[OAUTH-WG] Initial JSON Web Token Best Current Practices Draft

Mike Jones <Michael.Jones@microsoft.com> Sun, 04 June 2017 13:12 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0990129469 for <oauth@ietfa.amsl.com>; Sun, 4 Jun 2017 06:12:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.121
X-Spam-Level:
X-Spam-Status: No, score=-0.121 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KA_EtSBqZNn9 for <oauth@ietfa.amsl.com>; Sun, 4 Jun 2017 06:12:42 -0700 (PDT)
Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0111.outbound.protection.outlook.com [104.47.37.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C89DF129B29 for <oauth@ietf.org>; Sun, 4 Jun 2017 06:12:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=sjTZMSXArsBBH86gWOe+PfUn+NggZxKjcbtxqwpof5c=; b=DSWzzFZBgLIU9qI4Qmvj/WGUkPC6Oo2pXn0kVLDsfsrRYKc+R7wNWf/H07f5Nl7fwu2Bi6fSD2CrBamlRDK6ZcByO7g10SUbWtJkNQO5xe7jo0QjchhBgDBKsyF7zhIoD5lEbWZlpULCh/RpONFuy7R89YNux6GEjX+pefIgQBI=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0471.namprd21.prod.outlook.com (10.172.121.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1178.0; Sun, 4 Jun 2017 13:12:39 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1178.000; Sun, 4 Jun 2017 13:12:38 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Initial JSON Web Token Best Current Practices Draft
Thread-Index: AdLdLiuU8v8bzUlIS+Ocr4mmEw/lEA==
Date: Sun, 4 Jun 2017 13:12:38 +0000
Message-ID: <CY4PR21MB0504E898E2414522D172663BF5F50@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Ref=https://api.informationprotection.azure.com/api/72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetBy=mbj@microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2017-06-04T06:12:36.1315142-07:00; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [50.47.93.167]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0471; 7:Uk2tYyKa9aDaYTtVyrlvRW6zIvdbL4SpS8EOWxaZpDB9tZZBZGqF2rBltthM7tSgZL0xm9ZBkalVEX8vUn8NBbBkrKEd7Z4P1lCyvta6C8LasodIx3NXxWJKaTzksKpqEnELWRE9rXwWT5n3rEwro0pRW8boSv1EuoPuksHYhpqVsvqiFJfRfEl8GwCWb4mywIvvCq5PzC2/BIpc5f2HmRDgVP59MZM4kaMJcmUrnykVWQBDFQNhtoRmoaxLaxFXb+kGGGLVKjy6Si3Dx+mp1pdhk1JELJFFYdFQMOdcbK9kYPyh7ZxR/l1Ee9pwH/TPLLI3dHTiBjW4/0N1IzRJ6okArB0DEopSSCsnemrkyHY=
x-ms-office365-filtering-correlation-id: 3b471776-f1f4-42ae-8c8a-08d4ab4b601d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081); SRVR:CY4PR21MB0471;
x-ms-traffictypediagnostic: CY4PR21MB0471:
x-microsoft-antispam-prvs: <CY4PR21MB0471F6FFC69CCE7D67D967ABF5F50@CY4PR21MB0471.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(20558992708506)(278428928389397)(192374486261705)(31418570063057)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(601004)(2401047)(5005006)(8121501046)(10201501046)(100000703101)(100105400095)(93006095)(93001095)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123555025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123558100)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0471; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0471;
x-forefront-prvs: 03283976A6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39400400002)(39410400002)(39850400002)(39450400003)(39860400002)(39840400002)(209900001)(2501003)(14454004)(5005710100001)(72206003)(5660300001)(74316002)(7736002)(7906003)(790700001)(25786009)(478600001)(10090500001)(10290500003)(53376002)(86362001)(3280700002)(66066001)(6916009)(2906002)(86612001)(7696004)(966005)(8990500004)(38730400002)(110136004)(556974002)(8676002)(81166006)(1730700003)(3660700001)(6506006)(33656002)(8936002)(77096006)(122556002)(54356999)(5640700003)(606005)(2351001)(3846002)(102836003)(50986999)(6436002)(99286003)(55016002)(6306002)(9686003)(54896002)(236005)(5630700001)(2900100001)(53936002)(189998001)(6116002)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0471; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504E898E2414522D172663BF5F50CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Jun 2017 13:12:38.6486 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0471
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/z6TAtefribdtzq7zreTziPlN138>
Subject: [OAUTH-WG] Initial JSON Web Token Best Current Practices Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Jun 2017 13:12:45 -0000

JSON Web Tokens (JWTs) and the JSON Object Signing and Encryption (JOSE) functions underlying them are now being widely used in diverse sets of applications.  During IETF 98 in Chicago<https://ietf.org/meeting/98/>, we discussed reports of people implementing and using JOSE and JWTs insecurely, the causes of these problems, and ways to address them.  Part of this discussion was an invited JOSE/JWT Security Update<https://www.ietf.org/proceedings/98/slides/slides-98-oauth-sessb-jwt-security-update-00.pdf> presentation that I gave to two working groups, which included links to problem reports and describes mitigations.  Citing the widespread use of JWTs in new IETF applications, Security Area Director Kathleen Moriarty suggested during these discussions that a Best Current Practices (BCP) document be written for JSON Web Tokens (JWTs).

I'm happy to report that Yaron Sheffer, Dick Hardt, and myself have produced an initial draft of a JWT BCP.  Its abstract is:
JSON Web Tokens, also known as JWTs [RFC7519<https://tools.ietf.org/html/rfc7519>], are URL-safe JSON-based security tokens that contain a set of claims that can be signed and/or encrypted. JWTs are being widely used and deployed as a simple security token format in numerous protocols and applications, both in the area of digital identity, and in other application areas. The goal of this Best Current Practices document is to provide actionable guidance leading to secure implementation and deployment of JWTs.

In Section 2, we describe threats and vulnerabilities.  In Section 3, we describe best practices addressing those threats and vulnerabilities.  We believe that the best practices in Sections 3.1 through 3.8 are ready to apply today.  Section 3.9 (Use Mutually Exclusive Validation Rules for Different Kinds of JWTs) describes several possible best practices on that topic to serve as a starting point for a discussion on which of them we want to recommend under what circumstances.

We invite input from the OAuth Working Group and other interested parties on what best practices for JSON Web Tokens and the JOSE functions underlying them should be.  We look forward to hearing your thoughts and working on this specification together.

The specification is available at:

  *   https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-00

An HTML-formatted version is also available at:

  *   http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-00.html

                                                       -- Mike

P.S. This notice was also posted at http://self-issued.info/?p=1690 and as @selfissued<https://twitter.com/selfissued>.