IETF Logo Mail Archive

Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13

Denis <denis.ietf@free.fr> Tue, 14 April 2020 14:38 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 192BD3A083B for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2020 07:38:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.498
X-Spam-Level:
X-Spam-Status: No, score=-0.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.398, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UE-hIVuWwtTx for <oauth@ietfa.amsl.com>; Tue, 14 Apr 2020 07:38:14 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp11.smtpout.orange.fr [80.12.242.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C34393A0837 for <oauth@ietf.org>; Tue, 14 Apr 2020 07:38:13 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d22 with ME id SeeB2200h4FMSmm03eeBRT; Tue, 14 Apr 2020 16:38:12 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 14 Apr 2020 16:38:12 +0200
X-ME-IP: 86.238.65.197
To: oauth@ietf.org
References: <158628195716.9275.10690808358259357603@ietfa.amsl.com> <CAGL6epJ6W6AKptXw72cw2eaO+582_iYhKSK5h6BGBWeDJW9zNg@mail.gmail.com> <CAGL6epJc4CGDy9DwL3-BJh6MrELY3C-RUmcH716WN4k3Un11FA@mail.gmail.com> <361d7891-01be-8e22-7765-613e727b2bc1@free.fr> <CAD9ie-u4xaoRmNG3Sgj+cNWG4M8BzaM1YFF4Oy4Q2A6gdFWDhw@mail.gmail.com> <CAGBSGjpV=QNHPJfXXLcxHwYwHZrKXEQVjf3eJg+b8z=qpRAJcA@mail.gmail.com> <CAO_FVe67Ta_c1stGAH2b6mC_9FcfcZ_Vs6OdD4S4--vOac_y-g@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <a8c09693-bdfa-941b-acbb-4830b679e18f@free.fr>
Date: Tue, 14 Apr 2020 16:38:09 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <CAO_FVe67Ta_c1stGAH2b6mC_9FcfcZ_Vs6OdD4S4--vOac_y-g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------F3FA4650B46446CCED4B46F6"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rkE0Y-MCXh6VyceCnIAmLTTyz1E>
Subject: Re: [OAUTH-WG] Web Authorization Protocol (oauth) WG Virtual Meeting: 2020-04-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Apr 2020 14:38:17 -0000

Vittorio, one comment in line.
> It’s certainly possible to conceive ATs without subs, but I think the 
> profile would be way less useful for SDK developers.
> On the objections:
> The sub doesn’t have to be a user, if you look at the earlier 
> discussions the case in which the token has been issued for an 
> application via client creds (hence non user) has been debated at length.
> Knowing the subject does not necessarily lead to API being able to 
> collide and track users, given that the sub can be a PPID that is 
> different for every resource even if the authenticated subject was the 
> same.
>
> The sub is mandatory here because it was present in nearly every token 
> among the ones observed, and although one should not overindex on 
> those scenarios, I took that as strong indication that it is a 
> frequently used field and guaranteeing its presence facilitates 
> embedding in SDKs lots of downstream features, such as correlating 
> with locally stored attributes, which would otherwise left as exercise 
> to the reader. Per the points above, there are no obvious downsides in 
> requiring the presence of the sub and significant upsides. Again, the 
> AS is in full control of the sub content hence none of the privacy 
> concerns mentioned here are mandated by the sheer presence of the sub 
> claim.

> If you feel the privacy section should be stronger in warning an AS 
> against the possibility of collusion if global ide rockers 
> [identifiers] are used, I am happy to reword accordingly.

Text needs to added into the Privacy consideration section stating more 
than that.

Since RFC 7519 (4.1.2) states:

     The subject value MUST either be scoped to be *locally unique* in 
the context of the issuer *or* be *globally unique*.

the presence of the sub claim in a JWT allows (1) different resource 
servers to perform correlations of actions performed by the same subject
on these different resource servers and (2) a single resource server to 
perform inter-API correlations of actions performed by the same subject.
Since a single claim parameter is being used, it is not possible to have 
only one of the two previous cases.

Denis

>
> On Mon, Apr 13, 2020 at 10:16 Aaron Parecki <aaron@parecki.com 
> <mailto:aaron@parecki.com>> wrote:
>
>     This is a good point, I often use the hotel key analogy as well.
>     The room door is the RS, the key is the access token, the door
>     does not need to know who the user is in order to know if it’s
>     okay to unlock given a particular key.
>
>     If sub is required, then this profile is limited in use to cases
>     where user identifiers are part of the system, and there will be
>     situations in which it’s not appropriate to use this profile for
>     access tokens. If that’s okay, this should be clarified in the
>     overview section to describe when this profile should be used.
>
>     Aaron
>
>
>
>     On Mon, Apr 13, 2020 at 10:08 AM Dick Hardt <dick.hardt@gmail.com
>     <mailto:dick.hardt@gmail.com>> wrote:
>
>         Why does the "sub" need to be required?
>
>         An access token is to prove authorization. The RS may not need
>         "sub" to constrain fulfilling the client request.
>
>         For example, it the access token has the same properties as a
>         movie ticket, the RS does not need to have any identifier for
>         who purchased the movie ticket.
>
>         The privacy implication is the RS can correlate across API
>         calls to know it is the same subject.
>
>
>
>
>         On Mon, Apr 13, 2020 at 8:16 AM Denis <denis..ietf@free.fr
>         <mailto:denis.ietf@free.fr>> wrote:
>
>             Hello,
>
>             More on privacy about "JWT Profile for Access Tokens".
>
>             The current document REQUIRES the claim names *sub* and
>             *client_id*.
>
>               * sub  REQUIRED - as defined in section 4.1.2 of [RFC7519].
>               * client_id  REQUIRED - as defined in section 4.3 of
>                 [RFC8693]
>
>             *1) **sub  REQUIRED*
>
>             RFC 7519 states:
>
>                 4.1.2.  "sub" (Subject) Claim
>                    The "sub" (subject) claim identifies the principal
>                 that is the
>                    subject of the JWT.  The claims in a JWT are
>                 normally statements
>                    about the subject.  The subject value MUST either
>                 be scoped to**
>                 *be locally unique in the context of the issuer or be
>                 globally unique*.
>                    The processing of this claim is generally
>                 application specific.  The
>                    "sub" value is a case-sensitive string containing a
>                 StringOrURI
>                    value. *Use of this claim is OPTIONAL.*
>
>             If *sub *is *REQUIRED *for this profile, then this allows
>             all resource servers to link accesses made by the same
>             client on different servers.
>
>             *2) client_id  REQUIRED*
>
>             RFC 8693 states:
>
>                 4.3. "client_id" (Client Identifier) Claim
>                 The client_id claim carries the client identifier of
>                 the OAuth 2.0 [RFC 6749] client that requested the token.
>
>             RFC 6749 states:
>
>                 2.2.  Client Identifier
>                    The authorization server issues the registered
>                 client a client
>                    identifier -- a unique string representing the
>                 registration
>                    information provided by the client.  The client
>                 identifier is not a
>                    secret; it is exposed to the resource owner and
>                 MUST NOT be used
>                    alone for client authentication. *The client
>                 identifier is unique to**
>                 **   the authorization server.*
>
>             If *client_id* is REQUIRED for this profile, this also
>             allows all resource servers to link accesses made by the
>             same client on different servers.
>
>             *Both claim names should be OPTIONAL *to allow to support
>             the privacy principle of unlinkability.
>
>             Would both names remain *REQUIRED*, the Privacy
>             considerations section should mention that such a linkage
>             by different resource servers
>             will always be possible when using this profile.
>
>             Denis
>
>>             I have uploaded the second presentation for today's
>>             session, the JWT Profile for Access Tokens.
>>             https://datatracker.ietf.org/meeting/interim-2020-oauth-04/session/oauth
>>
>>
>>             Regards,
>>              Rifaat
>>
>
>             _______________________________________________
>             OAuth mailing list
>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>             https://www.ietf.org/mailman/listinfo/oauth
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>
>     -- 
>     ----
>     Aaron Parecki
>     aaronparecki.com <http://aaronparecki.com>
>     @aaronpk <http://twitter.com/aaronpk>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email