idnits 2.17.1 draft-yusef-oauth-nested-jwt-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (September 10, 2019) is 1683 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 OAuth Working Group R. Shekh-Yusef 3 Internet-Draft Avaya 4 Intended status: Standards Track September 10, 2019 5 Expires: March 13, 2020 7 Nested JSON Web Token (JWT) 8 draft-yusef-oauth-nested-jwt-03 10 Abstract 12 This specification extends the scope of the Nested JSON Web Token 13 (JWT) to allow the enclosing JWT to contain its own Claims Set in 14 addition to the enclosed JWT. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at https://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on March 13, 2020. 33 Copyright Notice 35 Copyright (c) 2019 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (https://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 This document may contain material from IETF Documents or IETF 49 Contributions published or made publicly available before November 50 10, 2008. The person(s) controlling the copyright in some of this 51 material may not have granted the IETF Trust the right to allow 52 modifications of such material outside the IETF Standards Process. 53 Without obtaining an adequate license from the person(s) controlling 54 the copyright in such materials, this document may not be modified 55 outside the IETF Standards Process, and derivative works of it may 56 not be created outside the IETF Standards Process, except to format 57 it for publication as an RFC or to translate it into languages other 58 than English. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 63 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 64 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 3 65 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 3.1. Native App . . . . . . . . . . . . . . . . . . . . . . . 3 67 3.2. STIR . . . . . . . . . . . . . . . . . . . . . . . . . . 4 68 3.3. Network Service Mesh (NSM) . . . . . . . . . . . . . . . 4 69 4. JWT Content Type Header Parameter . . . . . . . . . . . . . . 4 70 5. JWT Content . . . . . . . . . . . . . . . . . . . . . . . . . 4 71 6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 72 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 73 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 74 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 75 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 76 10.1. Normative References . . . . . . . . . . . . . . . . . . 5 77 10.2. Informative References . . . . . . . . . . . . . . . . . 6 78 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 80 1. Introduction 82 JSON Web Token (JWT) [RFC7519] is a mechanism that is used to 83 transfer claims between two parties across security domains. Nested 84 JWT is a JWT in which the payload is another JWT. The current 85 specification does not define a means by which the enclosing JWT 86 could have its own Claims Set, only the enclosed JWT would have 87 claims. 89 This specification extends the scope of the Nested JWT to allow the 90 enclosing JWT to contain its own Claims Set in addition to the 91 enclosed JWT. 93 1.1. Terminology 95 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 96 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 97 document are to be interpreted as described in [RFC8174]. 99 2. Overview 101 RFC7519 defines Nested JWT as a JWT in which nested signing and/or 102 encryption are employed. In Nested JWTs, a JWT is used as the 103 payload or plaintext value of an enclosing JWS or JWE structure, 104 respectively. 106 To indicate that the payload of an enclosing JWT is yet another JWT, 107 the value of the Content Type Parameter of the JOSE header, i.e. 108 "cty", must be set to "JWT", which means that the enclosing JWT 109 cannot have its own claims. 111 This document updates the enclosing JWT content to allow it to 112 represent a Claims Set and an enclosed JWT, using JSON data 113 structures, and updates the Content Type to indicate this new nested 114 content. 116 3. Use Cases 118 3.1. Native App 120 The use case is for a telephony application that is based on the 121 "Native Apps Using the Browser" flow defined in RFC8252. The Native 122 App needs access to a telephony and non-telephony services that are 123 controlled by different authorization servers, where the Native App 124 can validate tokens issued by only one of these authorization 125 servers. 127 The Native App starts the process by interacting with a Client that 128 requires the user to authenticate itself using a Browser. The 129 Browser starts by contacting an AS, which redirects it to an OP. The 130 user authenticates to the OP and obtains a Code, and then gets 131 redirected back to AS. The Native App gets access to the Code, then 132 sends the Code to the AS, which then interacts with the OP to 133 exchange the Code for an ID Token and OP Access Token. Since the 134 Native App has no way of validating the OP Access Token, when the AS 135 creates an AS Access Token, it embeds the OP Access Token inside the 136 AS Access Token, and returns it back to the Native App. The Native 137 App gets the AS Access Token and is able to validate it and extract 138 the OP Access Token, and access the different services protected with 139 these tokens. 141 3.2. STIR 143 [RFC8225] defines a PASSporT, which is a JWT, that is used to verify 144 the identity of a caller in an incoming call. 146 The PASSporT Extension for Diverted Calls draft [STIR] uses a nested 147 PASSporT to deliver the details of an incoming call that get 148 redirected. An authentication service acting for a retargeting 149 entity generates new PASSporT and embeds the original PASSporT inside 150 the new one. When the new target receives the nested PASSporT it 151 will be able to validate the enclosing PASSporT and use the details 152 of the enclosed PASSporT to identify the origianl target. 154 3.3. Network Service Mesh (NSM) 156 Network Service Mesh [NSM] is a mechanism that maps the concept of a 157 service mesh in Kubernetes to L2/L3 payloads. 159 NSM GRPS messages may pass throught multiple intermediaries, each of 160 which may transform the message. Each intermediary is expected to 161 create its own JWT token, and include a claim that conains the JWT it 162 received with the message it has transformed. 164 4. JWT Content Type Header Parameter 166 The JOSE Header contains an optional parameter that could be used to 167 indicate the type of the payload of a JWT. With a typical Nested 168 JWT, the value of the "cty" header must be "JWT". To indicate that 169 the payload contains a Claims Set in addition to the JWT, the value 170 of the "cty" header must be "NJWT". 172 5. JWT Content 174 The payload of the enclosing JWT is JSON object that contains the 175 Claims Set, and one new claim that is used to hold the enclosed JWT. 177 This document defines a new claim, "njwt", that is used to contain 178 the enclosed JWT. 180 6. Example 182 { 183 "alg": "HS256", 184 "typ": "JWT", 185 "cty": "NJWT" 186 } 188 { 189 "sub": "1234567890", 190 "name": "John Doe", 191 "iat": 1516239022, 192 "njwt": "" 193 } 195 7. Security Considerations 197 TODO 199 8. IANA Considerations 201 TODO 203 9. Acknowledgments 205 TODO 207 10. References 209 10.1. Normative References 211 [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token 212 (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, 213 . 215 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 216 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 217 May 2017, . 219 10.2. Informative References 221 [NSM] "Network Service Mesh (NSM), 222 https://networkservicemesh.io". 224 [RFC8225] Wendt, C. and J. Peterson, "PASSporT: Personal Assertion 225 Token", RFC 8225, DOI 10.17487/RFC8225, February 2018, 226 . 228 [STIR] Peterson, J., "PASSporT Extension for Diverted Calls", 229 October 2018. 231 Author's Address 233 Rifaat Shekh-Yusef 234 Avaya 235 425 Legget Drive 236 Ottawa, Ontario 237 Canada 239 Phone: +1-613-595-9106 240 EMail: rifaat.ietf@gmail.com