<div dir="ltr">Hi All,<div><br></div><div>Since we've received a lot of good feedback from members and done some iteration, we would like to include this on the agenda for the WG APAC friendly call on September 18th. </div><div><br></div><div>Thanks,</div><div>Luke </div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 6, 2017 at 11:51 PM, Roland Hedberg via Openid-specs-ab <span dir="ltr"><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">+1<div><br><div><blockquote type="cite"><span class=""><div>On 6 Sep 2017, at 20:33, Mike Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.<wbr>net</a>> wrote:</div><br class="m_5610912685956348575Apple-interchange-newline"></span><div><div class="m_5610912685956348575WordSection1" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span class=""><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)">Thanks for bringing this project idea to us, Adam. Promoting high-quality JWT libraries is clearly a good thing. 
One thing that I think would be really valuable to this effort is for the working group to produce a clear specification of what features of the JWT libraries would be validated.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)">I’ll also note that there may be multiple layers to the validation we want to do. The first level is probably testing specific invariants specified in the JWS, JWE, JWK, JWA, and JWT specs. However, as much of the claims and header parameters functionality (other than “crit”) is optional, I doubt that this level of validation will be adequate by itself.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></div></span><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)">The second layer is probably testing the validation of specific token invariants. For instance, some example tests would be making sure that the “c_hash”, “at_hash”, and “nonce” values in ID Tokens are correct and present when required. 
These kinds of invariants are specified for ID Tokens in the ID Token Validation Sections<a href="http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken" style="color:purple;text-decoration:underline" target="_blank">http://openid.net/<wbr>specs/openid-connect-core-1_0.<wbr>html#CodeIDToken</a>,<span class="m_5610912685956348575Apple-converted-space"> </span><a href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation" style="color:purple;text-decoration:underline" target="_blank">http://<wbr>openid.net/specs/openid-<wbr>connect-core-1_0.html#<wbr>ImplicitIDTValidation</a>, and<span class="m_5610912685956348575Apple-converted-space"> </span><a href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDTValidation" style="color:purple;text-decoration:underline" target="_blank">http://openid.net/specs/<wbr>openid-connect-core-1_0.html#<wbr>ImplicitIDTValidation</a>. Similarly, the logout token validation rules are specified at<span class="m_5610912685956348575Apple-converted-space"> </span><a href="http://openid.net/specs/openid-connect-backchannel-1_0.html#Validation" style="color:purple;text-decoration:underline" target="_blank">http://openid.net/specs/<wbr>openid-connect-backchannel-1_<wbr>0.html#Validation</a>.<u></u><u></u></span></div><div><div class="h5"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)">Negative tests should be implemented for each of the invariants being tested – such as passing the test suite an invalid “c_hash” value or an ID Token without a “c_hash” value when one is required.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></div><div style="margin:0in 0in 
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)">I’d be curious to know what other kinds of specifics people think we should be testing.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"> <wbr> <wbr> Cheers,<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"> <wbr> <wbr> -- Mike<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="color:rgb(0,32,96)"><u></u> <u></u></span></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b>From:</b><span class="m_5610912685956348575Apple-converted-space"> </span>Openid-specs-ab [<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">mailto:openid-specs-ab-<wbr>bounces@lists.openid.net</a>]<span class="m_5610912685956348575Apple-converted-space"> </span><b>On Behalf Of<span class="m_5610912685956348575Apple-converted-space"> </span></b>Adam Dawes via Openid-specs-ab<br><b>Sent:</b><span class="m_5610912685956348575Apple-converted-space"> </span>Wednesday, September 6, 2017 5:27 AM<br><b>To:</b><span class="m_5610912685956348575Apple-converted-space"> </span>Vladimir Dzhuvinov <<a href="mailto:vladimir@connect2id.com" target="_blank">vladimir@connect2id.com</a>><br><b>Cc:</b><span class="m_5610912685956348575Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.<wbr>openid.net</a><br><b>Subject:</b><span class="m_5610912685956348575Apple-converted-space"> </span>Re: [Openid-specs-ab] Feedback requested: JWT library effort<u></u><u></u></div><div style="margin:0in 0in 
0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:9.5pt">Sorry for the slow reply.</span><u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:9.5pt"><u></u> <u></u></span></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:9.5pt">I've had a couple of others also ask me about the relationship between the RP certification suite and the JWT validation libraries. This is a good question. <u></u><u></u></span></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:9.5pt"><u></u> <u></u></span></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:9.5pt">Basically, we think that these are complementary efforts. The main reason why we think the validation libraries are a good thing even with the existence of the testing suite:<u></u><u></u></span></div></div><div><div style="margin:0in 0in 0.0001pt 47.25pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:10pt;font-family:Symbol"><span>·<span style="font-style:normal;font-variant-caps:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'"> <span class="m_5610912685956348575Apple-converted-space"> </span></span></span></span><span style="font-size:9.5pt">Libraries help get the implementation right in the first place. 
The conformance suite does a great job of highlighting issues with an implementation but it is less helpful in getting validation actually created.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt 47.25pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:10pt;font-family:Symbol"><span>·<span style="font-style:normal;font-variant-caps:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'"> <span class="m_5610912685956348575Apple-converted-space"> </span></span></span></span><span style="font-size:9.5pt">It allows us to be more prescriptive in our documentation. Instead of telling developers "validate your ID token per the spec and check with the conformance tests" we can say "use this library for x frameworks and use the conformance suite to test it".<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt 47.25pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:10pt;font-family:Symbol"><span>·<span style="font-style:normal;font-variant-caps:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'"> <span class="m_5610912685956348575Apple-converted-space"> </span></span></span></span><span style="font-size:9.5pt">More JWTs are coming. Between back-channel logout, RISC and SETs, there are more kinds of validation that need to be done correctly. Good libraries can help make these other use cases easy for developers.<u></u><u></u></span></div><div style="margin:0in 0in 0.0001pt 47.25pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:10pt;font-family:Symbol"><span>·<span style="font-style:normal;font-variant-caps:normal;font-weight:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'"> <span class="m_5610912685956348575Apple-converted-space"> </span></span></span></span><span style="font-size:9.5pt">New kinds of flows. 
Google and Facebook do a lot of auth via our native client SDKs and we document that developers can use our ID tokens from the client to their home server. I don't believe the conformance tests support that flow. We're also starting to see cases of using ID tokens as statically verifiable access tokens so the library helps with these use cases too.<u></u><u></u></span></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:9.5pt">thanks,<u></u><u></u></span></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:9.5pt">AD<u></u><u></u></span></div></div></div></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">On Mon, Aug 28, 2017 at 1:10 AM, Vladimir Dzhuvinov <<a href="mailto:vladimir@connect2id.com" style="color:purple;text-decoration:underline" target="_blank">vladimir@connect2id.com</a>> wrote:<u></u><u></u></div><blockquote style="border-style:none none none solid;border-left-width:1pt;border-left-color:rgb(204,204,204);padding:0in 0in 0in 6pt;margin-left:4.8pt;margin-right:0in"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Hi Adam,<br><br>Client code and client developers are indeed the weak link in the whole<br>system.<br><br>Since 2012 we have maintained a JOSE/JWT library and a separate SDK for<br>building OAuth 2.0 and OpenID Connect clients and servers. We actively<br>discourage developers from using the JWT library directly for ID token<br>validation. Even if you give developers a JWT library that is<br>cryptographically sound and compliant with the JWT spec, this is no<br>guarantee that the ID token validation will be implemented correctly and<br>according to the requirements of the specific OpenID Connect flow /<br>profile. 
What has worked best has been to provide developers with an OpenID<br>Connect client abstraction for validating ID tokens where dealing with<br>the JWT specific stuff is completely hidden (including things like<br>OpenID provider key retrieval and caching), so developers need only<br>provide the following inputs:<br><br>1. An object with the OpenID provider details (endpoints).<br><br>2. An object with the OpenID client details (client_id, secret or JWKs,<br>etc).<br><br>3. The OpenID authentication request.<br><br>4. The OpenID authentication response and / or token response.<br><br><br><br>How to achieve this practically and with minimum effort?<br><br>Fortunately, the OpenID Foundation has created a Relying Party<br>certification program, which includes a test suite for OpenID clients,<br>and is platform / language / framework independent:<br><br><a href="http://openid.net/certification/" style="color:purple;text-decoration:underline" target="_blank">http://openid.net/<wbr>certification/</a><br><br><br>Suggesting client library developers certify, or giving them some<br>incentive to do so (e.g. when they register with Google) will probably<br>be the most efficient way to achieve the security you're looking for,<br>without having to maintain "compliant" libraries yourself for a variety<br>of platforms, etc.<br><br>In terms of innovation, this also seems like the best approach -<br>developers will be free to innovate, e.g. by adding support for new<br>frameworks, languages, platforms, etc. They just need to make sure their<br>client library becomes certified to be credible.<br><br>If you want to achieve particular security objectives, you could do that<br>by contributing to / extending the certification suite. 
The suite itself<br>is open source.<br><br><br>Vladimir<br><br><br>On 24/08/17 03:50, Adam Dawes via Openid-specs-ab wrote:<br>> Hi all,<br>><br>> I have mentioned to some of you that Google is very interested in making it<br>> easy and secure for developers to do JWT/ID Token validation on their<br>> servers. We think resources like<span class="m_5610912685956348575Apple-converted-space"> </span><a href="http://jwt.io/" style="color:purple;text-decoration:underline" target="_blank">jwt.io</a><span class="m_5610912685956348575Apple-converted-space"> </span>and the many open source libraries<br>> have helped developers a lot with this process. But we are also concerned<br>> that there are still many ways to mess up validation and want to make it<br>> easy for developers to automatically do the right thing. I'm reaching out<br>> because we would like to partner with the Foundation and the Connect WG to<br>> build canonical libraries that gain wide adoption and which help drive<br>> greater adoption of federation.<br>><br>> To drive this effort forward, I wanted to introduce a new PM on my team,<br>> Luke Camery. He's put together a spec<br>> <<a href="https://docs.google.com/document/d/1V5uE-aR6k5JYuQQ6Ylgj8t1F_HMS7DEMJ4AIRMyR9Ts/edit" style="color:purple;text-decoration:underline" target="_blank">https://docs.google.com/<wbr>document/d/1V5uE-<wbr>aR6k5JYuQQ6Ylgj8t1F_<wbr>HMS7DEMJ4AIRMyR9Ts/edit#</a>><u></u><u></u></div><div><div><p class="MsoNormal" style="margin:0in 0in 12pt;font-size:11pt;font-family:Calibri,sans-serif">> for<br>> the libraries.<br>><br>> I'd like to invite the group to provide feedback and also see if it would<br>> be worthwhile to walk through this on an upcoming WG call. 
Also, we're<br>> going to be looking for contractors to help us implement these requirements<br>> so if any of you are available or have recommendations, we would love to<br>> get those.<br>><br>> Please let us know what you think.<br>><br>> thanks,<br>> AD<br>><u></u><u></u></p></div></div></blockquote></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br><br clear="all"><u></u><u></u></div><div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">--<span class="m_5610912685956348575Apple-converted-space"> </span><u></u><u></u></div><div><div><div style="margin-top:7.5pt"><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif;line-height:18pt"><span style="font-size:12pt;font-family:Arial,sans-serif;color:rgb(85,85,85);border:1.5pt solid rgb(213,15,37);padding:2pt">Adam Dawes |</span><span style="font-size:12pt;font-family:Arial,sans-serif;color:rgb(85,85,85);border:1.5pt solid rgb(51,105,232);padding:2pt"> Sr. 
Product Manager |</span><span style="font-size:12pt;font-family:Arial,sans-serif;color:rgb(85,85,85);border:1.5pt solid rgb(0,153,57);padding:2pt"> <a href="mailto:adawes@google.com" style="color:purple;text-decoration:underline" target="_blank">adawes@google.com</a> |</span><span style="font-size:12pt;font-family:Arial,sans-serif;color:rgb(85,85,85);border:1.5pt solid rgb(238,178,17);padding:2pt"> <a href="tel:(650)%20214-2410" value="+16502142410" target="_blank"><wbr>+1 650-214-2410</a></span><span style="font-size:12pt;font-family:Arial,sans-serif;color:rgb(85,85,85)"><u></u><u></u></span></div></div><div style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><u></u> <u></u></div></div></div></div></div></div></div><span class=""><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">______________________________<wbr>_________________</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important">Openid-specs-ab mailing list</span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span 
style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important"><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.<wbr>net</a></span><br style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><span style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:normal;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;float:none;display:inline!important"><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>ab</a></span></span></div></blockquote></div><br></div></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><table cellspacing="0" cellpadding="0" dir="ltr" border="1" style="color:rgb(136,136,136);font-size:13px;line-height:normal;margin:0px;padding:0px;border:1px solid rgb(204,204,204);border-collapse:collapse;table-layout:fixed;font-family:arial,sans,sans-serif"><tbody style="margin:0px;padding:0px;border:0px"><tr style="margin:0px;padding:0px;border:0px;height:48px"><td style="padding:2px 3px;border:1px solid rgb(255,255,255);vertical-align:middle;text-align:center"><img src="http://i.imgur.com/Ya4Rhss.gif" width="96" height="42" class="CToWUd"></td><td style="padding:2px 3px;border-width:1px 1px 1px 0px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-top-color:rgb(255,255,255);border-right-color:rgb(255,255,255);border-bottom-color:rgb(255,255,255);vertical-align:middle;text-align:center"><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"></blockquote></td><td style="padding:2px 3px;border-width:1px 1px 1px 0px;border-top-style:solid;border-right-style:solid;border-bottom-style:solid;border-top-color:rgb(255,255,255);border-right-color:rgb(255,255,255);border-bottom-color:rgb(255,255,255);vertical-align:bottom"><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><b style="font-size:small;color:rgb(61,133,198);font-family:arial"> • </b><b style="font-size:small;font-family:arial"><font color="#666666">Luke Camery</font></b><font face="arial" color="#3d85c6" style="margin:0px;padding:0px;border:0px"><b><br></b></font><b style="font-size:small;color:rgb(255,0,0);font-family:arial"> • </b><font color="#666666" style="margin:0px;padding:0px;border:0px">Associate Product Manager</font><font color="#ff0000" face="arial" style="margin:0px;padding:0px;border:0px"><b><br></b></font><b 
style="color:rgb(255,204,51);font-size:12.8px"> • </b><font color="#666666" style="margin:0px;padding:0px;border:0px">Federated Identity</font></blockquote></td></tr></tbody></table></div></div>
</div>
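<p>The "second layer" of checks Mike Jones describes in the thread above (are <code>c_hash</code>, <code>at_hash</code> and <code>nonce</code> correct, and present when the flow requires them) together with the negative tests he asks for, worked through as an added example. This is editor-supplied illustration code, not code from the working group, from Google's library spec or from any certified library. It assumes the ID Token's JWS signature has already been verified against the OpenID Provider's key, so the <code>alg</code> passed in is the one verification actually used; the issuer, client_id, nonce and authorization code values are constructed placeholders.</p>

```python
import base64
import hashlib
import time

# Hash implied by the ID Token's JWS "alg" (OpenID Connect Core: at_hash and c_hash use
# the alg's hash, e.g. RS256 -> SHA-256). "none" is deliberately absent, so it is rejected.
_HASH_FOR_ALG = {
    **{a: hashlib.sha256 for a in ("RS256", "ES256", "PS256", "HS256")},
    **{a: hashlib.sha384 for a in ("RS384", "ES384", "PS384", "HS384")},
    **{a: hashlib.sha512 for a in ("RS512", "ES512", "PS512", "HS512")},
}

def left_half_hash(value: str, alg: str) -> str:
    """at_hash / c_hash: base64url (no padding) of the left-most half of hash(ASCII octets)."""
    digest = _HASH_FOR_ALG[alg](value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")

def _check_hash_claim(errors, claims, name, artifact, value, alg, required):
    """Shared check for at_hash (artifact = access token) and c_hash (artifact = code)."""
    if name not in claims:
        if required:
            errors.append(f"{name} missing")
    elif value is None:
        errors.append(f"{name} present but no {artifact} to bind it to")
    elif claims[name] != left_half_hash(value, alg):
        errors.append(f"{name} mismatch")

def validate_id_token_claims(claims, *, alg, issuer, client_id, response_type,
                             nonce=None, code=None, access_token=None,
                             now=None, max_clock_skew=60):
    """Return the violated ID Token invariants; an empty list means the token is accepted.
    Assumes the JWS signature was already verified and `alg` is the alg verification used,
    so a forged header cannot choose the hash function."""
    if alg not in _HASH_FOR_ALG:
        return [f"unsupported alg {alg!r}"]
    errors, rts = [], set(response_type.split())
    now = time.time() if now is None else now

    # Issuer, audience, authorized party, expiry and issue time.
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        errors.append("aud does not contain client_id")
    if len(aud_list) > 1 and "azp" not in claims:
        errors.append("multiple aud values but azp missing")
    if "azp" in claims and claims["azp"] != client_id:
        errors.append("azp is not client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + max_clock_skew:
        errors.append("exp missing or token expired")
    if "iat" not in claims:
        errors.append("iat missing")

    # nonce: if the authentication request carried one, the token must echo it exactly.
    if nonce is not None:
        if "nonce" not in claims:
            errors.append("nonce missing")
        elif claims["nonce"] != nonce:
            errors.append("nonce mismatch")

    # at_hash is REQUIRED when an access token is issued from the Authorization Endpoint
    # next to the ID Token (response_type contains "token"); in the code flow it is optional.
    _check_hash_claim(errors, claims, "at_hash", "access token", access_token, alg,
                      required="token" in rts)
    # c_hash is REQUIRED in the hybrid flow ("code id_token" / "code id_token token").
    _check_hash_claim(errors, claims, "c_hash", "authorization code", code, alg,
                      required="code" in rts and "id_token" in rts)
    return errors

# Constructed sample inputs (hypothetical issuer, client, nonce and code; not real tokens).
ISSUER, CLIENT_ID, NONCE, CODE, ALG = ("https://op.example", "client-123",
                                       "n-0S6_WzA2Mj", "SplxlOBeZQQYbYS6WxSbIA", "RS256")
NOW = 1_700_000_000

def good_hybrid_claims():
    """Claims a correct OP would put in a hybrid-flow ("code id_token") ID Token."""
    return {"iss": ISSUER, "sub": "248289761001", "aud": CLIENT_ID, "iat": NOW,
            "exp": NOW + 600, "nonce": NONCE, "c_hash": left_half_hash(CODE, ALG)}

def run_cases():
    """Positive case plus the negative cases a library test suite should carry."""
    common = dict(alg=ALG, issuer=ISSUER, client_id=CLIENT_ID, nonce=NONCE, code=CODE, now=NOW)
    wrong = dict(good_hybrid_claims(), c_hash="AAAAAAAAAAAAAAAAAAAAAA")
    missing = {k: v for k, v in good_hybrid_claims().items() if k != "c_hash"}
    return {
        "valid hybrid token": validate_id_token_claims(good_hybrid_claims(), response_type="code id_token", **common),
        "wrong c_hash": validate_id_token_claims(wrong, response_type="code id_token", **common),
        "c_hash missing in hybrid flow": validate_id_token_claims(missing, response_type="code id_token", **common),
        "c_hash absent in code flow": validate_id_token_claims(missing, response_type="code", **common),
        "alg none": validate_id_token_claims(good_hybrid_claims(), response_type="code id_token",
                                             **dict(common, alg="none")),
    }
```

<p>Calling <code>run_cases()</code> returns an empty error list for the correctly issued hybrid token and for the plain code flow without <code>c_hash</code>, and a named violation for the tampered hash, the hash that is missing where the flow requires it, and the <code>none</code> algorithm. Keeping the required-when rules keyed on the <code>response_type</code> the client actually sent, rather than on whatever the token happens to contain, is what lets the negative tests catch an ID Token that silently drops a binding claim.</p>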