Internet-Draft | The XAuth Protocol | February 2020 |
Hardt | Expires 22 August 2020 | [Page] |
Client software often desires resources or identity claims that are independent of the client. This protocol allows a user and/or resource owner to delegate resource authorization and/or release of identity claims to a server. Client software can then request access to resources and/or identity claims by calling the server. The server acquires consent and authorization from the user and/or resource owner if required, and then returns to the client software the authorization and identity claims that were approved. This protocol can be extended to support alternative authorizations, claims, interactions, and client authentication mechanisms.¶
Source for this draft and an issue tracker can be found at https://github.com/dickhardt/hardt-xauth-protocol.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 22 August 2020.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
This protocol supports the widely deployed use cases supported by OAuth 2.0 [RFC6749] & [RFC6750], and OpenID Connect [OIDC], an extension of OAuth 2.0, as well as other extensions, and other use cases that are not supported, such as acquiring multiple access tokens at the same time, and updating the request during user interaction. This protocol also addresses many of the security issues in OAuth 2.0 by having parameters securely sent directly between parties, rather than via a browser redirection.¶
The technology landscape has changed since OAuth 2.0 was initially drafted. More interactions happen on mobile devices than PCs. Modern browsers now directly support asymetric cryptographic functions. Standards have emerged for signing and encrypting tokens with rich payloads (JOSE) that are widely deployed.¶
Additional use cases are now being served with extensions to OAuth 2.0: OpenID Connect added support for authentication and releasing identity claims; [RFC8252] added support for native apps; [RFC8628] added support for smart devices; and support for [browser_based_apps] is being worked on. There are numerous efforts on adding proof-of-possession to resource access.¶
This protocol simplifies the overall architectural model, takes advantage of today's technology landscape, provides support for all the widely deployed use cases, and offers numerous extension points.¶
While this protocol is not backwards compatible with OAuth 2.0, it strives to minimize the migration effort.¶
This protocol centers around a Grant, a representation of the collection of user identity claims and/or resource authorizations the Client is requesting, and the resulting identity claims and/or resource authorizations granted by the Grant Server.¶
[Editor: suggestions on how to improve this are welcome!]¶
[Editor: suggestions for other names than XAuth are welcome!]¶
The parties and their relationships to each other:¶
+--------+ +------------+ | User | | Resource | | | | Owner (RO) | +--------+ +------------+ | \ / | | \ / | | \ / | | \ / | +--------+ +---------------+ +------------+ | Client |---->| Grant | _ _ | Resource | | |<----| Server (GS) | | Server | | | +---------------+ | (RS) | | |-------------------------->| | | |<--------------------------| | +--------+ +------------+¶
Before any sequence, the Client needs to be manually or programmatically configured for the GS. See GS Options Section 5.9 for details on acquiring GS metadata.¶
[Editor: a plethora of sequences are included to illustrate all the different actions. Many of these could potentially be moved to a use case document in the future.]¶
The Client requests a Grant from the GS that requires User interaction:¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | | (2) | | |<--- Interaction Response ---(3)--| eval | | | | | | |--(4)--- Read Grant ------------->| | +------+ | | | | | User | | |--(5)--- Interaction Transfer --- | - - - | ------->| | | | | |<--(6)-->| | | | | | authN | | | | | |<--(7)-->| | | | | | authZ | | | |<--- Interaction Transfer ---(8)- | - - - | --------| | | | | | | | | |<--------- Grant Response ---(9)--| | +------+ | | | | +--------+ +-------+¶
Party A and Party B are both a Client and a GS, and each Client would like a Grant for the other GS. Party A starts off being the Client per Create Grant Section 3.1. Party B then includes a Reciprocal Request in its Grant Response. Party A then gets authorization from the User and returns a Grant URI to Party B. Party A and B swap roles, and Party B's Client obtains the Grant from Party A's GS.¶
Party A Party B +--------+ +--------+ | Client | | GS | ~ ~ ~ ~ ~ ~ Same as steps 1 - 8 of ~ ~ ~ ~ ~ ~ +------+ | | Create Grant above | | | User | | | | | | |<----- | - - - | -- Interaction Transfer ------- | | | | | | | | | | | |<------- Grant Response ---(1)---| | | | | | Reciprocal Grant Request | | | |<-(2)->| | | | | | AuthZ | |---(3)--- Update Grant --------->| | +------+ | | Reciprocal Grant Response | | | | | | | |<-- Empty Grant Response ---(4)--| | | | | | +--------+ (5) Swap Roles +--------+ | GS | | Client | | |<------------ Read Grant ---(6)--| | | | | | | |--(7)--- Grant Response -------->| | | | | | +--------+ +--------+¶
The User is at the GS, and wants to interact with a Registered Client. The GS can redirect the User to the Client:¶
+--------+ +-------+ +------+ | Client | | GS | | User | | | | |<--(1)-->| | | | | | | | | |<----- GS Initiation Redirect --- | - - - | --(2)---| | | (3) | | | | | | verify |--(4)--- Read Grant ------------->| | +------+ | | | | | |<--------- Grant Response --(5)---| | | | | | +--------+ +-------+¶
The Client requests an identity claim to determine who the User is. Once the Client learns who the User is, and the Client updates the Grant for additional identity claims which the GS prompts the User for and returns to the Client. Once those are received, the Client updates the Grant with the remaining identity claims required.¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | "interaction"."keep":true | | | | | | | |<--- Interaction Response ---(2)--| | | | | | | |--(3)--- Read Grant ------------->| | +------+ | | | | | User | | |--(4)--- Interaction Transfer --- | - - - | ------->| | | | | | | | | | | |<--(5)-->| | | | | | authN | | | |<--------- Grant Response ---(6)--| | | | | (7) | | | | | | eval |--(8)--- Update Grant ----------->| | | | | | "interaction"."keep":true | |<--(9)-->| | | | | | authZ | | | |<--------- Grant Response --(10)--| | | | | (11) | | | | | | eval |--(12)-- Update Grant ----------->| | | | | | "interaction"."keep":false | |<--(13)->| | | | | | authZ | | | | | | | | | |<--- Interaction Transfer --(14)- | - - - | --------| | | | | | | | | |<--------- Grant Response --(15)--| | +------+ | | | | +--------+ +-------+¶
The Client requests an identity claim to determine who the User is. Once the Client learns who the User is, and the Client knows it has all the identity claims and authorizations needed, the Client deletes the Grant which prompts the GS to transfer the interaction back to the Client.¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | "interaction"."keep":true | | | | | | | |<--- Interaction Response ---(2)--| | | | | | | |--(3)--- Read Grant ------------->| | +------+ | | | | | User | | |--(4)--- Interaction Transfer --- | - - - | ------->| | | | | | | | | | | |<--(5)-->| | | | | | authN | | | |<--------- Grant Response ---(6)--| | | | | (7) | | | | | | eval |--(8)--- Delete Grant ----------->| | | | | |<------- Delete Response ---------| | | | | | | | | | | |<--- Interaction Transfer ---(9)- | - - - | --------| | | | | | | | +--------+ +-------+ +------+¶
The Client wants to discover if the GS has a User with a given identifier. If not, it will abort the request and not transfer interaction to the GS.¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | "user"."exists":true | | | | | | | |<--- Interaction Response ---(2)--| | | | "user"."exists":false | | | | | | | |--(3)--- Delete Grant ----------->| | | |<------- Delete Response ---------| | | | | | +--------+ +-------+¶
The Client wants access to resources that require the GS to interact with the RO, which may not happen immediately, so the GS instructs the Client to wait and check back later.¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Create Grant ----------->| | | | | | | |<---------- Wait Response ---(2)--| | +------+ | (3) | | | | RO | | Wait | | |<--(4)-->| | | | | | authZ | | | |--(5)--- Read Grant ------------->| | +------+ | | | | | |<--------- Grant Response --(6)---| | | | | | +--------+ +-------+¶
The Client wants to acquire fresh identity claims and authorizations in the Grant. No User or RO interaction is required as no new consent or authorization is required.¶
+--------+ +-------+ | Client | | GS | | |--(1)--- Read Grant ------------->| | | | | | | |<--------- Grant Response --(2)---| | | | | | +--------+ +-------+¶
The Client has an access token and uses it to access resources at an RS. The access token expires, and the Client acquires a fresh access token from the GS.¶
+--------+ +----------+ | Client | | Resource | | |--(1)--- Access Resource --->| Server | | |<------- Resource Response --| (RS) | | | | | | |--(2)--- Access Resource --->| | | |<------- Error Response -----| | | | | | | | +----------+ +-------+ | | | GS | | |--(3)--- Refresh AuthZ ------------------->| | | |<------- AuthZ Response -------------------| | | | | | +--------+ +-------+¶
request | http verb | uri | response |
---|---|---|---|
Create Grant | POST | GS URI | interaction, wait, or grant |
Read Grant | GET | Grant URI | wait, or grant |
Update Grant | PUT | Grant URI | interaction, wait, or grant |
Delete Grant | DELETE | Grant URI | success |
Refresh AuthZ | GET | AuthZ URI | authorization |
Update AuthZ | PUT | AuthZ URI | authorization |
Delete AuthZ | DELETE | AuthZ URI | success |
GS Options | OPTIONS | GS URI | metadata |
Grant Options | OPTIONS | Grant URI | metadata |
AuthZ Options | OPTIONS | AuthZ URI | metadata |
[ Editor: is there value in an API for listing a Client's Grants? eg:]¶
List Grants GET GS URI JSON array of Grant URIs¶
[Editor: straw man for life cycles.]¶
Grant life Cycle¶
The Client MAY create, read, update, and delete Grants. A Grant persists until it has expired, is deleted, or another Grant is created for the same GS, Client, and User tuple.¶
At any point in time, there can only be one Grant for the GS, Client, and User tuple. When a Client creates a Grant at the same GS for the same User, the GS MUST invalidate a previous Grant for the Client at that GS for that User.¶
Authorization Life Cycle¶
Authorizations are OPTIONALLY included in a Grant Response "authorization" Object (Section 7.4.3), and are represented by an AuthZ URI. If an AuthZ URI is included, the Client MAY refresh, update, and delete Authorizations.¶
An Authorization will persist independent of the Grant, and persist until invalidated by the GS per GS policy, or deleted by the Client.¶
Client Authentication¶
All APIs except for GS Options require the Client to authenticate.¶
This document defines the JOSE Authentication mechanism in Section 10. Other mechanisms include [TBD].¶
The Client creates a Grant by doing an HTTP POST of a JSON [RFC8259] document to the GS URI.¶
The JSON document MUST include the following from the Request JSON Section 5.5:¶
and MAY include the following from Request JSON Section 5.5¶
The GS MUST respond with one of Grant Response Section 7.1, Interaction Response Section 7.2, Wait Response Section 7.3, or one of the following errors:¶
from Error Responses Section 9.¶
Following is a non-normative example where the Client wants to interact with the User with a popup and is requesting identity claims about the User and read access to the User's contacts:¶
Example 1 { "iat" : 15790460234, "uri" : "https://as.example/endpoint", "nonce" : "f6a60810-3d07-41ac-81e7-b958c0dd21e4", "client": { "display": { "name" : "SPA Display Name", "uri" : "https://spa.example/about" } }, "interaction": { "type" : "popup" }, "authorization": { "type" : "oauth_scope", "scope" : "read_contacts" }, "claims": { "oidc": { "id_token" : { "email" : { "essential" : true }, "email_verified" : { "essential" : true } }, "userinfo" : { "name" : { "essential" : true }, "picture" : null } } } }¶
Following is a non-normative example where the Client is requesting the GS to keep the interaction with the User after returning the ID Token so the Client can update the Grant, and is also asking if the user exists:¶
Example 2 { "iat" : 15790460234, "uri" : "https://as.example/endpoint", "nonce" : "5c9360a5-9065-4f7b-a330-5713909e06c6", "client": { "id" : "di3872h34dkJW" }, "interaction": { "keep" : true, "type" : "redirect", "redirect_uri" : "https://web.example/return" }, "user": { "identifiers": { "email" : "jane.doe@example.com" }, "exists" : true }, "claims" : { "oidc": { "id_token" : {} } } }¶
The Client reads a Grant by doing an HTTP GET of the corresponding Grant URI.¶
The GS MUST respond with one of Grant Response Section 7.1, Interaction Response Section 7.2, Wait Response Section 7.3, or one of the following errors:¶
The Client updates a Grant by doing an HTTP PUT of a JSON document to the corresponding Grant URI.¶
The JSON document MUST include the following from the Request JSON Section 5.5¶
and MAY include the following from Request JSON Section 5.5¶
The GS MUST respond with one of Grant Response Section 7.1, Interaction Response Section 7.2, Wait Response Section 7.3, or one of the following errors:¶
from Error Responses Section 9.¶
Following is a non-normative example where the Client made an "interaction"."keep":true request, and now wants to update the request with additional claims:¶
Example 3 { "iat" : 15790460234, "uri" : "https://as.example/endpoint/grant/example3", "claims": { "oidc": { "userinfo" : { "email" : { "essential" : true }, "name" : { "essential" : true }, "picture" : null } } } }¶
The Client deletes a Grant by doing an HTTP DELETE of the corresponding Grant URI.¶
The GS MUST respond with OK 200, or one of the following errors:¶
[Editor: do we want to reuse the JWT claims "iat", "jti", etc.? ]¶
The client object MUST contain either the id attribute for Registered Clients, or the display object for Dynamic Clients.¶
display - the display object contains the following attributes:¶
[Editor: a max length for the name?] [Editor: a max length for the URI?]¶
The name and uri will be displayed by the GS when prompting for authorization.¶
The interaction object contains the type of interaction the Client will provide the User. Other attributes¶
[Editor: do we want this to be an array of types the Client can support? This would only be the case if the GS is not able to support all types and negotiation is required. Is that required?]¶
[Editor: do we need max pixels or max chars for qrcode interaction? Either passed to GS, or max specified values here?]¶
[Editor: other possible interaction models could be a "webview", where the Client can display a web page, or just a "message", where the client can only display a text message]¶
[Editor: we may need to include interaction types for iOS and Android as the mobile OS APIs evolve.]¶
identifiers - REQUIRED if the exists attribute is present. The values MAY be used by the GS to improve the User experience. Contains one or more of the following identifiers for the User:¶
Includes one or more of the following:¶
oidc - an object that contains one or both of the following objects:¶
The contents of the userinfo and id_token objects are Claims as defined in [OIDC] Section 5.¶
[Editor: parameters for the Client to request it wants the Grant Response signed and/or encrypted?]¶
The Client updates an Authorization by doing an HTTP GET to the corresponding AuthZ URI.¶
The GS MUST respond with an Response JSON "authorization" object Section 7.4.3, or one of the following errors:¶
The Client updates an Authorization by doing an HTTP PUT to the corresponding AuthZ URI of the following JSON. All of the following MUST be included.¶
The GS MUST respond with an Response JSON "authorization" object Section 7.4.3, or one of the following errors:¶
The Client can get the metadata for the GS by doing an HTTP OPTIONS of the corresponding GS URI. This is the only API where the GS MAY respond to an unauthenticated request.¶
The GS MUST respond with the the following JSON document:¶
[Editor: this section is a work in progress]¶
authorization - an object containing the authorizations the Client may request from the GS, if any.¶
claims - an object containing the identity claims the Client may request from the GS, if any, and what public keys the claims will be signed with.¶
features - an object containing feature support¶
[Editor: keys used by Client to encrypt requests, or verify signed responses?]¶
[Editor: namespace metadata for extensions?]¶
or one of the following errors:¶
The Client can get the metadata for the Grant by doing an HTTP OPTIONS of the corresponding Grant URI.¶
The GS MUST respond with the the following JSON document:¶
or one of the following errors:¶
The Client can get the metadata for the AuthZ by doing an HTTP OPTIONS of the corresponding AuthZ URI.¶
The GS MUST respond with the the following JSON document:¶
or one of the following errors:¶
On receipt of a request, the GS MUST verify the following:¶
[Editor: In OAuth 2.0, all flows are initiated at the Client. If the AS wanted to initiate a flow, it redirected to the Client, that redirected back to the AS to initiate a flow.¶
Here is a proposal to support GS initiated: authentication; just-in-time (JIT) provisioning; and authorization]¶
initiation_uri A URI at the Client that contains no query or fragment. How the GS learns the Client initiation_uri is out of scope.¶
The GS creates a Grant and Grant URI, and redirects the User to the initiation_uri with the query parameter "grant" and the value of Grant URI.¶
See Section 3.3 for the sequence diagram.¶
The Grant Response MUST include the following from the Response JSON Section 7.4¶
and MAY include the following from the Response JSON Section 7.4¶
Example non-normative Grant Response JSON document for Example 1 in Section 3.1:¶
{ "iat" : 15790460234, "nonce" : "f6a60810-3d07-41ac-81e7-b958c0dd21e4", "uri" : "https://as.example/endpoint/grant/example1", "expires_in" : 300 "authorization": { "type" : "oauth_scope", "scope" : "read_contacts", "expires_in" : 3600, "mechanism" : "bearer", "token" : "eyJJ2D6.example.access.token.mZf9p" }, "claims": { "oidc": { "id_token" : "eyJhbUzI1N.example.id.token.YRw5DFdbW", "userinfo" : { "name" : "John Doe", "picture" : "https://photos.example/p/eyJzdkiO" } } } }¶
Example non-normative Grant Response JSON document for Example 2 in Section 3.1:¶
{ "iat" : 15790460234, "nonce" : "5c9360a5-9065-4f7b-a330-5713909e06c6", "uri" : "https://as.example/endpoint/grant/example2", "authorization": { "type" : "oauth_scope", "scope" : "read_calendar write_calendar", "expires_in" : 3600, "mechanism" : "jose", "token" : "eyJJ2D6.example.access.token.mZf9p" "certificate": { "x5u" : "https://as.example/cert/example2" }, "uri" : "https://as.example/endpoint/authz/example2" } }¶
The Interaction Response MUST include the following from the Response JSON Section 7.4¶
and MAY include the following from the Response JSON Section 7.4¶
A non-normative example of an Interaction Response follows:¶
{ "iat" : 15790460234, "nonce" : "0d1998d8-fbfa-4879-b942-85a88bff1f3b", "uri" : "https://as.example/endpoint/grant/example4", "interaction" : { "type" : "popup", "authorization_uri" : "https://as.example/popup/example4" }, "user": { "exists" : true } }¶
The Wait Response MUST include the following from the Response JSON Section 7.4¶
A non-normative example of Wait Response follows:¶
{ "iat" : 15790460234, "nonce" : "0d1998d8-fbfa-4879-b942-85a88bff1f3b", "uri" : "https://as.example/endpoint/grant/example5", "wait" : 300 }¶
Details of the JSON document:¶
If the GS wants the Client to start the interaction, the GS MUST return the interaction mechanism provided by the Client in the Grant Request, and include the required attributes in the interaction object:¶
[Editor: do we specify a maximum length for the display_uri and code so that a device knows the maximum it needs to support? A smart device may have limited screen real estate.]¶
The authorization_uri, qr_uri, and user_code MUST be unique and only match the associated Grant URI.¶
TBD: entropy and other security considerations for the authorization_uri, qr_uri, and the user_code.¶
See Interaction Types Section 7.4.7 for details.¶
The "authorization" object is a response to the Request "authorization" object Section 5.5.4, the Refresh Authorization Section 5.6, or the Update Authorization Section 5.7.¶
[Editor: any value in an expiry for the Authorization?]¶
A JSON array of authorization objects. Support for the authorizations object is OPTIONAL.¶
The claims object is a response to the Request "claims" object Section 5.5.4.¶
oidc¶
vc¶
The verified claims the user consented to be released. [Editor: details TBD]¶
The following MUST be included¶
client¶
One or more of the following objects from the Request JSON Section 5.5 are included:¶
If the GS wants the Client to initiate the interaction with the User, then the GS will return an Interaction Response. The Client will initiate the interaction with the User in one of the following ways:¶
A GS MUST support the "popup", "redirect", "qrcode", and "code" interaction types.¶
[Editor: is this too restrictive?]¶
[Editor: TBD - how response is signed and/or encrypted by the GS. Is there a generalized description, or is it mechanism specific?]¶
On receipt of a response, the Client MUST verify the following:¶
This document specifies three different mechanisms for the Client to access an RS ("bearer", "jose", and "jose+body"). The "bearer" mechanism is defined in {BearerToken}. The "jose" and "jose+body" mechanisms are proof-of-possession mechanisms and are defined in Section 10.2.2 and Section 10.2.3 respectively. Additional proof-of-possession mechanisms may be defined in other documents. The mechanism the Client is to use with an RS is the Response JSON "authorization"."mechanism" attribute Section 7.4.3.¶
How the Client authenticates to the GS and RS are independent of each other. One mechanism can be used to authenticate to the GS, and a different mechanism to authenticate to the RS.¶
Other documents that specify other Client authentication mechanisms will replace this section.¶
In the JOSE Authentication Mechanism, the Client authenticates by using its private key to sign a JSON document with JWS per [RFC7515] which results in a token using JOSE compact serialization.¶
[Editor: are there advantages to using JSON serialization in the body?]¶
Different instances of a Registered Clients MAY have different private keys, but certificates bind them to a public key the GS has for the Client ID. An instance of a Client will use the same private key for all signing.¶
The Client and the GS MUST both use HTTP/2 ([RFC7540]) or later, and TLS 1.3 ([RFC8446]) or later, when communicating with each other.¶
[Editor: too aggressive to mandate HTTP/2 and TLS 1.3?]¶
The token may be included in an HTTP header, or as the HTTP message body.¶
The following sections specify how the Client uses JOSE to authenticate to the GS and RS.¶
The Client authenticates to the GS by passing either a signed header parameter, or a signed message body. The following table shows the verb, uri and token location for each Client request to the GS:¶
request | http verb | uri | token in |
---|---|---|---|
Create Grant | POST | GS URI | body |
Read Grant | GET | Grant URI | header |
Update Grant | PUT | Grant URI | body |
Delete Grant | DELETE | Grant URI | success |
Refresh AuthZ | GET | AuthZ URI | body |
Update AuthZ | PUT | AuthZ URI | body |
Delete AuthZ | DELETE | AuthZ URI | header |
GS Options | OPTIONS | GS URI | header |
Grant Options | OPTIONS | Grant URI | header |
AuthZ Options | OPTIONS | AuthZ URI | header |
For requests with the token in the body, the Client uses the Request JSON as the payload in a JWS. The resulting token is sent with the content-type set to "application/jose".¶
A non-normative example (line breaks added to the body for readability):¶
POST /endpoint HTTP/2 Host: as.example Content-Type: application/jose Content-Length: 155 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyzdWIiOiIxMjM0NTY3ODkwIiwibmF tZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMe Jf36POk6yJV_adQssw5c¶
[Editor: make a real example token]¶
GS Verification¶
The GS MUST verify the token by:¶
[Editor: would examples help here so that implementors understand the full range of options, and how an instance can have its own asymetric key pair]¶
A non-normative example of a JOSE header for a Registered Client with a key identifier of "12":¶
{ "alg" : "ES256", "typ" : "JOSE", "kid" : "12" }¶
A non-normative example of a JOSE header for a Dynamic Client:¶
{ "alg" : "ES256", "typ" : "JOSE", "jwk" : { "kty" : "EC", "crv" : "P-256", "x" : "Kgl5DJSgLyV-G32osmLhFKxJ97FoMW0dZVEqDG-Cwo4", "y" : "GsL4mOM4x2e6iON8BHvRDQ6AgXAPnw0m0SfdlREV7i4" } }¶
In the "jose" mechanism Section 10.2.2, all Client requests to the RS include a proof-of-possession token in the HTTP authorization header. In the "jose+body" mechanism Section 10.2.3, the Client signs the JSON document in the request if the POST or PUT verbs are used, otherwise it is the same as the "jose" mechanism.¶
The GS provides the Client one or more JWS header parameters and values for a a certificate, or a reference to a certificate or certificate chain, that the RS can use to resolve the public key matching the private key being used by the Client.¶
A non-normative examples JOSE header:¶
{ "alg" : "ES256", "typ" : "JOSE", "x5u" : "https://as.example/cert/example2" }¶
[Editor: this enables Dynamic Clients to make proof-of-possession API calls the same as Registered Clients.]¶
The JWS payload MUST contain the following attributes:¶
iat - the time the token was created as a NumericDate.¶
jti - a unique identifier for the token per [RFC7519] section 4.1.7.¶
uri - the value of the RS URI being called.¶
verb - the HTTP verb being used in the call¶
token - the access token provided by the GS to the Client¶
The HTTP authorization header is set to the "jose" parameter followed by one or more white space characters, followed by the resulting token.¶
A non-normative example of a JWS payload and the HTTP request follows:¶
{ "iat" : 15790460234, "jti" : "f6d72254-4f23-417f-b55e-14ad323b1dc1", "uri" : "https://calendar.example/calendar", "verb" : "GET", "token" : "eyJJ2D6.example.access.token.mZf9pTSpA" } GET /calendar HTTP/2 Host: calendar.example Authorization: jose eyJhbG.example.jose.token.adks¶
[Editor: make a real example token]¶
RS Verification¶
The RS MUST verify the token by:¶
The "jose+body" mechanism can only be used if the content being sent to the RS is a JSON document.¶
Any requests not sending a message body will use the "jose" mechanism Section 10.2.2.¶
Requests sending a message body MUST have the following JWS payload:¶
iat - the time the token was created as a NumericDate.¶
jti - a unique identifier for the token per [RFC7519] section 4.1.7.¶
uri - the value of the RS URI being called.¶
verb - the HTTP verb being used in the call¶
token - the access token provided by the GS to the Client¶
body - the message body being sent to the RS¶
A non-normative example of a JWS payload and the HTTP request follows:¶
{ "iat" : 15790460234, "jti" : "f6d72254-4f23-417f-b55e-14ad323b1dc1", "uri" : "https://calendar.example/calendar", "verb" : "POST", "token" : "eyJJ2D6.example.access.token.mZf9pTSpA", "payload" : { "event" : { "title" : "meeting with joe", "start_date_utc" : "2020-02-21 11:00:00", "end_date_utc" : "2020-02-21 11:00:00" } } } POST /calendar HTTP/2 Host: calendar.example Content-Type: application/jose Content-Length: 155 eyJhbGciOi.example.jose+body.adasdQssw5c¶
[Editor: make a real example token]¶
RS Verification¶
The RS MUST verify the token by:¶
The RS has a public key for the GS that it uses to verify the certificate or certificate chain the Client includes in the JWS header.¶
[Editor: to be fleshed out]¶
The Client encrypts a request when ??? using the GS public key returned as the ??? attribute in GS Options Section 5.9.¶
[Editor: to be fleshed out]¶
The Client verifies a signed response ??? using the GS public key returned as the ??? attribute in GS Options Section 5.9.¶
[Editor: to be fleshed out]¶
The Client decrypts a response when ??? using the private key matching the public key included in the request as the ??? attribute in Section 5.5.¶
This standard can be extended in a number of areas:¶
Client Authentication Mechanisms¶
Grant¶
Top Level¶
"client" Object¶
"user" Object¶
"authorization" Object¶
"claims" Object¶
Interaction types¶
Continuous Authentication¶
[Editor: do we specify access token / handle introspection in this document, or leave that to an extension?]¶
[Editor: do we specify access token / handle revocation in this document, or leave that to an extension?]¶
Why is there only one mechanism for the Client to authenticate with the GS? Why not support other mechanisms?¶
Having choices requires implementers to understand which choice is preferable for them. Having one default mechanism in the document for the Client to authenticate simplifies most implementations. Deployments that have unique characteristics can select other mechanisms that are preferable in specific environments.¶
Why is the default Client authentication JOSE rather than MTLS?¶
MTLS cannot be used today by a Dynamic Client. MTLS requires the application to have access below what is typically the application layer, that is often not available on some platforms. JOSE is done at the application layer. Many GS deployments will be an application behind a proxy performing TLS, and there are risks in the proxy passing on the results of MTLS.¶
Why is the default Client authentication JOSE rather than HTTP signing?¶
There is currently no widely deployed open standard for HTTP signing. Additionally, HTTP signing requires passing all the relevant parts of the HTTP request to downstream services within an GS that may need to independently verify the Client identity.¶
What are the advantages of using JOSE for the Client to authenticate to the GS and a resource?¶
Both Registered Clients and Dynamic Clients can have a private key, eliminating the public Client issues in OAuth 2.0, as a Dynamic Client can create an ephemeral key pair. Using asymetric cryptography also allows each instance of a Registered Client to have its own private key if it can obtain a certificate binding its public key to the public key the GS has for the Client. Signed tokens can be passed to downstream components in a GS or RS to enable independent verification of the Client and its request. The GS Initiated Sequence Section 6 requires a URL safe parameter, and JOSE is URL safe.¶
Why does the GS not return parameters to the Client in the redirect url?¶
Passing parameters via a browser redirection is the source of many of the security risks in OAuth 2.0. It also presents a challenge for smart devices. In this protocol, the redirection from the Client to the GS is to enable the GS to interact with the User, and the redirection back to the Client is to hand back interaction control to the Client if the redirection was a full browser redirect. Unlike OAuth 2.0, the identity of the Client is independent of the URI the GS redirects to.¶
Why is there not a UserInfo endpoint as there is with OpenID Connect?¶
Since the Client can Read Grant at any time, it get the same functionality as the UserInfo endpoint, without the Client having to manage a separate access token and refresh token. If the Client would like additional claims, it can Update Grant, and the GS will let the Client know if an interaction is required to get any of the additional claims, which the Client can then start.¶
[Editor: is there some other reason to have the UserInfo endpoint?]¶
Why is there still a Client ID?¶
The GS needs an identifier to fetch the meta data associated with a Client such as the name and image to display to the User, and the policies on what a Client is allowed to do. The Client ID was used in OAuth 2.0 for the same purpose, which simplifies migration. Dynamic Clients do not have a Client ID.¶
Why have both claims and authorizations?¶
There are use cases for each that are independent: authenticating a user and providing claims vs granting access to a resource. A request for an authorization returns an access token which may have full CRUD capabilities, while a request for a claim returns the claim about the User - with no create, update or delete capabilities. While the UserInfo endpoint in OIDC may be thought of as a resource, separating the concepts and how they are requested keeps each of them simpler in the Editor's opinion. :)¶
Why specify HTTP/2 or later and TLS 1.3 or later for Client and GS communication in ?Section 10¶
Knowing the GS supports HTTP/2 enables a Client to set up a connection faster. HTTP/2 will be more efficient when Clients have large numbers of access tokens and are frequently refreshing them at the GS as there will be less network traffic. Mandating TLS 1.3 similarly improves the performance and security of Clients and GS when setting up a TLS connection.¶
Why do some of the JSON objects only have one child, such as the identifiers object in the user object in the Grant Request?¶
It is difficult to forecast future use cases. Having more resolution may mean the difference between a simple extension, and a convoluted extension.¶
Why is the "iss" included in the "oidc" identifier object? Would the "sub" not be enough for the GS to identify the User?¶
This decouples the GS from the OpenID Provider (OP). The GS identifier is the GS URI, which is the endpoint at the GS. The OP issuer identifier will likely not be the same as the GS URI. The GS may also provide claims from multiple OPs.¶
Why complicate things with "interaction"."keep"?¶
The common sequence has a back and forth between the Client and the GS, and the Client can update the Grant and have a new interaction. Keeping the interaction provides a more seamless user experience where the results from the first request determine subsequent requests. For example, a common pattern is to use a GS to authenticate the User at the Client, and to register the User at the Client using additional claims from the GS. The Client does not know a priori if the User is a new User, or a returning User. Asking a returning User to consent releasing claims they have already provided is a poor User experience, as is sending the User back to the GS. The Client requesting identity first enables the Client to get a response from the GS while the GS is still interacting with the User, so that the Client can request additional claims only if needed. Additionally, the claims a Client may want about a User may be dependent on some initial Claims. For example, if a User is in a particular country, additional or different Claims my be required by the Client.¶
There are also benefits for the GS. Today, a GS usually keeps track of which claims a Client has requested for a User. Storing this information for all Clients a User uses may be undesirable for a GS that does not want to have that information about the User. Keeping the interaction allows the Client to track what information it has about the User, and the GS can remain stateless.¶
Why is there a "jose+body" RS access mechanism method for the Client?Section 10.2.3¶
There are numerous use cases where the RS wants non-repudiation and providence of the contents of an API call. For example, the UGS Service Supplier Framework for Authentication and Authorization [UTM].¶
Why use URIs to instead of handles for the Grant and Authorization?¶
A URI is an identifier just like a handle that can contain GS information that is opaque to the Client - so it has all the features of a handle, plus it can be the URL that is resolved to manipulate a Grant or an Authorization. As the Grant URI and AuthZ URI are defined to start with the GS URI, the Client (and GS) can easily determine which GS a Grant or Authorization belong to. URIs also enable a RESTful interface to the GS functionality.¶
Why use the OPTIONS verb on the GS URI? Why not use a .well-known mechanism?¶
Having the GS URI endpoint respond to the metadata allows the GS to provide Client specific results using the same Client authentication used for other requests to the GS. It also reduces the risk of a mismatch between what the advertised metadata, and the actual metadata. A .well-known discovery mechanism may be defined to resolve from a hostname to the GS URI.¶
Why support UPDATE, DELETE, and OPTIONS verbs on the AuthZ URI?¶
Maybe there are no use cases for them [that the editor knows of], but the GS can not implement, and they are available if use cases come up.¶
Why list explicit interactions, instead of the Client and GS negotiating interaction capabilities?¶
The Client knows what interactions it is capable of, and prefers. Telling the GS the interaction allows the GS to know what interaction the User will have. Knowing how the Client will transition the interaction will enable the GS to provider a better User experience. For example, the GS may want to provide a short URL if it knows the Client will be showing a QR code vs a redirect, or have a different layout if it is a popup vs a redirect.¶
[Editor: are there use cases where the Client would want to provide a list of interaction types so the GS can select which one it can support? ]¶
This draft derives many of its concepts from Justin Richer's Transactional Authorization draft [TxAuth].¶
Additional thanks to Justin Richer and Annabelle Richard Backman for their strong critique of earlier drafts.¶
[ JOSE parameter for Authorization HTTP header ]¶
TBD¶
Changed Features¶
The major changes between this protocol and OAuth 2.0 and OpenID Connect are:¶
Preserved Features¶
New Features¶