-
Notifications
You must be signed in to change notification settings - Fork 16
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
verifiable consent of visa usage #40
base: master
Are you sure you want to change the base?
Conversation
I'd like @cdvoisin to take first pass. Might also be worth having @mikael-linden look and chat... |
@dvoet please add versioning info on top |
Looks reasonable. Aud is a common OIDC practice to restrict access token consumers. |
Great if Mikael is a thumb, then once Craig says yes we're good to go. |
AAI/AAIConnectProfile.md
Outdated
@@ -396,6 +397,10 @@ the Broker. | |||
presented and/or transformed without misrepresenting the original intent, | |||
except for accommodating for `exp` timestamps to be represented as | |||
indicated above. | |||
|
|||
3. An Embedded Token Issuer MAY include the `aud` field to indicate which | |||
[Brokers](#term-broker) were consented by the user. The values within the `aud` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"consent" has its own flavor of interpretation that may be both too broad (perhaps in GDPR) and too narrow (in that it doesn't have to involve a user). For the Passport spec, the relationship between the Broker and the Visa Issuer is purposely unspecified except to follow this spec. Agreed, there is a MAY here, but it won't have much meaning if the wording covers a more narrow use case.
Instead of "to indicate which Brokers were consented by the user", I would pivot "to identify the Brokers as the intended audience as specified by RFC 7523 Section 3".
Although this seems more vague, it does provide more coverage for who can make use of this statement such that the network can handle the "how" and "what" the user interaction is that leads to this result.
AAI/AAIConnectProfile.md
Outdated
|
||
3. An Embedded Token Issuer MAY include the `aud` field to indicate which | ||
[Brokers](#term-broker) were consented by the user. The values within the `aud` | ||
field must match the `iss` field of OIDC access tokens issued by consented Brokers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on previous feedback on the spec, we try to avoid the term "OIDC access token" due to the various layers of specs involved. Just "access tokens" here is preferred based on those previous nits and not to undo that previous nit-fixing work.
AAI/AAIConnectProfile.md
Outdated
@@ -426,6 +431,8 @@ the Broker. | |||
any other Broker involved in the propagation of the claims to | |||
also be trusted if the Claim Clearinghouse needs to restrict its | |||
trust model). | |||
2. If Embedded Token contains `aud` field, Clearinghouse MUST check |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add "an" to yield: "If an Embedded Token".
AAI/AAIConnectProfile.md
Outdated
@@ -426,6 +431,8 @@ the Broker. | |||
any other Broker involved in the propagation of the claims to | |||
also be trusted if the Claim Clearinghouse needs to restrict its | |||
trust model). | |||
2. If Embedded Token contains `aud` field, Clearinghouse MUST check | |||
that the Embedded Token's `aud` contains `iss` of access token provided by Broker. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple of things here:
- contains is too vague, it must be an exact match as per https://tools.ietf.org/html/rfc3986#section-6.2.1
- "access token provided by Broker" can be ambiguous in cases where the there are multiple brokers involved or multiple embedded tokens that happen to be signed by one or more brokers. The intent comes across, but it just isn't tightly worded.
To fix:
"[matches] (https://tools.ietf.org/html/rfc3986#section-6.2.1) the Broker's iss
claim (i.e. a Broker's access token iss
claim must match the aud
claim within its Embedded Tokens if the Embedded Token aud
claim is provided)"
AAI/AAIConnectProfile.md
Outdated
@@ -628,6 +635,8 @@ where: | |||
|
|||
2. The header MUST NOT contain a `jku`. | |||
|
|||
3. JWT payload MAY contain `aud` to list approved brokers. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This section is for headers and doesn't carry aud
(even though the sentence mentions payload). To solve, delete this line and leave the "payload" line that already exists below.
Let me know if your intent is to replicate claims here: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-5.3
This should be done with caution if using the aud
field.
AAI/AAIConnectProfile.md
Outdated
@@ -701,6 +710,8 @@ Issuer. | |||
- `<ga4gh-spec-claims>`: OPTIONAL. One or more GA4GH Claims MAY be | |||
provided. See [Authorization/Claims](#authorizationclaims) for an | |||
example. | |||
|
|||
- MAY contain `aud` to list approved brokers |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
micro-nit: please add 2 spaces after the dash ("-") to align with the other entries above and add period punctuation at the end for consistency.
@cdvoisin I think I addressed your comments. Please take another look. Thanks. |
@cdvoisin -- can you take a look? |
AAI/AAIConnectProfile.md
Outdated
3. An Embedded Token Issuer MAY include the `aud` field to identify the | ||
[Brokers](#term-broker) as the intended audience as specified by | ||
[RFC 7523 Section 3](https://tools.ietf.org/html/rfc7523#section-3). | ||
The values within the `aud` field must match the `iss` field of access tokens |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Suggestion just to make language clear. Given this is a MAY, and then have a sentence here saying "the values ... must match". How about:
"When an aud
claim is specified, the values within the aud
claim MUST match the iss
claim for the Broker that includes the embedded token."
AAI/AAIConnectProfile.md
Outdated
@@ -396,6 +397,12 @@ the Broker. | |||
presented and/or transformed without misrepresenting the original intent, | |||
except for accommodating for `exp` timestamps to be represented as | |||
indicated above. | |||
|
|||
3. An Embedded Token Issuer MAY include the `aud` field to identify the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"field" -> "claim"
@dvoet almost there, just a couple more nits for you to look at. Ping me when ready. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Everyone okay with this now?
that one of the Embedded Token's `aud` entries | ||
[matches](https://tools.ietf.org/html/rfc3986#section-6.2.1) the Broker's | ||
`iss` claim (i.e. a Broker's access token `iss` claim must match the `aud` | ||
claim within its Embedded Tokens if the Embedded Token aud claim is provided). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
aud -> aud
@@ -429,6 +436,11 @@ the Broker. | |||
any other Broker involved in the propagation of the claims to | |||
also be trusted if the Claim Clearinghouse needs to restrict its | |||
trust model). | |||
2. If an Embedded Token contains an `aud` claim, Clearinghouse MUST check | |||
that one of the Embedded Token's `aud` entries | |||
[matches](https://tools.ietf.org/html/rfc3986#section-6.2.1) the Broker's |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why broker's? The "aud" claim means "audience", so it should match the clearing house's client id, not the broker's issuer id. The audience ("the recipients processing the JWT" as per RFC 7519#4.1.3) is the clearing house, not the broker.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please see the PR summary for what I am trying to achieve.
In addition to allowing the aud
claim to contain brokers we could say it must also contain clearing houses then the clearing house must verify that it is in the list itself as well as the broker. Essentially the visa issuer would specify all the parties, brokers and clearing houses, who are allowed to use the JWT. This spec would then go above and beyond the JWT RFC by saying the clearing house much check that the broker is in the aud
claim.
If aud
is not the right claim to use then I would propose adding a new claim to the spec and registering that with IANA.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Defining a new claim seems to be a better way to me.
I think adding However, this doesn't address consent or verifiable consent at all. As I understand it, consent is an agreement between the user and an organization or company (a legal entity). In the proposed flow, the organization needs to obtain the user’s data (their Visa) and parse it in order to verify if the user has consented or not. That’s already too late. The organization should not even have access to the user’s data without knowing that the user has consented. Verification of user consent needs to happen prior to the user’s data being shared. |
A key philosophy that we ask across the AAI and Passport, without asking, is "Should a JWT, signed from a trusted source, full of visas from sources that can be checked, sufficient for Authentication?" It might help us to include things about JWT-only auth, such as that it is assumed that JWT-only auth works in a fairly closed network of sources where it is ensured that the User understands that their JWT might be used be these related downstream systems. These systems are NOT 3rd parties in the traditional sense. Maybe I'll write something and add it to the spec, at least as an explanation. It is NOT a replacement for OIDC/Oauth but rather an expression of them upstream. It is NOT the intention of AAI/Passports ONLY to "just be OIDC", but rather an alternative. JWT-only auth IS allowed by AAI/Passport provided that risk is appropriately assessed. |
For issues brought up here, #40, we are trying to clarify that GA4GH explicitly supports JWT-only auth though it is not the most recommended way to use it.
Hi @jiaqi216, I've started this PR #41 to make sure that the GA4GH spec explicitly mentions JWT_only auth as a possible, and not recommended, method of auth. I feel, with your feedback, that it was lacking to have an explicit callout. |
When considering implementation of the AAI spec, we have a concern that there is no way for a clearinghouse to verify that the user has consented to allow a visa to be used by a broker. As the spec currently stands users who trust a Broker A effectively must trust all other brokers that Broker A trusts and so on down the trust chain. The user has no visibility into or mechanism to limit this.
This addition to the spec hopes to achieve this by adding audiences to Embedded Access Tokens or Embedded Document Tokens. Users can consent to a list of brokers when the tokens are generated. If the audience field does not exist then there is no restriction. How the token issuer knows what list to present to the user is unspecified.
Example embedded access token payload:
Example access token issued by broker to clearinghouse:
In this example, the clearinghouse MUST verify that the
aud
field in the embedded access token payload contains theiss
field of the broker access token.