Open whitlockjc opened 5 years ago
whitlockjc
commented
5 years ago I realize that we want to make this forward thinking and not lock ourselves into one implementation but JSON Web Keys (JWK) allow for describing all key types I interact with. So my question is can't we treat JWK as the description format for security keys and go from there?
MikeRalphson
commented
5 years ago JSON Web Keys (JWK) allow for describing all key types I interact with. So my question is can't we treat JWK as the description format for security keys
Conversely, if we find that JWKs satisfy all likely general requirements for secure-keys, can't we still use a more generic term for both the property which defines or points to one, and the same for the container within components and our definition will then 'just happen' to allow for everything a JWK needs?
whitlockjc
commented
5 years ago Agreed. I want the top-level security key properties to be implementation agnostic.
cmheazel
commented
5 years ago A JWT describes a cryptographic instance. We need to describe the space of acceptable cryptographic instances. For example, an API may accept requests signed using RS256, RS384, and RS512. That would require three different JWT objects. What if we tried a JWT-like structure describing the names and valid values for the JOSE JWE and JOSE JWS parameters as well as the JWT claims? Each entry could identify the parameter/claim name and list the valid values for the entry. It should also indicate if it is protected or unprotected.
whitlockjc
commented
5 years ago I'm not following, JWS already has a "JWT-like" structure where the algorithm and key details are describes. So what's missing?
cmheazel
commented
5 years ago First of all, JWT describes the encryption operations that HAVE been performed. We need to describe the operations that CAN be formed. For example, how do I tell a user that they can use HS256, HS384, or HS512 to generate their signatures?
Second, OpenAPI is not restricted to JSON payloads. If I support XML signatures, how do I tell users which canonicalization algorithms my API supports?
I'm not saying that JWT is not a good place to start. But there is still more to do.
whitlockjc
commented
5 years ago I think your crossing the streams, if I understand you correctly. I'm talking about JSON Web Keys (JWS) and not JSON Web Tokens (JWT). You're right about JWT, they are encrypted/signed and the JWT self-describes what was used to encrypt/sign the key. My proposal is for defining JWS (not JWT) that are used for secure interactions with an API, like a JWS used to verify a JWT or like a JWS used to encrypt/sign a request/response. How an operation dictates that it's encrypted/signed, and how, is a consumer of keys and is yet to be decided. Security Schemes will need a way to consume keys as well.
fosrias
commented
4 years ago @whitlockjc I think you need to expand your example to include the following (oneOf jwk or jwks_uri):
security:
jwks-oath:
type: http
scheme: bearer
bearerFormat: JWT
jwks_uri: https://example.com/.well-known/jwks.jsonThis then works with Oauth2 providers that use JWTs and enables using JWKs with remote look up for key rotation.
SensibleWood
commented
4 years ago @whitlockjc I think you need to expand your example to include the following (oneOf jwk or jwks_uri):
security: jwks-oath: type: http scheme: bearer bearerFormat: JWT jwks_uri: https://example.com/.well-known/jwks.jsonThis then works with Oauth2 providers that use JWTs and enables using JWKs with remote look up for key rotation.
As an addendum to this, a good shout would be to ensure that the jwks_uri can be reflective of different environments in an API providers promotional model. For example, in the EU many banks are implementing JWKS for PSD2/open banking and they have several JWKS across their sandbox and production. For those doing OpenID Connect obvs it can be defined and exposed in Discovery endpoint but for those not this would be a good feature.
Simplest approach probably in the style of a Server object I guess
Often times when interacting with APIs, security keys are involved. From a JWT perspective, keys are used for encrypting, signing and verifying tokens. In issue #1464, keys are used for encrypting and signing requests/responses. I would like to propose that we officially support describing security keys in OAS, starting with JSON Web Keys.
Shooting from the hip, here is a first-pass example:
As you can see, each key has three common properties:
description: A human-readable description of the keytype: The type of the key (One could argue that JSON Web Keys are capable of describing any key and only JSON Web Keys should be supported but for now, this value would be free-form and it would be tooling specific as to how the values are validated.)metadata: This is the information describing the key based on the key type (This field must be free-form to allow for future expansion)Once we have a common way to describe security keys, you have the ability to reference them using JSON References to use. Here are two examples:
Signed Reqeusts/Responses (#1464)
JWT-based Security Scheme
Note: This example uses a JWT-based Security Scheme that DOES NOT exist yet and is only for example purposes. There is an ongoing discussion about supporting JWT for security in OAS but this is not indicative of what will be supported if/when a decision is made.
Now that we have some examples, let's get the conversation started.