Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

self-contained token - cover sub claim #2406

Closed
elarlang opened this issue Nov 24, 2024 · 2 comments
Closed

self-contained token - cover sub claim #2406

elarlang opened this issue Nov 24, 2024 · 2 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V3 V51 Group issues related to OAuth _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@elarlang
Copy link
Collaborator

elarlang commented Nov 24, 2024
edited
Loading

Spin-off from #1967, Post by TobiasAhnoff from #1967 (comment):

As far as I can tell this is all covered by other 3.5 requirements, except for 'sub', which covered by

2.11.1

Verify that, if the application supports multiple identity providers (IDPs), the user's identity cannot be spoofed via another supported identity provider (eg. by using the same user identifier). Usually, the application should register and identify the user using a combination of the IdP ID (serving as a namespace) and the user's ID in the IDP.

51.4.4

Verify that if an access control decision requires identifying a unique user from an access token (JWT or related token introspection response), the resource server identifies the user from claims that can not be reassigned to other users. Typically it means using a combination of 'iss' and 'sub' claims.

Perhaps it would make sense to have a requirement in 3.5 for "sub", perhaps change 3.5.6 to only address "sub"?
(this is from https://www.rfc-editor.org/rfc/rfc8725.html#section-3.8)

Verify that the consumers identity (subject) cannot be spoofed via another trusted issuer (eg. by using the same user identifier). For a JWT, if it contains a 'sub' claim, the application must validate that the subject value corresponds to a valid subject and/or issuer-subject pair at the application.

This is basically the same as 2.11.1, but 2.11.1 is focused on IdP and users (not users and clients, consumers) and 51.4.4 has OAuth details, so maybe all three are needed?
@elarlang
Copy link
Collaborator Author

Is there actual difference between proposed requirement for sub and current 2.11.1?

@elarlang elarlang mentioned this issue Nov 24, 2024
Closed
@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements labels Nov 24, 2024
@elarlang elarlang added V3 V51 Group issues related to OAuth and removed V5 Temporary label for grouping input validation, sanitization, encoding, escaping related requirements labels Nov 25, 2024
@elarlang elarlang changed the title stateless token - cover sub claim self-contained token - cover sub claim Nov 25, 2024
@elarlang
Copy link
Collaborator Author

The context for current V3.5 section is "validate the token before further usage". The sub claim in this context is not usually the information based on that you can say, that this token is not valid - this decision comes later, e. g. when enforcing authorization decisions.

So current decision is, we don't create a new requirement into V3.5, the sub claim will be mentioned in V51.4.3 (#2183).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet V3 V51 Group issues related to OAuth _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tghosth @elarlang