Presentation is loading. Please wait.

Presentation is loading. Please wait.

JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens-02

Published byBambang Sumadi Modified over 4 years ago

Similar presentations

Presentation on theme: "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens-02"— Presentation transcript:

1 JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens-02
Vittorio Bertocci IETF 105 July the 26th

2 Agenda JWT profile for OAuth Access Tokens recap
Changes and open issues

3 Recap

4 Why a JWT profile for OAuth2 ATs?
Most providers already issue ATs as JWTs The tokens contain ~ the same entities, but different syntax No guidance led/leads to questionable choices Common antipattern: clients sending their idtoken to APIs

5 JWT profile for AT in a nutshell
A claims layout for the entities most commonly included in existing JWT ATs Clear relationship between resource references, scopes and token content Token validation guidance Detailed security and privacy considerations Previous presentations on the topic: OSW _a_jwt_profile_for_ats.pptx IETF104 jwt-profile-for-access-token-00

6 JWT Access Token Layout - Minimal
Smallest possible JWT AT when scopes are requested {"typ":"at+jwt","alg":"RS256","kid":"RjEwOwOA"} { "iss": " "sub": " 5ba552d67", "aud": " "exp": , "client_id": "s6BhdRkqt3_", "scope": "read send " }

7 Changes and open issues

8 00->01/2 main changes Changed definitions source for iss, exp, aud, sub, iat (OIDC->7519) Added introspection as source of claim types, explicit reference to arbitrary attributes Expended privacy sections Added reminder that clients should not peek into ATs IANA registration template for at+JWT, SCIM claims Auth_time updates Removed note on subject type Removed note on federated IdPs

9 Discussion Distinguishing between user and app tokens
Auth_time behavior Authenticated encryption

10 Distinguishing between user and app ATs
Approached discussed No sub for app tokens Have a “grant_type” claim [sub == client_id] => app token “subject_type” claim

11 Auth_time (amr, acr) Doubts about complexity, ambiguity

12 Authenticated encryption
Should we recommend it despite the current specs being only symmetric?

13 Appendix

14 JWT Access token layout
claim name original definition function iss REQUIRED 7519 validation exp aud iat OPTIONAL auth_time OpenID.Core sub identity <identity claims> OpenID.Core, Introspection, etc scope when scope is present in the request, REQUIRED token exchange authorization groups, roles, entitlements SCIM Core 7643 client_id context jti acr, amr

15 Requesting JWT Access Tokens
Any existing grant returning an access token can return a JWT access token If a request contains resource, its value must be reflected in aud No multi-value resource admitted in reqs for JWT access tokens (scope confusion) Without resource in the req, the authorization server either Infers the resource indicator from scope and assign it to aud All scope strings must refer to the same resource Or assigns a default value If a request contains scope, the resulting JWT access token must feature a scope claim Whether to include identity claims, non-delegation claims or custom claims is an agreement between authorization server and resource server The client has no say on the matter

16 roles, groups, entitlements
Claims idtoken Auth0 Azure AD PingIdentity IdentityServer AWS OKTA Profile Validation iss aud exp iat nonce auth_time nbf jti [aud] iad Identity sub lots <any> name preferred_username oid ipaddr unique_name uid [sub] username cid Authorization N/A scope roles scp groups memberOf roles, groups, entitlements Context/misc azp acr amr gty aio app_displayname appid idp tid uti ver xms_tcdt --- azpacr idpid client_id token_use Idtoken validation:

Download ppt "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens-02"

Similar presentations

Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;

© 2014 The MITRE Corporation. All rights reserved. Mark Russell OAuth and OpenID Connect Risks and Vulnerabilities 12/3/2014 Approved for Public Release;
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.

Using XACML Policies to Express OAuth Scope Hal Lockhart Oracle June 27, 2013.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Today, global enterprises run on Windows Server Active Directory 90% of US enterprises and 70% of international corporations use Active Directory.

Today, global enterprises run on Windows Server Active Directory 90% of US enterprises and 70% of international corporations use Active Directory.
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten

OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control Maarten
OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
Survey of Identity Repository Security Models JSR 351, Sep 2012.

Survey of Identity Repository Security Models JSR 351, Sep 2012.
Key Management with the Voltage Data Protection Server Luther Martin IEEE P1619.3 May 7, 2007.

Key Management with the Voltage Data Protection Server Luther Martin IEEE P May 7, 2007.
IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.

IT Unity Webinar Series September 2015 Using Azure Active Directory to Secure Your Apps.
The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.

The Internet Identity Layer OpenID Connect Update for HIT Standards Committee’s Privacy and Security Workgroup Wednesday, March 12th from 10:00-2:45 PM.
Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.

Workgroup Discussion on RESTful Application Programming Interface (API) Security Transport & Security Standards Workgroup January 12, 2014.
(Azure+O365) Identity Presenter Name Position or role Microsoft Azure.

(Azure+O365) Identity Presenter Name Position or role Microsoft Azure.
Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Paul Andrew. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

Similar presentations

Ads by Google