IETF Logo Mail Archive

Re: [OAUTH-WG] Privacy considerations regarding RAR and authorization_details in AT JWT

Justin Richer <jricher@mit.edu> Wed, 21 December 2022 14:30 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34CB8C14CF14 for <oauth@ietfa.amsl.com>; Wed, 21 Dec 2022 06:30:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rcv9y5Vtbkej for <oauth@ietfa.amsl.com>; Wed, 21 Dec 2022 06:30:20 -0800 (PST)
Received: from outgoing-exchange-5.mit.edu (outgoing-exchange-5.mit.edu [18.9.28.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B5A3C14CF0B for <oauth@ietf.org>; Wed, 21 Dec 2022 06:30:20 -0800 (PST)
Received: from oc11exedge2.exchange.mit.edu (OC11EXEDGE2.EXCHANGE.MIT.EDU [18.9.3.18]) by outgoing-exchange-5.mit.edu (8.14.7/8.12.4) with ESMTP id 2BLEUGUH006586; Wed, 21 Dec 2022 09:30:17 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=outgoing; t=1671633017; bh=iYGjXmjFW0BAazvcNA4W6X3JLKgzba8j4waFroJWqxY=; h=From:To:CC:Subject:Date:References:In-Reply-To; b=A79ierfdtmvv/+R8fCYn0VpdekGRoUbqGK+9tnDFU1eTXwR3FlKkrv7bx1zPTDvGh ailRFtEW+AGJiiZXc2tF6q6qY6HK3uBTzfFhCnKGV3xAsg9yb8s2mqm8mte4f6b96z 2Y1EXbGXNiq040YXr0s71fdJYdzzhoV8M0Y0wp2hltK1WGPDR0++c/kRh5Vy2m1ryO lLiEtaN//2iTXtM0NPA6flKwvfsEfKnScg6c6v3yI/3a72gmz87J8GyYWicweoKFxq 0F9ORszRFVazDVjdVdFOS9EIhx7gYy8igYX/EGtQeb+mTl58ymXznu72poe7ZGXlZx RDNHAXX/IVG8w==
Received: from w92expo23.exchange.mit.edu (18.7.74.77) by oc11exedge2.exchange.mit.edu (18.9.3.18) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Wed, 21 Dec 2022 09:30:03 -0500
Received: from oc11exhyb6.exchange.mit.edu (18.9.1.111) by w92expo23.exchange.mit.edu (18.7.74.77) with Microsoft SMTP Server (TLS) id 15.0.1497.42; Wed, 21 Dec 2022 09:30:16 -0500
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.101) by oc11exhyb6.exchange.mit.edu (18.9.1.111) with Microsoft SMTP Server (TLS) id 15.0.1497.42 via Frontend Transport; Wed, 21 Dec 2022 09:30:16 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ghpsw65tiUMsiF9yGaHUG6PsV8k0co+bM9dEGlgdQdzVag96HcgGTA1AKCCuQcal3VN/kcFcZ7QV0mmueI700kgiFMvjAqd/v3cUnlknvsYDAPmPIQ74M4fcDZDeOl44/zXphfSE1fZ0eBhFPqI80Q/ubzgEaFVWxbiS9ILCMxWM6fFSaq00TDnYdvzA67FsBns69DC/Ebt1qNDHFEORX1f41iVLsGHyz00f3Im6bCjrALqEBC3XW/qMARzAK4xu3N24We6ArLJuKPt3yyblgKc7wSRClDnTf3qxVm8+vwOs/LOgmEaMQaez21d2tIISQFJRNgM0M1iz9/Tsgg5++w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iYGjXmjFW0BAazvcNA4W6X3JLKgzba8j4waFroJWqxY=; b=BBt3iLkDCecD2PV5l9iF3wvuyyWpuAfd3U06jpJT+A9UpNSRpcNRL1tfsnBer7ir/lQWkU7s3EPEo6eCR4hwz8IMESJmDAuRH49YpFqJMxrHzjuMNHPslddwuKaX3PIoKwdytbP6nM2uODBh4l865jaeSokOg4F7mqgZADnCHKaUwdK85V+HmGfo9s1DjGoPqZqLYhpNgwGdw1D+SqmvQ34JT8BvRkeMyC3iu8LxPDfdLS+WpTBr2rEIjzp+HuMc5PfTHG+1FIT8V2BJSRIhQiIoBrn9r3E2JVbOigrJCBMCIiNeoT5sVRzQ30pmmJzghRFaPmfKTiN+g2ryPuOjEQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
Received: from DM6PR01MB4444.prod.exchangelabs.com (2603:10b6:5:78::15) by DM5PR01MB2491.prod.exchangelabs.com (2603:10b6:3:3f::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5924.11; Wed, 21 Dec 2022 14:30:15 +0000
Received: from DM6PR01MB4444.prod.exchangelabs.com ([fe80::62:d23d:3d8d:88d3]) by DM6PR01MB4444.prod.exchangelabs.com ([fe80::62:d23d:3d8d:88d3%5]) with mapi id 15.20.5924.016; Wed, 21 Dec 2022 14:30:15 +0000
From: Justin Richer <jricher@mit.edu>
To: Kai Lehmann <kai.lehmann=401und1.de@dmarc.ietf.org>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Privacy considerations regarding RAR and authorization_details in AT JWT
Thread-Index: AQHZE4BNeGzZp16CbU2PDr9lDYRcPq54ankA
Date: Wed, 21 Dec 2022 14:30:15 +0000
Message-ID: <6553B701-B3CA-4DEF-8A39-BB302379517D@mit.edu>
References: <C01EEF4D-C9E8-4085-8417-26340D5D8E05@1und1.de>
In-Reply-To: <C01EEF4D-C9E8-4085-8417-26340D5D8E05@1und1.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DM6PR01MB4444:EE_|DM5PR01MB2491:EE_
x-ms-office365-filtering-correlation-id: 46dac6e3-51d3-4bb7-b1b3-08dae35fe06c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: N+ZJHLPMWyG8IKLPah2EyLH+oQPFXWlrC/A5oO3L6XTYotY/eV81Q4wkdm6maCODG8VF179Ik+6kQkdurnKmM7AbEB0f9yRsDrc2pz5O2LC9I4PDUsWUvtKs8SkvAcvztkG0Eeet2PjdzbS+zXi973e8U48BovGSbLiYb/G0PW0CBEaTP/7g/gjkpi+mLZWhr45pJ1qgiM1TL210dAP4BjVnkuymto8CSsveCgx8/l7Ld2IQVtpoVrSMHSWf3SjAGQ11g6z1aXiCWyhOqE6pU7Uyq5dP5Zy+Nl+CZr6zB8RlnwopbZoipSBA0imwRNyHKgsiD2IpQr6k6rEhD0ajBu+GIeAPmS7VG8kXuVKYPWFiEo38YThqRdIRM2i5cW+a8N7YUgoViKbgOb6OCp1ukaapqCSg0BJX19wZ+/ZG8qjZM7iHpghNIE2VSBiSHMM5BTU4wdSgj1b6ihLTh0mxhohl8HeKa5jrMVwT4voNQGeusNU7n2XstvePltw44BBHqgUVa4j6Mr9kqqM5gA/llixZ9zyGN0xFPTfBOuIPfhT4XEav5hcj7+N/KVOYGWGgSfSzUJurI+ixOro7jK5gDU6279v/q9r17aYwqA2CBFLOyBds0EdwGgDdYbGfQbyNexuC4GT9Wqssng5Ryk+dfc+RCWWZaHIJV0meZXS232yF2JMg9s9LHWyS8+s+VqiptSSI7pgnteIctrtq64m4bYHRiEy5zgrwt3QdCji09/r8uXgx2R8eSad1Dh4LNV0RJOK2tgGG4bpLRbCJfsvTvQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM6PR01MB4444.prod.exchangelabs.com; PTR:; CAT:NONE; SFS:(13230022)(4636009)(366004)(39860400002)(136003)(346002)(396003)(376002)(451199015)(86362001)(83380400001)(38100700002)(122000001)(2906002)(38070700005)(5660300002)(8936002)(41300700001)(4326008)(75432002)(6506007)(478600001)(966005)(6486002)(53546011)(2616005)(6512007)(26005)(91956017)(66946007)(186003)(76116006)(66476007)(64756008)(71200400001)(786003)(316002)(66446008)(8676002)(66556008)(66899015)(36756003)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: mdBNX65RKSlG/a58BAB1l3vVP7z91+cdObw+FjRYTJ+D7rmQFJTQThYdyM5aA1TbbYEf08cq84+sZXEpoWslXLqmfl8AupJtYM5iJr8UYHlaWbRQsNcUh3b/ldtTQenJepdmrUj3qk0Kd2xjE/ux/KD5JB/mOXAfmNuMhTOLA8vH+qMm5FXgLBBOGp4UdF3uRH6gpAcCNDEdrfaCDGHF/C0gLrQfzjiXx9sdpijyeLuhnpO6Xm48B4wzURg4t2cQeU2a0fhsFUAagO0+a4GjLwoh9DdsysuzWbk5fL8+AfDnVDoYlACE3Ymb/UTYX4tK7EfJn9yCKLIVpvufRbEoe9iiJxTjsDUBsK8RULFA4P6CVTxG8ozE32o5hTxuYDGV9rLo/c6Q7xNRatXpaSmblIAGEtMfcrC9FEbBy0JA22eKi+dwjETiaI58wdQG73DpfPlA2bqPdq/cs3zrrbv/nZC3ovF28w4CcUqO4f2oltX9qYB0VF7VlOelNXinW5gKGZkPrVQBB5oPvrHvVY+1oc1flYI9nXEE10UUG+u9/km+SktSicubqw8dtHInXZW9hL2FKRwVveuDAaOahO6+iuvqBJqd6dP0mOmaS8sBpqMiDEuDsgxjNRP0FmiLIjH40ylehwp0zGOqBbLXjIHzslsDWYMFIy6vDRHGC4MRcBUbM8HpxznON8KK8/a81wlf/Nz61pXUtZ8j1yeniTRHJJ1rp9k+mJ4Vs/Bol/wEzGOUmCiSWuIKLJ00YKfXvSHnno0F58MTjzQ3Bs3KYyDuGXDsL0AU3dOaQSzAiNaUnzUGZK87kA0U040av2CCkIYItTknHVIFF+kiajYoJUtlmQpt4IIEfQ2B6J563gzF14wPWCWsqaon0StC1JYOTenYpBrcRzfU/G4KZEdrwlKdP7Su4YmuqiWFoltr4LbrD45jVAqOKzeGV2StTKVsPAs2aYXqPydhPAq+zhbabQxDsS8q3CjN/iVFUjm2mkgKMTDFHan2diRaykx6ekRl8k7lOOvFKhbXWX8PN2PYPPuE1jiXjPpdv1znPdjJYFEqVFNDRWB+zhTu+qpXxj0YndhatvImdyk2GH6kmc3/oiNSxkpTqCxFOf3SqdNw+HiqmqBBhvL1sBjkBn03bTSAsxxDdHpEHF5PO8MD+wcnLu20dMlKvb6iNDzFVEBK3N+9f3cfRP6wTOl5XHqpz4fBMZPYAjGUB3Z06MyxusdoRBYPnHFh9xhg5QU0oICSLvvnYxoGFHeS8cDHHyUFSERHn8OPzXGQsxWPV+K2wunR6yPvHc0auSCo8i22X1xZx9396Ap6wuobTR4tw4PTKOobzaF2F+TJ2/LLTglilZibXwW5pK3YaV0YaCy66MaMblllNkgreFCuhXgMNtvNagBPYIGYgJL4LvZgmUiBc5y3CFKH0xy1aSFOmNHDV0lsLkkdD5S2avbhGb1pumqtRzLSbS5by8fgNNtjWmVL0kuxmJhp4FNAsNTv3EblRO52FQGhtJKUL6y3sUuJCRGVUWt1mybTR2OEFen7eHvScnHVi5z67EBFw/iGXEO26y7zyusx5Q1ZokSNQCnWhygG9INP6nG/
Content-Type: text/plain; charset="utf-8"
Content-ID: <6F60A985D2E3E74C9360057C1EF54969@prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM6PR01MB4444.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 46dac6e3-51d3-4bb7-b1b3-08dae35fe06c
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Dec 2022 14:30:15.2652 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: yyVoAggqD/YlGi8Qg+GZSsHcUFb3Fdpx9arZbSSNoBp1iBuVozXC+aPr2MHfrNcM
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR01MB2491
X-OriginatorOrg: mit.edu
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rlrEA8vBFhjAnz-jphHcpcpeDzY>
Subject: Re: [OAUTH-WG] Privacy considerations regarding RAR and authorization_details in AT JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Dec 2022 14:30:26 -0000

Hi Kai,

Both of those approaches are common approaches for preventing the leakage of private information in JWTs, and neither is specific to the RAR specification. The use of RAR objects does make it easier to have more specific detail, but that detail could have easily been leaked through a scope or any other custom claim in a JWT. The important thing for RAR is to point out the RAR object as a :source: of that kind of data and call out the desired effect of mitigation (ie, limiting to the intended audience of the token). General mechanisms for reaching that mitigation, such as introspection and multi-target encryption, aren’t really for RAR to define since they aren’t specific to RAR in the slightest.

In the end, you’ve drawn exactly the right conclusions from the text that we would hope an implementor would draw from reading this text. As such, to me, that means the text is doing its job. If we can make that clearer, and help more people reach that same conclusion more quickly, the editors would love any hint on what you think we might be able to do.

Thank you,
 — Justin

> On Dec 19, 2022, at 3:02 AM, Kai Lehmann <kai.lehmann=401und1.de@dmarc.ietf.org> wrote:
> 
> Hi,
> 
> In the privacy considerations section of the RAR specification (https://www.ietf.org/archive/id/draft-ietf-oauth-rar-21.html#name-privacy-considerationsit) it is stated:
> 
> 
> “The AS needs to take into consideration the privacy implications when
> sharing authorization_details with the client or resource servers.
> The AS should share this data with those parties on a "need to know"
> basis as determined by local policy.“
> 
> The proposed standard recommends to embedd the authorization_details in the JWT-based Access Token "filtered to the specific audience".
> 
> I assume audience restricted ATs are meant here.
> 
> My concern is that there can be multiple RS which the client intents to use the AT for. Even with audience restricted ATs, it may be the case that personal information being part of the authorization_details should only be visible to one of the AS and not the others. I don't really see how the Authorization Server is able to craft ATs which can be used for all of the given audience while only one or some ought to be able to read the authorization_details. Even if the AS is able to enforce a policy to allow only one audience with the authorization request, it does not prevent the client from accidentally misusing the issued AT with another RS for which it was not intended and thus leaking personal information to that RS.
> 
> I think that in order to prevent authorization_details to be accessible by multiple RS, Token Introspection should still be used to validate JWT-based ATs and only include the authorization_details in the Token introspection response which the RS need to know.
> 
> Another approach would be to have an authorization_details section encrypted asymmetrically for each audience separately so that each RS can only extract the authorization_details it needs. That could mean JWTs inside of JWTs.
> 
> I think it would help to add more details to the privacy considerations or even describe how exactly this can be achieved.
> 
> Best regards,
> Kai
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email