[OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

Discussion:

Mike Jones

2017-07-04 19:43:51 UTC

The JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs. This is accomplished by including an explicit type for the JWT in the "typ" header parameter. For instance, the Security Event Token (SET) specification<http://self-issued.info/?p=1709> now uses the "application/secevent+jwt" content type to explicitly type SETs.

The specification is available at:

* https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01

An HTML-formatted version is also available at:

* http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html

-- Mike

P.S. This notice was also posted at http://self-issued.info/?p=1714 and as @selfissued<https://twitter.com/selfissued>.

Phil Hunt (IDM)

2017-07-04 19:58:05 UTC

Permalink

+1

Thanks Mike.

Phil

The JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs. This is accomplished by including an explicit type for the JWT in the âtypâ header parameter. For instance, the Security Event Token (SET) specification now uses the âapplication/secevent+jwtâ content type to explicitly type SETs.
https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
-- Mike
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth

Brian Campbell

2017-07-17 09:53:06 UTC

Permalink

Could some more guidance be provided around how to use the explicit typing
with nested JWTs?

I'd imagine that the "typ" header should be in the header of the JWT that
is integrity protected by the issuer?

Post by Phil Hunt (IDM)
+1
Thanks Mike.
Phil
The JWT BCP draft has been updated to describe the use of explicit typing
of JWTs as one of the ways to prevent confusion among different kinds of
JWTs. This is accomplished by including an explicit type for the JWT in
the âtypâ header parameter. For instance, the Security Event Token (SET)
specification <http://self-issued.info/?p=1709> now uses the â
application/secevent+jwtâ content type to explicitly type SETs.
- https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
- http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
-- Mike
P.S. This notice was also posted at http://self-issued.info/?p=1714 and
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth

--
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited. If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you.*

Mike Jones

2017-07-17 09:55:18 UTC

Permalink

Good point. Iâd had that thought as well at one point but failed to express it in the draft. Will do.

-- Mike

From: Brian Campbell [mailto:***@pingidentity.com]
Sent: Monday, July 17, 2017 11:53 AM
To: Phil Hunt (IDM) <***@oracle.com>
Cc: Mike Jones <***@microsoft.com>; ***@ietf.org
Subject: Re: [OAUTH-WG] JSON Web Token Best Current Practices draft describing Explicit Typing

Could some more guidance be provided around how to use the explicit typing with nested JWTs?
I'd imagine that the "typ" header should be in the header of the JWT that is integrity protected by the issuer?

On Tue, Jul 4, 2017 at 9:58 PM, Phil Hunt (IDM) <***@oracle.com<mailto:***@oracle.com>> wrote:
+1

Thanks Mike.

Phil

On Jul 4, 2017, at 12:43 PM, Mike Jones <***@microsoft.com<mailto:***@microsoft.com>> wrote:
The JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs. This is accomplished by including an explicit type for the JWT in the âtypâ header parameter. For instance, the Security Event Token (SET) specification<http://self-issued.info/?p=1709> now uses the âapplication/secevent+jwtâ content type to explicitly type SETs.

The specification is available at:

* https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01

An HTML-formatted version is also available at:

* http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html

-- Mike

P.S. This notice was also posted at http://self-issued.info/?p=1714 and as @selfissued<https://twitter.com/selfissued>.
_______________________________________________
OAuth mailing list
***@ietf.org<mailto:***@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
***@ietf.org<mailto:***@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

Justin Richer

2017-07-18 16:33:54 UTC

Permalink

Mike et al,

Overall, this document has some really great advice for people who have chosen to use JWT in various situations. Itâs a needed draft and Iâd like to see it go forward. I have some suggestions on how it can be improved.

In this draft, Iâd like to see some more discussion about privacy and security issues around choosing JWTs to begin with. Namely, putting things like subject identifiers and scope/permission information into the JWT structure could potentially leak information about the end user to the client, if the JWT isnât encrypted, and to multiple RSâs, if the JWT is encrypted with a shared key. It basically amounts to âanyone who can read the JWT can see whatâs in itâ, which on the one hand is obvious, but on the other hand itâs not always considered by implementers. Since the audience of an access token JWT is the RS and not the client, and the token is opaque to the client, itâs easy to assume that the client *wonât* read the token. However, that doesnât mean that it *canât* read the token. Itâs a tradeoff in design space with other solutions.

Iâd also like to see a discussion on expiration and revocation of self-contained JWT access tokens. Again, this is targeting the decision space of whether or not a self-contained token is an appropriate solution in the first place. If Iâm issuing JWTs that are completely self-contained, I canât revoke them once theyâre on the wire. Yes, thatâs an acceptable risk to many and thatâs fine â but I would like this document to encourage that thought and discussion.

Thanks,
â Justin

The JWT BCP draft has been updated to describe the use of explicit typing of JWTs as one of the ways to prevent confusion among different kinds of JWTs. This is accomplished by including an explicit type for the JWT in the âtypâ header parameter. For instance, the Security Event Token (SET) specification <http://self-issued.info/?p=1709> now uses the âapplication/secevent+jwtâ content type to explicitly type SETs.
https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01 <https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01>
http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html <http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html>
-- Mike
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>

Dick Hardt

2017-07-19 10:52:55 UTC

Permalink

Thanks for the feedback Justin. Do you have any specific wording?

Post by Justin Richer
Mike et al,
Overall, this document has some really great advice for people who have
chosen to use JWT in various situations. Itâs a needed draft and Iâd like
to see it go forward. I have some suggestions on how it can be improved.
In this draft, Iâd like to see some more discussion about privacy and
security issues around choosing JWTs to begin with. Namely, putting things
like subject identifiers and scope/permission information into the JWT
structure could potentially leak information about the end user to the
client, if the JWT isnât encrypted, and to multiple RSâs, if the JWT is
encrypted with a shared key. It basically amounts to âanyone who can read
the JWT can see whatâs in itâ, which on the one hand is obvious, but on the
other hand itâs not always considered by implementers. Since the audience
of an access token JWT is the RS and not the client, and the token is
opaque to the client, itâs easy to assume that the client *wonât* read the
token. However, that doesnât mean that it *canât* read the token. Itâs a
tradeoff in design space with other solutions.
Iâd also like to see a discussion on expiration and revocation of
self-contained JWT access tokens. Again, this is targeting the decision
space of whether or not a self-contained token is an appropriate solution
in the first place. If Iâm issuing JWTs that are completely self-contained,
I canât revoke them once theyâre on the wire. Yes, thatâs an acceptable
risk to many and thatâs fine â but I would like this document to encourage
that thought and discussion.
Thanks,
â Justin
The JWT BCP draft has been updated to describe the use of explicit typing
of JWTs as one of the ways to prevent confusion among different kinds of
JWTs. This is accomplished by including an explicit type for the JWT in
the âtypâ header parameter. For instance, the Security Event Token (SET)
specification <http://self-issued.info/?p=1709> now uses the â
application/secevent+jwtâ content type to explicitly type SETs.
- https://tools.ietf.org/html/draft-sheffer-oauth-jwt-bcp-01
- http://self-issued.info/docs/draft-sheffer-oauth-jwt-bcp-01.html
-- Mike
P.S. This notice was also posted at http://self-issued.info/?p=1714 and
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth

--
Subscribe to the HARDTWARE <http://hardtware.com/> mail list to learn about
projects I am working on!