[Openid-specs-fapi] [E] Re: Verification: non-compliant JWT audience

Tom Jones thomasclinganjones at gmail.com
Tue Oct 3 20:54:54 UTC 2017


How is it possible to determine if a JWT is a software statement?  The
presence of "software-id"?

Peace ..tom

On Fri, Sep 29, 2017 at 5:50 PM, Hjelm, Bjorn <
Bjorn.Hjelm at verizonwireless.com> wrote:

> Tom,
> My comment was made from the perspective of aligning the MODRNA Client
> Registration spec and the (FAPI/Open Banking) Dynamic Client Registration
> spec Pam is working on, given that both share similar design fundamentals.
>
> BR,
> Bjorn
>
> On Sep 29, 2017, at 2:05 PM, Tom Jones <thomasclinganjones at gmail.com>
> wrote:
>
> I don't think the infrastructure exists to do this. If there were a real
> working framework, such as Open Banking has created.
>
> ..Tom's phone
>
> On Sep 29, 2017, at 1:18 PM, Hjelm, Bjorn via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
> Pam,
>
> I believe that the logical audience would work for the use case in MODRNA
> as well (for example, “As a participant in Mobile Connect,” etc.).
>
> BR,
>
> Bjorn
>
> From: Openid-specs-fapi [mailto:openid-specs-fapi-bounces at lists.openid.net] On Behalf Of Pamela Dingle via Openid-specs-fapi
> Sent: Friday, September 29, 2017 8:20 AM
> To: Financial API Working Group List
> Subject: [E] Re: [Openid-specs-fapi] Verification: non-compliant JWT audience
>
>
>
> We discussed the audience question on the call on Wednesday, and two
> options were discussed for compliance, removing the audience and adding a
> logical audience.
>
> Given our short time frame, the first goal is to get to spec compliance.
> Based on feedback both during the call and on this thread I think we can
> safely move to request that audience be removed from the software statement.
>
> Long term,  I see a lot of advantage to creating a logical audience for
> the assertion, essentially the ASPSP would know itself by several names and
> respond to assertions designated for any name:
>
>    - As itself, with an explicit issuer name
>    - As a participant in UK Open Banking
>    - As an ASPSP in UK Open Banking
>    - Possibly as an ASPSP supporting the AISP software role for UK Open
>    Banking, etc.
>
> This may not be critical for the first phase, but I see the concept
> possibly becoming a big deal as additional competent authorities come
> online, and it becomes likely that a given ASPSP may start processing
> software statements issued by multiple authorities.
>
>
>
> Any additional arguments for or against this plan or vendor insights or
> implementer reactions would be welcome.
>
>
>
> Thanks!
>
>
>
> On Thu, Sep 28, 2017 at 6:29 PM, Tom Jones <thomasclinganjones at gmail.com>
> wrote:
>
> I agree.
>
> AUD should not be in a s/w statement at all.
>
>
>
> I also think that you should ban questions like this that are not issues.
>
>
> Peace ..tom
>
>
>
> On Fri, Sep 22, 2017 at 3:53 PM, Pamela Dingle via Openid-specs-fapi <
> openid-specs-fapi at lists.openid.net> wrote:
>
> Hi FAPI'ers,
>
>
>
> Can anyone here comment on whether they use or make technology that CANNOT
> override the standard RFC7519 JWT audience validation requirements?
>
>
>
> I know that the jose4j library allows the ability to override the rules
> set out in https://tools.ietf.org/html/rfc7519#section-4.1.3 but
> I don't know if that is a common feature of other libraries.  As I read
> those rules, any entity that receives a JWT with an aud claim populated but
> which does not have the entity itself listed as a recipient should reject
> that JWT.
>
>
>
> In this case we are talking about validating software statements in
> dynamic client requests -- if the software statement is generated with an
> audience set to be the client requesting the software statement,
> technically every AS the client tries to post that statement to should
> reject the statement, since the aud claim does not reference them
> directly.  Any opinions on whether at the end of the day this is a serious
> compliance issue (or not), and/or a real problem for implementers (or not)
> would be welcome.
>
>
>
> Cheers,
>
>
>
> Pamela
>
>
>
> --
>
> Pam Dingle
> Principal Technical Architect
> pdingle at pingidentity.com
> w: +1 303.999.5890
> c: +1 303.999.5890
>
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
> _______________________________________________
> Openid-specs-fapi mailing list
> Openid-specs-fapi at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>
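The audience rule Pam cites from RFC 7519 section 4.1.3, and the "logical audience" idea from the Sep 29 message (an ASPSP that knows itself by several names), worked through as an added example. This is Python written for this page, not code from the thread, from jose4j, or from any participant's implementation. The HS256 key, the issuer and server names, the claim values, and the use of the RFC 7591 `software_id` claim as the marker for "this JWT is a software statement" are all constructed assumptions for the demo; the last one is a local convention, not a rule the thread or the RFC states.

```python
"""Audience validation for software statements (RFC 7519 section 4.1.3).

Added example, not code from the FAPI list thread. Key, names and claim
values are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import json

# Constructed shared secret standing in for the statement issuer's key.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed names an AS might accept: itself plus two logical audiences
# (a shared participant name and a shared role name), as the thread proposes.
AS_NAMES = {
    "https://as.example-bank.test",
    "urn:example:uk-openbanking:participant",
    "urn:example:uk-openbanking:aspsp",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS (HS256) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature and return the claims; raise ValueError on failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier, never the token, decides which algorithm is acceptable.
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def audience_accepts(claims: dict, my_names) -> bool:
    """RFC 7519 4.1.3: if 'aud' is present (string or array of strings), the
    recipient must find one of its own names there or reject the JWT.
    An absent 'aud' is allowed here, matching the thread's "remove it" option."""
    if "aud" not in claims:
        return True
    aud = claims["aud"]
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False  # malformed aud is a rejection, not a pass
    return any(a in my_names for a in aud)


def is_software_statement(claims: dict) -> bool:
    # Assumption for this demo: the RFC 7591 software_id claim marks a statement.
    return "software_id" in claims


def evaluate_software_statement(token: str, key: bytes, my_names) -> dict:
    """Decision an AS takes on a statement posted in a registration request."""
    try:
        claims = verify_hs256(token, key)
    except ValueError as exc:
        return {"accepted": False, "reason": f"signature: {exc}"}
    if not is_software_statement(claims):
        return {"accepted": False, "reason": "no software_id claim"}
    if not audience_accepts(claims, my_names):
        return {"accepted": False, "reason": "aud does not name this server"}
    return {"accepted": True, "reason": "ok", "software_id": claims["software_id"]}


def demo() -> dict:
    """Three statements from the same issuer, differing only in 'aud'."""
    base = {"iss": "https://authority.example.test", "software_id": "sw-4711",
            "redirect_uris": ["https://tpp.example.test/cb"]}
    # aud set to the requesting client: every AS must reject it per 4.1.3.
    aud_is_client = mint_hs256({**base, "aud": "client-123"}, ISSUER_KEY)
    aud_absent = mint_hs256(base, ISSUER_KEY)
    aud_logical = mint_hs256({**base, "aud": ["urn:example:uk-openbanking:aspsp"]}, ISSUER_KEY)
    return {
        "aud_is_client": evaluate_software_statement(aud_is_client, ISSUER_KEY, AS_NAMES),
        "aud_absent": evaluate_software_statement(aud_absent, ISSUER_KEY, AS_NAMES),
        "aud_logical": evaluate_software_statement(aud_logical, ISSUER_KEY, AS_NAMES),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(name, decision)
```

The point of `AS_NAMES` being a set rather than a single string is the logical-audience proposal: one server answers to its explicit issuer name and to any shared role or participant name it has been assigned, so a statement minted by a different competent authority can still name it without the authority knowing every ASPSP's own identifier. A statement whose `aud` is the requesting client is rejected by every server, which is the compliance problem the thread describes.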