Understanding JWT Profiles for OAuth2 Access Tokens

Explore the usage of JWT profiles for OAuth2 access tokens, highlighting the benefits, common traits, and why providers are opting for this format. Discover how various products like Auth0, Azure AD, Ping Identity, and more are implementing JWTs for access tokens to facilitate interoperability and ease of validation.

  • JWT Profiles
  • OAuth2
  • Access Tokens
  • Providers
  • Interoperability


Presentation Transcript


  1. A JWT profile for OAuth2 Access Tokens (vittorio@auth0.com, @vibronet)

  2. TL;DR
     • OAuth2 doesn't mandate a format for access tokens.
     • Many AS products are issuing access tokens in JWT format, but everyone does it slightly differently.
     • A JWT profile for ATs would make it possible to create vendor-agnostic SDKs for APIs and make it easier for developers to move their code across vendors.
     • Aspects to specify: mandatory claims for validation; metadata docs for validation info; claims carrying authorization information; optional claims in common use.

  3. Agenda
     • Analysis of JWT use in ATs issued by production services today
     • Draft proposal of a JWT-as-AT profile

  4. ATs as JWTs in the wild

  5. Why are providers using JWT for ATs? Format-based validation is a well-proven approach:
     • Performant: no extra network traffic, no bottlenecks
     • Resilient: no throttling, not sensitive to network issues, not sensitive to AS outages
     • Easy troubleshooting
     • Easy setup, ubiquitous validation SDKs
     • Easy extensibility (custom claims etc.)

  6. Products considered: Auth0, Azure AD, Ping Identity, IdentityServer, OKTA, AWS. Thanks to Daniel Dobalian, Brian Campbell, Dominick Bauer and Karl Guinness for providing sample ATs in JWT format.

  7. Common traits
     • Nearly everyone uses the id_token/introspection infrastructural claims
     • Nearly everyone uses OIDC discovery to advertise the issuer and signing keys
     • Different claim types for scopes
     • Wide gamut of additional identity, client & auth info, and authorization claims

  8. Claims by functional area (columns: id_token | Auth0 | Azure AD | PingIdentity | IdentityServer | AWS | OKTA | Profile)
     Validation:    iss aud exp iat nonce auth_time | iss aud exp iat | iss aud exp iat nbf | iss exp jti [aud] | iss aud nbf exp auth_time | iss iat exp auth_time | iss aud iat exp | iss aud exp iat jti auth_time
     Identity:      sub (and lots more) | sub <any> | sub name preferred_username oid ipaddr unique_name | sub email uid [sub] | sub | username | sub cid uid | sub
     Authorization: N/A | scope | roles scp groups | scope memberOf | scope | scope | scp | scope ?roles, groups
     Context/misc:  azp acr amr | azp gty | aio app_displayname appid idp tid uti ver xms_tcdt --- azp azpacr | idpid client_id | client_id idp amr | token_use ver client_id |  | acr amr ?idp ?azpacr

  9. A profile for ATs as JWT

  10. ATs as JWT proposal: summary
     • ATs are JWTs signed with RS256 (or any other asymmetric algorithm)
     • Strongly typed to ensure they are not interchangeable with id_tokens: typ=access_token+jwt
     • Validation coordinates (issuer, signature check keys) published via OIDC discovery and/or AS metadata (RFC 8414)
     • (More or less) the same validation rules as id_token in OIDC Core, but ensuring a strong type check, disallowing nonce, etc.
     • Mandatory + optional claims layout
     Thanks to Brian Campbell and Filip Skokan for early feedback and valuable insights.

  11. ATs as JWT claims layout (functional area: claim (origin); bold == mandatory in the original slide, a marking this transcript does not preserve)
     Validation:    iss, exp, iat, auth_time (as for id_token in OIDC Core, introspection); aud (Resource Indicators); jti (RFC 7519 JWT)
     Identity:      sub (RFC 7519 JWT); <OIDC profile claims> (as for id_token in OIDC Core)
     Authorization: scope (from Token Exchange); groups, roles, entitlements (RFC 7643, SCIM)
     Context/misc:  client_id (from Token Exchange); acr, amr (as for id_token in OIDC Core); azpacr (<new?>); idp (<new?> OIDC Federation?)
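An added example, not part of the deck or of any vendor's SDK: a Python validator that applies the slide-10 rules to a decoded token (strong typ check, mandatory claims, nonce rejected, issuer, audience and time checks) using the claim layout of slide 11. It assumes the RS256 signature has already been verified with the keys published via discovery, assumes the mandatory set is iss, aud, exp, iat and sub (the slide's bold marking did not survive), and uses the typ value the deck proposes (the published RFC 9068 later registered at+jwt instead); sample claims are constructed from the Auth0 token on slide 13.

```python
import base64
import json
import time

PROFILE_TYP = "access_token+jwt"   # slide-10 value; RFC 9068 later registered "at+jwt" instead
REQUIRED_CLAIMS = ("iss", "aud", "exp", "iat", "sub")   # assumed: the slide's bold marks were lost

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()

def split_jwt(token):
    """Decode header and claims only; RS256 verification against the discovery/RFC 8414 keys must come first."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))

def validate_at_claims(header, claims, expected_iss, expected_aud, now=None, leeway=60):
    """Apply the slide-10 rules to a signature-verified token; [] means acceptable."""
    now = time.time() if now is None else now
    errors = []
    if header.get("typ") != PROFILE_TYP:   # strong type check: an id_token must not pass as an AT
        errors.append(f"typ is {header.get('typ')!r}, not {PROFILE_TYP!r}")
    errors += [f"missing mandatory claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if "nonce" in claims:                  # nonce is an id_token claim, disallowed in an AT
        errors.append("nonce present: id_token-style claims are not allowed in an AT")
    if claims.get("iss") != expected_iss:
        errors.append("issuer mismatch")
    aud = claims.get("aud", [])            # aud may be a string or a list of resources
    if expected_aud not in ([aud] if isinstance(aud, str) else aud):
        errors.append("audience does not include this resource")
    if "exp" in claims and claims["exp"] <= now - leeway:
        errors.append("token expired")
    if "iat" in claims and claims["iat"] > now + leeway:
        errors.append("issued in the future")
    return errors

# Constructed samples: the Auth0 claims from slide 13 re-minted with the proposed typ, and an
# id_token-shaped token (typ JWT, nonce, client id as aud) presented to the API by mistake.
AT_CLAIMS = {"iss": "https://flosser.auth0.com/", "sub": "auth0|5ba552d674717b20e52f56cd",
             "aud": ["https://flosser.com/api/", "https://flosser.auth0.com/userinfo"],
             "iat": 1544558774, "exp": 1544645174, "scope": "openid profile read:reports"}
ID_CLAIMS = {"iss": "https://flosser.auth0.com/", "sub": "auth0|5ba552d674717b20e52f56cd",
             "aud": "xHMI55zgwY0PnaztfSQflbFAwxxHUM8_", "iat": 1544558774, "exp": 1544645174,
             "nonce": "n-0S6_WzA2Mj"}
def mint_unsigned(header, claims):   # test-only: compact form with a placeholder signature
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.placeholder-signature"
def check(token, now=1544600000):
    header, claims = split_jwt(token)
    return validate_at_claims(header, claims, "https://flosser.auth0.com/", "https://flosser.com/api/", now)
```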

  12. Discussion

  13. Auth0 (claims colour-coded on the slide by functional area: Validation, Identity, Authorization, Context)
     {
       "iss": "https://flosser.auth0.com/",
       "sub": "auth0|5ba552d674717b20e52f56cd",
       "aud": ["https://flosser.com/api/", "https://flosser.auth0.com/userinfo"],
       "iat": 1544558774,
       "exp": 1544645174,
       "azp": "xHMI55zgwY0PnaztfSQflbFAwxxHUM8_",
       "scope": "openid profile email read:reports read:appointments offline_access"
     }
     {
       "iss": "https://flosser.auth0.com/",
       "sub": "uNkUAIDPx1zgXfuodmR7CNHutYWPZ96L@clients",
       "aud": "https://flosser.auth0.com/api/v2/",
       "iat": 1537798395,
       "exp": 1537884795,
       "azp": "uNkUAIDPx1zgXfuodmR7CNHutYWPZ96L",
       "scope": "read:users",
       "gty": "client-credentials"
     }

  14. Azure AD
     {
       "aud": "6e74172b-be56-4843-9ff4-e66a39bb12e3",
       "iss": "https://login.microsoftonline.com/72f988bf-86f1-41af-91ab-2d7cd011db47/v2.0",
       "iat": 1537231048,
       "nbf": 1537231048,
       "exp": 1537234948,
       "aio": "AXQAi/8IAAAAtAaZLo3ChMif6KOnttRB7eBq4/DccQzjcJGxPYy/C3jDaNGxXd6wNIIVGRghNRnwJ1lOcAnNZcjvkoyrFxCttv33140RioOFJ4bCCGVuoCag1uOTT22222gHwLPYQ/uf79QX+0KIijdrmp69RctzmQ==",
       "azp": "6e74172b-be56-4843-9ff4-e66a39bb12e3",
       "azpacr": "0",
       "name": "Abe Lincoln",
       "oid": "690222be-ff1a-4d56-abd1-7e4f7d38e474",
       "preferred_username": "abeli@microsoft.com",
       "rh": "I",
       "scp": "access_as_user",
       "sub": "HKZpfaHyWadeOouYlitjrI-KffTm222X5rrV3xDqfKQ",
       "tid": "72f988bf-86f1-41af-91ab-2d7cd011db47",
       "uti": "fqiBqXLPj0eQa82S-IYFAA",
       "ver": "2.0"
     }
     {
       "aud": "https://graph.microsoft.com",
       "iss": "https://sts.windows.net/26039cce-489d-4002-8293-5b0c5134eacb/",
       "iat": 1551922140,
       "nbf": 1551922140,
       "exp": 1551965640,
       "aio": "42JgYNilxTPr/L1HxVu+ZvTnmZWBQA=",
       "app_displayname": "TestSecVuln",
       "appid": "50ddfc06-811f-4fcf-85c9-e7febdfd7885",
       "appidacr": "1",
       "idp": "https://sts.windows.net/26039cce-489d-4002-8293-5b0c5134eacb/",
       "oid": "83820349-ca67-44e5-851b-79685d996ba2",
       "roles": ["User.Read.All"],
       "sub": "83820349-ca67-44e5-851b-79685d996ba2",
       "tid": "26039cce-489d-4002-8293-5b0c5134eacb",
       "uti": "XHWCcMtGeE-u_E-Dv1IOAA",
       "ver": "1.0",
       "xms_tcdt": 1467231125
     }

  15. PingIdentity
     {
       "sub": "mdorey+adminaudit@pingidentity.com",
       "idpid": "24ad9bc6-a69f-4498-a9be-258126beaa6f",
       "scope": "openid",
       "iss": "https://test-sso.connect.pingidentity.com/cdd237bb-3404-4ad4-90eb-d2e252808037",
       "memberOf": [
         "Domain Administrators@directory",
         "Users@directory",
         "PINGONE.CLOUD.DIRECTORY.GROUP.UI.ENTITLEMENT.OKRGSKYHXRGFKJGBNOGIKRSAZZQJNYFCMKHFULMJPTFRBI"
       ],
       "exp": 1533832421,
       "jti": "IDa57ef23fb8909d45100882a89d29d56cfdf981fc6d7fe2c602000001651f895ea0",
       "client_id": "cdd237bb-3404-4ad4-90eb-d2e252808037"
     }
     {
       "scope": "sure:whatever ok:fine",
       "client_id": "bdc",
       "iss": "https://pfdev.ping-eng.com",
       "aud": "urn:some:api",
       "sub": "test",
       "uid": "2d425f77",
       "rtttl": 2147483647,
       "email": "test@example.com",
       "exp": 1551382159
     }

  16. IdentityServer
     {
       "nbf": 1551775904,
       "exp": 1551779504,
       "iss": "http://localhost:5000",
       "aud": ["http://localhost:5000/resources", "api1"],
       "client_id": "mvc.hybrid",
       "sub": "88421113",
       "auth_time": 1551775899,
       "idp": "local",
       "scope": ["openid", "profile", "email", "api1", "offline_access"],
       "amr": ["pwd"]
     }
     {
       "nbf": 1551775833,
       "exp": 1551779433,
       "iss": "http://localhost:5000",
       "aud": ["http://localhost:5000/resources", "api1"],
       "client_id": "client",
       "scope": ["api1"]
     }

  17. OKTA
     {
       "ver": 1,
       "jti": "AT.0mP4JKAZX1iACIT4vbEDF7LpvDVjxypPMf0D7uX39RE",
       "iss": "https://okta.okta.com/oauth2/0oacqf8qaJw56czJi0g4",
       "aud": "https://api.example.com",
       "sub": "00ujmkLgagxeRrAg20g3",
       "iat": 1467145094,
       "exp": 1467148694,
       "cid": "nmdP1fcyvdVO11AL7ECm",
       "uid": "00ujmkLgagxeRrAg20g3",
       "scp": ["openid", "email", "flights", "custom"],
       "custom_claim": "CustomValue"
     }
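An added example (not from the deck) of the interoperability gap slide 7 describes, "different claim types for scopes": a small normaliser that extracts scopes and group-like claims from the differently shaped tokens on slides 13 to 17, using constructed claim sets reduced from those tokens. It assumes scope strings are space-delimited as in RFC 6749, treats roles/groups/memberOf as group-like claims, and is meant to run only after the token itself has been validated.

```python
# Constructed claim sets, reduced to the authorization claims of the tokens on slides 13-17.
SAMPLES = {
    "auth0": {"scope": "openid profile email read:reports read:appointments offline_access"},
    "azure_v2_user": {"scp": "access_as_user"},
    "azure_v1_app": {"roles": ["User.Read.All"]},
    "ping": {"scope": "openid", "memberOf": ["Domain Administrators@directory", "Users@directory"]},
    "identityserver": {"scope": ["openid", "profile", "email", "api1", "offline_access"]},
    "okta": {"scp": ["openid", "email", "flights", "custom"]},
}
SCOPE_CLAIMS = ("scope", "scp")                 # Auth0/Ping/IdentityServer vs Azure AD/OKTA naming
GROUP_CLAIMS = ("roles", "groups", "memberOf")  # Azure AD roles/groups, PingIdentity memberOf

def _as_set(value, claim, split_string):
    """Accept a string or a list of strings; anything else is a malformed token, not a quiet empty set."""
    if value is None:
        return set()
    if isinstance(value, str):
        return set(value.split()) if split_string else {value}
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return set(value)
    raise TypeError(f"{claim}: unexpected type {type(value).__name__}")

def authorization(claims):
    """Normalise scope and group-like claims. Call only on an already-validated token."""
    scopes, groups = set(), set()
    for c in SCOPE_CLAIMS:   # scope strings are space-delimited (RFC 6749); lists are used as-is
        scopes |= _as_set(claims.get(c), c, split_string=True)
    for c in GROUP_CLAIMS:   # group names may contain spaces, so a bare string is one value
        groups |= _as_set(claims.get(c), c, split_string=False)
    return {"scopes": scopes, "groups": groups}

def permits(claims, scope=None, group=None):
    """True when the requested scope and/or group is present in the normalised claims."""
    a = authorization(claims)
    return (scope is None or scope in a["scopes"]) and (group is None or group in a["groups"])
```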
