| draft-ietf-oauth-jwt-bearer-09.txt | draft-ietf-oauth-jwt-bearer-10.txt | |||
|---|---|---|---|---|
| OAuth Working Group M. Jones | OAuth Working Group M. Jones | |||
| Internet-Draft Microsoft | Internet-Draft Microsoft | |||
| Intended status: Standards Track B. Campbell | Intended status: Standards Track B. Campbell | |||
| Expires: October 30, 2014 Ping Identity | Expires: January 24, 2015 Ping Identity | |||
| C. Mortimore | C. Mortimore | |||
| Salesforce | Salesforce | |||
| April 28, 2014 | July 23, 2014 | |||
| JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and | JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and | |||
| Authorization Grants | Authorization Grants | |||
| draft-ietf-oauth-jwt-bearer-09 | draft-ietf-oauth-jwt-bearer-10 | |||
| Abstract | Abstract | |||
| This specification defines the use of a JSON Web Token (JWT) Bearer | This specification defines the use of a JSON Web Token (JWT) Bearer | |||
| Token as a means for requesting an OAuth 2.0 access token as well as | Token as a means for requesting an OAuth 2.0 access token as well as | |||
| for use as a means of client authentication. | for use as a means of client authentication. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 36 | skipping to change at page 1, line 36 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 30, 2014. | This Internet-Draft will expire on January 24, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 | 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | 2. HTTP Parameter Bindings for Transporting Assertions . . . . . 4 | |||
| 2.1. Using JWTs as Authorization Grants . . . . . . . . . . . 4 | 2.1. Using JWTs as Authorization Grants . . . . . . . . . . . 4 | |||
| 2.2. Using JWTs for Client Authentication . . . . . . . . . . 5 | 2.2. Using JWTs for Client Authentication . . . . . . . . . . 5 | |||
| 3. JWT Format and Processing Requirements . . . . . . . . . . . 5 | 3. JWT Format and Processing Requirements . . . . . . . . . . . 5 | |||
| 3.1. Authorization Grant Processing . . . . . . . . . . . . . 7 | 3.1. Authorization Grant Processing . . . . . . . . . . . . . 7 | |||
| 3.2. Client Authentication Processing . . . . . . . . . . . . 7 | 3.2. Client Authentication Processing . . . . . . . . . . . . 8 | |||
| 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 8 | 4. Authorization Grant Example . . . . . . . . . . . . . . . . . 8 | |||
| 5. Interoperability Considerations . . . . . . . . . . . . . . . 9 | 5. Interoperability Considerations . . . . . . . . . . . . . . . 9 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 | 7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 7.1. Sub-Namespace Registration of urn:ietf:params:oauth | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| :grant-type:jwt-bearer . . . . . . . . . . . . . . . . . 9 | 8.1. Sub-Namespace Registration of urn:ietf:params:oauth | |||
| 7.2. Sub-Namespace Registration of urn:ietf:params:oauth | :grant-type:jwt-bearer . . . . . . . . . . . . . . . . . 10 | |||
| 8.2. Sub-Namespace Registration of urn:ietf:params:oauth | ||||
| :client-assertion-type:jwt-bearer . . . . . . . . . . . . 10 | :client-assertion-type:jwt-bearer . . . . . . . . . . . . 10 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 10 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 11 | 9.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
| Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 11 | Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12 | |||
| Appendix B. Document History . . . . . . . . . . . . . . . . . . 11 | Appendix B. Document History . . . . . . . . . . . . . . . . . . 12 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Token (JWT) [JWT] is a JavaScript Object Notation (JSON) | JSON Web Token (JWT) [JWT] is a JavaScript Object Notation (JSON) | |||
| [RFC7159] based security token encoding that enables identity and | [RFC7159] based security token encoding that enables identity and | |||
| security information to be shared across security domains. A | security information to be shared across security domains. A | |||
| security token is generally issued by an identity provider and | security token is generally issued by an identity provider and | |||
| consumed by a relying party that relies on its content to identify | consumed by a relying party that relies on its content to identify | |||
| the token's subject for security related purposes. | the token's subject for security related purposes. | |||
| skipping to change at page 3, line 12 | skipping to change at page 3, line 13 | |||
| are defined to support a wide range of client types and user | are defined to support a wide range of client types and user | |||
| experiences. OAuth also allows for the definition of new extension | experiences. OAuth also allows for the definition of new extension | |||
| grant types to support additional clients or to provide a bridge | grant types to support additional clients or to provide a bridge | |||
| between OAuth and other trust frameworks. Finally, OAuth allows the | between OAuth and other trust frameworks. Finally, OAuth allows the | |||
| definition of additional authentication mechanisms to be used by | definition of additional authentication mechanisms to be used by | |||
| clients when interacting with the authorization server. | clients when interacting with the authorization server. | |||
| The Assertion Framework for OAuth 2.0 Client Authentication and | The Assertion Framework for OAuth 2.0 Client Authentication and | |||
| Authorization Grants [I-D.ietf-oauth-assertions] specification is an | Authorization Grants [I-D.ietf-oauth-assertions] specification is an | |||
| abstract extension to OAuth 2.0 that provides a general framework for | abstract extension to OAuth 2.0 that provides a general framework for | |||
| the use of Assertions (a.k.a. Security Tokens) as client credentials | the use of Assertions (a.k.a. Security Tokens) as client credentials | |||
| and/or authorization grants with OAuth 2.0. This specification | and/or authorization grants with OAuth 2.0. This specification | |||
| profiles the Assertion Framework for OAuth 2.0 Client Authentication | profiles the Assertion Framework for OAuth 2.0 Client Authentication | |||
| and Authorization Grants [I-D.ietf-oauth-assertions] specification to | and Authorization Grants [I-D.ietf-oauth-assertions] specification to | |||
| define an extension grant type that uses a JSON Web Token (JWT) | define an extension grant type that uses a JSON Web Token (JWT) | |||
| Bearer Token to request an OAuth 2.0 access token as well as for use | Bearer Token to request an OAuth 2.0 access token as well as for use | |||
| as client credentials. The format and processing rules for the JWT | as client credentials. The format and processing rules for the JWT | |||
| defined in this specification are intentionally similar, though not | defined in this specification are intentionally similar, though not | |||
| identical, to those in the closely related SAML 2.0 Profile for OAuth | identical, to those in the closely related SAML 2.0 Profile for OAuth | |||
| 2.0 Client Authentication and Authorization Grants | 2.0 Client Authentication and Authorization Grants | |||
| [I-D.ietf-oauth-saml2-bearer] specification. | [I-D.ietf-oauth-saml2-bearer] specification. | |||
| skipping to change at page 9, line 36 | skipping to change at page 10, line 5 | |||
| for OAuth 2.0 Client Authentication and Authorization Grants | for OAuth 2.0 Client Authentication and Authorization Grants | |||
| [I-D.ietf-oauth-assertions], The OAuth 2.0 Authorization Framework | [I-D.ietf-oauth-assertions], The OAuth 2.0 Authorization Framework | |||
| [RFC6749], and the JSON Web Token (JWT) [JWT] specifications are all | [RFC6749], and the JSON Web Token (JWT) [JWT] specifications are all | |||
| applicable to this document. | applicable to this document. | |||
| The specification does not mandate replay protection for the JWT | The specification does not mandate replay protection for the JWT | |||
| usage for either the authorization grant or for client | usage for either the authorization grant or for client | |||
| authentication. It is an optional feature, which implementations may | authentication. It is an optional feature, which implementations may | |||
| employ at their own discretion. | employ at their own discretion. | |||
| 7. IANA Considerations | 7. Privacy Considerations | |||
| 7.1. Sub-Namespace Registration of urn:ietf:params:oauth:grant-type | A JWT may contain privacy-sensitive information and, to prevent | |||
| :jwt-bearer | disclosure of such information to unintended parties, should only be | |||
| transmitted over encrypted channels, such as TLS. In cases where it | ||||
| is desirable to prevent disclosure of certain information the client, | ||||
| the JWT should be be encrypted to the authorization server. | ||||
| Deployments should determine the minimum amount of information | ||||
| necessary to complete the exchange and include only such claims in | ||||
| the JWT. In some cases, the "sub" (subject) claim can be a value | ||||
| representing an anonymous or pseudonymous user, as described in | ||||
| Section 6.3.1 of the Assertion Framework for OAuth 2.0 Client | ||||
| Authentication and Authorization Grants [I-D.ietf-oauth-assertions]. | ||||
| 8. IANA Considerations | ||||
| 8.1. Sub-Namespace Registration of urn:ietf:params:oauth:grant- | ||||
| type:jwt-bearer | ||||
| This specification registers the value "grant-type:jwt-bearer" in the | This specification registers the value "grant-type:jwt-bearer" in the | |||
| IANA urn:ietf:params:oauth registry established in An IETF URN Sub- | IANA urn:ietf:params:oauth registry established in An IETF URN Sub- | |||
| Namespace for OAuth [RFC6755]. | Namespace for OAuth [RFC6755]. | |||
| o URN: urn:ietf:params:oauth:grant-type:jwt-bearer | o URN: urn:ietf:params:oauth:grant-type:jwt-bearer | |||
| o Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0 | o Common Name: JWT Bearer Token Grant Type Profile for OAuth 2.0 | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Specification Document: [[this document]] | o Specification Document: [[this document]] | |||
| 7.2. Sub-Namespace Registration of urn:ietf:params:oauth:client- | 8.2. Sub-Namespace Registration of urn:ietf:params:oauth:client- | |||
| assertion-type:jwt-bearer | assertion-type:jwt-bearer | |||
| This specification registers the value "client-assertion-type:jwt- | This specification registers the value "client-assertion-type:jwt- | |||
| bearer" in the IANA urn:ietf:params:oauth registry established in An | bearer" in the IANA urn:ietf:params:oauth registry established in An | |||
| IETF URN Sub-Namespace for OAuth [RFC6755]. | IETF URN Sub-Namespace for OAuth [RFC6755]. | |||
| o URN: urn:ietf:params:oauth:client-assertion-type:jwt-bearer | o URN: urn:ietf:params:oauth:client-assertion-type:jwt-bearer | |||
| o Common Name: JWT Bearer Token Profile for OAuth 2.0 Client | o Common Name: JWT Bearer Token Profile for OAuth 2.0 Client | |||
| Authentication | Authentication | |||
| o Change controller: IETF | o Change controller: IETF | |||
| o Specification Document: [[this document]] | o Specification Document: [[this document]] | |||
| 8. References | 9. References | |||
| 8.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-oauth-assertions] | [I-D.ietf-oauth-assertions] | |||
| Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | Campbell, B., Mortimore, C., Jones, M., and Y. Goland, | |||
| "Assertion Framework for OAuth 2.0 Client Authentication | "Assertion Framework for OAuth 2.0 Client Authentication | |||
| and Authorization Grants", draft-ietf-oauth-assertions | and Authorization Grants", draft-ietf-oauth-assertions | |||
| (work in progress), April 2014. | (work in progress), July 2014. | |||
| [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", draft-ietf-oauth-json-web-token (work in | (JWT)", draft-ietf-oauth-json-web-token (work in | |||
| progress), March 2014. | progress), July 2014. | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, March 1997. | |||
| [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform | |||
| Resource Identifier (URI): Generic Syntax", STD 66, RFC | Resource Identifier (URI): Generic Syntax", STD 66, RFC | |||
| 3986, January 2005. | 3986, January 2005. | |||
| [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC | [RFC6749] Hardt, D., "The OAuth 2.0 Authorization Framework", RFC | |||
| 6749, October 2012. | 6749, October 2012. | |||
| [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | [RFC6755] Campbell, B. and H. Tschofenig, "An IETF URN Sub-Namespace | |||
| for OAuth", RFC 6755, October 2012. | for OAuth", RFC 6755, October 2012. | |||
| [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | [RFC7159] Bray, T., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", RFC 7159, March 2014. | Interchange Format", RFC 7159, March 2014. | |||
| 8.2. Informative References | 9.2. Informative References | |||
| [I-D.ietf-oauth-dyn-reg] | [I-D.ietf-oauth-dyn-reg] | |||
| Richer, J., Jones, M., Bradley, J., Machulak, M., and P. | Richer, J., Jones, M., Bradley, J., Machulak, M., and P. | |||
| Hunt, "OAuth 2.0 Dynamic Client Registration Core | Hunt, "OAuth 2.0 Dynamic Client Registration Core | |||
| Protocol", draft-ietf-oauth-dyn-reg-16 (work in progress), | Protocol", draft-ietf-oauth-dyn-reg-16 (work in progress), | |||
| February 2014. | February 2014. | |||
| [I-D.ietf-oauth-saml2-bearer] | [I-D.ietf-oauth-saml2-bearer] | |||
| Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0 | Campbell, B., Mortimore, C., and M. Jones, "SAML 2.0 | |||
| Profile for OAuth 2.0 Client Authentication and | Profile for OAuth 2.0 Client Authentication and | |||
| Authorization Grants", draft-ietf-oauth-saml2-bearer (work | Authorization Grants", draft-ietf-oauth-saml2-bearer (work | |||
| in progress), April 2014. | in progress), July 2014. | |||
| [OpenID.Discovery] | [OpenID.Discovery] | |||
| Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID | Sakimura, N., Bradley, J., Jones, M., and E. Jay, "OpenID | |||
| Connect Discovery 1.0", February 2014. | Connect Discovery 1.0", February 2014. | |||
| [OpenID.Registration] | [OpenID.Registration] | |||
| Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect | Sakimura, N., Bradley, J., and M. Jones, "OpenID Connect | |||
| Dynamic Client Registration 1.0", February 2014. | Dynamic Client Registration 1.0", February 2014. | |||
| Appendix A. Acknowledgements | Appendix A. Acknowledgements | |||
| This profile was derived from SAML 2.0 Profile for OAuth 2.0 Client | This profile was derived from SAML 2.0 Profile for OAuth 2.0 Client | |||
| Authentication and Authorization Grants [I-D.ietf-oauth-saml2-bearer] | Authentication and Authorization Grants [I-D.ietf-oauth-saml2-bearer] | |||
| by Brian Campbell and Chuck Mortimore. | by Brian Campbell and Chuck Mortimore. | |||
| Appendix B. Document History | Appendix B. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| draft-ietf-oauth-jwt-bearer-10 | ||||
| o Added Privacy Considerations section per AD review discussion | ||||
| http://www.ietf.org/mail-archive/web/oauth/current/msg13148.html | ||||
| and http://www.ietf.org/mail-archive/web/oauth/current/ | ||||
| msg13144.html | ||||
| draft-ietf-oauth-jwt-bearer-09 | draft-ietf-oauth-jwt-bearer-09 | |||
| o Clarified some text around the treatment of subject based on the | o Clarified some text around the treatment of subject based on the | |||
| rough rough consensus from the thread staring at http:// | rough rough consensus from the thread staring at | |||
| www.ietf.org/mail-archive/web/oauth/current/msg12630.html | http://www.ietf.org/mail-archive/web/oauth/current/msg12630.html | |||
| draft-ietf-oauth-jwt-bearer-08 | draft-ietf-oauth-jwt-bearer-08 | |||
| o Updated references, including replacing references to RFC 4627 | o Updated references, including replacing references to RFC 4627 | |||
| with RFC 7159. | with RFC 7159. | |||
| draft-ietf-oauth-jwt-bearer-07 | draft-ietf-oauth-jwt-bearer-07 | |||
| o Clean up language around subject per http://www.ietf.org/mail- | o Clean up language around subject per http://www.ietf.org/mail- | |||
| archive/web/oauth/current/msg12250.html. | archive/web/oauth/current/msg12250.html. | |||
| o As suggested in http://www.ietf.org/mail-archive/web/oauth/current | o As suggested in http://www.ietf.org/mail- | |||
| /msg12251.html stated that "In the absence of an application | archive/web/oauth/current/msg12251.html stated that "In the | |||
| profile specifying otherwise, compliant applications MUST compare | absence of an application profile specifying otherwise, compliant | |||
| the audience values using the Simple String Comparison method | applications MUST compare the audience values using the Simple | |||
| defined in Section 6.2.1 of RFC 3986." | String Comparison method defined in Section 6.2.1 of RFC 3986." | |||
| o Added one-time use, maximum lifetime, and specific subject and | o Added one-time use, maximum lifetime, and specific subject and | |||
| attribute requirements to Interoperability Considerations based on | attribute requirements to Interoperability Considerations based on | |||
| http://www.ietf.org/mail-archive/web/oauth/current/msg12252.html. | http://www.ietf.org/mail-archive/web/oauth/current/msg12252.html. | |||
| o Remove "or its subject confirmation requirements cannot be met" | o Remove "or its subject confirmation requirements cannot be met" | |||
| text. | text. | |||
| o Reword security considerations and mention that replay protection | o Reword security considerations and mention that replay protection | |||
| is not mandated based on http://www.ietf.org/mail-archive/web/ | is not mandated based on http://www.ietf.org/mail- | |||
| oauth/current/msg12259.html. | archive/web/oauth/current/msg12259.html. | |||
| -06 | -06 | |||
| o Stated that issuer and audience values SHOULD be compared using | o Stated that issuer and audience values SHOULD be compared using | |||
| the Simple String Comparison method defined in Section 6.2.1 of | the Simple String Comparison method defined in Section 6.2.1 of | |||
| RFC 3986 unless otherwise specified by the application. | RFC 3986 unless otherwise specified by the application. | |||
| -05 | -05 | |||
| o Changed title from "JSON Web Token (JWT) Bearer Token Profiles for | o Changed title from "JSON Web Token (JWT) Bearer Token Profiles for | |||
| OAuth 2.0" to "JSON Web Token (JWT) Profile for OAuth 2.0 Client | OAuth 2.0" to "JSON Web Token (JWT) Profile for OAuth 2.0 Client | |||
| Authentication and Authorization Grants" to be more explicit about | Authentication and Authorization Grants" to be more explicit about | |||
| the scope of the document per http://www.ietf.org/mail-archive/web | the scope of the document per http://www.ietf.org/mail- | |||
| /oauth/current/msg11063.html. | archive/web/oauth/current/msg11063.html. | |||
| o Numbered the list of processing rules. | o Numbered the list of processing rules. | |||
| o Smallish editorial cleanups to try and improve readability and | o Smallish editorial cleanups to try and improve readability and | |||
| comprehensibility. | comprehensibility. | |||
| o Cleaner split out of the processing rules in cases where they | o Cleaner split out of the processing rules in cases where they | |||
| differ for client authentication and authorization grants. | differ for client authentication and authorization grants. | |||
| o Clarified the parameters that are used/available for authorization | o Clarified the parameters that are used/available for authorization | |||
| End of changes. 23 change blocks. | ||||
| 38 lines changed or deleted | 61 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||