IETF Logo Mail Archive

Re: [OAUTH-WG] Standardising JWT access token type determination

Warren Parad <wparad@rhosys.ch> Wed, 17 January 2024 09:50 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37E3BC14F5FB for <oauth@ietfa.amsl.com>; Wed, 17 Jan 2024 01:50:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8dIV2AxdS8wm for <oauth@ietfa.amsl.com>; Wed, 17 Jan 2024 01:50:54 -0800 (PST)
Received: from mail-ed1-x535.google.com (mail-ed1-x535.google.com [IPv6:2a00:1450:4864:20::535]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FEA9C14F5F1 for <oauth@ietf.org>; Wed, 17 Jan 2024 01:50:53 -0800 (PST)
Received: by mail-ed1-x535.google.com with SMTP id 4fb4d7f45d1cf-557678c50feso2755792a12.0 for <oauth@ietf.org>; Wed, 17 Jan 2024 01:50:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; t=1705485051; x=1706089851; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=8RSI37bxHzK/zU1hHoQ0Z8x351URXC4F0Hgrr91u7Vg=; b=X0m+8le3POBLaRL4TpeSvoaiCSr/2KyxJjZ38Pj0dDLICOWBsfbHbVyPZFNxi8MaTL 637Yd7rCI5gKn1WwnTH2+tDf5vPB9ByRCbisWitg5dhO2Zs+fUUxHpRqUm1RZM9RmRVu E87h6G+Aiyy1bvKAO8iMVRC+wRRgjsKyY4G2RVWBO1lpQShMBQGFflONkIH6nnrD8Ptr euwByJ15aMC2rXNsWWdIX5/vT5SpBmEKnPDSGjqDmWdeDu4IzuQiXLpdxt1i+lJ69htb U7OY1yYbsgVYg49fC2c8sNu+nfYurWBvKGZOCMK2mUsIQfaeWuJjN3Mz2rfINpER6SZ8 WslA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705485051; x=1706089851; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=8RSI37bxHzK/zU1hHoQ0Z8x351URXC4F0Hgrr91u7Vg=; b=a6rbEzxctd5QaR8yDMTzgAwce+s5f46qAbPT/cJ/bpc2IYevqQq64esjwSS805yQW+ WIEJVDPMY1pI9fwHz1GYBu5oSGmF7Eq+0vseT4XWXNwwrB48XRg4PEEbrvxZxz1g40Ww Wo9F7MiB4xcvN0LwqITPJXk4OGso8S/2aPyGE6+CEE7NatqL5xc7KLJkijIj6vkMzWWG 94PmP+RYVkfN/i+DNn8wHHWVEHCH4INpWgEMvzbXvAhaxgxpHs4hJrpzgiPnI1sxOxfU pgYjZAwqXI7n4wRGNpARyMc43KtMMoA1iGsLRJaRnrXRveLJ0kkjvcN0Wh/Se1VGiNf4 M75w==
X-Gm-Message-State: AOJu0YzUvDLWGK0+LNveGB6LTDJnWInEDb5eU5nCFy5PclisidYLanhC eqAM9TpWF/vuEnDCVYIKWNU59fDTJ3rB6FiCbLZfcLPZ9LBSHuDIVho64wXkzw==
X-Google-Smtp-Source: AGHT+IFofVH5PnW7jEgATCiJ4ygZN3PCRZhe4yhZlKl3rnY9H0NmWutkNKNPm7sOw/Vd6DgVYxIEKSGuZjKskGc1SwE=
X-Received: by 2002:a05:6402:22d3:b0:559:c036:8456 with SMTP id dm19-20020a05640222d300b00559c0368456mr1834403edb.4.1705485051027; Wed, 17 Jan 2024 01:50:51 -0800 (PST)
MIME-Version: 1.0
References: <CADo1+pUHvk6uK0pveDKbfxFDwDBkvmFbUEb=n_1pAsFfJ37Gmw@mail.gmail.com> <CAFfym_cZFPDX6w0SyNJVUXS53E80mFc9dTz8KaRr=c1JQMq5zg@mail.gmail.com> <CADo1+pVCaCRW+y7tEkxBrbtWYnZEkGyooWDE8xSuxmDf3ursEg@mail.gmail.com> <CAJot-L1Syx+CrjsHHT1LeydjYex+2F8ru=pDWcjda8J8S4FxyA@mail.gmail.com> <CADo1+pUWnzRWbRsw2oBSr_xfd9oruyL6fWn5pWs5+Zs5GitFZw@mail.gmail.com>
In-Reply-To: <CADo1+pUWnzRWbRsw2oBSr_xfd9oruyL6fWn5pWs5+Zs5GitFZw@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 17 Jan 2024 10:50:39 +0100
Message-ID: <CAJot-L3_gp7afbHMcz1KENyX+c1kDepJbmCUiv1Lkh84vm8=QQ@mail.gmail.com>
To: Akila Amarasinghe <akilaa=40wso2.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>, openid-gain-poc@lists.openid.net, Lalaji Sureshika <lalaji@wso2.com>
Content-Type: multipart/related; boundary="000000000000a31a7a060f212e3b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oCSYxiLLvb3EMriV8wMvEy9XPpI>
Subject: Re: [OAUTH-WG] Standardising JWT access token type determination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 09:50:58 -0000

It is not limited to OIDC, it is not OIDC specific. The RFC just includes
what to do if you also want to be OIDC compliant, since open ID already
specified a definition for the acr claim prior, but as the RFC title
indicates, this is for OAuth.

On Wed, Jan 17, 2024 at 10:46 AM Akila Amarasinghe <akilaa=
40wso2.com@dmarc.ietf.org> wrote:

> Hi Warren,
>
> Please correct me if I am wrong. As I understood, the "acr" claim is only
> returned with the ID token, which is OIDC-specific.
>
> Also, how about the point #2 I explained above?
>
> Thanks,
> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
> (M)+94719799034 *| *(E)akilaa@wso2.com
> (B) medium.com/@akilaamarasinghe
>
> <http://wso2.com/signature>
>
>
> On Wed, Jan 17, 2024 at 1:28 PM Warren Parad <wparad=
> 40rhosys.ch@dmarc.ietf.org> wrote:
>
>> > I'm afraid that claim is specific to OIDC
>>
>> Where exactly do you see that?
>>
>> On Wed, Jan 17, 2024, 05:12 Akila Amarasinghe <akilaa=
>> 40wso2.com@dmarc.ietf.org> wrote:
>>
>>> Hi Warren and all,
>>>
>>> I believe this will get you exactly what you are looking for,
>>>
>>> I did some digging into the "acr" claim you mentioned in your last
>>> email. I'm afraid that claim is specific to OIDC. Open Banking and Identity
>>> providers may not use OIDC always. For my requirement, there should be a
>>> way to distinguish the token type for both OIDC and non-OIDC providers. Is
>>> there any other way that supports both of the above scenarios?
>>>
>>>
>>>
>>>> without attempting to utilize existing claims in a way that wasn't
>>>> intended. While I definitely wouldn't recommend putting the
>>>> *grant-type* in the property, but rather the *depth of security that
>>>> the grant-type represents*, you are of course free to interpret the
>>>> spec how you wish.
>>>>
>>> Regarding #2 (Adding a custom claim to the access token), let me
>>> *correct* what I mentioned in the first email. *The custom claim won't
>>> contain the grant type itself in plain text*. It will contain some sort
>>> of string pre-defined by the authorization server which is determined based
>>> on the grant type. For instance, if the token request is with the
>>> "authorization code" grant type, the claim will contain something like
>>> "APPLICATION_USER". And if the grant type of the token request is "client
>>> credentials", the claim will contain the value "APPLICATION".  So we can
>>> use this claim to distinguish the token type.
>>>
>>> Is the above recommended by the authors of IETF?
>>>
>>> Thanks,
>>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>>> (M)+94719799034 *| *(E)akilaa@wso2.com
>>> (B) medium.com/@akilaamarasinghe
>>>
>>> <http://wso2.com/signature>
>>>
>>>
>>> On Fri, Jan 12, 2024 at 3:49 PM Danuta Kusik-Wieland <
>>> kusikdanuta@gmail.com> wrote:
>>>
>>>> Witam.Nie jestem informatykiem.Prubowałam stworzyć witrynę niestety
>>>> jest problem z tolkenem.Wiem o tym ale nie wiem jak to zmienić.Jeżeli masz
>>>> dobry pomysł proszę napraw to bo ja nie potrafię.Pozdrawiam Danuta
>>>> Kusik-Wieland
>>>>
>>>> pt., 12 sty 2024, 09:48 użytkownik Akila Amarasinghe <akilaa=
>>>> 40wso2.com@dmarc.ietf.org> napisał:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am researching a standard way to distinguish the token grant type
>>>>> (client credentials of authorization code) by inspecting the content of the
>>>>> self-contained JWT token.
>>>>>
>>>>> I expect to build a discussion within the Oauth/OpenID community
>>>>> around the need to identify the grant type in which a JWT access token is
>>>>> issued.
>>>>>
>>>>> In the context of Open Banking, regulators around the world enforce
>>>>> the API resource access validation specifying which type of access token
>>>>> should be used to access the API resources. This is becoming a general
>>>>> enforcement and the Open Banking solution providers are searching for a
>>>>> standard way to distinguish the access token type by checking the content
>>>>> of the JWT token.
>>>>>
>>>>> I researched this and please find my findings below,
>>>>>
>>>>> 1. *"sub" claim is a potential way to distinguish the token type*
>>>>>
>>>>> In rfc9068 <https://datatracker.ietf.org/doc/html/rfc9068> specification,
>>>>> it is mentioned that the "sub" claim should contain the client ID of the
>>>>> authorization server if the resource owner is not involved during
>>>>> authorization (see the screenshot below).
>>>>>
>>>>> [image: Screenshot 2024-01-12 at 12.15.42 PM.png]
>>>>>
>>>>> We had discussions about using this claim to validate the token type
>>>>> (auth code or client credentials), but it seems this is not a standard way
>>>>> to do this since there can be client impersonation attacks. However, it is
>>>>> very rare for an actual authorization code access token to have the same
>>>>> client ID in the "sub" claim as the client exists in the authorization
>>>>> server.
>>>>>
>>>>> 2. *Add a custom claim to the access token*
>>>>> Another option is to add a custom claim to determine the token type.
>>>>> This will be set after determining the grant type of the token request and
>>>>> will be contained in the JWT access token when issued by the authorization
>>>>> server. This is a reliable way to identify the token type because the
>>>>> authorization server determines the grant type by inspecting the request
>>>>> sent into it. Therefore, making it more reliable. This custom claim will
>>>>> contain from which grant type the access token is obtained.
>>>>>
>>>>> 3. *Validating the "azp" claim in the token*
>>>>> This is not applicable generally because this claim is optional and is
>>>>> only used in OpenID connect. The applications that don't use ID tokens
>>>>> cannot use this claim.
>>>>>
>>>>> We seek the help of the OAuth/OpenID community to build up a
>>>>> discussion on this and find a standard way to do the token type
>>>>> determination using the JWT token. It could be one of the above scenarios.
>>>>>
>>>>> The feedback from the Oauth/OpenID community is highly appreciated.
>>>>>
>>>>> Thanks,
>>>>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>>>>> (M)+94719799034 *| *(E)akilaa@wso2.com
>>>>> (B) medium.com/@akilaamarasinghe
>>>>>
>>>>> <http://wso2.com/signature>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>

v2.46.0 | Report a Bug | By Email | System Status