Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
Pedro Igor Silva <psilva@redhat.com> Mon, 25 March 2019 14:14 UTC
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: Dominick Baier <dbaier@leastprivilege.com>, IETF oauth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vWfh7b58vxQnr_zTNFV9RZcpovs>
Nice work Vittorio.

I think the "sub" claim can also be used to reference the client (depending on the implementation, it may not necessarily map to the client_id). It might eventually reference the same entity as the client_id.

In addition to the "sub" claim, does it make sense to explicitly have the "preferred_username" claim (section 5.1 of OpenID.Core) as OPTIONAL in Section 2.2 Data Structure? Isn't this claim a quite common piece of information processed by resource servers?

Regards.
Pedro Igor

On Mon, Mar 25, 2019 at 2:59 PM Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote:

> Without agreeing or disagreeing: OIDC does not apply here since it is not OAuth and an access token is not an id_token.
> The JWT spec says in https://tools.ietf.org/html/rfc7519#section-4.1.2:
>
> "The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific"
>
> which kind of spells "client" in the case of the client credentials grant, but I also do worry about Resource Servers thinking/acting only in terms of users.
>
> Hans.
>
> On Mon, Mar 25, 2019 at 2:41 PM Dominick Baier <dbaier@leastprivilege.com> wrote:
>
>> IMHO the sub claim should always refer to the user - and nothing else.
>>
>> OIDC says:
>>
>> "Subject - Identifier for the End-User at the Issuer."
>>
>> client_id should be used to identify clients.
>>
>> cheers
>> Dominick
>>
>> On 25 March 2019 at 05:13:03, Nov Matake (matake@gmail.com) wrote:
>>
>> Hi Vittorio,
>>
>> Thanks for the good starting point of standardizing JWT-ized AT.
>>
>> One feedback.
>> The "sub" claim can include 2 types of identifier, end-user and client, in this spec.
>> It requires those 2 types of identifiers to be unique from each other in the IdP context.
>>
>> I prefer omitting the "sub" claim in a 2-legged context, so that no such constraint is needed.
>>
>> thanks
>>
>> nov
>>
>> On Mar 25, 2019, at 8:29, Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>>
>> Dear all,
>> I just submitted a draft describing a JWT profile for OAuth 2.0 access tokens. You can find it in https://datatracker.ietf.org/doc/draft-bertocci-oauth-access-token-jwt/.
>> I have a slot to discuss this tomorrow at IETF 104 (I'll be presenting remotely). I look forward to your comments!
>>
>> Here's just a bit of backstory, in case you are interested in how this doc came to be. The trajectory it followed is somewhat unusual.
>>
>> - Despite OAuth2 not requiring any specific format for ATs, through the years I have come across multiple proprietary solutions using JWT for their access token. The intent and scenarios addressed by those solutions are mostly the same across vendors, but the syntax and interpretations in the implementations are different enough to prevent developers from reusing code and skills when moving from product to product.
>> - I asked several individuals from key products and services to share with me concrete examples of their JWT access tokens (THANK YOU Dominick Baier (IdentityServer), Brian Campbell (PingIdentity), Daniel Dobalian (Microsoft), Karl Guinness (Okta) for the tokens and explanations!). I studied and compared all those instances, identifying commonalities and differences.
>> - I put together a presentation summarizing my findings and suggesting a rough interoperable profile (slides: https://sec.uni-stuttgart.de/_media/events/osw2019/slides/bertocci_-_a_jwt_profile_for_ats.pptx) - got early feedback from Filip Skokan on it. Thx Filip!
>> - The presentation was followed up by 1.5 hours of unconference discussion, which was incredibly valuable to get tight-loop feedback and incorporate new ideas. John Bradley, Brian Campbell, Vladimir Dzhuvinov, Torsten Lodderstedt, Nat Sakimura, Hannes Tschofenig were all there and contributed generously to the discussion. Thank you!!!
>> Note: if you were at OSW2019, participated in the discussion and didn't get credited in the draft, my apologies: please send me a note and I'll make things right at the next update.
>> - On my flight back I did my best to incorporate all the ideas and feedback in a draft, which will be discussed at IETF104 tomorrow. Rifaat, Hannes and above all Brian were all super helpful in negotiating the mysterious syntax of the RFC format and submission process.
>>
>> I was blown away by the availability, involvement and willingness to invest time to get things right that everyone demonstrated in the process. This is an amazing community.
>> V.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> hans.zandbelt@zmartzone.eu
> ZmartZone IAM - www.zmartzone.eu
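To make the "sub" question concrete, here is an added example of how a resource server might consume such a token. It is not code from the draft, nor from any of the products or people named in this thread. It assumes HS256 with a shared key purely to stay self-contained (a real authorization server would publish an asymmetric key), the claim names discussed above ("iss", "aud", "exp", "client_id", "sub", "preferred_username"), and that a client-credentials token either omits "sub" or sets it equal to "client_id"; which of those the profile should mandate is exactly what the thread is arguing about.

```python
"""Resource-server handling of a JWT access token whose "sub" may name either
an end user or, under the client credentials grant, the client itself.

Illustration added for the "sub" discussion; not code from the draft or from
any product named in the thread.  Assumptions (not taken from the draft):
- HS256 with a shared key, so the example runs offline,
- claim names iss/aud/exp/sub/client_id/preferred_username,
- a 2-legged token either omits "sub" or sets it equal to "client_id".
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Test helper standing in for the authorization server: HS256-sign a claim set."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


@dataclass(frozen=True)
class Principal:
    kind: str                 # "user" or "client"
    issuer: str
    subject: str              # only unique within issuer: key authz data on (issuer, subject)
    client_id: str
    preferred_username: Optional[str]


def validate_access_token(token: str, key: bytes, expected_iss: str,
                          expected_aud: str, now: Optional[int] = None,
                          skew: int = 60) -> Principal:
    """Verify signature and standard claims, then decide whether the token
    speaks for an end user or for the client acting on its own behalf."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part compact JWS")
    header_b64, body_b64, sig_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never get to choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(body_b64))
    for required in ("iss", "aud", "exp", "client_id"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    if claims["iss"] != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims["aud"]
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this resource server")
    if now >= int(claims["exp"]) + skew:
        raise ValueError("token expired")

    client_id = str(claims["client_id"])
    sub = claims.get("sub")
    # The point under debate: with "sub" absent or equal to "client_id" the caller is
    # the client itself (2-legged); otherwise "sub" names an end user the client acts for.
    if sub is None or sub == client_id:
        return Principal("client", claims["iss"], client_id, client_id, None)
    return Principal("user", claims["iss"], str(sub), client_id,
                     claims.get("preferred_username"))


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    base = {"iss": "https://as.example", "aud": "https://rs.example",
            "exp": int(time.time()) + 300, "client_id": "app-1"}
    for extra in ({"sub": "user-42", "preferred_username": "alice"}, {"sub": "app-1"}, {}):
        p = validate_access_token(mint_token({**base, **extra}, key), key,
                                  "https://as.example", "https://rs.example")
        print(p.kind, p.subject, p.preferred_username)
```

The classification in the last lines is the weak point, and deliberately so: an authorization server that, as described above, issues a "sub" for the client that differs from its "client_id" would be treated as a user here, which is why a resource server needs the profile to pin these semantics rather than infer them. The principal is also keyed on (issuer, subject): RFC 7519 only guarantees "sub" is unique within the issuer, so a resource server trusting more than one issuer must not use "sub" alone.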