[Openid-specs-fapi] Verification: non-compliant JWT audience

Ralph Bragg Ralph.Bragg at openbanking.org.uk
Fri Sep 29 15:25:37 UTC 2017 

?As an implementer creating the SSA I support this plan.


Cheers,

RB

________________________________
From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Pamela Dingle via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: 29 September 2017 16:20
To: Financial API Working Group List
Subject: Re: [Openid-specs-fapi] Verification: non-compliant JWT audience

We discussed the audience question on the call on Wednesday, and two options were discussed for compliance, removing the audience and adding a logical audience.

Given our short time frame, the first goal is to get to spec compliance.   Based on feedback both during the call and on this thread I think we can safely move to request that audience be removed from the software statement.

Long term,  I see a lot of advantage to creating a logical audience for the assertion, essentially the ASPSP would know itself by several names and respond to assertions designated for any name:

  *   As itself, with an explicit issuer name
  *   As a participant in UK Openbanking
  *   As a an ASPSP in UK OpenBanking
  *   Possibly as an ASPSP suppporting the AISP software role for UK Open Banking.. etc

This may not be critical for the first phase, but I see the concept possibly becoming a big deal as additional competent authorities come online, and it becomes likely that a given ASPSP may start processing software statements issued by multiple authorities.

Any additional arguments for or against this plan or vendor insights or implementer reactions would be welcome.

Thanks!

On Thu, Sep 28, 2017 at 6:29 PM, Tom Jones <thomasclinganjones at gmail.com<mailto:thomasclinganjones at gmail.com>> wrote:
I agree.
AUD should not be in a s/w statement at all.

I also think that you should ban question like this that are not issues.

Peace ..tom

On Fri, Sep 22, 2017 at 3:53 PM, Pamela Dingle via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> wrote:
Hi FAPI'ers,

Can anyone here comment on whether they use or make technology that CANNOT override the standard RFC7519 JWT audience validation requirements?

I know that the jose4j library allows the ability to override the rules set out in https://tools.ietf.org/html/rfc7519#section-4.1.3 but I don't know if that is a common feature of other libraries.  As I read those rules, any entity that receives a JWT with an aud claim populated but which does not have the entity itself listed as a recipient should reject that JWT.

In this case we are talking about validating software statements in a dynamic client requests -- if the software statement is generated with an audience set to be the client requesting the software statement, technically every AS the client tries to post that statement to should reject the statement, since the aud claim does not reference them directly.  Any opinions on whether at the end of the day this is a serious compliance issue (or not), and/or a real problem for implementers (or not) would be welcome.

Cheers,

Pamela

--
<https://www.pingidentity.com>[Ping Identity]<https://www.pingidentity.com>
Pam Dingle
Principal Technical Architect
pdingle at pingidentity.com<mailto:pdingle at pingidentity.com>
w: +1 303.999.5890<tel:(303)%20999-5890>
c: +1 303.999.5890<tel:(303)%20999-5890>

Connect with us:        [Glassdoor logo] <https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>  [LinkedIn logo] <https://www.linkedin.com/company/21870>  [twitter logo] <https://twitter.com/pingidentity>  [facebook logo] <https://www.facebook.com/pingidentitypage>  [youtube logo] <https://www.youtube.com/user/PingIdentityTV>  [Google+ logo] <https://plus.google.com/u/0/114266977739397708540>  [Blog logo] <https://www.pingidentity.com/en/blog.html>

[https://www.pingidentity.com/content/dam/ping-6-2-assets/images/misc/emailSignature/identify2017-emailsignature_revised_NB.png]<https://www.pingidentity.com/en/lp/identify-2017.html>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-fapi





--
<https://www.pingidentity.com>[Ping Identity]<https://www.pingidentity.com>
Pam Dingle
Principal Technical Architect
pdingle at pingidentity.com<mailto:pdingle at pingidentity.com>
w: +1 303.999.5890
c: +1 303.999.5890

Connect with us:        [Glassdoor logo] <https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm>  [LinkedIn logo] <https://www.linkedin.com/company/21870>  [twitter logo] <https://twitter.com/pingidentity>  [facebook logo] <https://www.facebook.com/pingidentitypage>  [youtube logo] <https://www.youtube.com/user/PingIdentityTV>  [Google+ logo] <https://plus.google.com/u/0/114266977739397708540>  [Blog logo] <https://www.pingidentity.com/en/blog.html>

[https://www.pingidentity.com/content/dam/ping-6-2-assets/images/misc/emailSignature/identify2017-emailsignature_revised_NB.png]<https://www.pingidentity.com/en/lp/identify-2017.html>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

Please consider the environment before printing this email.

This email is from Open Banking Limited, Company Number 10440081.  Our registered and postal address is 2 Thomas More Square, London, E1W 1YN.  Any views or opinions are solely those of the author and do not necessarily represent those of Open Banking Limited.  

This email and any attachments are confidential and are intended for the above named only.  They may also be legally privileged or covered by other legal rights and rules.  Unauthorised dissemination or copying of this email and any attachments, and any use or disclosure of them, is strictly prohibited and may be illegal.  If you have received them in error, please delete them and all copies from your system and notify the sender immediately by return email.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20170929/9b6a578d/attachment-0001.html>

More information about the Openid-specs-fapi mailing list