Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
Denis <denis.ietf@free.fr> Tue, 14 April 2020 14:38 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 192BD3A083B for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2020 07:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level:
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UE-hIVuWwtTx for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2020 07:38:14 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp11.smtpout.orange.fr [80.12.242.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C34393A0837 for <oauth@ietf.org>; Tue, 14 Apr 2020 07:38:13 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d22 with ME id SeeB2200h4FMSmm03eeBRT; Tue, 14 Apr 2020 16:38:12 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 14 Apr 2020 16:38:12 +0200
X-ME-IP: 86.238.65.197
To: oauth@ietf.org
References: <158628195716.9275.10690808358259357603@ietfa.amsl.com> <CAGL6epJ6W6AKptXw72cw2eaO+582_iYhKSK5h6BGBWeDJW9zNg@mail.gmail.com> <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com> <361d7891-01be-8e22-7765-613e727b2bc1@free.fr> <CAD9ie-u4xaoRmNG3Sgj+cNWG4M8BzaM1YFF4Oy4Q2A6gdFWDhw@mail.gmail.com> <CAGBSGjpV=QNHPJfXXLcxHwYwHZrKXEQVjf3eJg+b8z=qpRAJcA@mail.gmail.com> <CAO_FVe67Ta_c1stGAH2b6mC_9FcfcZ_Vs6OdD4S4--vOac_y-g@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <a8c09693-bdfa-941b-acbb-4830b679e18f@free.fr>
Date: Tue, 14 Apr 2020 16:38:09 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <CAO_FVe67Ta_c1stGAH2b6mC_9FcfcZ_Vs6OdD4S4--vOac_y-g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------F3FA4650B46446CCED4B46F6"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rkE0Y-MCXh6VyceCnIAmLTTyz1E>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2020 14:38:17 -0000
Vittorio, one comment in line. > It’s certainly possible to conceive ATs without subs, but I think the > profile would be way less useful for SDK developers. > On the objections: > The sub doesn’t have to be a user, if you look at the earlier > discussions the case in which the token has been issued for an > application via client creds (hence non user) has been debated at length. > Knowing the subject does not necessarily lead to API being able to > collide and track users, given that the sub can be a PPID that is > different for every resource even if the authenticated subject was the > same. > > The sub is mandatory here because it was present in nearly every token > among the ones observed, and although one should not overindex on > those scenarios, I took that as strong indication that it is a > frequently used field and guaranteeing its presence facilitates > embedding in SDKs lots of downstream features, such as correlating > with locally stored attributes, which would otherwise left as exercise > to the reader. Per the points above, there are no obvious downsides in > requiring the presence of the sub and significant upsides. Again, the > AS is in full control of the sub content hence none of the privacy > concerns mentioned here are mandated by the sheer presence of the sub > claim. > If you feel the privacy section should be stronger in warning an AS > against the possibility of collusion if global ide rockers > [identifiers] are used, I am happy to reword accordingly. Text needs to added into the Privacy consideration section stating more than that. Since RFC 7519 (4.1.2) states: The subject value MUST either be scoped to be *locally unique* in the context of the issuer *or* be *globally unique*. the presence of the sub claim in a JWT allows (1) different resource servers to perform correlations of actions performed by the same subject on these different resource servers and (2) a single resource server to perform inter-API correlations of actions performed by the same subject. Since a single claim parameter is being used, it is not possible to have only one of the two previous cases. Denis > > On Mon, Apr 13, 2020 at 10:16 Aaron Parecki <aaron@parecki.com > <mailto:aaron@parecki.com>> wrote: > > This is a good point, I often use the hotel key analogy as well. > The room door is the RS, the key is the access token, the door > does not need to know who the user is in order to know if it’s > okay to unlock given a particular key. > > If sub is required, then this profile is limited in use to cases > where user identifiers are part of the system, and there will be > situations in which it’s not appropriate to use this profile for > access tokens. If that’s okay, this should be clarified in the > overview section to describe when this profile should be used. > > Aaron > > > > On Mon, Apr 13, 2020 at 10:08 AM Dick Hardt <dick.hardt@gmail.com > <mailto:dick.hardt@gmail.com>> wrote: > > Why does the "sub" need to be required? > > An access token is to prove authorization. The RS may not need > "sub" to constrain fulfilling the client request. > > For example, it the access token has the same properties as a > movie ticket, the RS does not need to have any identifier for > who purchased the movie ticket. > > The privacy implication is the RS can correlate across API > calls to know it is the same subject. > > > > > On Mon, Apr 13, 2020 at 8:16 AM Denis <denis..ietf@free.fr > <mailto:denis.ietf@free.fr>> wrote: > > Hello, > > More on privacy about "JWT Profile for Access Tokens". > > The current document REQUIRES the claim names *sub* and > *client_id*. > > * sub REQUIRED - as defined in section 4.1.2 of [RFC7519]. > * client_id REQUIRED - as defined in section 4.3 of > [RFC8693] > > *1) **sub REQUIRED* > > RFC 7519 states: > > 4.1.2. "sub" (Subject) Claim > The "sub" (subject) claim identifies the principal > that is the > subject of the JWT. The claims in a JWT are > normally statements > about the subject. The subject value MUST either > be scoped to** > *be locally unique in the context of the issuer or be > globally unique*. > The processing of this claim is generally > application specific. The > "sub" value is a case-sensitive string containing a > StringOrURI > value. *Use of this claim is OPTIONAL.* > > If *sub *is *REQUIRED *for this profile, then this allows > all resource servers to link accesses made by the same > client on different servers. > > *2) client_id REQUIRED* > > RFC 8693 states: > > 4.3. "client_id" (Client Identifier) Claim > The client_id claim carries the client identifier of > the OAuth 2.0 [RFC 6749] client that requested the token. > > RFC 6749 states: > > 2.2. Client Identifier > The authorization server issues the registered > client a client > identifier -- a unique string representing the > registration > information provided by the client. The client > identifier is not a > secret; it is exposed to the resource owner and > MUST NOT be used > alone for client authentication. *The client > identifier is unique to** > ** the authorization server.* > > If *client_id* is REQUIRED for this profile, this also > allows all resource servers to link accesses made by the > same client on different servers. > > *Both claim names should be OPTIONAL *to allow to support > the privacy principle of unlinkability. > > Would both names remain *REQUIRED*, the Privacy > considerations section should mention that such a linkage > by different resource servers > will always be possible when using this profile. > > Denis > >> I have uploaded the second presentation for today's >> session, the JWT Profile for Access Tokens. >> https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth >> >> >> Regards, >> Rifaat >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > -- > ---- > Aaron Parecki > aaronparecki.com <http://aaronparecki.com> > @aaronpk <http://twitter.com/aaronpk> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Web Authorization Protocol (oauth) WG … IESG Secretary
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Dick Hardt
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Aaron Parecki
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Dick Hardt
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… George Fletcher
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Denis
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… George Fletcher
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Manger, James
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Vittorio Bertocci
- Re: [OAUTH-WG] Web Authorization Protocol (oauth)… Rifaat Shekh-Yusef