<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thanks Pedro,<div class=""><br class=""></div><div class="">Slides 78-82 also cover another use case Google addresses outside of Connect where the requestor/client wants a code for another client. </div><div class=""><br class=""></div><div class="">This use case may also want to be formalized in token exchange.</div><div class=""><br class=""></div><div class="">What they have works but in both cases Google has a lot of admin policy around the flows around registration of the two clients that may be hard to generalize.</div><div class=""><br class=""></div><div class="">That is why we only documented the security warning that tokens with a azp containing a value that is not one you recognize, should not be trusted.</div><div class=""><br class=""></div><div class="">We were attempting to document the security consideration, not how to use it in the way Google is.</div><div class=""><br class=""></div><div class="">I would prefer to think about what is required to identify the parties of these transactions first, and only the re use azp if it happens to fit.</div><div class=""><br class=""></div><div class="">The other thing that has changed is now we are talking about pop tokens, then we only had bearer. If we had had a way to identify the presenter to the recipient at the time via a POP </div><div class="">mechanism, we might have defined it as presenter, but given bearer tokens only allowed the identification of the requester in OAuth that was the term we agreed to use, as for the most part in Googles case it is the same party if you ignore the token agent.</div><div class=""><br class=""></div><div class="">Breno also had some other use cases for azp at the time that involved four parties, that was a part of the discussion.</div><div class=""><br class=""></div><div class="">John B.</div><div apple-content-edited="true" class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="padding-bottom: 5px; margin-bottom: 0px;" class=""></div></div></div></div></div></div></div></div></div></div></div></div><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 21, 2015, at 9:40 AM, Pedro Felix <<a href="mailto:pmhsfelix@gmail.com" class="">pmhsfelix@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">I've some slides on this subject, based exclusively on using the Google public documentation and the Play Services SDK: <a href="https://speakerdeck.com/pmhsfelix/single-sign-on-for-mobile-native-applications?slide=71" target="_blank" class="">https://speakerdeck.com/pmhsfelix/single-sign-on-for-mobile-native-applications?slide=71</a><div class=""><br class=""></div><div class="">HTH</div><div class="">Cheers</div><div class="">Pedro</div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Thu, Aug 20, 2015 at 11:16 PM, Mike Jones <span dir="ltr" class=""><<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">
<div class="">
<div style="font-family:Calibri,sans-serif;font-size:11pt" class="">Thanks, Mengcheng!</div>
</div>
<div dir="ltr" class="">
<hr class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">From:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:mengcheng@google.com" target="_blank" class="">Mengcheng Duan</a></span><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Sent:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class="">8/20/2015 3:07 PM</span><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">To:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:adawes@google.com" target="_blank" class="">Adam Dawes</a></span><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Cc:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class=""><a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Mike Jones</a>;
<a href="mailto:wdenniss@google.com" target="_blank" class="">William Denniss</a>; <a href="mailto:breno@google.com" target="_blank" class="">
Breno de Medeiros</a>; <a href="mailto:naa@google.com" target="_blank" class="">Naveen Agarwal</a>; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">
openid-specs-ab@lists.openid.net</a>; <a href="mailto:jbradley@pingidentity.com" target="_blank" class="">
John Bradley</a></span><span class=""><br class="">
<span style="font-family:Calibri,sans-serif;font-size:11pt;font-weight:bold" class="">Subject:
</span><span style="font-family:Calibri,sans-serif;font-size:11pt" class="">Re: [Openid-specs-ab] Your help needed clarifying Google's "azp" claim usage</span><br class="">
<br class="">
</span></div>
<div class="">
<div dir="ltr" class="">the client ID is the android app is used in the request. An audience field which contains the home server client ID provided by the app is added in the request. An ID token whose azp is the android app and aud is the home server will be issued
if the two client IDs are in the same parent project, .</div>
<div class="gmail_extra"><br clear="all" class="">
<div class="">
<div class="">
<div class=""><br class="">
</div>
- Mengcheng</div>
</div><div class=""><div class="">
<br class="">
<div class="gmail_quote">On Thu, Aug 20, 2015 at 2:52 PM, Adam Dawes <span dir="ltr" class="">
<<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr" class="">+mengcheng</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Thu, Aug 20, 2015 at 9:03 AM, Mike Jones <span dir="ltr" class="">
<<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" class="">
<div class=""><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Thanks guys. A few follow-up questions…<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class="">Which Client ID is used in the Authentication Request to the OP – the Client ID of the Android App or the Client ID of the app’s home server? Also, what
information are you adding to the Authentication Request to tell the OP to issue a token with the audience being the app’s home server and the “azp” being the Android application?<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""> -- Mike<u class=""></u><u class=""></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d" class=""><u class=""></u> <u class=""></u></span></p><p class="MsoNormal"><b class=""><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class="">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" class=""> William Denniss [mailto:<a href="mailto:wdenniss@google.com" target="_blank" class="">wdenniss@google.com</a>]
<br class="">
<b class="">Sent:</b> Wednesday, August 19, 2015 11:39 PM<br class="">
<b class="">To:</b> Adam Dawes<br class="">
<b class="">Cc:</b> Mike Jones; Breno de Medeiros; Naveen Agarwal; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">
openid-specs-ab@lists.openid.net</a>; John Bradley<br class="">
<b class="">Subject:</b> Re: [Openid-specs-ab] Your help needed clarifying Google's "azp" claim usage<u class=""></u><u class=""></u></span></p>
<div class="">
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt" class="">So our interpretation is that 'azp' is the party who the token was issued to, 'aud' is the party who the token was intended for. The expectation being that the 'azp' client is presenting the token to their
server (the 'aud'). For our Android API, both client-ids must be registered under the same parent project (i.e. you can't request an id token for an arbitrary client id that you don't also own, and isn't a member of the same project).</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal">Of the two names, I think I prefer "<span style="" class="">Authorized Presenter" over "Authorized Party", as azp refers to the client authorized to present the token to the server.</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="" class="">The server could always choose to accept an ID Token issued with an 'aud' of its client app directly, this just makes the semantic a little more explicit I guess.</span><u class=""></u><u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class=""><p class="MsoNormal"><span style="" class="">It is curious that we have documented the claim semantic, without actually having a standards-compliant way to request such a token. I wonder if that's something we should address. It could be relevant for the
NAPPS effort.</span><u class=""></u><u class=""></u></p>
</div>
</div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Wed, Aug 19, 2015 at 10:57 PM, Adam Dawes <<a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a>> wrote:<u class=""></u><u class=""></u></p>
<div class=""><p class="MsoNormal">From one of our engineers:<u class=""></u><u class=""></u></p>
<span class="">
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
<div class="">
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt" class="">AFAIU, the only case where "azp" is different from "aud" is Android cross-client ID token.<u class=""></u><u class=""></u></span></p>
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt" class="">In that case, the azp is the ID token requestor, which is the Android app, and the audience is the app's home server, for which the ID token is intended.<u class=""></u><u class=""></u></span></p>
</div>
<div class=""><p class="MsoNormal"><span style="font-size:9.5pt" class="">Unfortunately, this underlying protocol is not standard OAuth2 or OIDC. I'm not sure we want to publicly document the protocol traces.<u class=""></u><u class=""></u></span></p>
</div>
</div>
</div>
</span></div>
<div class=""><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
<div class=""><p class="MsoNormal">On Wed, Aug 19, 2015 at 12:16 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" class="">Michael.Jones@microsoft.com</a>> wrote:<u class=""></u><u class=""></u></p>
<span class="">
<div class="">
<div class="">
<div class="">
<div class=""><p class="MsoNormal">Hi Googlers,<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">It would be hugely useful if you could capture protocol traces that demonstrate how Google actually uses the “azp” claim in cases where the “azp” and “aud” values differ. Ideally, I'd like to see actual protocol traces, including the Authentication
Request, the Authentication Response, and both directions of any the communication between the Client that made the request to the OP and any other Clients that it also sends the resulting token(s) to. Among other things, that would also answer OAuth-y questions
like which Client ID is being used for client authentication to the OP when more than one client is involved.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal">The Connect text about “azp” is currently both ambiguous and contradictory. This data would be of a huge help to us for sorting this out during the current errata round.<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p><p class="MsoNormal"> Thanks a bunch,<u class=""></u><u class=""></u></p><p class="MsoNormal"> -- Mike<u class=""></u><u class=""></u></p><p class="MsoNormal"> <u class=""></u><u class=""></u></p>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div><p class="MsoNormal" style="margin-bottom:12.0pt">_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a><br class="">
<a href="https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2flists.openid.net%2fmailman%2flistinfo%2fopenid-specs-ab&data=01%7c01%7cMichael.Jones%40microsoft.com%7c836d72deda5d482c47e908d2a92a1d41%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=7uvAkt5fiquNc%2bOVCQir5UvBmFs%2bpyCE0LiqSs14d%2bY%3d" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u class=""></u><u class=""></u></p>
</span></div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div><p class="MsoNormal"><u class=""></u> <u class=""></u></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</blockquote>
</div>
<br class="">
</div></div></div>
</div>
</div>
<br class="">_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
<br class=""></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></body></html>