oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

JSON serialization doesn't cover key binding #392

Closed bifurcation closed 2 months ago

bifurcation commented 7 months ago

As in #383, 9. JWS JSON Serialization invokes specification by magic:

Key Binding (if applicable) will be provided by means not specifically defined in this specification

If we are defining a format for SD-JWT, that format needs to include all of the parts of the SD-JWT. Unless #374 gets fixed, that means the format needs an optional key binding field.

But I think that this issue is actually a symptom of #374. The document doesn't define a format for "SD-JWT with KB" because it is actually a substantively different thing from "SD-JWT without KB". Putting it in JSON just highlights the difference more clearly than ~-delimited text.

The current syntax seems fine to me for "SD-JWT without KB". For "SD-JWT with KB", I would think you would want something like:

{
  "sd_jwt": { /* format currently specified, or compact */ },
  "key_binding": { /* JSON-formatted JWS of KB-JWT */ }
}

Here the sd_jwt field MUST hash to sd_hash, after serialization to the ~ compact form.
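An added illustration (not code from the thread or the draft) of the check just stated: the sd_jwt part is converted back to the ~-delimited compact form and hashed, and the result is compared with the KB-JWT's sd_hash claim. The flattened-JSON field layout (protected/payload/signature plus disclosures in the unprotected header) and all values are constructed assumptions; sha-256 is the SD-JWT default when _sd_alg is absent.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed sample: flattened JWS JSON shape with the disclosures carried in
# the unprotected header (assumed layout). The signature bytes are placeholders.
SD_JWT_JSON = {
    "protected": b64url(json.dumps({"alg": "ES256", "typ": "example+sd-jwt"}).encode()),
    "payload": b64url(json.dumps({"iss": "https://issuer.example", "_sd_alg": "sha-256"}).encode()),
    "signature": b64url(b"constructed-signature-bytes"),
    "header": {"disclosures": [b64url(b'["salt1", "given_name", "Alice"]')]},
}

HASH_ALGS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}


def to_compact(sd_jwt_json: dict) -> str:
    """Rebuild the ~-delimited form: issuer JWT, then each disclosure, each ending in '~'."""
    issuer_jwt = ".".join(sd_jwt_json[k] for k in ("protected", "payload", "signature"))
    disclosures = sd_jwt_json.get("header", {}).get("disclosures", [])
    return issuer_jwt + "~" + "".join(d + "~" for d in disclosures)


def sd_hash_of(sd_jwt_json: dict) -> str:
    """Hash the compact form with the algorithm named in _sd_alg (default sha-256)."""
    payload = json.loads(b64url_decode(sd_jwt_json["payload"]))
    digest_fn = HASH_ALGS[payload.get("_sd_alg", "sha-256")]
    return b64url(digest_fn(to_compact(sd_jwt_json).encode("ascii")).digest())


def key_binding_matches(sd_jwt_json: dict, kb_jwt_payload: dict) -> bool:
    """Verifier-side check: the presented SD-JWT must hash to the KB-JWT's sd_hash."""
    return hmac.compare_digest(sd_hash_of(sd_jwt_json), kb_jwt_payload.get("sd_hash", ""))
```

Dropping or altering a disclosure in the JSON object changes the compact form and so breaks the binding, which is what the check is meant to catch.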

bc-pi commented 7 months ago

Such a field, kb_jwt, was removed in -06 in PR https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/344, when it became more evident that the folks wanting to use JSON serialization were intending to do key binding by other means - some kind of enveloping rather than a separate KB JWT. That, along with the introduction of the _sd_hash to the KB JWT (which is much trickier than you've suggested, esp. wrt the General JWS JSON Serialization), motivated the removal of the field.

bifurcation commented 7 months ago

That just further emphasizes that we need to address #374 and separate "SD-JWT without KB" and "SD-JWT with KB", since the JSON serialization folks want to use the former and not the latter. If we have that separation, this section can just have a JSON format for "SD-JWT without KB" and there's no mismatch.

Sakurann commented 5 months ago

@danielfett will open a separate ticket with specific mechanisms to address this based on the implementation experience

danielfett commented 5 months ago

The discussion about KB JWT in JSON-serialized JWS came up in the EUDI Wallet context as well, so we plan to fix it: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/403