camaraproject / IdentityAndConsentManagement

Repository to describe, develop, document and test the Identity And Consent Management for CAMARA APIs
Apache License 2.0

Proposal for CAMARA mandated minimum acceptable JWT token lifetime #208

Open eric-murray opened 1 day ago

eric-murray commented 1 day ago

Problem description

CAMARA mandates that clients be authenticated using private_key_jwt. The OIDC code specification mandates that the JWT includes an exp claim. Whilst tokens that have expired must be rejected by the authorisation server, creating long-lived tokens (to remove the risk of token expiration) itself leads to potential security risks.

This is recognised by RFC 7523, which states:

> ... the authorization server may reject JWTs with an "exp" claim value that is unreasonably far in the future

However, neither RFC 7523 nor OIDC nor CAMARA give any guidance as to what is considered to be "unreasonably far in the future", or what should be the minimum token lifetime that must be accepted by all authorisation servers. This could lead to a situation where client implementations generate tokens that are accepted by some authorisation servers, but rejected by others, purely because of the token lifetime.

Possible evolution

A minimum JWT token lifetime that must be accepted by all authorisation servers should be mandated by CAMARA. It is proposed that this minimum lifetime be 300 seconds, which is plenty of time for a token to be generated and then presented to the authorisation server. This requirement could be appended to the existing text on client authentication as follows:

> The token expiration time SHOULD be no more than 300 seconds later than the time of issue. Authorization servers MAY reject tokens whose lifetime (measured from the "issued at" time if known, or otherwise from the time of receipt) exceeds this.

Alternative solution

None offered

Additional context

None

garciasolero commented 1 day ago

If we are considering adding this restriction for the exp claim, or warning that some implementations may have this restriction, it might be convenient to include a similar statement for the jti claim according to RFC 7523:

> The authorization server MAY ensure that JWTs are not replayed by maintaining the set of used "jti" values for the length of time for which the JWT would be considered valid based on the applicable "exp" instant.

eric-murray commented 1 day ago

> some implementations may have this restriction

ALL implementations will have some limitation on acceptable token lifetime. I am proposing that we make it explicit to the API consumer that tokens with a lifetime less than 300 seconds will be accepted by all authorisation servers. This would be new information for the API consumer.

Your proposed text on jti values is an implementation hint for authorisation servers, but adds no new information for API consumers. CAMARA should try to keep its specifications compact by only providing information that the API consumer needs to know. So I'd prefer not to include such hints.