Notetakers:
Reykjavik Iceland
Feb 26-28 2025
https://oauth.secworkshop.events/osw2025
Waiting for shepherd writeups on browser-based and cross-device apps
PR metadata in RFC Editor's Queue
https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
problem: enable the issuer of a token to communicate dynamic status for
longer lived tokens
similar to CRL, but more scalable and aimed at tokens
has been tested and interopped, various implementations
Security/privacy considerations notably updated since last IETF
big changes since last time:
Justin: Architecturally cleaner to seperate content/delivery format.
Probably fine to drop unsigned option. But do add security
considerations that it's expected to be in a secured container.
Aaron: My use case doesn't require a signed JWT but I'm not planning on
using it immediately; would be good to be able to expand it to these use
cases later
Brian: suggestion to keep unsigned option was to keep only the unsigned
option; if signed is needed then simplify to just signed
Hannes (chair hat off): Do we really need JOSE and CBOR? Wouldn't it be
simpler to have just one.
- paul: people are looking to use this in existing ecosystems that are
already based on JOSE/COSE; want to avoid bringing in more dependencies
Brian: why don't ISO/mDL define their own mechanisms?
- Hannes: we can't answer that
- Tobias: ISO already relies on IETF documents already, COSE is the
base of mDOC
Joseph: there's a lot of developers that have to develop across ISO mDL
and SD-JWT, it simplifies to keep things aligned
Hannes: Task for the chairs to reach out to ISO -- no we don't want to
do that
Brian: There's already an entire fork of things that are different. I
can see we're gonna keep it but it's odd
Tobias: mDOC is just as general purpose as SD-JWT, not just driving
licenses
Tony: we (ISO) did look at using other things, but this work was natural
to use
Justin: It's fine for a RFC to update an existing registry to add new
columns, just have to be approved by relevant experts. There are some
general purposes registries for hash algs etc already, would be better
to reuse rather than reinvent, having a lot of overlapping registries is
confusing / results in slightly dight be pmaren urevalues.
Hannes: do we want to add options? last slide we were removing options
for simplicity
Brian: building out options to support extensibility in this structure
seems like a bad idea, particularly you have a construct of making this
whole thing extensible at another layer. Don't do it.
Paul: the whole idea is that compression is really important. Compared
to CRL we include every issued credential. more about having "none" as
compression alg. Mifferent optimizations
joseph: problem with single nonce point is the same semantics for all
the nonces, shouldn't use the same thing for everything in oauth
hannes: and we aren't going to change dpop, it's in the past
pieter: not about expense, it's a risk decision and willing to pay the
price
hannes: also issue of who creates the signature. in dpop it's software,
in this it is very low level hardware
Justin: nonces exist in context, another disadvantage of a single nonce
endpoint is you lose that context. Specific protocol/crypto
mechanism/particular exchange. Yes, we're reinventing, but the context
gives the nonce a purpose/use.
hannes: will find a time slot, beginning of december
get attestation from backend to present with client frontend
changes since last ietf:
key attestation vs. client attestation
nonce fetching:
dpop optimization:
george: can we just have a common nonce solution?
paul: nonce endpoint was proposed here but rejected
george: it seems like we're leveraging nonce a lot to address
time/freshness aspects; having a generic way to do this would be good
instead of tweaking it every time
christian: it's reoccuring but there are different optimizations
joseph: problem with single nonce point is the same semantics for all
the nonces, shouldn't use the same thing for everything in oauth
hannes: and we aren't going to change dpop, it's in the past
pieter: not about expense, it's a risk decision and willing to pay the
price
hannes: also issue of who creates the signature. in dpop it's software,
in this it is very low level hardware
Justin: nonces exist in context, another disadvantage of a single nonce
endpoint is you lose that context. Specific protocol/crypto
mechanism/particular exchange. Yes, we're reinventing, but the context
gives the nonce a purpose/use.
hannes: sounds like we need to work more on this
goal is to look at transactions w/in multi-workload environment as a
whole instead of series of api invocations
updates from last time
discovery
hannes: what would be input to discovery?
george: that's a good question, i don't know how you'd do that without
binding it into some other document that's already known
arndt: ability to find correct transaction token server, do you imagine
that for the gateway or all the way through the domain?
george: it's relatively easy to define in some circumstances, but there
is an issue here; have come up with three likely models
1) embedded in AS or gateway
2) truly centralized, logical single entity, externalized from AS or
gateway
3) distributed set of services that form a logical single unit
hannes: should this be asked in WIMSE?
justin: drop a note to the WIMSE list
dean: related to token translation, bring the conversation there
joe: we want to update and include more on transaction and context.
quesiton on 3rd mechanism, would you see all distributed services as
equivalent?
george: generally thinking they're equivalent, it's a performance
mechanism. at the end of the day, transaction token service is
performing an authorization: can this client do something on this
transaction. if they perform slightly different functions, creates
question of whether they're different services. spec says there's one
logical service per trust domain. would that change?
batch processing:
we don't have atomic transactions
batch processes are different from the core use cases
hannes: have you looked at kerberos mechanism for dealing with
long-running batch jobs?
Yaron: this is even more of a WIMSE question. very much in the context
of how workloads are authenticated and authorized, suggest going to
WIMSE list. let's not have transaction tokens as access tokens, keep
them as context, but we need to have that discussion.
arndt: also to keep it out of scope. transaction tokens can be safely
forwarded, batch job means "allow-*", anything in the chain can act on
behalf of user
george: agree with concerns, would lean more towards special token. It's
weird for transaction token service to issue something that's not a
transaction token.
RAR:
Justin: authorization details lives at the top level of the transaction
token
George: what does top level mean?
Justin: I meant where George had said. But claim name & internal syntax
should come straight from RAR. Additional things transaction spec
defines for context adds valuable things RAR isn't talking about and
have them both along aside each other semantically makes sense.
George: If authz request came with RAR environment, and AS issues token
in context of RAR objects, in some cases RAR is in the access token and
can just be copied into transaction token. Exactly how we do that
depends on best practice, we don't have that kind of guidance for scopes
either.
Hannes: Does RAR syntax give a rich enough capability or do we need more
powerful policy languages like discussed at previous IETF.
Justin: If there's a place we can decide where policy languages fit
inside, we define a claim/place for it and transaction tokens can use
it.
no ID to present, goal is to figure out if there should be one
AS discovery always sends the same thing back
can be expanded via registry, always say "if omitted, default is..."
metadata chances CAN break existing integrations
AS metadata does not support migration
AS server metadata with a client hint
does not replace or deprecate RFC8414
some servers already accomodate this discovery mechanism, some started
giving errors
Justin: Seems like great idea. Emphasis on "seems". Lesson from past is
failure of webfinger, I wanted it to be real, but in practice getting a
dynamic service up at the root domain of a system (i.e. .well-known at
origin) is very difficult in a lot of systems on a lot of domains. In
practice in many deployments I was involved with web finger ignored all
the parameters & served a static document. It wouldn't hurt to do this
but I don't have high hopes for this really sticking in the system
because of those .well-known constrains.
Filip: So would be useful, but deployment often doesn't accomodate it?
Justin: Yes. Related issue of very strict path mapping to the static
files, something with a ? will often go to a 404. Just a lot of issues
with making this work on the deployment side. There are some
security/privacy consideration, but conceptually I don't see problems
but deployment I do.
Filip: Will that stop us defining the mechanism?
Justin: WG has great history of defining things that don't get deployed.
Web finger was fabulous and solved a key need but never took off. We can
still define it but we can't make people use it. We need to go in with
our eyes open, maybe we can't avoid them, maybe we can do better this
time.
Aaron: Agree with most of what Justin says. deployment issues around top
level domain can be challenging. In the scenarios where this is needed
the top level domain is under control of oauth anyway. For a sub-domain
under control of particular customer this is okay and works. As long as
it's not required it's probably fine. If this was required for
everything it'd be a problem but this is just an upgrade for certain
thing. Privacy issues similar to those being discussed in FedCM, but
probably this won't be used with FedCM.
Filip: Our discovery endpoint isn't being used with FedCM
Aaron: Yes, but there is an endpoint where FedCM fetches metadata, but
it's done without the cookie. In general a good idea and useful.
Arndt: dont' think we should do this to mitigate misbehaving clients.
it's not going to end and it adds chaos to the system if clients behave
differently. It's good for gradual rollout of changes.
George: dealt with trying to implement webfinger @ aol/aim, agree in
this context that AS often doesn't run at ETLD, usually a separate
domain. There's opportunity for some security principles. Had done
complicated thing between webfinger and UMA, some of those principles
could come back.
Mike Jones: observe that if you're using dynamic client registration,
you have to hit discovery first, there's a chicken and egg problem
Dick: echo conerns about dynamic clients, having recently implemented
activitypub. another approach would be a version, not a query string.
Filip: doesn't work with resolving based on identifier
Notetakers:
91 attendees
https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/
Arndt Gives an overview of the Identity Chaining draft
Kelly describes additional processing rules
Volunteers to review
Hope to do WGLC before next IETF
https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/
Aaron provides overview
George - critical elemant, all trust domains use the same IdP.
Why profile Identity and Authorization Chaining draft
Requested Token Type - defined in this spec
Implementation Status
Dean
George - still relying on client and AS to do its usual
enforcement and follow rules.
Justin - this is very powerful and should be carefull
positioned. Someone may see the machinery and abuse it.
Hannes - build on the chaining draft - will do working group
call for adoption depending on identity chaining draft.
https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/
Overview - mirrors authorization code flow. Leaves a gap for actual
authentication.
Draft has been adopted
Implementation
Hannes - we need reviewers for the draft
Pull request from Tim Cappalli
Dean: Is authentication included in this?
Justin: First 'blue arrow' is PAR. Redirect to web is
indistinguishable from a PAR response.
Aaron - made it more compatible with the PAR endpoint. There is
a reason to not beiong PAR. George - the PAR spec does not allow
for anything other than the redirect URI to be returned.
Aaron, George, Pieter was not comfortable overloading PAR
Justin proposes to update PAR RFC to support this.
Aaron - good next thing to explore. Will open an issue in
the github repo.
https://datatracker.ietf.org/doc/draft-parecki-oauth-client-id-metadata-document/
Neil Jenkins - prefer dynamic client registration. Not as big a
problem as may be suspected.
Filip Skokan RFC 7592 describes how a client can know it has
been registered
Aaron - alternative is to define a URL that acts as the client
ID and also points to all the metadata for the client. Build
management of data into the mechanism.
Implementation with FedCM possible
Mike Jones: Bigger discussion tha what we want athte mic - VC
Presentation just finished work on how to identify clients. They
chose a prefix mechanism. Could fit into federation as well. There
are cross-eco-system considerations
Matthiu Sieben - chose this solution as it solved practical problems
for them.
Filip Skokan - There is differences between how federation and this
porposal works, it may be distinguishable.
George - what's in the dynamic client registration spec is
different from what people are implementing. It's not a prblem
with DCR, doingit from a web client ceates additional
complexities.
Justin - agrees with the concern brought up. A seperate layer of
trust to convey. Came up in both DCR and OpenID Federation. DCR
was built to be extensible with authentication mechanisms.
Raises additional security concrns with URL abuse.
Implementation that exist or are planned.
https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/
Changes since last draft:
Various open issues, most already discussed
We have three meetings, is that still OK with people?
What can we do about it?
Justin: We should consider dividing the work in the working group into
other forums. We've gotten too big. IETF has successfully realigned work
in the past.
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
Working Group Last Call
Looking ahead
https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
You can have a SD-JWT VC without any selectivve disclosure
Expresses VC's as SD-JWTs
Does not use the W3C Data Model
Brian shows a conceptual representation of how PID may be
represented.
Since IETF 120
Draft -05 published
Added new construct for finding the location of the claim in the
credential
Re-using the construct in multiple places
Aaron
Daniel Fett - yes there are good reason not to use JSON Path
or JSON Point
JSON Pointer - a little more appropriate
still need to use escaping,
Very important to be able to address all elements.
Justin Richer
Daniel Fett Response
Brian - can this be pulled out of DCQL and easily
referneced
Darrel
Hannes - what is the next steps here?
Brian: Lots of open issues that need triage
May need to re-think using of .wellknown
Remove DIDs and DID resolutions
A tale of two types
JWS/JWE/JWT
JWT became very popular - some criticism
Created a BCP for the common security pitfalls (RFC
8725)
Introduced explicit typing
Explicit typing recommendations +sd-jwt in June 2023
Verifiable Credentials is not a term owned by anyone -
first used by W3C
Will JSON-LD be a hard requirement - agreed it would not
if regualar JSON is used.
Brett Zendell
Brian - Net result - folks who wanted simlicity were
not interested in abstract transformation
algorithms.
Some people decided to pursue similar work in the IETF
Justin - is this like reinventing JSON Path?
July 2023 introduced at IETF 117
vc+ld+json+sd-jwt registered by W3C
Media types for multiple suffixes (because there are no
multiple suffixes)
Registered against the moral equivalent of working group
draft in the W3C
Now vc exists as aregistered media types
Options
JOSE and COSE can use their own data types - not in direct
violations, but increasingly unlikely.
Stay the course
The Dublin Proposal
Justin
Murray
Tim Cappalli
Mike Jone
Deb
Daniel
Darrell Miller
Pamela Dingle
Yogesh
Paul Bastian
(No draft at this point)
Existing one-time tokens
Use cases
Characeteristics
Try to reduce scope of the token/scopes
How to indicate that an access token is not enough.
Scheme parameter - if one is DPoP and one Bearer what to do?
Always refer to access token.
Issue simultaniously with other tokens
Introduce new claim "use" number of uses
How should introduction be used?
Privacy
Not re-inventing 3D Secure.
Mike Jones
Joseph Heenan
Pieter
Arndt
Justin
Yogesh
George
Aaron
Hannes