Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 17 September 2020 10:23 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FE3F3A0E90 for <oauth@ietfa.amsl.com>; Thu, 17 Sep 2020 03:23:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.136
X-Spam-Level:
X-Spam-Status: No, score=0.136 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, LONGWORDS=2.035, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=jx2iRt5l; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=jx2iRt5l
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hxtCkLVC8ODk for <oauth@ietfa.amsl.com>; Thu, 17 Sep 2020 03:23:30 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50063.outbound.protection.outlook.com [40.107.5.63]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00BD03A0E91 for <oauth@ietf.org>; Thu, 17 Sep 2020 03:23:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q5nPBHabi3dRR4x/WUb2NilfClBquwscUKUYwooYAmo=; b=jx2iRt5l7CCDV1w5dPW77QYehQrYL2SN7jxiAJKWun3zqVyWA8GN4ssBCRPwNOMZl7dD8l3XSkp7sQ0bUC8iKKBVuJlNmo8pBpv59+oMvqo3A6xTNVeV4Wf/vlXtpijEwnTc58mN2vvId3vRnPQOMeEPvoMx1cVHEXKt9jBTuNU=
Received: from AM5PR04CA0018.eurprd04.prod.outlook.com (2603:10a6:206:1::31) by VE1PR08MB4654.eurprd08.prod.outlook.com (2603:10a6:802:a4::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.13; Thu, 17 Sep 2020 10:23:25 +0000
Received: from AM5EUR03FT023.eop-EUR03.prod.protection.outlook.com (2603:10a6:206:1:cafe::fb) by AM5PR04CA0018.outlook.office365.com (2603:10a6:206:1::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.13 via Frontend Transport; Thu, 17 Sep 2020 10:23:25 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT023.mail.protection.outlook.com (10.152.16.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.15 via Frontend Transport; Thu, 17 Sep 2020 10:23:25 +0000
Received: ("Tessian outbound 7fc8f57bdedc:v64"); Thu, 17 Sep 2020 10:23:25 +0000
X-CR-MTA-TID: 64aa7808
Received: from 48d52e1b6b44.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id E855FE64-E4A5-433F-8697-CF7ED59501CA.1; Thu, 17 Sep 2020 10:23:20 +0000
Received: from EUR05-DB8-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 48d52e1b6b44.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Thu, 17 Sep 2020 10:23:20 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nt6dMx0Q4Y3Y5F3zFKO1YGN98lKQJ56XUPpjgL6dVeP8EDRVhOO2AfkrFchIqIlAMUwnJixyCcJl18dyMlktoWnX/ppI7Mx/6K8kaWpkWdkja7p9pwU/xg/p1dYSN1OKM73SMn+LxuhrNax909tfNLfQ3FtspjpuRx2yPvWDwahYSMWRyT6R0zyLqpL00tkGot2MyuufgUiepWzbT/NS4FhysKXx4YkBbs4rGQhzLoyNwqt9KTocIlCeIGw3dq7P1Nu2w+riRY+w/XHFq0OeLTNiIs8Bj8IFDRe+fuOO9LRSeUAZ9Tsl4SwGCjTxm8YnlDe/4whhIQ6VUAClh5fpCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q5nPBHabi3dRR4x/WUb2NilfClBquwscUKUYwooYAmo=; b=Nx+OApQWxkjxiRsuwgNI70iJWSyXYLvaWeddX//cLM0Wh2QqRH1DDpBK1zsk6dfoA4ISRFWaonasWDbbQWvWHVr1sPaLxjLdttlzenBmiKZ3S2o2XkG/tQQSkHXIM/kXvugHucDImodNRkcjx9sebhzWx9T1LouUtmaWUMEdf+LcIoLpVNWukFNjA4Ad/dW+RnSkAYi+vCmNAXm7GIhVgXGUC+SUrHIGIoMzKZM4RTo6JOsgV3wsMbULehuZCCKQ3D7uRborm6l7LLi5EnuqJG5ATsERRs6tW+UYVwj0AFP6bRrcvt+P1GFMP4jX6ce1OhIuQTBjwYwWAN/iEfX0LA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Q5nPBHabi3dRR4x/WUb2NilfClBquwscUKUYwooYAmo=; b=jx2iRt5l7CCDV1w5dPW77QYehQrYL2SN7jxiAJKWun3zqVyWA8GN4ssBCRPwNOMZl7dD8l3XSkp7sQ0bUC8iKKBVuJlNmo8pBpv59+oMvqo3A6xTNVeV4Wf/vlXtpijEwnTc58mN2vvId3vRnPQOMeEPvoMx1cVHEXKt9jBTuNU=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB4578.eurprd08.prod.outlook.com (2603:10a6:208:100::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.13; Thu, 17 Sep 2020 10:23:18 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::900e:c64d:a006:4860]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::900e:c64d:a006:4860%6]) with mapi id 15.20.3391.015; Thu, 17 Sep 2020 10:23:18 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Vittorio Bertocci <vittorio.bertocci@auth0.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07
Thread-Index: AdaFqTZyItsUYvipQzq4nnXtxdB+SAHLWkGQ
Date: Thu, 17 Sep 2020 10:23:18 +0000
Message-ID: <AM0PR08MB37162DC4E0C7B79FA1686E93FA3E0@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <AM0PR08MB371667F70B227C3EFA4C3ECAFA290@AM0PR08MB3716.eurprd08.prod.outlook.com> <MWHPR19MB150114DA8A0E213A7B8D5EDCAE200@MWHPR19MB1501.namprd19.prod.outlook.com>
In-Reply-To: <MWHPR19MB150114DA8A0E213A7B8D5EDCAE200@MWHPR19MB1501.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: F34782894734934D966AA75B19DE29DD.0
x-checkrecipientchecked: true
Authentication-Results-Original: auth0.com; dkim=none (message not signed) header.d=none;auth0.com; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.122.149]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: c520d7f7-4e90-4fe6-c2e4-08d85af3b637
x-ms-traffictypediagnostic: AM0PR08MB4578:|VE1PR08MB4654:
X-Microsoft-Antispam-PRVS: <VE1PR08MB46540F8F91DE1E8848A1DC6CFA3E0@VE1PR08MB4654.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:6790;OLM:6790;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: EZ7dmcBPVL/JVY59PuDZdKhMZ8wxnbq4/zX2OWPreTf0vy2eC8Fk9Kit+tVAREP1GmHfcJmtzRWLVU2cPfHfoc8anDxqpBzG+pCryE0VkI3qMPh31P19qOo9xawiH3SKlttEk7s4fReTrYHmyIDLo0RlcarHqf/1YFiGPidCNaIoKg33/cbogB3GMWtOu+NvVErRrsV5a5GWS7+YuQfP4xwqBxhFxHMto9DZc3D0Wz8A4BE+0Pz2hdQWVMmlaqhi483WaHUMrP/SbKGgRvOhYO8LjYb1OkZOIwMN5I79Ccc5kUuhLLRHyZhR3LsU0JASXEd5s2YF+kIRL0VAYTejlfxrcr60PyCKeYP54hlrdnYlsD/mqgNoIz4e0tt5V3kYyQ1dLz+ufXddxfcQej8e5A==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(136003)(396003)(366004)(346002)(376002)(2906002)(26005)(53546011)(83380400001)(8936002)(110136005)(55016002)(6506007)(316002)(33656002)(166002)(478600001)(7696005)(186003)(71200400001)(86362001)(30864003)(9326002)(5660300002)(66946007)(52536014)(64756008)(66446008)(9686003)(76116006)(66476007)(66556008)(8676002)(559001)(579004); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: BMvNnq592azl0dflxlVGGqJr/PD6NbAb4c1LeblsGLWcl91Hg9vmL3NbMkvdQ7Eb1rAM3eyWA7Mmy58yOLfZkNRedoHYQCiv5dpqml3+RkqsMUFYkO5uhB+CS8JDltcjmyc0eUIWjg5GA8kPlrKlA79wvVMXnc9TbDFh1vA8ga2gDpS2NREIHyPDCSwowkerBWsxS3Omq9MY2hL/hpeZ2ympS8iX+M7maOJokw68SKV2do3sf2cQam3NYp0eylbgrDM2U9K717shs4fGDHzob7Gh91R6N1boC6ee868CY7WTbPmxY9XT9fSb8wvDHd0EIZmHRE2iV8ABHn0ECMGIu2TzKHYcgSdDZyKAGywJ7yCMBF9nEQ4RtZ8xOwCtAMPNij/zrmImkxUR76vnDt9gmoZSAlFJVdNTUxN1G4H3j5jsG9MmlC0L8EOnHnqMOGv9dWI//Fmggeh8uHQi7HznMXqQ0cUvzUJxbl/3BPEkfQV0wbmT9EjcWBQJk0ygCSiNoOxKfwueCEK8lxVD/BGw5LRPk9h/4NW0SBmqVva8RCm66nPNehU7ZqLjcCyTEAALSQAKM4/hfS1G6K0o6MDH3te1KR2fxyzIph+5Ha/yecJbFhKA0jeBm66kDg9BBihOjH8z7xRi8P0FxFax5HJxqA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR08MB37162DC4E0C7B79FA1686E93FA3E0AM0PR08MB3716eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4578
Original-Authentication-Results: auth0.com; dkim=none (message not signed) header.d=none;auth0.com; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT023.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 0aa706a1-1706-4af0-dafd-08d85af3b219
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: N95mqxNEzoBKSndXpjQrtuTodB8qrvEm+hkpSPbxms5W0rWJABezx0uPMAX+44uYlA5rgRV98gaMPoF6DReINVFzHLDEBihiSzDYCNLaFSxAiXeeceOPBd7KgvX1zv05q1U8bQ/woBtmj0gyRUrHLjQJpIPTHxeoZ93AlMHc8LIz4P1//6WCM1JBiX5512CROgTsQggc7e4OPUHtG9ratWfj+mKGmr5ZLH9WWAxmbpZJhp4b7phVvIwYPesgW2bsC++l6ccxCG7oUQ7E+o+Dwj9N4vp+bCuOTLusljB7n9HWz1wclB7JnPMzpsuVHnCZmNjtiW+Z7lpXvoXW8+xLAy1qqXgUpnaEoTLYzDv+ryEh2PQgLosMjCPeasm3M+Yl8lYM9apnxSZQ+8IXHCnR2tbn8D/UnxJXqJlZuDqL9bK3wdYIxVi6Jw0GYZq/NlP/K6iwGMO7w9FzGsYGFSZDkH++aukl1qDU/IyM/dGV130=
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(396003)(136003)(39860400002)(376002)(346002)(46966005)(9326002)(478600001)(33656002)(70206006)(70586007)(316002)(8936002)(36906005)(166002)(52536014)(53546011)(2906002)(6506007)(47076004)(82740400003)(356005)(8676002)(7696005)(5660300002)(55016002)(110136005)(9686003)(82310400003)(83380400001)(336012)(30864003)(26005)(86362001)(186003)(81166007)(559001)(579004); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 17 Sep 2020 10:23:25.2806 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: c520d7f7-4e90-4fe6-c2e4-08d85af3b637
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT023.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR08MB4654
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qr8e5hJG17yE5Wy4hcJh61rTmX0>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Sep 2020 10:23:35 -0000

Hi Vittorio,

Thanks for the draft update.

Responses to  your questions are below:

From: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Sent: Tuesday, September 15, 2020 8:59 AM
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>om>; oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

Thank you Hannes for the thorough review, and thanks in advance for the writeup!

I applied most of the changes you suggested, and submitted a new draft.
Comments on questions and suggestions I didn't understand below:


  *   Question: If you refer to RFC 6750 and then list the steps are you just repeating the steps from RFC 6750 or are you augmenting them?
6750 doesn't offer an explicit list of validation steps, given the format agnostic approach followed by Core, tho some can be inferred here and there. The validation steps defined here are closer to the ones OIDC core lists for id_token validation, but aren't exactly the same- besides the typ header step and aud value considerations, which are unique to this spec, the discussion led to some other important differences from the OIDC list (no ordering in the steps, no auth_time, acr, azp considerations etc) that warrant listing the validation steps explicitly.

[Hannes] Thanks. This answers my question. No further action needed on this issue.


  *   The phrase "leaking keys" is probably not the best term to describe what follows afterwards in the text.
Can you expand on what aspect makes the term misaligned with the following text? The main difference seems to be that later on the verb used is "compromise", but that's more due to the fact that there's an active agent in the sentence (the attacker) while the preceding phrase lacks one. If I were to use "compromise" instead of leak I'd need to make it passive, which seems a bit weird. I am happy to change it, but I wanted to understand the point better first.

Here is the entire paragraph:

"
   Authorization servers should not rely on the use of different keys
   for signing OpenID Connect ID Tokens and JWT tokens as a method to
   safeguard against the consequences of leaking specific keys.  Given
   that resource servers have no way of knowing what key should be used
   to validate JWT access tokens in particular, they have to accept
   signatures performed with any of the keys published in AS metadata or
   OpenID Connect discovery: consequently, an attacker just needs to
   compromise any key among the ones published to be able to generate
   and sign JWTs that will be accepted as valid by the resource server.
"

Let us consider two cases here, namely the symmetric key case and the asymmetric key case.

In both cases it is common practice to use different keys for different purposes. In this case we are even talking about the use of keys for different recipients. ID Tokens are created by the AS for use by the OAuth Client while access tokens are consumed by the resource server.

For the symmetric key case, one of the two parties can leak the key. Who do you assume leaks the key here?
For the asymmetric key case, leaking the public key does not have a security impact. Are you concerned that the private key is compromised on the AS? There is, however, additionally the question about the compromise of the trust anchor.


You are saying that resource servers have no way of knowing what key to use to validate the access token. This is not correct because there is a dedicated field for that purpose: From RFC 7515:

"The "kid" (key ID) Header Parameter is a hint indicating which key was used to secure the JWS."

Why is this statement true "they have to accept signatures performed with any of the keys published in AS metadata or OpenID Connect discovery"

In general, it is bad if the private key got compromised. This will allow an adversary to create access tokens. The question is therefore: if this happens, how can you revoke the keys.
Using different keys for different purposes with different recipients is a common practice.




  *   This RFC 2119 language is not really enforceable in terms of interoperability.
I'd like to understand this better. The thing I am trying to express here is an absolute prohibition, as stated by 2119. The fact that it is unenforceable and potentially inconsequential doesn't make it acceptable, hence the language seems to be appropriate.
       I didn't take out the MUST NOT yet as we clarify the point further. I did however apply all your edits to that section, as they do make things clearer. Thanks!

Here is the sentence again:

"
The client MUST NOT inspect the content of
   the access token
"

I fully understand that you are trying to prohibit the OAuth client to look at the access token.
Normally, RFC 2119 language is used to inform how implementations should behave. This behavior can then be tested. How do you want to test whether a client did or did not look at the token as an outside observer?

I am not as passionate about this paragraph as others in the group because I have a pragmatic approach: it will not make a difference whether the MUST NOT is capitalized or not.



  *   The first sentence is a repetition of the previous paragraph. I would suggest to delete the first sentence in this paragraph and to move the second sentence to the previous paragraph
The second sentence isn't really a repetition IMO- rather, it is a specialization. Whereas the first paragraph talks about the client, the sentence you singled out talks about the end user. Those are closely correlated, but not the same. There are scenarios where the end user doesn't have access to the tokens, but the client app does.

You are right. I would restructure the paragraphs as follows:



   As JWT access tokens carry information by value, it now becomes

   possible for requestors and receivers clients and potentially

   even end users to directly peek inside the

   token claims collection.



   The client MUST NOT inspect the content of

   the access token: the authorization server and the resource server

   might decide to change token format at any time (for example by

   switching from this profile to opaque tokens) hence any logic in the

   client relying on the ability to read the access token content would

   break without recourse.  The OAuth 2.0 framework assumes that access

   tokens are treated as opaque by clients.  Administrators of

   authorization servers should also take into account that the content

   of an access token is visible to the client.  Whenever client access

   to the access token content presents privacy issues for a given

   scenario, the authorization server should take explicit steps to

   prevent it.



   In scenarios in which JWT access tokens are accessible to the end

   user, it should be evaluated whether the information can be accessed

   without privacy violations (for example, if an end user would simply

   access his or her own personal information) or if steps must be taken

   to enforce confidentiality.



   Possible measures to prevent leakage of information to clients and end

   Users include: encrypting the access token, encrypting the sensitive

   claims, omitting the sensitive claims or not using this profile, falling

   back on opaque access tokens.

The reason for the restructuring is the following:


  *   The counter-measures are applicable to end users and clients looking at the tokens - not just end users.
  *   The first sentence talks about clients and end users and not just about clients.

I hope this makes sense.

Ciao
Hannes

From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> on behalf of Hannes Tschofenig <Hannes.Tschofenig@arm.com<mailto:Hannes.Tschofenig@arm.com>>
Date: Monday, September 7, 2020 at 23:29
To: "oauth@ietf.org<mailto:oauth@ietf.org>" <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: [OAUTH-WG] draft-ietf-oauth-access-token-jwt-07

Hi Victorio, Hi all,

I am doing my shepherd write-up for draft-ietf-oauth-access-token-jwt-07. Reading through the draft I have a few minor suggestions:

Section 2:

I would delete this sentence "JWT access tokens are regular JWTs complying with the requirements described in this section."

Reason: You pretty much make the same statement on the previous page (see terminology section).

Section 2.1

s/asymmetric algorithms/asymmetric cryptography
(same replacement in Section 4)

s/   This specification registers the "application/at+jwt" media type,
   which can be used to indicate that the content is an access token./This specification registers the "application/at+jwt" media type,
   which can be used to indicate that the content is a JWT access token.

Use capitalized "Section" when a section number is indicated, such as in Section 2.2.

Section 2.2

s/""aud"/"aud"

2.2.1

s/   auth_time  OPTIONAL - as defined in section 2 of [OpenID.Core]./   auth_time  OPTIONAL - as defined in Section 2 of [OpenID.Core].
s/   acr, amr  OPTIONAL - as defined in section 2 of [OpenID.Core]./   acr, amr  OPTIONAL - as defined in Section 2 of [OpenID.Core].


s/Please see/See

s/For example:/For example,

Section 4

You write:

"Authorization servers SHOULD implement OAuth 2.0 Authorization Server Metadata [RFC8414] ... "

Are you sure you mean "implement" and not "use"? The paragraph gives me the impression that you talk about "ASs using RFC 8414"


s/Please see section Section 5 for further guidance on security implications./Please see Section 5 for further guidance on security implications.

This sentence sounds strange to me:
"
   When invoked as described in OAuth 2.0 Bearer Token Usage [RFC6750],
   resource servers receiving a JWT access token MUST validate it in the
   following manner.
"

How about:
"
   Resource servers receiving a JWT access token MUST validate it in the
   following manner.
"

Question: If you refer to RFC 6750 and then list the steps are you just repeating the steps from RFC 6750 or are you augmenting them?


You write:

"
If the JWT access token includes authorization claims as described in
   the authorization claims section, the resource server SHOULD use them
   in combination with any other contextual information available to
   determine whether the current call should be authorized or rejected.
"

Include a reference to the authorization claims section


s/ For more
   details on cross-JWT confusion please refer to 2.8 of [RFC8725]./ For more
   details on cross-JWT confusion please refer to Section 2.8 of [RFC8725].


You write:

"
   Authorization servers should not rely on the use of different keys
   for signing OpenID Connect ID Tokens and JWT tokens as a method to
   safeguard against the consequences of leaking specific keys.
"

The phrase "leaking keys" is probably not the best term to describe what follows afterwards in the text.

You write:

"
The client MUST NOT inspect the content of
   the access token
"

This RFC 2119 language is not really enforceable in terms of interoperability. Maybe you could rephrase a bit. Something like the following would work:

"
   Authorization server and the resource server
   might decide to change token format at any time (for example by
   switching from this profile to opaque tokens). Hence, any logic in the
   client relying on the ability to read the access token content would
   break without recourse. The OAuth 2.0 framework assumes that access tokens
   are treated opaque by clients.

   Administrators of authorization servers should also take into account that
   the content of an access token is visible to the client. Whenever client
   access to the access token content presents privacy issues for a
   given scenario, the authorization server should take explicit steps
   to prevent it.
"


You wrote:

"

   In scenarios in which JWT access tokens are accessible to the end
   user, it should be evaluated whether the information can be accessed
   without privacy violations (for example, if an end user would simply
   access his or her own personal information) or if steps must be taken
   to enforce confidentiality.  Possible measures include: encrypting
   the access token, encrypting the sensitive claims, omitting the
   sensitive claims or not using this profile, falling back on opaque
   access tokens.
"

The first sentence is a repetition of the previous paragraph. I would suggest to delete
the first sentence in this paragraph and to move the second sentence to the previous paragraph.

You wrote:

"
   This profile mandates the presence of the "sub" claim in every JWT
   access token, making it possible for resource servers to rely on that
   information for performing tasks such as correlating incoming
   requests with data stored locally for the authenticated principal.
   Although the ability to correlate requests might be required by
   design in many scenarios, there are scenarios where the authorization
   server might want to prevent correlation to preserve the desired
   level of privacy.  Authorization servers should choose how to assign
   "sub" values according to the level of privacy required by each
   situation.  For instance: if a solution requires preventing tracking
   principal activities across multiple resource servers, the
   authorization server should ensure that JWT access tokens meant for
   different resource servers have distinct "sub" values tht cannot be
   correlated in the event of resource servers collusion.  Similarly: if
   a solution requires preventing a resource server from correlating the
   principal's activity within the resource itself, the authorization
   server should assign different "sub" values for every JWT access
   token issued.  In turn, the client should obtain a new JWT access
   token for every call to the resource server, to ensure that the
   resource server receives different "sub" and "jti" values at every
   call, thus preventing correlation between distinct requests.
"

The above paragraph suggests that there are different levels of privacy. What you are
talking about in the text is unlinkability and identification. Ways to deal with such
privacy threats are described in Section 6 of RFC 6973.

Hence, I would suggest to slightly rephrase the paragraph to something like:

"
   This profile mandates the presence of the "sub" claim in every JWT
   access token, making it possible for resource servers to rely on that
   information for correlating incoming
   requests with data stored locally for the authenticated principal.
   Although the ability to correlate requests might be required by
   design in many scenarios, there are scenarios where the authorization
   server might want to prevent correlation. The "sub" claim should be
   populated by the authorization servers according to a privacy impact
   assessment. For instance, if a solution requires preventing tracking
   principal activities across multiple resource servers, the
   authorization server should ensure that JWT access tokens meant for
   different resource servers have distinct "sub" values that cannot be
   correlated in the event of resource servers collusion.  Similarly, if
   a solution requires preventing a resource server from correlating the
   principal's activity within the resource itself, the authorization
   server should assign different "sub" values for every JWT access
   token issued.  In turn, the client should obtain a new JWT access
   token for every call to the resource server, to ensure that the
   resource server receives different "sub" and "jti" values at every
   call, thus preventing correlation between distinct requests.
"


Section 7.2

s/   Section Section 2.2.3.1 of this specification refers to the
   attributes "roles", "groups", "entitlements" defined in [RFC7643] to
   express authorization information in JWT access tokens.
/   Section 2.2.3.1 of this specification refers to the
   attributes "roles", "groups", "entitlements" defined in [RFC7643] to
   express authorization information in JWT access tokens.


References

RFC 7519 has to be a normative reference:

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
              <https://www.rfc-editor.org/info/rfc7519>.

RFC 7644 is an unused reference:

   [RFC7644]  Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E.,
              and C. Mortimore, "System for Cross-domain Identity
              Management: Protocol", RFC 7644, DOI 10.17487/RFC7644,
              September 2015, <https://www.rfc-editor.org/info/rfc7644>.

The same is true for RFC 3986:

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <https://www.rfc-editor.org/info/rfc3986>.


Ciao
Hannes

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.