IETF Logo Mail Archive

Re: [OAUTH-WG] Standardising JWT access token type determination

Warren Parad <wparad@rhosys.ch> Wed, 17 January 2024 07:58 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EC65C14F714 for <oauth@ietfa.amsl.com>; Tue, 16 Jan 2024 23:58:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9njhLUNV2TAj for <oauth@ietfa.amsl.com>; Tue, 16 Jan 2024 23:58:06 -0800 (PST)
Received: from mail-ej1-x630.google.com (mail-ej1-x630.google.com [IPv6:2a00:1450:4864:20::630]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E894C14F713 for <oauth@ietf.org>; Tue, 16 Jan 2024 23:58:05 -0800 (PST)
Received: by mail-ej1-x630.google.com with SMTP id a640c23a62f3a-a2eb3f55e8bso14133766b.0 for <oauth@ietf.org>; Tue, 16 Jan 2024 23:58:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; t=1705478283; x=1706083083; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=l2QRKCFHu1NgHvqX4GU/2JHpXAF0W/2pMKXsBVG6Ikg=; b=gUNQ3226GYNy4yQSSSQugRDHCfsvAcreEcUDkevSiXQpPGY1zqLAqeXGNaWxODSLON Y9rGFBSEamYDniLEIlRohn5K6zCG2rmeHPZfUI8VjQ2U6DQM6jKrXYKCi262cgNfEy7N dtrlTj2xTPyzoSZxLYtABVmQEZKLLenK6qXXgdEo0jv4HtefwA5v8WxZ/knTpFYBL+vx Jp8HUg3sSJ59Hggz4bWTtN0hZJShe2htdn0kYj1cOFg5RZp1huw+fmLWR/FO54AxG/a7 9pGNbp4LQTLtt9JQXBl5d8nn82iuDPZjcPgvc4F0ho1t+F8aIEbg2W0INORIjByEQLBr 7/kg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705478283; x=1706083083; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=l2QRKCFHu1NgHvqX4GU/2JHpXAF0W/2pMKXsBVG6Ikg=; b=LzPQ9eysVhV9hJ+kOykk2uK3ac1QrEsZVs1uKwpN4bWGzQ+rnZDlxnIlB758akbi9i U5pA35MrIyLX9qAd6VLFepkG3oqA9g75+D5gz1s4ytZ4BGh/gAs5k1hBnyQXcjai8yi/ VvR69fPfXPSdOFc+6Wfru1MtJUsjjGpmURwg8ioz+pqEf6pSrPE7JjhuaYL3vTkzPyup HjXGyjn5KRiRUnZl/DF3fTcLTcrpEIiijLTa8bCL4STvB8Qzsuj+inf9CbQUZjmBDX+U SsWh5jZ3EvvKsJzJVl+a9wrb8WwmLR3FX2ML4jqKzTHjOuFHHKPalUMUePFJbxXNGVmY apGQ==
X-Gm-Message-State: AOJu0YwBYrIHrH9oPR+1dNNXGwbARdC8277LGk5wzNDt67kQTvXBtkU0 mBgtsyMtUBqF3rSCGjS1JwAWUhBiIUpRL1/Cm2QINlHByDhsQ/RzzhZymaLU1g==
X-Google-Smtp-Source: AGHT+IFUEryUgr/MGgHEKq6pRWcyezKElRSWy0TbbdM4U63RFJSgU1sTAwtrP7Pd38gvjpLCA4zT6845CYrbEhctQgA=
X-Received: by 2002:a17:906:e24f:b0:a2e:9ff8:218d with SMTP id gq15-20020a170906e24f00b00a2e9ff8218dmr1727375ejb.3.1705478282649; Tue, 16 Jan 2024 23:58:02 -0800 (PST)
MIME-Version: 1.0
References: <CADo1+pUHvk6uK0pveDKbfxFDwDBkvmFbUEb=n_1pAsFfJ37Gmw@mail.gmail.com> <CAFfym_cZFPDX6w0SyNJVUXS53E80mFc9dTz8KaRr=c1JQMq5zg@mail.gmail.com> <CADo1+pVCaCRW+y7tEkxBrbtWYnZEkGyooWDE8xSuxmDf3ursEg@mail.gmail.com>
In-Reply-To: <CADo1+pVCaCRW+y7tEkxBrbtWYnZEkGyooWDE8xSuxmDf3ursEg@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 17 Jan 2024 08:57:51 +0100
Message-ID: <CAJot-L1Syx+CrjsHHT1LeydjYex+2F8ru=pDWcjda8J8S4FxyA@mail.gmail.com>
To: Akila Amarasinghe <akilaa=40wso2.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>, openid-gain-poc@lists.openid.net, Lalaji Sureshika <lalaji@wso2.com>
Content-Type: multipart/related; boundary="000000000000363856060f1f9bf6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yMWpMHWtKizkah1663YTTZlgmJc>
Subject: Re: [OAUTH-WG] Standardising JWT access token type determination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 07:58:10 -0000

> I'm afraid that claim is specific to OIDC

Where exactly do you see that?

On Wed, Jan 17, 2024, 05:12 Akila Amarasinghe <akilaa=
40wso2.com@dmarc.ietf.org> wrote:

> Hi Warren and all,
>
> I believe this will get you exactly what you are looking for,
>
> I did some digging into the "acr" claim you mentioned in your last email.
> I'm afraid that claim is specific to OIDC. Open Banking and Identity
> providers may not use OIDC always. For my requirement, there should be a
> way to distinguish the token type for both OIDC and non-OIDC providers. Is
> there any other way that supports both of the above scenarios?
>
>
>
>> without attempting to utilize existing claims in a way that wasn't
>> intended. While I definitely wouldn't recommend putting the *grant-type* in
>> the property, but rather the *depth of security that the grant-type
>> represents*, you are of course free to interpret the spec how you wish.
>>
> Regarding #2 (Adding a custom claim to the access token), let me *correct*
> what I mentioned in the first email. *The custom claim won't contain the
> grant type itself in plain text*. It will contain some sort of string
> pre-defined by the authorization server which is determined based on the
> grant type. For instance, if the token request is with the "authorization
> code" grant type, the claim will contain something like "APPLICATION_USER".
> And if the grant type of the token request is "client credentials", the
> claim will contain the value "APPLICATION".  So we can use this claim to
> distinguish the token type.
>
> Is the above recommended by the authors of IETF?
>
> Thanks,
> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
> (M)+94719799034 *| *(E)akilaa@wso2.com
> (B) medium.com/@akilaamarasinghe
>
> <http://wso2.com/signature>
>
>
> On Fri, Jan 12, 2024 at 3:49 PM Danuta Kusik-Wieland <
> kusikdanuta@gmail.com> wrote:
>
>> Witam.Nie jestem informatykiem.Prubowałam stworzyć witrynę niestety jest
>> problem z tolkenem.Wiem o tym ale nie wiem jak to zmienić.Jeżeli masz dobry
>> pomysł proszę napraw to bo ja nie potrafię.Pozdrawiam Danuta Kusik-Wieland
>>
>> pt., 12 sty 2024, 09:48 użytkownik Akila Amarasinghe <akilaa=
>> 40wso2.com@dmarc.ietf.org> napisał:
>>
>>> Hi all,
>>>
>>> I am researching a standard way to distinguish the token grant type
>>> (client credentials of authorization code) by inspecting the content of the
>>> self-contained JWT token.
>>>
>>> I expect to build a discussion within the Oauth/OpenID community around
>>> the need to identify the grant type in which a JWT access token is issued.
>>>
>>> In the context of Open Banking, regulators around the world enforce the
>>> API resource access validation specifying which type of access token should
>>> be used to access the API resources. This is becoming a general enforcement
>>> and the Open Banking solution providers are searching for a standard way to
>>> distinguish the access token type by checking the content of the JWT token.
>>>
>>> I researched this and please find my findings below,
>>>
>>> 1. *"sub" claim is a potential way to distinguish the token type*
>>>
>>> In rfc9068 <https://datatracker.ietf.org/doc/html/rfc9068> specification,
>>> it is mentioned that the "sub" claim should contain the client ID of the
>>> authorization server if the resource owner is not involved during
>>> authorization (see the screenshot below).
>>>
>>> [image: Screenshot 2024-01-12 at 12.15.42 PM.png]
>>>
>>> We had discussions about using this claim to validate the token type
>>> (auth code or client credentials), but it seems this is not a standard way
>>> to do this since there can be client impersonation attacks. However, it is
>>> very rare for an actual authorization code access token to have the same
>>> client ID in the "sub" claim as the client exists in the authorization
>>> server.
>>>
>>> 2. *Add a custom claim to the access token*
>>> Another option is to add a custom claim to determine the token type.
>>> This will be set after determining the grant type of the token request and
>>> will be contained in the JWT access token when issued by the authorization
>>> server. This is a reliable way to identify the token type because the
>>> authorization server determines the grant type by inspecting the request
>>> sent into it. Therefore, making it more reliable. This custom claim will
>>> contain from which grant type the access token is obtained.
>>>
>>> 3. *Validating the "azp" claim in the token*
>>> This is not applicable generally because this claim is optional and is
>>> only used in OpenID connect. The applications that don't use ID tokens
>>> cannot use this claim.
>>>
>>> We seek the help of the OAuth/OpenID community to build up a discussion
>>> on this and find a standard way to do the token type determination using
>>> the JWT token. It could be one of the above scenarios.
>>>
>>> The feedback from the Oauth/OpenID community is highly appreciated.
>>>
>>> Thanks,
>>> *Akila Amarasinghe **| **Software Engineer | WSO2 LLC*
>>> (M)+94719799034 *| *(E)akilaa@wso2.com
>>> (B) medium.com/@akilaamarasinghe
>>>
>>> <http://wso2.com/signature>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>

v2.46.0 | Report a Bug | By Email | System Status