Session Date/Time: 19 Mar 2024 23:30
# oauth
## Summary
The OAuth working group meeting covered several key topics including Selective Disclosure for JWT (SD-JWT), Protected Resource Metadata, Browser-Based Apps, Transaction Tokens, Identity Chaining, and a new draft on Identity Assertion Authorization Grant. Discussions revolved around draft specifications, open issues, and potential next steps, including working group last calls for some drafts.
## Key Discussion Points
* **SD-JWT (Selective Disclosure for JWT):**
  * Discussion on redesigning the JWS JSON serialization.
  * Debate around separating the token and presentation formats based on the presence or absence of key binding.
  * Clarifying the algorithms to accommodate recursive redaction.
  * Reference to RFC 4086 for salt entropy considerations.
  * Concerns about making claims that control the validity of the JWT itself selectively disclosable.
  * Handling of duplicate digest values and unused disclosures.
* **Protected Resource Metadata:**
  * Switched from concatenating `.well-known` onto the end of the resource URL to inserting it between the host and the path.
  * Changed the WWW-Authenticate header to return the URL of the metadata instead of the resource identifier.
  * Discussion on whether the draft is ready for Working Group Last Call.
* **Browser-Based Apps:**
  * Restructuring of the draft to focus on threats to JavaScript apps and patterns for building apps.
  * Discussion of different attack vectors and the consequences related to different app patterns.
  * Suggestions to improve the clarity and readability of the text.
  * Discussion on whether the draft is ready for Working Group Last Call.
* **Transaction Tokens:**
  * Discussion on how to manage authorization and transaction immutability within a trust domain.
  * Moved back to using a standard "sub" claim instead of the "sub_id" structure from SET (Security Event Tokens).
  * Logic added for including the requesting workload when requesting replacement transaction tokens.
  * Discussion on passing transaction tokens between servers, with options including a new HTTP header.
  * Discussion on the usage of transaction tokens in long-running batch requests.
  * Discussion about separating transaction tokens from JWT constructs and the relation to WIMSE.
  * Concerns about downscoping of scopes for replacement transaction tokens.
* **Identity Chaining:**
  * Overview of identity and authorization chaining across domains using token exchange and the assertion framework.
  * Specific steps for identity and authorization chaining.
  * Concerns about how to handle sender constraints.
  * Claims transcription from one domain to another.
* **Identity Assertion Authorization Grant:**
  * Use case involves brokering API access between applications with a single sign-on relationship.
  * Uses token exchange and the JWT Authorization Grant (RFC 7523).
  * Explicitly uses identity tokens obtained through a single sign-on flow.
  * A profile is necessary to ensure interoperability between parties, since the identity chaining draft is vague.
  * Discussions on sender constraining.
  * Discussion on whether it is based on the identity chaining spec.
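An added example (not code from the SD-JWT draft or from this meeting) of the digest and disclosure handling behind the SD-JWT points above: recursive redaction, and rejecting duplicate digests and unused disclosures on the verifier side. The `_sd`/`_sd_alg` claim names and the sha-256 digest over the disclosure string follow the draft; salts and claim values are constructed.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(salt: str, name: str, value) -> str:
    # Object-property disclosure: base64url(JSON [salt, name, value]).
    # Salts below are constructed constants; real ones need RFC 4086 entropy.
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())

def digest_of(disclosure: str) -> str:
    # The digest is computed over the ASCII disclosure string (sha-256 here).
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def collect_sd(obj, out: list) -> list:
    # Recursively gather every digest listed in any "_sd" array.
    if isinstance(obj, dict):
        out.extend(obj.get("_sd", []))
        for key, val in obj.items():
            if key != "_sd":
                collect_sd(val, out)
    elif isinstance(obj, list):
        for val in obj:
            collect_sd(val, out)
    return out

def check_disclosures(payload: dict, disclosures: list) -> str:
    """Return 'ok', or the reason the presentation must be rejected."""
    referenced = collect_sd(payload, [])
    values = {digest_of(d): json.loads(b64url_decode(d))[-1] for d in disclosures}
    if len(values) != len(disclosures):
        return "duplicate disclosure"
    # Recursive redaction: a disclosed value may carry its own "_sd" array,
    # so digests found inside disclosed values are referenced too.
    for val in values.values():
        collect_sd(val, referenced)
    if len(set(referenced)) != len(referenced):
        return "duplicate digest"
    if set(values) - set(referenced):
        return "unused disclosure"
    return "ok"

# Constructed sample: the street inside address is redacted recursively.
D_STREET = make_disclosure("salt-3", "street", "Main St 1")
D_ADDR = make_disclosure("salt-2", "address", {"_sd": [digest_of(D_STREET)]})
D_NAME = make_disclosure("salt-1", "given_name", "Alice")
PAYLOAD = {"iss": "https://issuer.example", "_sd_alg": "sha-256", "_sd": [digest_of(D_NAME), digest_of(D_ADDR)]}
```

Presenting only `D_STREET` fails as an unused disclosure because its digest is reachable only through the undisclosed `address` value.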
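An added example (not the draft's own code) of the Protected Resource Metadata change above: deriving the metadata URL by inserting the well-known path between host and path, shown next to the older end-of-URL concatenation, and reading the metadata URL out of a WWW-Authenticate challenge on the client side. The `resource_metadata` parameter name and the `oauth-protected-resource` suffix are assumed from the draft, and the same-authority sanity check is an assumption of this example rather than a rule taken from it.

```python
import re
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "oauth-protected-resource"  # well-known suffix assumed from the draft

def metadata_url(resource: str, insert_before_path: bool = True) -> str:
    """Derive the metadata URL for a resource identifier.
    True: current draft behaviour, /.well-known/... inserted between host and path.
    False: the earlier concatenation onto the end of the URL, kept for comparison.
    """
    parts = urlsplit(resource)
    path = parts.path.rstrip("/")
    if insert_before_path:
        new_path = f"/.well-known/{WELL_KNOWN}{path}"
    else:
        new_path = f"{path}/.well-known/{WELL_KNOWN}"
    return urlunsplit((parts.scheme, parts.netloc, new_path, "", ""))

def parse_challenge(header: str) -> dict:
    """Parse the quoted auth-params of a 'WWW-Authenticate: Bearer ...' value."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))

def metadata_url_from_challenge(header: str, resource: str):
    """Return the metadata URL advertised by the challenge, or None when it is
    absent or fails sanity checks: https only, and the same authority as the
    resource just called (the authority check is an assumption made here)."""
    url = parse_challenge(header).get("resource_metadata")
    if not url:
        return None
    meta, res = urlsplit(url), urlsplit(resource)
    if meta.scheme != "https" or meta.netloc.lower() != res.netloc.lower():
        return None
    return url
```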
## Decisions and Action Items
* **Protected Resource Metadata:** Start a working group last call.
* **Browser-Based Apps:** Start a working group last call.
* **Transaction Tokens:** Request the WIMSE working group to review this document.
* **Identity Chaining:**
  * Explore adding sender-constraining mechanisms (DPoP, mTLS).
  * Determine how the AS knows when to generate a JWT authorization grant.
* **SD-JWT:** Richard to review changes.
* **Identity Assertion Authorization Grant:** Explicitly define the parameters of token exchange in the spec, to ensure that everyone is on the same page.
* **SD-JWT:** Productive input needed on Richard's PR.
## Next Steps
* Working group last calls for Protected Resource Metadata and Browser-Based Apps.
* Further discussions and refinements on the SD-JWT, Transaction Tokens, and Identity Chaining drafts based on received feedback.
* Continue the development of the Identity Assertion Authorization Grant and monitor the implementation efforts.
Session Date/Time: 20 Mar 2024 23:30
# oauth
## Summary
This OAuth working group meeting covered several key topics including updates on the SD-JWT VC draft, token status lists, attestation-based client authentication, a nonce endpoint proposal, status attestation proposals, and a presentation on JSON fine-grained access. Discussions focused on design considerations, security implications, and the relationship between different specifications and use cases.
## Key Discussion Points
- SD-JWT VC:
  - Recent updates and future directions, including a proposal for combining SD-JWT with the W3C VCDM to address requirements from the EU Digital Identity Wallet.
  - Ensuring the specification meets the needs of use cases beyond the EU.
- Token Status List:
  - Updates and design considerations, including the reuse of the status claim for other mechanisms and the addition of a time-to-live claim for caching information.
  - Discussions around where the status object should be located (header vs. payload).
  - Privacy implications and potential mitigations against malicious issuers.
  - Whether to include a comparison with other revocation mechanisms (CRL, etc.) and whether these mechanisms should be combined into one draft.
- Attestation-Based Client Authentication:
  - Proposals for using DPoP for the proof-of-possession syntax.
  - Discussion on moving attestation information into HTTP headers, and concerns regarding curly braces in JWTs.
  - Question of whether the DPoP key and the client instance key need to be different and, if so, what impact that might have.
  - Concerns and counterpoints about client attestation and authentication.
- Nonce Endpoint:
  - Proposal for a RESTful endpoint for issuing nonces and its potential applications in OAuth 2 and other protocols.
  - Concerns regarding context and potential over-abstraction of the concept of a nonce.
  - Discussion on generating high-quality nonces and on provisioning nonces via error responses.
- Status Attestation:
  - Proposal to enhance the OAuth status mechanism with status attestations to provide dynamic state, and its relationship to the status list draft.
  - Privacy and security considerations, including offline presentation use cases.
  - Concerns that the new mechanism will further fragment standardisation of revocation mechanisms.
- JSON Fine-Grained Access:
  - Presentation of the JSON Fine-Grained Access Control method.
  - Relationship to other existing specifications (RAR).
## Decisions and Action Items
- Token Status List:
  - Nick volunteered to review the updated draft.
  - Authors to address the identified open issues and privacy concerns on the mailing list.
- Interim meeting:
  - Run a Doodle poll to find the most convenient date for a meeting that includes the WG, the Federated Credential Management (FedCM) API group and other interested parties.
## Next Steps
- SD-JWT VC: Daniel, Oliver and Brian to involve the WG in design decisions.
- Token Status List: Authors to address open issues and privacy concerns raised during the meeting and continue discussion on the mailing list.
- Attestation-Based Client Authentication: Authors to take into account WG feedback on the use of DPoP and on splitting out the mechanisms into headers.
- Nonce Endpoint: Continue discussions with interested parties regarding specific use cases and potential improvements to the proposal.
- Status Attestation: Encourage the group to read the documentation and get involved in discussions about the design approach on the mailing list.
- JSON Fine-Grained Access: Author to consider feedback and related specifications when revising the proposal.
Session Date/Time: 22 Mar 2024 05:00
# OAuth Working Group - IETF 119
## Summary
This meeting covered several topics, including the Cross-Device Flow BCP, OAuth 2.1, a profile of OAuth RAR using the Cedar policy language, and updates on the Authorization Challenge Endpoint and Global Token Revocation drafts. A new draft idea on Signed JWK Sets was also introduced. The discussions focused on clarifying specifications, addressing implementation challenges, and seeking feedback on the proposed drafts.
## Key Discussion Points
- Cross-Device Flow BCP: Reviewers are needed. The focus is on mitigating attacks over unauthenticated channels by establishing proximity checks.
- OAuth 2.1: Discussed restricting the characters allowed in client IDs and secrets. Strong agreement against the restriction because of backward-compatibility issues and existing practice. Further discussion is required on encoding. An HTTP working group review is desired.
- Cedar Profile for RAR: Discussed the applicability of using Cedar for OAuth RAR. Key concerns were raised about the relevance of exposing the policy language to the client and its potential use cases. The group generally advised that profiles for access tokens might be a more natural fit, potentially using JWT.
- Authorization Challenge Endpoint: Progress update. The draft proposes a new endpoint for native apps needing to authorize in web views, avoiding the need for workarounds and proprietary mechanisms. More reviewers are needed to look over it.
- Global Token Revocation: Progress update. The draft defines a lightweight endpoint for revoking tokens based on external signals. Discussed whether it should be a profile of SSF or not.
- Signed JWK Sets: A new concept was introduced to enable validation of JWT issuers using Web PKI certificates without requiring TLS. Useful for offline scenarios.
## Decisions and Action Items
- Cross-Device Flow BCP: Issue a working group last call, incorporating typo fixes if time allows. The following people volunteered as reviewers: Monty, Dean, Roy, Rolf, Mike, Brian, Richard, Angeli.
- OAuth 2.1: Continue discussion on GitHub and the mailing list regarding character encoding in client IDs and secrets (issue #128). Schedule a virtual interim meeting in June to discuss and finalize open issues.
- Authorization Challenge Endpoint: Seek more reviewers and initiate a call for adoption on the mailing list.
- Global Token Revocation: Call on the list for the people who have lined up for implementation work to indicate why they think this is really useful work.
- Signed JWK Sets: Further discussion on the mailing list.
- Michael and Yaron to schedule the interim meeting in June.
## Next Steps
- Cross-Device Flow BCP: Run the working group last call.
- OAuth 2.1: Address the outstanding issues, schedule the interim meeting, prepare a new draft by the July meeting, and aim for a working group last call by the November meeting.
- Cedar Profile for RAR: Re-evaluate the profiling approach, potentially focusing on access token profiles instead of RAR, and consider using JWT as the base format. Examples need to be non-open-banking oriented.
- Authorization Challenge Endpoint: Recruit more reviewers and initiate a call for adoption on the mailing list.
- Global Token Revocation: Gather feedback from implementers.
- Signed JWK Sets: Seek community feedback on the mailing list and GitHub.