draft-balfanz-clientassertions-00.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en"><head><title>Draft: Client Assertion JSON Tokens</title>
<meta http-equiv="Expires" content="Tue, 14 Sep 2010 05:10:36 +0000">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="description" content="Client Assertion JSON Tokens">
<meta name="keywords" content="signatures, PKI">
<meta name="generator" content="xml2rfc v1.34 (http://xml.resource.org/)">
<style type='text/css'><!--
body {
font-family: verdana, charcoal, helvetica, arial, sans-serif;
font-size: small; color: #000; background-color: #FFF;
margin: 2em;
}
h1, h2, h3, h4, h5, h6 {
font-family: helvetica, monaco, "MS Sans Serif", arial, sans-serif;
font-weight: bold; font-style: normal;
}
h1 { color: #900; background-color: transparent; text-align: right; }
h3 { color: #333; background-color: transparent; }
td.RFCbug {
font-size: x-small; text-decoration: none;
width: 30px; height: 30px; padding-top: 2px;
text-align: justify; vertical-align: middle;
background-color: #000;
}
td.RFCbug span.RFC {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: bold; color: #666;
}
td.RFCbug span.hotText {
font-family: charcoal, monaco, geneva, "MS Sans Serif", helvetica, verdana, sans-serif;
font-weight: normal; text-align: center; color: #FFF;
}
table.TOCbug { width: 30px; height: 15px; }
td.TOCbug {
text-align: center; width: 30px; height: 15px;
color: #FFF; background-color: #900;
}
td.TOCbug a {
font-family: monaco, charcoal, geneva, "MS Sans Serif", helvetica, sans-serif;
font-weight: bold; font-size: x-small; text-decoration: none;
color: #FFF; background-color: transparent;
}
td.header {
font-family: arial, helvetica, sans-serif; font-size: x-small;
vertical-align: top; width: 33%;
color: #FFF; background-color: #666;
}
td.author { font-weight: bold; font-size: x-small; margin-left: 4em; }
td.author-text { font-size: x-small; }
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a { font-weight: bold; }
a:link { color: #900; background-color: transparent; }
a:visited { color: #633; background-color: transparent; }
a:active { color: #633; background-color: transparent; }
p { margin-left: 2em; margin-right: 2em; }
p.copyright { font-size: x-small; }
p.toc { font-size: small; font-weight: bold; margin-left: 3em; }
table.toc { margin: 0 0 0 3em; padding: 0; border: 0; vertical-align: text-top; }
td.toc { font-size: small; font-weight: bold; vertical-align: text-top; }
ol.text { margin-left: 2em; margin-right: 2em; }
ul.text { margin-left: 2em; margin-right: 2em; }
li { margin-left: 3em; }
/* RFC-2629 <spanx>s and <artwork>s. */
em { font-style: italic; }
strong { font-weight: bold; }
dfn { font-weight: bold; font-style: normal; }
cite { font-weight: normal; font-style: normal; }
tt { color: #036; }
tt, pre, pre dfn, pre em, pre cite, pre span {
font-family: "Courier New", Courier, monospace; font-size: small;
}
pre {
text-align: left; padding: 4px;
color: #000; background-color: #CCC;
}
pre dfn { color: #900; }
pre em { color: #66F; background-color: #FFC; font-weight: normal; }
pre .key { color: #33C; font-weight: bold; }
pre .id { color: #900; }
pre .str { color: #000; background-color: #CFF; }
pre .val { color: #066; }
pre .rep { color: #909; }
pre .oth { color: #000; background-color: #FCF; }
pre .err { background-color: #FCC; }
/* RFC-2629 <texttable>s. */
table.all, table.full, table.headers, table.none {
font-size: small; text-align: center; border-width: 2px;
vertical-align: top; border-collapse: collapse;
}
table.all, table.full { border-style: solid; border-color: black; }
table.headers, table.none { border-style: none; }
th {
font-weight: bold; border-color: black;
border-width: 2px 2px 3px 2px;
}
table.all th, table.full th { border-style: solid; }
table.headers th { border-style: none none solid none; }
table.none th { border-style: none; }
table.all td {
border-style: solid; border-color: #333;
border-width: 1px 2px;
}
table.full td, table.headers td, table.none td { border-style: none; }
hr { height: 1px; }
hr.insert {
width: 80%; border-style: none; border-width: 0;
color: #CCC; background-color: #CCC;
}
--></style>
</head>
<body>
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<table summary="layout" width="66%" border="0" cellpadding="0" cellspacing="0"><tr><td><table summary="layout" width="100%" border="0" cellpadding="2" cellspacing="1">
<tr><td class="header">Draft</td><td class="header">D. Balfanz, Ed.</td></tr>
<tr><td class="header"> </td><td class="header">Google Inc.</td></tr>
<tr><td class="header"> </td><td class="header">September 13, 2010</td></tr>
</table></td></tr></table>
<h1><br />Client Assertion JSON Tokens</h1>
<h3>Abstract</h3>
<p>This document describes the JSON Token assertion type for
OAuth 2. Client Assertion JSON Tokens can be used whenever an
"assertion" access grant type is required.
</p><a name="toc"></a><br /><hr />
<h3>Table of Contents</h3>
<p class="toc">
<a href="#anchor1">1.</a>
Introduction<br />
<a href="#anchor2">1.1.</a>
Requirements Language<br />
<a href="#params">2.</a>
Client Assertion JSON Token Parameters<br />
<a href="#anchor3">3.</a>
OAuth2 Signed Token Data Type<br />
<a href="#generation">4.</a>
Generating Client Assertion JSON Tokens<br />
<a href="#anchor4">5.</a>
Validating Client Assertion JSON Tokens<br />
<a href="#rfc.references1">6.</a>
Normative References<br />
<a href="#rfc.authors">§</a>
Author's Address<br />
</p>
<br clear="all" />
<a name="anchor1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.1"></a><h3>1.
Introduction</h3>
<p>Client Assertion JSON Tokens are <a class='info' href='#JsonTokens'>JSON
Tokens<span> (</span><span class='info'>Balfanz, D., “JSON Tokens,” .</span><span>)</span></a> [JsonTokens] with additional payload parameters and a specific
envelope data type. Client Assertion JSON Tokens can be used whenever an
"assertion" access grant type is required in the OAuth 2 protocol.
</p>
<a name="anchor2"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.1.1"></a><h3>1.1.
Requirements Language</h3>
<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <a class='info' href='#RFC2119'>RFC 2119<span> (</span><span class='info'>Bradner, S., “Key words for use in RFCs to Indicate Requirement Levels,” March 1997.</span><span>)</span></a> [RFC2119].
</p>
<a name="params"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.2"></a><h3>2.
Client Assertion JSON Token Parameters</h3>
<p>Client Assertion JSON Tokens are <a class='info' href='#JsonTokens'>JSON
Tokens<span> (</span><span class='info'>Balfanz, D., “JSON Tokens,” .</span><span>)</span></a> [JsonTokens] with the following additional payload parameters:
</p>
<blockquote class="text"><dl>
<dt>nonce</dt>
<dd>Used to prevent replay
attacks. Receivers of OAuth2 Signed Tokens may verify that
nonces have not been previously used within a reasonable
interval. Type: string
</dd>
<dt>subject</dt>
<dd>(optional) If specified, the Client
requests an access token not for itself, but for the
specified user. Type: string
</dd>
</dl></blockquote>
<a name="anchor3"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.3"></a><h3>3.
OAuth2 Signed Token Data Type</h3>
<p>OAuth2 Signed Tokens SHALL use the data type
"application/oauth-assertion+json" for the data type element in the
Magic Signature envelope.
</p>
<a name="generation"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.4"></a><h3>4.
Generating Client Assertion JSON Tokens</h3>
<p>OAuth Clients generate Client Assertion JSON Tokens. The
Client must use its client id as the issuer value in the token
payload. The audience field must be the
<a class='info' href='#JsonTokens'>Server Descriptor<span> (</span><span class='info'>Balfanz, D., “JSON Tokens,” .</span><span>)</span></a> [JsonTokens] of the
Authorization Server (AS) that receives this assertion.
</p>
<p>Senders should set the token_lifetime in the token payload
to a short lifetime, e.g., 1 minute.
</p>
<p>Clients use a Client Assertion JSON Token during
"assertion" grant types by specifying the following parameter
values:
</p>
<ul class="text">
<li>assertion_type: http://oauth.net/json-assertion
</li>
<li>assertion: the Client Assertion JSON Token
</li>
<li>scope: (optional) as defined in the OAuth2 spec.
</li>
</ul>
<p>The Authorization Server (AS) returns an access token to the
client. Normally, the access token will be for a (role)
account (on the AS's side) that corresponds to the Client. If
the Client has specified a subject, and the Client is
permitted to impersonate the account in question, then the
returned access token will be for the account in question. If
the Client specifies a subject, but is not allowed to
impersonate that account, the AS returns an error.
</p>
<a name="anchor4"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<a name="rfc.section.5"></a><h3>5.
Validating Client Assertion JSON Tokens</h3>
<p>Receivers of Client Assertion JSON Tokens proceed as follows to
validate an incoming HTTP request:
</p>
<ol class="text">
<li>They validate the JSON Tokens as explained in
the <a class='info' href='#JsonTokens'>JSON Token spec<span> (</span><span class='info'>Balfanz, D., “JSON Tokens,” .</span><span>)</span></a> [JsonTokens].
</li>
<li>They verify the correct data type in the Magic Signature
envelope.
</li>
<li>They verify that the audience in the token payload
identifies the validating Authorization Server.
</li>
<li>They may verify that the token nonce has not been used
within the lifetime of the token.
</li>
</ol><p>
If all these steps succeed, then the issuer value in the
token's payload can be assumed to correctly identify the
origin of the assertion.
</p>
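<p>The generation steps of Section 4 and the validation steps of Section 5, carried through as an added Python example that is not part of this draft. The envelope layout (data, data_type, alg, sig) and the HMAC-SHA256 signing base are assumptions standing in for the JSON Token / Magic Signature envelope the draft delegates to; the key, client id, server descriptor and nonce values are constructed.</p>

```python
import base64, hashlib, hmac, json, os, time

DATA_TYPE = "application/oauth-assertion+json"  # Section 3

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(client_id, as_descriptor, key, subject=None, now=None, lifetime=60):
    """Section 4: issuer = client id, audience = AS descriptor, short lifetime."""
    now = int(time.time()) if now is None else now
    payload = {"issuer": client_id, "audience": as_descriptor, "not_before": now,
               "token_lifetime": lifetime, "nonce": b64url(os.urandom(16))}
    if subject is not None:          # optional: ask for a token for another user
        payload["subject"] = subject
    data = b64url(json.dumps(payload, separators=(",", ":")).encode())
    # Assumed envelope: HMAC-SHA256 over data and data_type. The real JSON
    # Token / Magic Signature envelope layout and signing base are defined there.
    sig = hmac.new(key, f"{data}.{DATA_TYPE}".encode(), hashlib.sha256).digest()
    return {"data": data, "data_type": DATA_TYPE, "alg": "HMAC-SHA256", "sig": b64url(sig)}

def validate_assertion(env, key, my_descriptor, seen_nonces, now=None):
    """Section 5 steps in order; returns the payload, or None on any failure."""
    now = int(time.time()) if now is None else now
    # 1. JSON Token validation: signature and validity window
    base = f"{env.get('data', '')}.{env.get('data_type', '')}".encode()
    expected = hmac.new(key, base, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(env.get("sig", ""))):
        return None
    payload = json.loads(b64url_decode(env["data"]))
    nbf, life = payload["not_before"], payload["token_lifetime"]
    if not nbf <= now < nbf + life:
        return None
    # 2. envelope data type
    if env.get("data_type") != DATA_TYPE:
        return None
    # 3. audience names this Authorization Server
    if payload.get("audience") != my_descriptor:
        return None
    # 4. nonce not reused while the token is still valid (the MAY step, done here)
    nonce = payload.get("nonce")
    if nonce is None or seen_nonces.get(nonce, 0) > now:
        return None
    seen_nonces[nonce] = nbf + life   # remember it until the token expires
    return payload
```

<p>Only after all four checks pass is the issuer value trusted as the origin of the assertion; the nonce store is a plain dict here and would be a shared, expiring cache on a real AS.</p>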
<a name="rfc.references1"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>6. Normative References</h3>
<table width="99%" border="0">
<tr><td class="author-text" valign="top"><a name="JsonTokens">[JsonTokens]</a></td>
<td class="author-text">Balfanz, D., “<a href="http://balfanz.github.com/jsontoken-spec/draft-balfanz-jsontoken-00.html">JSON Tokens</a>.”</td></tr>
<tr><td class="author-text" valign="top"><a name="RFC2119">[RFC2119]</a></td>
<td class="author-text"><a href="mailto:[email protected]">Bradner, S.</a>, “<a href="http://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>,” BCP 14, RFC 2119, March 1997 (<a href="http://www.rfc-editor.org/rfc/rfc2119.txt">TXT</a>, <a href="http://xml.resource.org/public/rfc/html/rfc2119.html">HTML</a>, <a href="http://xml.resource.org/public/rfc/xml/rfc2119.xml">XML</a>).</td></tr>
</table>
<a name="rfc.authors"></a><br /><hr />
<table summary="layout" cellpadding="0" cellspacing="2" class="TOCbug" align="right"><tr><td class="TOCbug"><a href="#toc"> TOC </a></td></tr></table>
<h3>Author's Address</h3>
<table width="99%" border="0" cellpadding="0" cellspacing="0">
<tr><td class="author-text"> </td>
<td class="author-text">Dirk Balfanz (editor)</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Google Inc.</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">1600 Amphitheatre Parkway</td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">Mountain View, CA </td></tr>
<tr><td class="author-text"> </td>
<td class="author-text">USA</td></tr>
<tr><td class="author" align="right">Phone: </td>
<td class="author-text"></td></tr>
<tr><td class="author" align="right">Email: </td>
<td class="author-text"><a href="mailto:[email protected]">[email protected]</a></td></tr>
</table>
</body></html>