idnits 2.17.1 draft-yusef-oauth-nested-jwt-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document doesn't use any RFC 2119 keywords, yet seems to have RFC 2119 boilerplate text. == The document seems to contain a disclaimer for pre-RFC5378 work, but was first submitted on or after 10 November 2008. The disclaimer is usually necessary only for documents that revise or obsolete older RFCs, and that take significant amounts of text from those RFCs. If you can contact all authors of the source material and they are willing to grant the BCP78 rights to the IETF Trust, you can and should remove the disclaimer. Otherwise, the disclaimer is needed and you can ignore this comment. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 10, 2021) is 1142 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'NSM' is mentioned on line 172, but not defined Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 OAuth Working Group R. Shekh-Yusef 3 Internet-Draft Auth0 4 Intended status: Standards Track March 10, 2021 5 Expires: September 11, 2021 7 Multi-Subject JSON Web Token (JWT) 8 draft-yusef-oauth-nested-jwt-04 10 Abstract 12 This specification defines a mechanism for including multiple 13 subjects in a JWT. A primary subject in an enclosing JWT with its 14 own claims, and a related subject in a nested JWT with its own 15 claims. 17 Status of This Memo 19 This Internet-Draft is submitted in full conformance with the 20 provisions of BCP 78 and BCP 79. 22 Internet-Drafts are working documents of the Internet Engineering 23 Task Force (IETF). Note that other groups may also distribute 24 working documents as Internet-Drafts. The list of current Internet- 25 Drafts is at https://datatracker.ietf.org/drafts/current/. 27 Internet-Drafts are draft documents valid for a maximum of six months 28 and may be updated, replaced, or obsoleted by other documents at any 29 time. It is inappropriate to use Internet-Drafts as reference 30 material or to cite them other than as "work in progress." 32 This Internet-Draft will expire on September 11, 2021. 34 Copyright Notice 36 Copyright (c) 2021 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents 41 (https://trustee.ietf.org/license-info) in effect on the date of 42 publication of this document. Please review these documents 43 carefully, as they describe your rights and restrictions with respect 44 to this document. Code Components extracted from this document must 45 include Simplified BSD License text as described in Section 4.e of 46 the Trust Legal Provisions and are provided without warranty as 47 described in the Simplified BSD License. 49 This document may contain material from IETF Documents or IETF 50 Contributions published or made publicly available before November 51 10, 2008. The person(s) controlling the copyright in some of this 52 material may not have granted the IETF Trust the right to allow 53 modifications of such material outside the IETF Standards Process. 54 Without obtaining an adequate license from the person(s) controlling 55 the copyright in such materials, this document may not be modified 56 outside the IETF Standards Process, and derivative works of it may 57 not be created outside the IETF Standards Process, except to format 58 it for publication as an RFC or to translate it into languages other 59 than English. 61 Table of Contents 63 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 64 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 65 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 3 66 2.1. Primary Subject with Secondary Authority Subject . . . . 3 67 2.2. Multiple Primary Subjects . . . . . . . . . . . . . . . . 3 68 2.3. Delegation of Authority . . . . . . . . . . . . . . . . . 3 69 2.4. Replaced Primary Subjects . . . . . . . . . . . . . . . . 4 70 2.4.1. STIR . . . . . . . . . . . . . . . . . . . . . . . . 4 71 2.4.2. Network Service Mesh (NSM) . . . . . . . . . . . . . 4 72 3. JWT Content . . . . . . . . . . . . . . . . . . . . . . . . . 4 73 4. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 74 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 75 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 76 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 77 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 78 8.1. Normative References . . . . . . . . . . . . . . . . . . 5 79 8.2. Informative References . . . . . . . . . . . . . . . . . 6 80 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 82 1. Introduction 84 JSON Web Token (JWT) [RFC7519] is a mechanism that is used to 85 transfer claims between two parties across security domains. Nested 86 JWT is a JWT in which the payload is another JWT. The current 87 specification does not define a means by which the enclosing JWT 88 could have its own Claims Set, only the enclosed JWT would have 89 claims. 91 There are a number of use cases where there is a need to represent 92 multiple related subjects in one JWT; a primary subject and a related 93 secondary subject. 95 This specification defines a mechanism for including multiple 96 subjects in a JWT. A primary subject in an enclosing JWT with its 97 own claims, and a related subject in a nested JWT with its own 98 claims. 100 1.1. Terminology 102 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 103 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 104 document are to be interpreted as described in [RFC8174]. 106 2. Use Cases 108 The following are few categories of use cases that might benefit from 109 such a concept: 111 2.1. Primary Subject with Secondary Authority Subject 113 A primary subject with a related secondary subject that has authority 114 over the primary subject, e.g. Child/Parent, Pet/Owner. 116 The secondary user (e.g., parent) logs in to an application (e.g., 117 pharmacy application), gets redirected to the authorization server, 118 authenticates, and asks for permission to access resources (e.g., 119 medication) for the primary subject (e.g., child). The authorization 120 server then issues a JWT with the primary subject in the enclosing 121 JWT and the secondary subject in the nested JWT. 123 In this case, both JWTs are issued by the same issuer. 125 2.2. Multiple Primary Subjects 127 Two or more primary related subjects e.g. a married couple. The 128 authorization server is setup to provide one of the subjects with 129 permissions to access the other related subject resources. 131 One user (e.g., wife) logs in to a application (e.g., pharmacy 132 application), gets redirected to the authorization server, 133 authenticates, and asks for permission to access resources (e.g., 134 medication) for the other primary subject (e.g., husband). The 135 authorization server then issues a JWT with the primary subject in 136 the enclosing JWT and the other primary subject in the nested JWT. 138 In this case, both JWTs are issued by the same issuer. 140 2.3. Delegation of Authority 142 A primary subject delegates authority over a resource to a secondary 143 subject who acts on behalf of the primary subject, as defined in 144 [RFC8693]. 146 In this case, both JWTs are issued by the same issuer. 148 2.4. Replaced Primary Subjects 150 A primary subject is replaced with a new primary subject, and the 151 original primary subject included in the new issued JWT as a nested 152 JWT. 154 2.4.1. STIR 156 [RFC8225] defines a PASSporT, which is a JWT, that is used to verify 157 the identity of a caller in an incoming call. 159 The PASSporT Extension for Diverted Calls draft [STIR] uses a nested 160 PASSporT to deliver the details of an incoming call that get 161 redirected. An authentication service acting for a retargeting 162 entity generates new PASSporT and embeds the original PASSporT inside 163 the new one. When the new target receives the nested PASSporT it 164 will be able to validate the enclosing PASSporT and use the details 165 of the enclosed PASSporT to identify the origianl target. 167 In this case, the original JWT is issued by the calling service, and 168 the new enclosing JWT is issued by the retargeting service. 170 2.4.2. Network Service Mesh (NSM) 172 Network Service Mesh [NSM] is a mechanism that maps the concept of a 173 service mesh in Kubernetes to L2/L3 payloads. 175 NSM GRPS messages may pass throught multiple intermediaries, each of 176 which may transform the message. Each intermediary is expected to 177 create its own JWT token, and include a claim that conains the JWT it 178 received with the message it has transformed. 180 In this case, the original JWT is issued by the entity sending the 181 initial message, and the new enclosing JWT is issued by the 182 intermediate entity. 184 3. JWT Content 186 The payload of the enclosing JWT is JSON object that contains the 187 Claims Set of the primary subject, and one new claim that is used to 188 hold the enclosed JWT and its relation to the primary subject. 190 This document defines a new claim, "rsub" (Related Subject) Claim, 191 that is used to contain the enclosed JWT and its relation to the 192 primary subject. 194 4. Example 196 { 197 "alg": "HS256", 198 "typ": "JWT", 199 } 201 { 202 "sub": "1234567890", 203 "name": "John Doe", 204 "iat": 1516239022, 205 "rsub": { 206 "rel" : urn:ietf:params:oauth:subject-type:authority | 207 urn:ietf:params:oauth:subject-type:primary | 208 urn:ietf:params:oauth:subject-type:actor | 209 urn:ietf:params:oauth:subject-type:original 210 "jwt" : "" 211 } 212 } 214 5. Security Considerations 216 TODO 218 6. IANA Considerations 220 TODO 222 7. Acknowledgments 224 TODO 226 8. References 228 8.1. Normative References 230 [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token 231 (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, 232 . 234 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 235 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 236 May 2017, . 238 8.2. Informative References 240 [RFC8225] Wendt, C. and J. Peterson, "PASSporT: Personal Assertion 241 Token", RFC 8225, DOI 10.17487/RFC8225, February 2018, 242 . 244 [RFC8693] Jpnes, M., Nadalin, A., Campbell, B., Bradley, J., and C. 245 Mortimore, "OAuth 2.0 Token Exchange", October 2018. 247 [STIR] Peterson, J., "PASSporT Extension for Diverted Calls", 248 October 2018. 250 Author's Address 252 Rifaat Shekh-Yusef 253 Auth0 254 Ottawa, Ontario, Canada 256 Email: rifaat.s.ietf@gmail.com