1GjOruj8BBCIj8D50yZl9/x3/LNzSjXc2rIcjvzy+df4vOlAawRnCo=
X-Received: by 2002:a92:901:: with SMTP id y1mr10119448ilg.260.1586810427995; Mon, 13 Apr 2020 13:40:27 -0700 (PDT)
MIME-Version: 1.0
References: <158628195716.9275.10690808358259357603@ietfa.amsl.com> <CAGL6epJ6W6AKptXw72cw2eaO+582_iYhKSK5h6BGBWeDJW9zNg@mail.gmail.com> <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com> <361d7891-01be-8e22-7765-613e727b2bc1@free.fr> <CAD9ie-u4xaoRmNG3Sgj+cNWG4M8BzaM1YFF4Oy4Q2A6gdFWDhw@mail.gmail.com> <CAGBSGjpV=QNHPJfXXLcxHwYwHZrKXEQVjf3eJg+b8z=qpRAJcA@mail.gmail.com> <CAO_FVe67Ta_c1stGAH2b6mC_9FcfcZ_Vs6OdD4S4--vOac_y-g@mail.gmail.com>
In-Reply-To: <CAO_FVe67Ta_c1stGAH2b6mC_9FcfcZ_Vs6OdD4S4--vOac_y-g@mail.gmail.com>
From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Mon, 13 Apr 2020 13:40:17 -0700
Message-ID: <CAO_FVe7hZH+83=OzU3b-c_b1XkCKbbKe+EVQ5vs++HO31orWkg@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e30e5e05a3321707"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nHLuA_HxDOsHjOWxXRE77Y57nCw>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2020 20:40:32 -0000
“Ide rockers” is iPhone autocorrect jargon for “identifiers”, of course :P On Mon, Apr 13, 2020 at 13:13 Vittorio Bertocci <Vittorio@auth0.com> wrote: > It’s certainly possible to conceive ATs without subs, but I think the > profile would be way less useful for SDK developers. > On the objections: > The sub doesn’t have to be a user, if you look at the earlier discussions > the case in which the token has been issued for an application via client > creds (hence non user) has been debated at length. > Knowing the subject does not necessarily lead to API being able to collide > and track users, given that the sub can be a PPID that is different for > every resource even if the authenticated subject was the same. > > The sub is mandatory here because it was present in nearly every token > among the ones observed, and although one should not overindex on those > scenarios, I took that as strong indication that it is a frequently used > field and guaranteeing its presence facilitates embedding in SDKs lots of > downstream features, such as correlating with locally stored attributes, > which would otherwise left as exercise to the reader. Per the points above, > there are no obvious downsides in requiring the presence of the sub and > significant upsides. Again, the AS is in full control of the sub content > hence none of the privacy concerns mentioned here are mandated by the sheer > presence of the sub claim. If you feel the privacy section should be > stronger in warning an AS against the possibility of collusion if global > ide rockers are used, I am happy to reword accordingly > > On Mon, Apr 13, 2020 at 10:16 Aaron Parecki <aaron@parecki.com> wrote: > >> This is a good point, I often use the hotel key analogy as well. The room >> door is the RS, the key is the access token, the door does not need to know >> who the user is in order to know if it’s okay to unlock given a particular >> key. >> >> If sub is required, then this profile is limited in use to cases where >> user identifiers are part of the system, and there will be situations in >> which it’s not appropriate to use this profile for access tokens. If that’s >> okay, this should be clarified in the overview section to describe when >> this profile should be used. >> >> Aaron >> >> >> >> On Mon, Apr 13, 2020 at 10:08 AM Dick Hardt <dick.hardt@gmail.com> wrote: >> >>> Why does the "sub" need to be required? >>> >>> An access token is to prove authorization. The RS may not need "sub" to >>> constrain fulfilling the client request. >>> >>> For example, it the access token has the same properties as a movie >>> ticket, the RS does not need to have any identifier for who purchased the >>> movie ticket. >>> >>> The privacy implication is the RS can correlate across API calls to know >>> it is the same subject. >>> >>> >>> >>> >>> On Mon, Apr 13, 2020 at 8:16 AM Denis <denis..ietf@free.fr >>> <denis.ietf@free.fr>> wrote: >>> >>>> Hello, >>>> >>>> More on privacy about "JWT Profile for Access Tokens". >>>> >>>> The current document REQUIRES the claim names *sub* and *client_id*. >>>> >>>> - sub REQUIRED - as defined in section 4.1.2 of [RFC7519]. >>>> - client_id REQUIRED - as defined in section 4.3 of [RFC8693] >>>> >>>> *1) **sub REQUIRED* >>>> >>>> RFC 7519 states: >>>> >>>> 4.1.2. "sub" (Subject) Claim >>>> The "sub" (subject) claim identifies the principal that is the >>>> subject of the JWT. The claims in a JWT are normally statements >>>> about the subject. The subject value MUST either be scoped to >>>> *be locally unique in the context of the issuer or be globally >>>> unique*. >>>> The processing of this claim is generally application specific. The >>>> "sub" value is a case-sensitive string containing a StringOrURI >>>> value. *Use of this claim is OPTIONAL.* >>>> >>>> If *sub *is *REQUIRED *for this profile, then this allows all resource >>>> servers to link accesses made by the same client on different servers. >>>> >>>> *2) client_id REQUIRED* >>>> >>>> RFC 8693 states: >>>> >>>> 4.3. "client_id" (Client Identifier) Claim >>>> The client_id claim carries the client identifier of the OAuth 2.0 [RFC >>>> 6749] client that requested the token. >>>> >>>> RFC 6749 states: >>>> >>>> 2.2. Client Identifier >>>> The authorization server issues the registered client a client >>>> identifier -- a unique string representing the registration >>>> information provided by the client. The client identifier is not a >>>> secret; it is exposed to the resource owner and MUST NOT be used >>>> alone for client authentication. *The client identifier is unique >>>> to* >>>> * the authorization server.* >>>> >>>> If *client_id* is REQUIRED for this profile, this also allows all >>>> resource servers to link accesses made by the same client on different >>>> servers. >>>> >>>> *Both claim names should be OPTIONAL *to allow to support the privacy >>>> principle of unlinkability. >>>> >>>> Would both names remain *REQUIRED*, the Privacy considerations section >>>> should mention that such a linkage by different resource servers >>>> will always be possible when using this profile. >>>> >>>> Denis >>>> >>>> I have uploaded the second presentation for today's session, the JWT >>>> Profile for Access Tokens. >>>> https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth >>>> >>>> >>>> Regards, >>>> Rifaat >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> -- >> ---- >> Aaron Parecki >> aaronparecki.com >> @aaronpk <http://twitter.com/aaronpk> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] Web Authorization Protocol (oauth) WG … IESG Secretary
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Dick Hardt
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Aaron Parecki
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Dick Hardt
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… George Fletcher
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… George Fletcher
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Manger, James
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef