OAuth Working Group M.B. Jones Internet-Draft Self-Issued Consulting Updates: 7521, 7522, 7523, 9126 (if approved) B. Campbell Intended status: Standards Track Ping Identity Expires: 25 October 2025 C. Mortimore Disney 23 April 2025 Updates to Audience Values for OAuth 2.0 Authorization Servers draft-ietf-oauth-rfc7523bis-01 Abstract This specification updates the requirements for audience values for tokens whose audience is an OAuth 2.0 authorization server to address a security vulnerability identified in the previous requirements for those audience values in multiple OAuth 2.0 specifications. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 25 October 2025. Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. Jones, et al. Expires 25 October 2025 [Page 1] Internet-Draft Updates to Audience Values for ASs April 2025 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Updates to RFC 7521 . . . . . . . . . . . . . . . . . . . . . 3 3. Updates to RFC 7522 . . . . . . . . . . . . . . . . . . . . . 4 4. Updates to RFC 7523 . . . . . . . . . . . . . . . . . . . . . 6 5. Updates to RFC 9126 . . . . . . . . . . . . . . . . . . . . . 9 6. Security Considerations . . . . . . . . . . . . . . . . . . . 9 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 7.1. Media Type Registration . . . . . . . . . . . . . . . . . 9 7.1.1. Registry Contents . . . . . . . . . . . . . . . . . . 9 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . 12 Appendix A. Document History . . . . . . . . . . . . . . . . . . 13 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction Multiple OAuth 2.0 specifications use tokens (also known as "assertions") that are sent to authorization servers. These tokens contain an audience value or values intended to identify the recipients that the token is intended for. When the token is a JSON Web Token (JWT) [JWT], the audience value(s) are contained in the aud (audience) claim. When performing a security analysis of a pre-final version of the OpenID Federation specification [OpenID.Federation.ID4], University of Stuttgart security researchers Pedram Hosseyni, Dr. Ralf Küsters, and Tim Würtele discovered a vulnerability affecting multiple OpenID and OAuth specifications caused by ambiguities in the audience values of tokens sent to authorization servers. The vulnerability was disclosed to the OAuth working group in an interim meeting in January 2025 called for that purpose, including providing a description of the vulnerability [private_key_jwt.Disclosure]. A paper they published describing the attack is [Audience.Injection]. Jones, et al. Expires 25 October 2025 [Page 2] Internet-Draft Updates to Audience Values for ASs April 2025 This specification updates the affected OAuth specifications to address the security vulnerability identified. Specifically, it eliminates former ambiguities in the audience values of tokens sent to OAuth 2.0 authorization servers. A general description of the update made to each specification is for it to require that the issuer identifier URL of the authorization server, as defined in [RFC8414], be used as the sole value of the token audience. Furthermore, the authorization server MUST reject any such token that does not contain its own issuer identifier as the sole audience value. An explicit type for each affected kind of token, as defined in [RFC8725], is also defined to facilitate distinguishing between tokens produced in accordance with specifications published prior to these updates and those incorporating them. Specific updates made to each affected specification follow. 1.1. Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 1.2. Terminology All terms are as defined in the following specifications: "The OAuth 2.0 Authorization Framework" [RFC6749], "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7521], and "JSON Web Token (JWT)" [JWT]. 2. Updates to RFC 7521 This section updates "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7521] to tighten its audience requirements. The description of the Audience parameter in Section 5.1 of [RFC7521] (Assertion Metamodel) is replaced by: Jones, et al. Expires 25 October 2025 [Page 3] Internet-Draft Updates to Audience Values for ASs April 2025 Audience A value that identifies the party intended to process the assertion. The audience MUST contain the issuer identifier [RFC8414] of the authorization server as its sole value. Unlike the audience value specified in [RFC7521], there MUST be no value other than the issuer identifier of the intended authorization server used as the audience of the assertion; this includes that the token endpoint URL of the authorization server MUST NOT be used as an audience value. The description of the Audience parameter in Section 5.2 of [RFC7521] (General Assertion Format and Processing Rules) is replaced by: The assertion MUST contain an audience that identifies the authorization server as the intended audience, with the issuer identifier [RFC8414] of the authorization server as its sole value. The authorization server MUST reject any assertion that does not contain its own issuer identifier as the sole audience value. In the list of agreements required by participants in Section 7 of [RFC7521] (Interoperability Considerations), "audience identifiers" is removed from the list. 3. Updates to RFC 7522 This section updates "Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7522] to tighten its audience requirements. The description of the Audience element in Item 2 of Section 3 of [RFC7522] (Assertion Format and Processing Requirements) is replaced by: The Assertion MUST contain a element with an element with a single element that identifies the authorization server as the intended audience. The value of the element MUST be the issuer identifier [RFC8414] of the authorization server. Section 2.5.1.4 of "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0" [OASIS.saml-core-2.0-os] defines the and elements. Unlike the audience value specified in [RFC7522], there MUST be no value other than the issuer identifier of the intended authorization server used as the audience of the assertion; this includes that the token endpoint URL of the authorization server MUST NOT be used as an audience value. Jones, et al. Expires 25 October 2025 [Page 4] Internet-Draft Updates to Audience Values for ASs April 2025 The authorization server MUST reject any assertion that does not contain its own issuer identifier as the sole audience value. In Section 4 of [RFC7522] (Authorization Grant Example), the sentence: The intended audience of the Assertion is https://saml- sp.example.net, which is an identifier for a SAML Service Provider with which the authorization server identifies itself. is replaced by: The intended audience of the Assertion is https://authz.example.net, which is the authorization server's issuer identifier. In the same section, the SAML 2.0 Assertion example is replaced by: Jones, et al. Expires 25 October 2025 [Page 5] Internet-Draft Updates to Audience Values for ASs April 2025 https://saml-idp.example.com [...omitted for brevity...] brian@example.com https://authz.example.net urn:oasis:names:tc:SAML:2.0:ac:classes:X509 Figure 1: Example SAML 2.0 Assertion In the list of agreements required by participants in Section 5 of [RFC7521] (Interoperability Considerations), "audience identifiers" is removed from the list. 4. Updates to RFC 7523 This section updates "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7523] to tighten its audience requirements. In Section 3 of [RFC7523] (JWT Format and Processing Requirements), Item 3, which describes the audience value, is replaced by: Jones, et al. Expires 25 October 2025 [Page 6] Internet-Draft Updates to Audience Values for ASs April 2025 The JWT MUST contain an aud (audience) claim containing the issuer identifier [RFC8414] of the authorization server as its sole value. The authorization server MUST have an issuer identifier to be used with this specification. Unlike the aud value specified in [RFC7523], there MUST be no value other than the issuer identifier of the intended authorization server used as the audience of the JWT; this includes that the token endpoint URL of the authorization server MUST NOT be used as an audience value. To simplify implementations, the aud claim value MUST be a JSON string, and not a single-valued JSON array. The authorization server MUST reject any JWT that does not contain its issuer identifier as its sole audience value. In the absence of an application profile specifying otherwise, compliant applications MUST compare the audience values using the Simple String Comparison method defined in Section 6.2.1 of RFC 3986 [RFC3986]. In Section 3.1 of [RFC7523] (Authorization Grant Processing), the following requirement is added: Authorization grant JWTs MUST be explicitly typed by using the typ header parameter value authorization-grant+jwt or another more specific explicit type value defined by a specification profiling this specification. Authorization grant JWTs not using the explicit type value MUST be rejected by the authorization server. In Section 3.2 of [RFC7523] (Client Authentication Processing), the following requirement is added: Client authentication JWTs MUST be explicitly typed by using the typ header parameter value client-authentication+jwt another more specific explicit type value defined by a specification profiling this specification. Client authentication JWTs not using the explicit type value MUST be rejected by the authorization server. In Section 4 of [RFC7523] (Authorization Grant Example), the sentence: The intended audience of the JWT is https://jwt-rp.example.net, which is an identifier with which the authorization server identifies itself. is replaced by: The intended audience of the JWT is https://authz.example.net, which is the authorization server's issuer identifier. In the same section, the JWT Claims Set example is replaced by: Jones, et al. Expires 25 October 2025 [Page 7] Internet-Draft Updates to Audience Values for ASs April 2025 {"aud":"https://authz.example.net", "iss":"https://jwt-idp.example.com", "sub":"mailto:mike@example.com", "iat":1731721541, "exp":1731725141, "http://claims.example.com/member":true } Figure 2: Example JWT Claims Set In the same section, the sentence: The following example JSON object, used as the header of a JWT, declares that the JWT is signed with the Elliptic Curve Digital Signature Algorithm (ECDSA) P-256 SHA-256 using a key identified by the kid value 16. is replaced by: The following example JSON object, used as the header parameters of a JWT, declares that the JWT is an authorization grant JWT, is signed with the Elliptic Curve Digital Signature Algorithm (ECDSA) P-256 with SHA-256, and was signed with a key identified by the kid value 16. In the same section, the JOSE Header Parameters example is replaced by: {"typ":"authorization-grant+jwt","alg":"ES256","kid":"16"} Figure 3: Example JOSE Header Parameters In the same section, the example POST body is replaced by: grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=eyJ0eXAiOiJhdXRob3JpemF0aW9uLWdyYW50K2p3dCIsImFsZyI6Ik VTMjU2Iiwia2lkIjoiMTYifQ. eyJhdWQiOiJodHRwczovLw[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] Figure 4: Example POST Body In the list of agreements required by participants in Section 5 of [RFC7523] (Interoperability Considerations), "audience identifiers" is removed from the list. Jones, et al. Expires 25 October 2025 [Page 8] Internet-Draft Updates to Audience Values for ASs April 2025 5. Updates to RFC 9126 This section updates "OAuth 2.0 Pushed Authorization Requests" [RFC9126] to tighten its audience requirements. The paragraph describing the audience value in Section 2 of [RFC9126] (Pushed Authorization Request Endpoint) is replaced by: This update resolves the potential ambiguity regarding the appropriate audience value to use when employing JWT client assertion-based authentication (as defined in Section 2.2 of [RFC7523] with the private_key_jwt or client_secret_jwt authentication method names per Section 9 of [OpenID.Core]) that was described in [RFC9126]. To address that ambiguity, the issuer identifier URL of the authorization server according to [RFC8414] MUST be used as the sole value of the audience. The authorization server MUST reject any such JWT that does not contain its own issuer identifier as the sole audience value. 6. Security Considerations The security considerations described within the following specifications are all applicable to this document: "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7521], "Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7522], "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants" [RFC7523], "OAuth 2.0 Pushed Authorization Requests" [RFC9126], "The OAuth 2.0 Authorization Framework" [RFC6749], and "JSON Web Token (JWT)" [JWT]. This specification tightens token audience requirements to prevent attacks that could result from exploiting audience ambiguities previously allowed by [RFC7521], [RFC7522], [RFC7523], and [RFC9126]. These attacks are described in [private_key_jwt.Disclosure] and [Audience.Injection]. 7. IANA Considerations 7.1. Media Type Registration This section registers the following media types [RFC2046] in the "Media Types" registry [IANA.MediaTypes] in the manner described in [RFC6838]. 7.1.1. Registry Contents * Type name: application Jones, et al. Expires 25 October 2025 [Page 9] Internet-Draft Updates to Audience Values for ASs April 2025 * Subtype name: authorization-grant+jwt * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary; An authorization grant JWT is a JWT; JWT values are encoded as a series of base64url-encoded values (some of which may be the empty string) separated by period ('.') characters. * Security considerations: See Section 6 of this specification * Interoperability considerations: n/a * Published specification: Section 4 of this specification * Applications that use this media type: Applications that use this specification * Fragment identifier considerations: n/a * Additional information: Magic number(s): n/a File extension(s): n/a Macintosh file type code(s): n/a * Person & email address to contact for further information: Michael B. Jones, michael_b_jones@hotmail.com * Intended usage: COMMON * Restrictions on usage: none * Author: Michael B. Jones, michael_b_jones@hotmail.com * Change controller: IETF * Provisional registration? No * Type name: application * Subtype name: client-authentication+jwt * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary; A client authentication JWT is a JWT; JWT values are encoded as a series of base64url-encoded values (some of which may be the empty string) separated by period ('.') characters. * Security considerations: See Section 6 of this specification * Interoperability considerations: n/a * Published specification: Section 4 of this specification * Applications that use this media type: Applications that use this specification * Fragment identifier considerations: n/a * Additional information: Magic number(s): n/a File extension(s): n/a Macintosh file type code(s): n/a * Person & email address to contact for further information: Michael B. Jones, michael_b_jones@hotmail.com * Intended usage: COMMON * Restrictions on usage: none * Author: Michael B. Jones, michael_b_jones@hotmail.com Jones, et al. Expires 25 October 2025 [Page 10] Internet-Draft Updates to Audience Values for ASs April 2025 * Change controller: IETF * Provisional registration? No 8. References 8.1. Normative References [JWT] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, . [OASIS.saml-core-2.0-os] Cantor, S., Kemp, J., Philpott, R., and E. Maler, "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0", OASIS Standard saml-core- 2.0-os, March 2005, . [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . [RFC6749] Hardt, D., Ed., "The OAuth 2.0 Authorization Framework", RFC 6749, DOI 10.17487/RFC6749, October 2012, . [RFC7521] Campbell, B., Mortimore, C., Jones, M., and Y. Goland, "Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7521, DOI 10.17487/RFC7521, May 2015, . [RFC7522] Campbell, B., Mortimore, C., and M. Jones, "Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7522, DOI 10.17487/RFC7522, May 2015, . [RFC7523] Jones, M., Campbell, B., and C. Mortimore, "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants", RFC 7523, DOI 10.17487/RFC7523, May 2015, . Jones, et al. Expires 25 October 2025 [Page 11] Internet-Draft Updates to Audience Values for ASs April 2025 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8414] Jones, M., Sakimura, N., and J. Bradley, "OAuth 2.0 Authorization Server Metadata", RFC 8414, DOI 10.17487/RFC8414, June 2018, . [RFC8725] Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best Current Practices", BCP 225, RFC 8725, DOI 10.17487/RFC8725, February 2020, . [RFC9126] Lodderstedt, T., Campbell, B., Sakimura, N., Tonge, D., and F. Skokan, "OAuth 2.0 Pushed Authorization Requests", RFC 9126, DOI 10.17487/RFC9126, September 2021, . 8.2. Informative References [Audience.Injection] Hosseyni, P., Küsters, R., and T. Würtele, "Audience Injection Attacks: A New Class of Attacks on Web-Based Authorization and Authentication Standards", Cryptology ePrint Archive Paper 2025/629, April 2025, . [IANA.MediaTypes] IANA, "Media Types", . [OpenID.Core] Sakimura, N., Bradley, J., Jones, M.B., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", 15 December 2023, . [OpenID.Federation.ID4] Hedberg, R., Jones, M. B., Solberg, A., Bradley, J., Marco, G. D., and V. Dzhuvinov, "OpenID Federation 1.0", 31 May 2024, . Jones, et al. Expires 25 October 2025 [Page 12] Internet-Draft Updates to Audience Values for ASs April 2025 [private_key_jwt.Disclosure] OpenID Foundation, "OIDF Responsible Disclosure Notice on Security Vulnerability for private_key_jwt", 24 January 2025, . [RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, DOI 10.17487/RFC2046, November 1996, . [RFC6838] Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10.17487/RFC6838, January 2013, . Appendix A. Document History [[ to be removed by the RFC Editor before publication as an RFC ]] -01 * Reworked to make updates to RFC 7523, rather than replacing it. * Removed updates to RFC 9101. * Added reference to the University of Stuttgart paper [Audience.Injection]. -00 * Initial working group draft, replacing draft-jones-oauth- rfc7523bis-00. Acknowledgements We would like to acknowledge the contributions of the following people to this specification: John Bradley, Ralph Bragg, Joseph Heenan, Pedram Hosseyni, Aaron Parecki, Filip Skokan, and Tim Würtele. Authors' Addresses Michael B. Jones Self-Issued Consulting Email: michael_b_jones@hotmail.com URI: https://self-issued.info/ Jones, et al. Expires 25 October 2025 [Page 13] Internet-Draft Updates to Audience Values for ASs April 2025 Brian Campbell Ping Identity Email: bcampbell@pingidentity.com Chuck Mortimore Disney Email: charliemortimore@gmail.com Jones, et al. Expires 25 October 2025 [Page 14]