CIBA: rt_hash and auth_req_id in ID Token from Token Endpoint

Issue #127 resolved

Takahiko Kawasaki created an issue 2018-12-12

In the "push" mode, an ID token is directly issued to the client notification endpoint. The non-normative example of a base64url decoded ID token in "10.3.1. Successful Token Delivery" contains the following claims.

urn:openid:params:jwt:claim:rt_hash
urn:openid:params:jwt:claim:auth_req_id

On the other hand, the ID token in the non-normative example in "10.1.1. Successful Token Response", which is an ID token issued from the token endpoint, does not contain the claims. Is this difference intentional?

The ID token in 10.1.1. before decoding:

eyJhbGciOiJSUzI1NiIsImtpZCI6IjE2NzcyNiJ9.eyJpc3MiOiJ
odHRwOi8vc2VydmVyLmV4YW1wbGUuY29tIiwic3ViIjoiMjQ4Mjg5NzYxMDAxIiw
iYXVkIjoiczZCaGRSa3F0MyIsImVtYWlsIjoiamFuZWRvZUBleGFtcGxlLmNvbSI
sImV4cCI6MTUzNzgxOTgwMywiaWF0IjoxNTM3ODE5NTAzfQ.LW5TN_gGHzRSNb4Y
8UIQCoXEwRVW-BYf60I0nVxKHWM968CKdCyK4DlSBS2Fw6wk92cbHCsL0hjAaLyy
xHcaPjAmKLkJV6gS9sgWye8Oo_f2EbacV7igICM_0nTNYq4OH0AHmgHWbF_abmjx
P2abYYXX-CKmx9S3CPvW65lakh2yFXNkB5_u-RYmJQFpY2MQpOG-2qu0SbzeRkxG
AYG2xOi2aVCSEztl5jD1N5OH9EKS8bl5Rsp3kdgpRiMADVYYLqDM7U1Y5ucpLyy6
tboJQNkEUPfjff1lxkrI1RRqjxDHR8yqIJ2ak8DClTvaKeC8faBRX-_QbSPFEEjH
ust2eQ

The payload part of the ID token in 10.1.1. after decoding:

{
  "iss": "http://server.example.com",
  "sub": "248289761001",
  "aud": "s6BhdRkqt3",
  "email": "janedoe@example.com",
  "exp": 1537819803,
  "iat": 1537819503
}

BTW, it would be better to change the scheme part of the iss claim from http to https because 2. ID Token in OIDC Core 1.0 says as follows:

iss

REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

Comments (14)

Dave Tonge
So this is definitely intentional.

Those 2 claims are only needed in the push callback to ensure that the access/refresh tokens are bound to the id_token and the auth_req_id. This is because of the different security context of the push callback - the RP can't rely on the TLS connection to ensure that there has been no tampering with the values.

When the tokens are retrieved via the token endpoint the RP is directly passing the auth_req_id to the OP and synchronously getting back the tokens. In this instance the RP can rely on the TLS connection to ensure that there is no tampering and that they are communicating directly with the OP.

With regards to the http issuer, I suppose this is worth updating, what do you think @b_d_c ?

@authlete-taka I would also like to know if you think its worth adding more text to explain why we need those values in the ID Token on the push callback?
- 2018-12-12T12:19:17+00:00
Takahiko Kawasaki reporter
@dgtonge From an implementer's point of view, text to explain the reason is not necessary. I just worried about the possibility that lack of rt_hash and auth_req_id was unintentional. However, such explanation may be able to reduce the possibility that similar questions are posted and/or discussed again in the future. 😅
- 2018-12-12T12:43:19+00:00
Brian Campbell
Agree that http issuer should be updated and I'll take care of it.
- 2018-12-12T18:00:15+00:00
Brian Campbell
examples now use https for iss per b7eb8b2
- 2018-12-12T20:31:18+00:00
Dave Tonge
thanks @b_d_c @authlete-taka I think we probably do need some more text. And I think it should probably go in the security considerations section.

I will propose some text.
- 2018-12-13T12:25:57+00:00
Dave Tonge
@authlete-taka @b_d_c I've pushed this commit: https://bitbucket.org/openid/mobile/commits/f8a6db8222066acdc2e45658217c77dd437ab9ae

I'd be grateful for your review, but I felt that we do need to call out the different security properties of the Push mode.
- 2018-12-13T12:56:02+00:00
Brian Campbell
The last sentence in that commit:

However due to the different security properties of the Push Callback mode, implementers may want to consider the use of sender constrained tokens to further protect this mode.

Which tokens and how would they be constrained (noting MTLS and TB are only defined to bind tokens issued from the token endpoint) and what protections does that give this mode specifically? That's meant to be kinda rhetorical.

IMHO that last sentence should be removed. But otherwise it's quite good.
- 2018-12-13T18:32:58+00:00
Dave Tonge
Sure, I was struggling with it as well. I'll remove the last sentence.
- 2018-12-13T19:15:37+00:00
Brian Campbell
and 7d859c0 looks good @dgtonge - thanks for that. I think this one can be resolved?
- 2018-12-13T19:35:25+00:00
Takahiko Kawasaki reporter
I think it is well written. BTW,

implementers may want to consider the use of sender constrained tokens to further protect this mode.

This is interesting. In Poll and Ping modes, the client certificate used in the “token request” will be associated with the issued access token. But, in order to support certificate-bound access tokens in Push mode, the client certificate used in the “backchannel authentication request” is the only candidate for the binding.
- 2018-12-13T19:39:40+00:00
Takahiko Kawasaki reporter
I'm wondering what CIBA-FAPI profile (?) which I imagine will be drafted after the CIBA Core spec is finalized will require for HoK.
- 2018-12-13T19:43:59+00:00
Dave Tonge
@b_d_c thanks I'll resolve it.

@authlete-taka we attempted to cover that in the current FAPI profile of CIBA. However I think we are now just going to take the easy route and restrict the use of Push mode for FAPI.
- 2018-12-13T19:45:08+00:00
Dave Tonge
- changed status to resolved
- 2018-12-13T19:45:22+00:00
Brian Campbell
+1 for easy route :)
- 2018-12-13T19:46:10+00:00
Log in to comment

Assignee: –

Type: enhancement

Priority: minor

Status: resolved

Component: CIBA

Milestone: CIBA Implementer's Draft

Votes: 0

Watchers: 0