Re: [secdir] Secdir Review of draft-ietf-oauth-jwt-bearer-10

Mike Jones <> Mon, 06 October 2014 07:55 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 468141A1B81; Mon, 6 Oct 2014 00:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id nD6I3F_PUvLu; Mon, 6 Oct 2014 00:55:22 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::1:732]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A59121A1B7E; Mon, 6 Oct 2014 00:55:21 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1044.10; Mon, 6 Oct 2014 07:54:57 +0000
Received: from (2a01:111:f400:7c10::114) by (2a01:111:e400:1414::33) with Microsoft SMTP Server (TLS) id 15.0.1044.10 via Frontend Transport; Mon, 6 Oct 2014 07:54:57 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1039.16 via Frontend Transport; Mon, 6 Oct 2014 07:54:56 +0000
Received: from ([]) by ([]) with mapi id 14.03.0210.003; Mon, 6 Oct 2014 07:54:24 +0000
From: Mike Jones <>
To: Radia Perlman <>, "" <>, The IESG <>, "" <>
Thread-Topic: Secdir Review of draft-ietf-oauth-jwt-bearer-10
Thread-Index: AQHP3D+wgXfaR8YiJ0mShlpRYjLXaJwijqng
Date: Mon, 06 Oct 2014 07:54:24 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(6009001)(438002)(51704005)(43784003)(199003)(377454003)(189002)(85806002)(2656002)(87936001)(20776003)(85852003)(33656002)(86362001)(26826002)(21056001)(23676002)(31966008)(95666004)(104016003)(55846006)(86612001)(85306004)(107046002)(66066001)(4396001)(19580405001)(69596002)(50986999)(46102003)(44976005)(68736004)(80022003)(120916001)(76482002)(99396003)(84676001)(47776003)(2501002)(92726001)(64706001)(76176999)(10300001)(6806004)(106116001)(92566001)(97736003)(50466002)(77096002)(106466001)(230783001)(54356999)(81156004)(19580395003); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1204;; FPR:; MLV:ovrnspm; PTR:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BN3PR0301MB1204;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 03569407CC
Received-SPF: Pass ( domain of designates as permitted sender); client-ip=;;
Authentication-Results: spf=pass (sender IP is;
Cc: "" <>
Subject: Re: [secdir] Secdir Review of draft-ietf-oauth-jwt-bearer-10
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 06 Oct 2014 07:55:24 -0000

Thanks for your review, Radia.  I've added the working group to the thread so that they're aware of your comments.

> From: Radia Perlman [] 
> Sent: Monday, September 29, 2014 4:46 PM
> To:; The IESG;
> Subject: Secdir Review of draft-ietf-oauth-jwt-bearer-10
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> This document is one of a set of documents specifying how to use JSON formatted OAuth bearer tokens in the context of HTTP requests.
> It specifies two contexts in which these JSON tokens can be used: as Authorization Grants or for Client Authentication. It specifies the to-be-IANA-registered parameters used to specify that the type of token presented is a JSON token (within the HTTP header). It also specifies the checks to be done to validate that the JSON token is valid (though I would expect this information would also be specified in the JSON token specification itself).

You're right that some of the validation rules are in draft-ietf-oauth-json-web-token, which defines the basic JWT token format, however this specification adds some additional validation rules because it requires that some fields be present that are optional in the JWT spec, and it specifies that they be used in a particular way.

> There are security considerations and privacy considerations sections, but they are very light.  That is because it refers to draft-ietf-oauth-assertions-17, which has a more complete security considerations section.  I guess it's appropriate to have more detailed security considerations there, since all this specification adds is some labels.  

Yes, this was the intent.  Most of the security considerations are independent of the token type.

> Would it make sense to merge this document with the other specs, rather than having this be so redundant with the others?

No, because while there's semantic commonality, the syntax of the SAML profile and the JWT profile are different.  Merging them would make it much harder to read because it would be full of conditionals depending upon which token format was being described.

> Some details:
> On page 3 para 2, it says “The format and processing rules for the JWT defined in this specification are intentionally similar, though not identical, to those in the closely related SAML 2.0 Profile for OAuth.” It would be good if they specified what the differences are, and why they couldn't be identical.

That's a fair point.  I'll look into this with the other editors and the working group.  The following comments in the JWT profile spec record SAML features used for which no equivalent JWT feature exists.  This might be good material to put into an appendix.

  <!-- No equivalent to SubjectConfirmation Method "urn:oasis:names:tc:SAML:2.0:cm:bearer at present -->
  <!-- No equivalent to SubjectConfirmationData Recipient at present -->
  <!-- No equivalent to SubjectConfirmationData Address at present -->
  <!-- No equivalent to AuthnStatement at present -->

> Some background guidance on when you would want to use a token for client authentication vs. when you would want to use one for an authorization grant would be useful. In practice, the distinction between the two is subtle. It is common for a token to contain the caller’s identity as well as group memberships and perhaps roles. I suspect the reality is that the client has to figure out which protocol slot the server wants to get the token in and provide it there, where service designers make the decision more or less arbitrarily.

This guidance really belongs in the generic assertions specification draft-ietf-oauth-assertions.  I'll plan on reviewing that spec with the other editors and the working group to see whether the guidance provided there needs to be improved.

> Page 6 item 4: “The authorization server MAY reject JWTs with an “expiration” claim that is unreasonably far in the future.” This is saying that the validator of the token might choose to reject tokens that are long lived. It’s not clear what the user of this spec can do with this information. It calls for some out-of-band communication between the token issuer and the token validator on what is an acceptable expiration period. Unless the protocol has some way of reporting this back so that the caller can get a shorter-lived token, it seems like a fragile design.

What you write is true, but it' also a consequence of the fact that applications are free to impose additional requirements on the usage of this specification, provided their usage is still conforming.  I believe that the text above should be modified to begin "Note that ..." to make it clear that this is informative, and not normative text.

> Radia

				Thanks again,
				-- Mike