| < draft-ietf-oauth-jwt-bcp-02.txt | draft-ietf-oauth-jwt-bcp-03.txt > | |||
|---|---|---|---|---|
| OAuth Working Group Y. Sheffer | OAuth Working Group Y. Sheffer | |||
| Internet-Draft Intuit | Internet-Draft Intuit | |||
| Intended status: Best Current Practice D. Hardt | Intended status: Best Current Practice D. Hardt | |||
| Expires: November 3, 2018 Amazon | Expires: November 9, 2018 Amazon | |||
| M. Jones | M. Jones | |||
| Microsoft | Microsoft | |||
| May 02, 2018 | May 08, 2018 | |||
| JSON Web Token Best Current Practices | JSON Web Token Best Current Practices | |||
| draft-ietf-oauth-jwt-bcp-02 | draft-ietf-oauth-jwt-bcp-03 | |||
| Abstract | Abstract | |||
| JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security | JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security | |||
| tokens that contain a set of claims that can be signed and/or | tokens that contain a set of claims that can be signed and/or | |||
| encrypted. JWTs are being widely used and deployed as a simple | encrypted. JWTs are being widely used and deployed as a simple | |||
| security token format in numerous protocols and applications, both in | security token format in numerous protocols and applications, both in | |||
| the area of digital identity, and in other application areas. The | the area of digital identity, and in other application areas. The | |||
| goal of this Best Current Practices document is to provide actionable | goal of this Best Current Practices document is to provide actionable | |||
| guidance leading to secure implementation and deployment of JWTs. | guidance leading to secure implementation and deployment of JWTs. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 3, 2018. | This Internet-Draft will expire on November 9, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| skipping to change at page 2, line 40 ¶ | skipping to change at page 2, line 40 ¶ | |||
| 3.7. Use UTF-8 . . . . . . . . . . . . . . . . . . . . . . . . 8 | 3.7. Use UTF-8 . . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 3.8. Validate Issuer and Subject . . . . . . . . . . . . . . . 8 | 3.8. Validate Issuer and Subject . . . . . . . . . . . . . . . 8 | |||
| 3.9. Use and Validate Audience . . . . . . . . . . . . . . . . 8 | 3.9. Use and Validate Audience . . . . . . . . . . . . . . . . 8 | |||
| 3.10. Do Not Trust Received Claims . . . . . . . . . . . . . . 8 | 3.10. Do Not Trust Received Claims . . . . . . . . . . . . . . 8 | |||
| 3.11. Use Explicit Typing . . . . . . . . . . . . . . . . . . . 9 | 3.11. Use Explicit Typing . . . . . . . . . . . . . . . . . . . 9 | |||
| 3.12. Use Mutually Exclusive Validation Rules for Different | 3.12. Use Mutually Exclusive Validation Rules for Different | |||
| Kinds of JWTs . . . . . . . . . . . . . . . . . . . . . . 9 | Kinds of JWTs . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 10 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 | 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 7.1. Normative References . . . . . . . . . . . . . . . . . . 11 | 7.1. Normative References . . . . . . . . . . . . . . . . . . 11 | |||
| 7.2. Informative References . . . . . . . . . . . . . . . . . 11 | 7.2. Informative References . . . . . . . . . . . . . . . . . 11 | |||
| Appendix A. Document History . . . . . . . . . . . . . . . . . . 13 | Appendix A. Document History . . . . . . . . . . . . . . . . . . 13 | |||
| A.1. draft-ietf-oauth-jwt-bcp-02 . . . . . . . . . . . . . . . 13 | A.1. draft-ietf-oauth-jwt-bcp-03 . . . . . . . . . . . . . . . 13 | |||
| A.2. draft-ietf-oauth-jwt-bcp-01 . . . . . . . . . . . . . . . 13 | A.2. draft-ietf-oauth-jwt-bcp-02 . . . . . . . . . . . . . . . 13 | |||
| A.3. draft-ietf-oauth-jwt-bcp-00 . . . . . . . . . . . . . . . 13 | A.3. draft-ietf-oauth-jwt-bcp-01 . . . . . . . . . . . . . . . 13 | |||
| A.4. draft-sheffer-oauth-jwt-bcp-01 . . . . . . . . . . . . . 13 | A.4. draft-ietf-oauth-jwt-bcp-00 . . . . . . . . . . . . . . . 13 | |||
| A.5. draft-sheffer-oauth-jwt-bcp-00 . . . . . . . . . . . . . 13 | A.5. draft-sheffer-oauth-jwt-bcp-01 . . . . . . . . . . . . . 13 | |||
| A.6. draft-sheffer-oauth-jwt-bcp-00 . . . . . . . . . . . . . 13 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 1. Introduction | 1. Introduction | |||
| JSON Web Tokens, also known as JWTs [RFC7519], are URL-safe JSON- | JSON Web Tokens, also known as JWTs [RFC7519], are URL-safe JSON- | |||
| based security tokens that contain a set of claims that can be signed | based security tokens that contain a set of claims that can be signed | |||
| and/or encrypted. The JWT specification has seen rapid adoption | and/or encrypted. The JWT specification has seen rapid adoption | |||
| because it encapsulates security-relevant information in one, easy to | because it encapsulates security-relevant information in one, easy to | |||
| protect location, and because it is easy to implement using widely- | protect location, and because it is easy to implement using widely- | |||
| available tools. One application area in which JWTs are commonly | available tools. One application area in which JWTs are commonly | |||
| skipping to change at page 10, line 43 ¶ | skipping to change at page 10, line 43 ¶ | |||
| This entire document is about security considerations when | This entire document is about security considerations when | |||
| implementing and deploying JSON Web Tokens. | implementing and deploying JSON Web Tokens. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document requires no IANA actions. | This document requires no IANA actions. | |||
| 6. Acknowledgements | 6. Acknowledgements | |||
| Thanks to Antonio Sanso for bringing the "ECDH-ES" invalid point | Thanks to Antonio Sanso for bringing the "ECDH-ES" invalid point | |||
| attack to the attention of JWE and JWT implementers. Thanks to Nat | attack to the attention of JWE and JWT implementers. Tim McLean | |||
| Sakimura for advocating the use of explicit typing. Thanks to Neil | published the RSA/HMAC confusion attack. Thanks to Nat Sakimura for | |||
| Madden for his numerous comments, and to Carsten Bormann for his | advocating the use of explicit typing. Thanks to Neil Madden for his | |||
| review. | numerous comments, and to Carsten Bormann and Brian Campbell for | |||
| their reviews. | ||||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | DOI 10.17487/RFC2119, March 1997, | |||
| editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | [RFC6979] Pornin, T., "Deterministic Usage of the Digital Signature | |||
| Algorithm (DSA) and Elliptic Curve Digital Signature | Algorithm (DSA) and Elliptic Curve Digital Signature | |||
| Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979, August | |||
| 2013, <https://www.rfc-editor.org/info/rfc6979>. | 2013, <https://www.rfc-editor.org/info/rfc6979>. | |||
| [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web | |||
| Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May | |||
| 2015, <https://www.rfc-editor.org/info/rfc7515>. | 2015, <https://www.rfc-editor.org/info/rfc7515>. | |||
| [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | |||
| RFC 7516, DOI 10.17487/RFC7516, May 2015, | RFC 7516, DOI 10.17487/RFC7516, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7516>. | <https://www.rfc-editor.org/info/rfc7516>. | |||
| [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, | [RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, | |||
| DOI 10.17487/RFC7518, May 2015, <https://www.rfc- | DOI 10.17487/RFC7518, May 2015, | |||
| editor.org/info/rfc7518>. | <https://www.rfc-editor.org/info/rfc7518>. | |||
| [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, | |||
| <https://www.rfc-editor.org/info/rfc7519>. | <https://www.rfc-editor.org/info/rfc7519>. | |||
| [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data | |||
| Interchange Format", STD 90, RFC 8259, | Interchange Format", STD 90, RFC 8259, | |||
| DOI 10.17487/RFC8259, December 2017, <https://www.rfc- | DOI 10.17487/RFC8259, December 2017, | |||
| editor.org/info/rfc8259>. | <https://www.rfc-editor.org/info/rfc8259>. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [I-D.ietf-oauth-discovery] | [I-D.ietf-oauth-discovery] | |||
| Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 | Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 | |||
| Authorization Server Metadata", draft-ietf-oauth- | Authorization Server Metadata", draft-ietf-oauth- | |||
| discovery-10 (work in progress), March 2018. | discovery-10 (work in progress), March 2018. | |||
| [I-D.ietf-secevent-token] | [I-D.ietf-secevent-token] | |||
| Hunt, P., Jones, M., Denniss, W., and M. Ansari, "Security | Hunt, P., Jones, M., Denniss, W., and M. Ansari, "Security | |||
| skipping to change at page 12, line 29 ¶ | skipping to change at page 12, line 29 ¶ | |||
| [OpenID.Core] | [OpenID.Core] | |||
| Sakimura, N., Bradley, J., Jones, M., Medeiros, B., and C. | Sakimura, N., Bradley, J., Jones, M., Medeiros, B., and C. | |||
| Mortimore, "OpenID Connect Core 1.0", November 2014, | Mortimore, "OpenID Connect Core 1.0", November 2014, | |||
| <http://openid.net/specs/openid-connect-core-1_0.html>. | <http://openid.net/specs/openid-connect-core-1_0.html>. | |||
| [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", | |||
| RFC 6749, DOI 10.17487/RFC6749, October 2012, | RFC 6749, DOI 10.17487/RFC6749, October 2012, | |||
| <https://www.rfc-editor.org/info/rfc6749>. | <https://www.rfc-editor.org/info/rfc6749>. | |||
| [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, | [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, | |||
| DOI 10.17487/RFC7517, May 2015, <https://www.rfc- | DOI 10.17487/RFC7517, May 2015, | |||
| editor.org/info/rfc7517>. | <https://www.rfc-editor.org/info/rfc7517>. | |||
| [Sanso] Sanso, A., "Critical Vulnerability Uncovered in JSON | [Sanso] Sanso, A., "Critical Vulnerability Uncovered in JSON | |||
| Encryption", March 2017, | Encryption", March 2017, | |||
| <https://blogs.adobe.com/security/2017/03/critical- | <https://blogs.adobe.com/security/2017/03/ | |||
| vulnerability-uncovered-in-json-encryption.html>. | critical-vulnerability-uncovered-in-json-encryption.html>. | |||
| [Valenta] Valenta, L., Sullivan, N., Sanso, A., and N. Heninger, "In | [Valenta] Valenta, L., Sullivan, N., Sanso, A., and N. Heninger, "In | |||
| search of CurveSwap: Measuring elliptic curve | search of CurveSwap: Measuring elliptic curve | |||
| implementations in the wild", March 2018, | implementations in the wild", March 2018, | |||
| <https://ia.cr/2018/298>. | <https://ia.cr/2018/298>. | |||
| Appendix A. Document History | Appendix A. Document History | |||
| [[ to be removed by the RFC editor before publication as an RFC ]] | [[ to be removed by the RFC editor before publication as an RFC ]] | |||
| A.1. draft-ietf-oauth-jwt-bcp-02 | A.1. draft-ietf-oauth-jwt-bcp-03 | |||
| - Acknowledgements. | ||||
| A.2. draft-ietf-oauth-jwt-bcp-02 | ||||
| - Implemented WGLC feedback. | - Implemented WGLC feedback. | |||
| A.2. draft-ietf-oauth-jwt-bcp-01 | A.3. draft-ietf-oauth-jwt-bcp-01 | |||
| - Feedback from Brian Campbell. | - Feedback from Brian Campbell. | |||
| A.3. draft-ietf-oauth-jwt-bcp-00 | A.4. draft-ietf-oauth-jwt-bcp-00 | |||
| - Initial WG draft. No change from the latest individual version. | - Initial WG draft. No change from the latest individual version. | |||
| A.4. draft-sheffer-oauth-jwt-bcp-01 | A.5. draft-sheffer-oauth-jwt-bcp-01 | |||
| - Added explicit typing. | - Added explicit typing. | |||
| A.5. draft-sheffer-oauth-jwt-bcp-00 | A.6. draft-sheffer-oauth-jwt-bcp-00 | |||
| - Initial version. | - Initial version. | |||
| Authors' Addresses | Authors' Addresses | |||
| Yaron Sheffer | Yaron Sheffer | |||
| Intuit | Intuit | |||
| EMail: yaronf.ietf@gmail.com | EMail: yaronf.ietf@gmail.com | |||
| End of changes. 20 change blocks. | ||||
| 31 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||