[Openid-specs-fapi] [E] Re: Verification: non-compliant JWT audience

Hjelm, Bjorn Bjorn.Hjelm at VerizonWireless.com
Sat Sep 30 00:50:11 UTC 2017


Tom,
My comment was made from the perspective of aligning the MODRNA Client Registration spec and the (FAPI/Open Banking) Dynamic Client Registration spec Pam is working on, given that both share similar design fundamentals.

BR,
Bjorn

On Sep 29, 2017, at 2:05 PM, Tom Jones <thomasclinganjones at gmail.com> wrote:

I don't think the infrastructure exists to do this. If there were a real working framework, such as Open Banking has created.

..Tom's phone

On Sep 29, 2017, at 1:18 PM, Hjelm, Bjorn via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:

Pam,
I believe that the logical audience would work for the use case in MODRNA as well (for example, “As a participant in Mobile Connect,” etc.).

BR,
Bjorn

From: Openid-specs-fapi [mailto:openid-specs-fapi-bounces at lists.openid.net] On Behalf Of Pamela Dingle via Openid-specs-fapi
Sent: Friday, September 29, 2017 8:20 AM
To: Financial API Working Group List
Subject: [E] Re: [Openid-specs-fapi] Verification: non-compliant JWT audience

We discussed the audience question on the call on Wednesday, and two options were discussed for compliance, removing the audience and adding a logical audience.
Given our short time frame, the first goal is to get to spec compliance. Based on feedback both during the call and on this thread I think we can safely move to request that audience be removed from the software statement.
Long term, I see a lot of advantage to creating a logical audience for the assertion, essentially the ASPSP would know itself by several names and respond to assertions designated for any name:

  *   As itself, with an explicit issuer name
  *   As a participant in UK Open Banking
  *   As an ASPSP in UK Open Banking
  *   Possibly as an ASPSP supporting the AISP software role for UK Open Banking, etc.
This may not be critical for the first phase, but I see the concept possibly becoming a big deal as additional competent authorities come online, and it becomes likely that a given ASPSP may start processing software statements issued by multiple authorities.

Any additional arguments for or against this plan or vendor insights or implementer reactions would be welcome.

Thanks!

On Thu, Sep 28, 2017 at 6:29 PM, Tom Jones <thomasclinganjones at gmail.com> wrote:
I agree.
AUD should not be in a s/w statement at all.

I also think that you should ban questions like this that are not issues.

Peace ..tom

On Fri, Sep 22, 2017 at 3:53 PM, Pamela Dingle via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
Hi FAPI'ers,

Can anyone here comment on whether they use or make technology that CANNOT override the standard RFC7519 JWT audience validation requirements?

I know that the jose4j library allows the ability to override the rules set out in https://tools.ietf.org/html/rfc7519#section-4.1.3 but I don't know if that is a common feature of other libraries. As I read those rules, any entity that receives a JWT with an aud claim populated but which does not have the entity itself listed as a recipient should reject that JWT.

In this case we are talking about validating software statements in a dynamic client requests -- if the software statement is generated with an audience set to be the client requesting the software statement, technically every AS the client tries to post that statement to should reject the statement, since the aud claim does not reference them directly.  Any opinions on whether at the end of the day this is a serious compliance issue (or not), and/or a real problem for implementers (or not) would be welcome.

Cheers,

Pamela

_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-fapi




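Pam's original question turns on the RFC 7519 section 4.1.3 rule that a recipient not named in a populated aud claim must reject the JWT, and her later message proposes a "logical audience" under which an ASPSP answers to several names. The following is an added example, not code from the thread, jose4j, or any OpenID spec; the audience URNs, issuer and software_id values are constructed placeholders, and signature verification of the software statement is assumed to have already happened.

```python
# Added example: RFC 7519 section 4.1.3 audience validation for a software
# statement, with the "logical audience" idea from the thread. All names
# below are constructed placeholders, not real Open Banking identifiers.

LOGICAL_AUDIENCES = {
    # an ASPSP knowing itself by several names, as Pam describes
    "https://as.example-bank.example",          # its own issuer identifier
    "urn:example:uk-openbanking:participant",   # any participant
    "urn:example:uk-openbanking:aspsp",         # any ASPSP
}


def audience_matches(aud, my_names):
    """RFC 7519 4.1.3: 'aud' is a string or an array of strings; the
    recipient MUST reject the JWT unless one value identifies it."""
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False  # malformed claim: reject rather than guess
    return any(a in my_names for a in aud)


def check_software_statement(claims, my_names):
    """Return (accepted, reason) for a software statement's audience.
    Assumes the statement's signature was already verified against the
    issuing authority's key; this only applies the audience rule."""
    if "aud" not in claims:
        # the option the thread converges on: no aud in the statement
        return True, "no aud claim; no audience restriction to enforce"
    if audience_matches(claims["aud"], my_names):
        return True, "aud names this AS (directly or via a logical audience)"
    return False, "aud %r does not name this AS; reject per RFC 7519 4.1.3" % (claims["aud"],)


# Constructed software statements (payload claims only).
STATEMENT_AUD_IS_CLIENT = {"iss": "https://directory.example",
                           "software_id": "tpp-123", "aud": "tpp-123"}
STATEMENT_NO_AUD = {"iss": "https://directory.example", "software_id": "tpp-123"}
STATEMENT_LOGICAL_AUD = {"iss": "https://directory.example", "software_id": "tpp-123",
                         "aud": ["urn:example:uk-openbanking:aspsp"]}

if __name__ == "__main__":
    for name, stmt in [("aud=client", STATEMENT_AUD_IS_CLIENT),
                       ("no aud", STATEMENT_NO_AUD),
                       ("logical aud", STATEMENT_LOGICAL_AUD)]:
        print(name, check_software_statement(stmt, LOGICAL_AUDIENCES))
```

The first statement, with aud set to the requesting client as in Pam's scenario, is rejected by every AS; the second and third pass, the third only because the AS also answers to the group name.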