Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject issue

Thanks Hannes,

I'll update that text to reference RFC 6973 and also to indicate a specific
value which could be used for the anonymous user. And I'll publish new
drafts here soon(ish).

On Mon, Apr 28, 2014 at 2:49 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Hi all,
>
> your text proposal sounds reasonable and it might, as suggested,
> indicate what value to put in there for the anonymous user (such as
> 'anonymous'). Saying explicitly what implementers should be doing helps
> interoperability.
>
> Mentioning the pseudonym is also a good idea since in some cases
> anonymity can be too strong and pseudonymity is what is desired. For the
> terminology you could reference RFC 6973.
>
> Ciao
> Hannes
>
> PS: A note to various folks in this email thread: We have not discussed
> this issue before. As I mentioned in my original email we had only
> discussed a related issue regarding client authentication. Antonio's
> email lead me to think about the authorization grant, which is obviously
> a different story (which only happens to be in the same document because
> of the document structure we came up with).
>
> On 04/25/2014 09:57 PM, Brian Campbell wrote:
> > I absolutely agree with always requiring both issuer and subject and
> > that doing so keeps the specs simpler and is likely to improve
> > interoperability.
> >
> > However, without changing that, perhaps some of the text in the
> > document(s) could be improved a bit. Here's a rough proposal:
> >
> > Change the text of the second bullet in
> > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-5.2 to
> >
> > "The assertion MUST contain a Subject. The Subject typically identifies
> > an authorized accessor for which the access token is being requested
> > (i.e. the resource owner, or an authorized delegate) but, in some cases,
> > may be a pseudonym or other value denoting an anonymous user. When the
> > client is acting on behalf of itself, the Subject MUST be the value of
> > the client's client_id."
> >
> > And also change
> > http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1to
> >
> > "When a client is accessing resources on behalf of an anonymous user, a
> > mutually agreed upon Subject identifier indicating anonymity is used.
> > The Subject value might be an agreed upon static value indicating an
> > anonymous user or an opaque persistent or transient pseudonym for the
> > user may also be utilized. The authorization may be based upon
> > additional criteria, such as additional attributes or claims provided in
> > the assertion. For example, a client may present an assertion from a
> > trusted issuer asserting that the bearer is over 18 via an included
> > claim. In this case, no additional information about the user's identity
> > is included, yet all the data needed to issue an access token is
> present."
> >
> > And maybe also change the subject text in SAML and JWT (item #2 in
> > http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-08#section-3 and
> > http://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-19#section-3)
> > to read a little more like the new proposed text above for section 5.2
> > of the Assertion Framework draft.
> >
> > Would that sit any better with you, Hannes? Thoughts from others in the
> WG?
> >
> >
> > On Fri, Apr 25, 2014 at 1:08 PM, John Bradley <ve7jtb@ve7jtb.com
> > <mailto:ve7jtb@ve7jtb.com>> wrote:
> >
> >     Agreed.
> >
> >     On Apr 25, 2014, at 3:07 PM, Mike Jones <Michael.Jones@microsoft.com
> >     <mailto:Michael.Jones@microsoft.com>> wrote:
> >
> >>     I agree.  We’d already discussed this pretty extensively and
> >>     reached the conclusion that always requiring both an issuer and a
> >>     subject both kept the specs simpler and was likely to improve
> >>     interoperability.____
> >>
> >>     It’s entirely up to the application profile what the contents of
> >>     the issuer and the subject fields are and so I don’t think we need
> >>     to further specify their contents beyond what’s already in the
> >>     specs.____
> >>
> >>                                                                 --
> >>     Mike____
> >>
> >>     *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian
> >>     Campbell
> >>     *Sent:* Friday, April 25, 2014 10:17 AM
> >>     *To:* Hannes Tschofenig
> >>     *Cc:* oauth@ietf.org <mailto:oauth@ietf.org>
> >>     *Subject:* Re: [OAUTH-WG] draft-ietf-oauth-jwt-bearer-08 & subject
> >>     issue____
> >>     __ __
> >>
> >>     I believe, from the thread referenced earlier and prior discussion
> >>     and draft text, that the WG has reached (rough) consensus to
> >>     require the subject claim. So text that says "Subject element MUST
> >>     NOT be included" isn't workable.____
> >>
> >>     It seems what's needed here is some better explanation of how, in
> >>     cases that need it, the value of the subject can be populated
> >>     without using a PII type value. A simple static value like
> >>     "ANONYMOUS-SUBJECT" could be used. Or, more likely, some kind of
> >>     pairwise persistent pseudonymous identifier would be utilized,
> >>     which would not directly identify the subject but would allow the
> >>     relying party to recognize the same subject on subsequent
> >>     transactions. A transient pseudonym might also be appropriate in
> >>     some cases. And any of those approaches could be used with or
> >>     without additional claims (like age > 18 or membership in some
> >>     group) that get used to make an authorization decision. ____
> >>
> >>     I wasn't sure exactly how to articulate all that in text for the
> >>     draft(s) but that's more of what I was asking for when I asked if
> >>     you could propose some text.____
> >>
> >>
> >>
> >>
> >>     ____
> >>
> >>     __ __
> >>
> >>     On Thu, Apr 24, 2014 at 6:48 AM, Hannes Tschofenig
> >>     <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>>
> >>     wrote:____
> >>     Hi Brian,
> >>
> >>     Thanks for pointing to the assertion framework document.
> >>     Re-reading the
> >>     text it appears that we have listed the case that in Section 6.3.1
> but
> >>     have forgotten to cover it elsewhere in the document.
> >>
> >>
> >>     In Section 6.3.1 we say:
> >>
> >>     "
> >>
> >>     6.3.1.  Client Acting on Behalf of an Anonymous User
> >>
> >>        When a client is accessing resources on behalf of an anonymous
> >>     user,
> >>        the Subject indicates to the Authorization Server that the
> >>     client is
> >>        acting on-behalf of an anonymous user as defined by the
> >>     Authorization
> >>        Server.  It is implied that authorization is based upon
> additional
> >>        criteria, such as additional attributes or claims provided in the
> >>        assertion.  For example, a client may present an assertion from a
> >>        trusted issuer asserting that the bearer is over 18 via an
> included
> >>        claim.
> >>
> >>     *****
> >>         In this case, no additional information about the user's
> >>        identity is included, yet all the data needed to issue an access
> >>        token is present.
> >>     *****
> >>     "
> >>     (I marked the relevant part with '***')
> >>
> >>
> >>     In Section 5.2, however, we say:
> >>
> >>
> >>        o  The assertion MUST contain a Subject.  The Subject identifies
> an
> >>           authorized accessor for which the access token is being
> >>     requested
> >>           (typically the resource owner, or an authorized delegate).
>  When
> >>           the client is acting on behalf of itself, the Subject MUST
> >>     be the
> >>           value of the client's "client_id".
> >>
> >>
> >>     What we should have done in Section 5.2 is to expand the cases
> inline
> >>     with what we have written in Section 6.
> >>
> >>     Here is my proposed text:
> >>
> >>     "
> >>     o  The assertion MUST contain a Subject.  The Subject identifies an
> >>     authorized accessor for which the access token is being
> requested____
> >>
> >>     (typically the resource owner, or an authorized delegate).
> >>
> >>     ____
> >>
> >>     When the client is acting on behalf of itself, as described in
> Section
> >>     6.1 and Section 6.2, the Subject MUST be the value of the client's
> >>     "client_id".
> >>
> >>     When the client is acting on behalf of an user, as described in
> >>     Section
> >>     6.3, the Subject element MUST be included in the assertion and
> >>     identifies an authorized accessor for which the access token is
> being
> >>     requested.
> >>
> >>     When the client is acting on behalf of an anonymous user, as
> described
> >>     in Section 6.3.1, the Subject element MUST NOT be included in the
> >>     assertion. Other elements within the assertion will, however,
> provide
> >>     enough information for the authorization server to make an
> >>     authorization
> >>     decision.
> >>     "
> >>
> >>     Does this make sense to you?
> >>
> >>     Ciao
> >>     Hannes____
> >>
> >>
> >>     On 04/24/2014 02:30 PM, Brian Campbell wrote:
> >>     > There is some discussion of that case in the assertion framework
> >>     > document at
> >>     >
> http://tools.ietf.org/html/draft-ietf-oauth-assertions-15#section-6.3.1
> >>     >
> >>     > Do you feel that more is needed? If so, can you propose some text?
> >>     >
> >>     >
> >>     > On Thu, Apr 24, 2014 at 1:09 AM, Hannes Tschofenig____
> >>     > <hannes.tschofenig@gmx.net
> >>     <mailto:hannes.tschofenig@gmx.net> <mailto:
> hannes.tschofenig@gmx.net
> >>     <mailto:hannes.tschofenig@gmx.net>>> wrote:
> >>     >
> >>     >     Hi Brian,
> >>     >
> >>     >     I read through the thread and the Google case is a bit
> >>     different since
> >>     >     they are using the client authentication part of the JWT
> >>     bearer spec.
> >>     >     There I don't see the privacy concerns either.
> >>     >
> >>     >     I am, however, focused on the authorization grant where the
> >>     subject is
> >>     >     in most cases the resource owner.
> >>     >
> >>     >     It is possible to put garbage into the subject element when
> >>     privacy
> >>     >     protection is needed for the resource owner case but that
> >>     would need to
> >>     >     be described in the document; currently it is not there.
> >>     >
> >>     >     Ciao
> >>     >     Hannes
> >>     >
> >>     >
> >>     >     On 04/24/2014 12:37 AM, Brian Campbell wrote:
> >>     >     > That thread that Antonio started which you reference went
> >>     on for some
> >>     >     > time
> >>     >     >
> >>     >
> >>     (
> http://www.ietf.org/mail-archive/web/oauth/current/threads.html#12520)
> >>     >     > and seems to have reached consensus that the spec didn't
> need
> >>     >     normative
> >>     >     > change and that such privacy cases or other cases which
> didn't
> >>     >     > explicitly need a subject identifier would be more
> >>     appropriately dealt
> >>     >     > with in application logic:
> >>     >
> >>     > http://www.ietf.org/mail-archive/web/oauth/current/msg12538.html
> >>     >     >
> >>     >     >
> >>     >     >
> >>     >     >
> >>     >     > On Wed, Apr 23, 2014 at 2:39 AM, Hannes Tschofenig
> >>     >     > <hannes.tschofenig@gmx.net
> >>     <mailto:hannes.tschofenig@gmx.net> <mailto:
> hannes.tschofenig@gmx.net
> >>     <mailto:hannes.tschofenig@gmx.net>>____
> >>     >     <mailto:hannes.tschofenig@gmx.net
> >>     <mailto:hannes.tschofenig@gmx.net>____
> >>     >     <mailto:hannes.tschofenig@gmx.net
> >>     <mailto:hannes.tschofenig@gmx.net>>>> wrote:
> >>     >     >
> >>     >     >     Hi all,
> >>     >     >
> >>     >     >     in preparing the shepherd write-up for
> >>     >     draft-ietf-oauth-jwt-bearer-08 I
> >>     >     >     had to review our recent email conversations and the
> issue
> >>     >     raised by
> >>     >     >     Antonio in
> >>     >     >
> >>     >
> >>       http://www.ietf.org/mail-archive/web/oauth/current/msg12520.htmlbelong
> >>     >     >     to it.
> >>     >     >
> >>     >     >     The issue was that Section 3 of
> >>     draft-ietf-oauth-jwt-bearer-08
> >>     >     says:
> >>     >     >     "
> >>     >     >        2.   The JWT MUST contain a "sub" (subject) claim
> >>     >     identifying the
> >>     >     >             principal that is the subject of the JWT.  Two
> >>     cases
> >>     >     need to be
> >>     >     >             differentiated:
> >>     >     >
> >>     >     >             A.  For the authorization grant, the subject
> >>     SHOULD
> >>     >     identify an
> >>     >     >                 authorized accessor for whom the access
> >>     token is being
> >>     >     >                 requested (typically the resource owner, or
> an
> >>     >     authorized
> >>     >     >                 delegate).
> >>     >     >
> >>     >     >             B.  For client authentication, the subject
> >>     MUST be the
> >>     >     >                 "client_id" of the OAuth client.
> >>     >     >     "
> >>     >     >
> >>     >     >     Antonio pointed to the current Google API to
> >>     illustrate that
> >>     >     the subject
> >>     >     >     is not always needed. Here is the Google API
> >>     documentation:
> >>     >     >
> >>       https://developers.google.com/accounts/docs/OAuth2ServiceAccount
> >>     >     >
> >>     >     >     The Google API used the client authentication part
> (rather
> >>     >     than the
> >>     >     >     authorization grant), in my understanding.
> >>     >     >
> >>     >     >     I still believe that the subject field has to be
> >>     included for
> >>     >     client
> >>     >     >     authentication but I am not so sure anymore about the
> >>     >     authorization
> >>     >     >     grant since I could very well imagine cases where the
> >>     subject
> >>     >     is not
> >>     >     >     needed for authorization decisions but also for
> >>     privacy reasons.
> >>     >     >
> >>     >     >     I would therefore suggest to change the text as follows:
> >>     >     >
> >>     >     >     "
> >>     >     >        2.   The JWT contains a "sub" (subject) claim
> >>     identifying the
> >>     >     >             principal that is the subject of the JWT.  Two
> >>     cases
> >>     >     need to be
> >>     >     >             differentiated:
> >>     >     >
> >>     >     >             A.  For the authorization grant, the subject
> >>     claim MAY
> >>     >     >                 be included. If it is included it MUST
> >>     identify the
> >>     >     >                 authorized accessor for whom the access
> >>     token is being
> >>     >     >                 requested (typically the resource owner, or
> an
> >>     >     authorized
> >>     >     >                 delegate). Reasons for not including the
> >>     subject claim
> >>     >     >                 in the JWT are identity hiding (i.e.,
> privacy
> >>     >     protection
> >>     >     >                 of the identifier of the subject) and
> >>     cases where
> >>     >     >                 the identifier of the subject is
> >>     irrelevant for making
> >>     >     >                 an authorization decision by the resource
> >>     server.
> >>     >     >
> >>     >     >             B.  For client authentication, the subject
> >>     MUST be the
> >>     >     >                 included in the JWT and the value MUST be
> >>     populated
> >>     >     >                 with the "client_id" of the OAuth client.
> >>     >     >     "
> >>     >     >
> >>     >     >     What do you guys think?
> >>     >     >
> >>     >     >     Ciao
> >>     >     >     Hannes
> >>     >     >
> >>     >     >
> >>     >     >     _______________________________________________
> >>     >     >     OAuth mailing list____
> >>
> >>     >     >     OAuth@ietf.org
> >>     <mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org
> >>     <mailto:OAuth@ietf.org>> <mailto:OAuth@ietf.org
> >>     <mailto:OAuth@ietf.org>
> >>     >     <mailto:OAuth@ietf.org <mailto:OAuth@ietf.org>>>
> >>     >     >     https://www.ietf.org/mailman/listinfo/oauth
> >>     >     >
> >>     >     >
> >>     >
> >>     >____
> >>
> >>     __ __
> >>     _______________________________________________
> >>     OAuth mailing list
> >>     OAuth@ietf.org <mailto:OAuth@ietf.org>
> >>     https://www.ietf.org/mailman/listinfo/oauth
> >
> >
>
>