IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

"Richard Backman, Annabelle" <richanna@amazon.com> Tue, 17 December 2019 01:28 UTC

Return-Path: <prvs=247a88a9c=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D09A12095C; Mon, 16 Dec 2019 17:28:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.497
X-Spam-Level:
X-Spam-Status: No, score=-14.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a0lskAzPtfq3; Mon, 16 Dec 2019 17:28:43 -0800 (PST)
Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com [72.21.196.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F28A12090A; Mon, 16 Dec 2019 17:28:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1576546124; x=1608082124; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=AXs2Bruwa+MKBUCCvfLrGOE3eGOc4skKCTGY1WTIJKU=; b=tFP14bUfnBWflhajLygxLeiTJElzWs8tajCuVcUbfw3u1mnSj721TL9D vcst+5waXJ27kq9iZtVsnI2120uwfnlN3pEHmWvOyZj+dJcT1jylDIRiv DD0NgeBZEcghaF2UYLhCNxO5hh4g0deffGETxDPjCzWBH1Wdqus5nEpg7 0=;
IronPort-SDR: PjwYoq4NYyGQZXn8741ATCULaVZG8vuf7R5CBn6BClAusDN48DpZP+CXQc2hd2fdo7EQaYr4JO vuRNZ18h69Bg==
X-IronPort-AV: E=Sophos;i="5.69,323,1571702400"; d="scan'208,217";a="8854407"
Received: from iad6-co-svc-p1-lb1-vlan2.amazon.com (HELO email-inbound-relay-2a-8549039f.us-west-2.amazon.com) ([10.124.125.2]) by smtp-border-fw-out-2101.iad2.amazon.com with ESMTP; 17 Dec 2019 01:28:39 +0000
Received: from EX13MTAUWC001.ant.amazon.com (pdx4-ws-svc-p6-lb7-vlan2.pdx.amazon.com [10.170.41.162]) by email-inbound-relay-2a-8549039f.us-west-2.amazon.com (Postfix) with ESMTPS id 55036A1CB7; Tue, 17 Dec 2019 01:28:38 +0000 (UTC)
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 17 Dec 2019 01:28:37 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC004.ant.amazon.com (10.43.162.101) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Tue, 17 Dec 2019 01:28:37 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Tue, 17 Dec 2019 01:28:37 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, IETF oauth WG <oauth@ietf.org>
CC: "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt
Thread-Index: AQHVtGMkx0ZM11MJ9UuFnmHDKBqGmae9XaMA///YXwA=
Date: Tue, 17 Dec 2019 01:28:37 +0000
Message-ID: <AE9BAC29-50B0-4DAD-B27D-02EC803537A9@amazon.com>
References: <157653653318.24509.15075582637514649078@ietfa.amsl.com> <CAO_FVe4jYtrCiGAFSKQo2UF2WDCu8Yf8ww9_biMoW4TJPQ2Qpw@mail.gmail.com>
In-Reply-To: <CAO_FVe4jYtrCiGAFSKQo2UF2WDCu8Yf8ww9_biMoW4TJPQ2Qpw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.161.205]
Content-Type: multipart/alternative; boundary="_000_AE9BAC2950B04DADB27D02EC803537A9amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vYLQqHYahSyPzvyeBRlYPnf2vs0>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Dec 2019 01:28:46 -0000

1. Regarding AuthenticatedClient:
Does a mobile app that uses Dynamic Client Registration to establish a client secret count as an “authenticated client”? What if that registration included an assertion signed by a trusted entity (e.g., device management software) using a certificate that had been pushed to the device? Without some kind of NIST LoA-style definition of “authenticated”, a single Boolean “AuthenticatedClient” value is too ambiguous to be useful. However, I’m skeptical that we could find consensus on what that definition should be, and it may be better to define client analogs to `acr` and `amr` that provide standard ways of expressing client authentication details without getting prescriptive about what kind of authentication is “good enough.”

2. Regarding authentication session properties:
I’m confused by the definitions given for `auth_time`, `acr`, and `amr`. For `auth_time`, it says:

“…its value will either remain the same for all the JWT access tokens issued within that session or be updated to the time of latest authentication if reauthentication occurred mid-session…”

But the “For example” at the end of that definition implies that `auth_time` will not be updated. The definitions for `acr` and `amr` say the same, but also say that the “…same considerations presented for auth_time apply…” What’s the intention here: are they fixed, updated, or is it up to the deployment to decide?

I’d like to better understand the use case for putting these in the access token. If the RS is making authorization decisions based on these claims, that implies that the RS cannot rely on the AS to determine (e.g., from the requested scope) the required authentication method(s), freshness, etc. If the AS could be relied upon for this, then presumably it would not issue RTs and ATs for a scope without requiring the end user to meet the appropriate authentication requirements. If this is the case, then the RS must have a way to signal to the client (and then the AS) that a step-up authentication is required. Is there an existing mechanism through which they could do this? All I can come up with is cramming the information into the scope attribute of a WWW-Authenticate challenge, but that has the same scope opacity violation problem as described in this draft’s Security Considerations. Without a clear way to express the step-up requirements, this feels incomplete.

3. Regarding access tokens that are used to access different resource servers:
Reading between the lines, I *think* the intention is that a JWT access token that is intended to be used to access two different resources at two different RSes should look something like:

{
"aud": "https://generic-resource-indicator.example.com/",
"scope": "resource_foo resource_bar",
...
}

And the expectation is that each RS should recognize that generic audience. Is this correct? If so it seems to go against the spirit of resource indicators as indicating the target or location of a resource. It’s stretching that definition, at the very least.

But as I said, I’m reading between the lines here. If this is the intention, it should be clearly stated. Alternatively, remove (or change to a SHOULD) the requirement that multi-value `aud` claims must only contain aliases for the same resource indicator.

–
Annabelle Richard Backman
AWS Identity


From: OAuth <oauth-bounces@ietf.org> on behalf of Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Date: Monday, December 16, 2019 at 2:51 PM
To: IETF oauth WG <oauth@ietf.org>
Cc: "i-d-announce@ietf.org" <i-d-announce@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-03.txt

Dear all,
I finally found the time to push a new draft of the JWT profile for ATs. This version incorporates the feedback kindly provided by Brian and Aaron at IETF105.
Unfortunately I didn't have a chance to participate to IETF106, hence we didn't do much progress since then.
There are still two areas we didn't manage to reach consensus on:

1. Mechanisms for signaling whether the AT was obtained by a user or an application

This point was the subject of intense debate on the list leading to IETF105.
One insight that emerged from the IETF105 discussion was that the use case here is more about whether the AT has been obtained via a grant that authenticated the client (regardless of what specific grant was used) vs a public client grant- that information can be relevant to a resource as it determines whether the identity of the client can be used in authorization decisions (in the former case) or not (in the public client case). If that's the scenario we are truly after, a simple, possibly optional boolean claim (say AuthenticatedClient) would suffice.
Note for the people who didn't read the spec: I removed any reference to this already in draft-ietf-oauth-access-token-jwt-01. I think this is an important and useful info and standardizing it would be beneficial for middleware and SDK creators, but ultimately this is an interop profile hence if there's no strong desire to reach an agreement here, I am also OK with dropping the matter and not address this function in the spec.
To summarize, I have two questions here:
A. Do we believe it's worth it to formalize in the profile a mechanism to indicate whether the client th obtained the AT authenticated itself with the AS?
B. If yes, are you OK wiht an optional bool claim here?

2. Claims indicating session properties

This is one area where I am far more passionate about, as it represents a fundamental aspect that production systems (and in particular 1st party solutions) already rely on in the current proprietary JTW ATs.
The profile currently includes the claims auth_time, acr and amr - capturing the values of those properties at the time of the latest authentication the user performed in the session used to issue the current AT: at session creation, at auth step up time and so on.
Those are values that API need in order to make authorization decisions; in the case of 1st party APIs, the AT is the only artifact they ever receive hence there is no other way for an API to determine whether the caller performed say MFA in order to obtain the current AT.
Since the first draft, some people signaled concerns about the current mechanisms thru which those claims get their value. For example, it has been proposed to maintain the original values of auth_time, acr & amr and introduce additional claims to indicate changes (like stepup).
I am not clear on what cold go wrong with the current approach, hence I don't have an immediate grasp of how changes like the above would help.
If the people uncomfortable with the current proposal could detail their concern, we can brainstorm ways to make that info available to API in a safer way. To summarize:
A. Do you have concerns with the current auth_time, arm, acr proposal? Can you spell them out? (please read the relevant parts of the spec before chiming in :))
B. If yes, what can we do to make that info available to RSs in a way that makes you comfortable?


Thanks

V.

On Mon, Dec 16, 2019 at 2:49 PM <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>> wrote:

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
        Author          : Vittorio Bertocci
        Filename        : draft-ietf-oauth-access-token-jwt-03.txt
        Pages           : 16
        Date            : 2019-12-16

Abstract:
   This specification defines a profile for issuing OAuth 2.0 access
   tokens in JSON web token (JWT) format.  Authorization servers and
   resource servers from different vendors can leverage this profile to
   issue and consume access tokens in interoperable manner.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-03
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-access-token-jwt-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org>.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email