rfcdiff: draft-ietf-oauth-jwt-bcp-02.txt vs. draft-ietf-oauth-jwt-bcp-03.txt
Where the two versions differ, both readings are given, labelled -02 and -03.

OAuth Working Group                                          Y. Sheffer
Internet-Draft                                                   Intuit
Intended status: Best Current Practice                         D. Hardt
Expires: November 3, 2018 (-02) / November 9, 2018 (-03)         Amazon
                                                               M. Jones
                                                              Microsoft
                                  May 02, 2018 (-02) / May 08, 2018 (-03)

                  JSON Web Token Best Current Practices
        draft-ietf-oauth-jwt-bcp-02 (-02) / draft-ietf-oauth-jwt-bcp-03 (-03)
Abstract

JSON Web Tokens, also known as JWTs, are URL-safe JSON-based security
tokens that contain a set of claims that can be signed and/or
encrypted.  JWTs are being widely used and deployed as a simple
security token format in numerous protocols and applications, both in
the area of digital identity, and in other application areas.  The
goal of this Best Current Practices document is to provide actionable
guidance leading to secure implementation and deployment of JWTs.
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF).  Note that other groups may also distribute
working documents as Internet-Drafts.  The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/ (-02) /
https://datatracker.ietf.org/drafts/current/ (-03).

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on November 3, 2018 (-02) /
November 9, 2018 (-03).
Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors.  All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info (-02) /
https://trustee.ietf.org/license-info (-03)) in effect on the date of
publication of this document.  Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.  Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents

1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
skipping to change at page 2, line 40
3.7.  Use UTF-8  . . . . . . . . . . . . . . . . . . . . . . . . .  8
3.8.  Validate Issuer and Subject  . . . . . . . . . . . . . . . .  8
3.9.  Use and Validate Audience  . . . . . . . . . . . . . . . . .  8
3.10. Do Not Trust Received Claims . . . . . . . . . . . . . . . .  8
3.11. Use Explicit Typing  . . . . . . . . . . . . . . . . . . . .  9
3.12. Use Mutually Exclusive Validation Rules for Different
      Kinds of JWTs  . . . . . . . . . . . . . . . . . . . . . . .  9
4.  Security Considerations  . . . . . . . . . . . . . . . . . . . 10
5.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 10
7.  References . . . . . . . . . . . . . . . . . . . . 10 (-02) / 11 (-03)
7.1.  Normative References . . . . . . . . . . . . . . . . . . . . 11
7.2.  Informative References . . . . . . . . . . . . . . . . . . . 11
Appendix A.  Document History  . . . . . . . . . . . . . . . . . . 13
  -02:
  A.1.  draft-ietf-oauth-jwt-bcp-02  . . . . . . . . . . . . . . . 13
  A.2.  draft-ietf-oauth-jwt-bcp-01  . . . . . . . . . . . . . . . 13
  A.3.  draft-ietf-oauth-jwt-bcp-00  . . . . . . . . . . . . . . . 13
  A.4.  draft-sheffer-oauth-jwt-bcp-01 . . . . . . . . . . . . . . 13
  A.5.  draft-sheffer-oauth-jwt-bcp-00 . . . . . . . . . . . . . . 13
  -03:
  A.1.  draft-ietf-oauth-jwt-bcp-03  . . . . . . . . . . . . . . . 13
  A.2.  draft-ietf-oauth-jwt-bcp-02  . . . . . . . . . . . . . . . 13
  A.3.  draft-ietf-oauth-jwt-bcp-01  . . . . . . . . . . . . . . . 13
  A.4.  draft-ietf-oauth-jwt-bcp-00  . . . . . . . . . . . . . . . 13
  A.5.  draft-sheffer-oauth-jwt-bcp-01 . . . . . . . . . . . . . . 13
  A.6.  draft-sheffer-oauth-jwt-bcp-00 . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
1.  Introduction

JSON Web Tokens, also known as JWTs [RFC7519], are URL-safe JSON-
based security tokens that contain a set of claims that can be signed
and/or encrypted.  The JWT specification has seen rapid adoption
because it encapsulates security-relevant information in one, easy to
protect location, and because it is easy to implement using widely-
available tools.  One application area in which JWTs are commonly
skipping to change at page 10, line 43

This entire document is about security considerations when
implementing and deploying JSON Web Tokens.
5.  IANA Considerations

This document requires no IANA actions.
6.  Acknowledgements

-02:
Thanks to Antonio Sanso for bringing the "ECDH-ES" invalid point
attack to the attention of JWE and JWT implementers.  Thanks to Nat
Sakimura for advocating the use of explicit typing.  Thanks to Neil
Madden for his numerous comments, and to Carsten Bormann for his
review.

-03:
Thanks to Antonio Sanso for bringing the "ECDH-ES" invalid point
attack to the attention of JWE and JWT implementers.  Tim McLean
published the RSA/HMAC confusion attack.  Thanks to Nat Sakimura for
advocating the use of explicit typing.  Thanks to Neil Madden for his
numerous comments, and to Carsten Bormann and Brian Campbell for
their reviews.
7.  References

7.1.  Normative References

[RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
           Requirement Levels", BCP 14, RFC 2119,
           DOI 10.17487/RFC2119, March 1997,
           <https://www.rfc-editor.org/info/rfc2119>.

[RFC6979]  Pornin, T., "Deterministic Usage of the Digital Signature
           Algorithm (DSA) and Elliptic Curve Digital Signature
           Algorithm (ECDSA)", RFC 6979, DOI 10.17487/RFC6979,
           August 2013, <https://www.rfc-editor.org/info/rfc6979>.

[RFC7515]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web
           Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515,
           May 2015, <https://www.rfc-editor.org/info/rfc7515>.

[RFC7516]  Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)",
           RFC 7516, DOI 10.17487/RFC7516, May 2015,
           <https://www.rfc-editor.org/info/rfc7516>.

[RFC7518]  Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
           DOI 10.17487/RFC7518, May 2015,
           <https://www.rfc-editor.org/info/rfc7518>.

[RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
           (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015,
           <https://www.rfc-editor.org/info/rfc7519>.

[RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
           Interchange Format", STD 90, RFC 8259,
           DOI 10.17487/RFC8259, December 2017,
           <https://www.rfc-editor.org/info/rfc8259>.
7.2.  Informative References

[I-D.ietf-oauth-discovery]
           Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0
           Authorization Server Metadata", draft-ietf-oauth-
           discovery-10 (work in progress), March 2018.

[I-D.ietf-secevent-token]
           Hunt, P., Jones, M., Denniss, W., and M. Ansari, "Security
skipping to change at page 12, line 29

[OpenID.Core]
           Sakimura, N., Bradley, J., Jones, M., Medeiros, B., and C.
           Mortimore, "OpenID Connect Core 1.0", November 2014,
           <http://openid.net/specs/openid-connect-core-1_0.html>.

[RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
           RFC 6749, DOI 10.17487/RFC6749, October 2012,
           <https://www.rfc-editor.org/info/rfc6749>.

[RFC7517]  Jones, M., "JSON Web Key (JWK)", RFC 7517,
           DOI 10.17487/RFC7517, May 2015,
           <https://www.rfc-editor.org/info/rfc7517>.

[Sanso]    Sanso, A., "Critical Vulnerability Uncovered in JSON
           Encryption", March 2017,
           <https://blogs.adobe.com/security/2017/03/
           critical-vulnerability-uncovered-in-json-encryption.html>.

[Valenta]  Valenta, L., Sullivan, N., Sanso, A., and N. Heninger, "In
           search of CurveSwap: Measuring elliptic curve
           implementations in the wild", March 2018,
           <https://ia.cr/2018/298>.
Appendix A.  Document History

[[ to be removed by the RFC editor before publication as an RFC ]]

(As numbered in -03; -02 has no A.1 entry and numbers the remaining
entries A.1 through A.5.)

A.1.  draft-ietf-oauth-jwt-bcp-03

- Acknowledgements.

A.2.  draft-ietf-oauth-jwt-bcp-02

- Implemented WGLC feedback.

A.3.  draft-ietf-oauth-jwt-bcp-01

- Feedback from Brian Campbell.

A.4.  draft-ietf-oauth-jwt-bcp-00

- Initial WG draft.  No change from the latest individual version.

A.5.  draft-sheffer-oauth-jwt-bcp-01

- Added explicit typing.

A.6.  draft-sheffer-oauth-jwt-bcp-00

- Initial version.
Authors' Addresses

Yaron Sheffer
Intuit

EMail: yaronf.ietf@gmail.com
End of changes.  20 change blocks.  31 lines changed or deleted,
38 lines changed or added.

This html diff was produced by rfcdiff 1.46.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/