Network Working Group P. Hunt, Ed. Internet-Draft Oracle Intended status: Standards Track W. Denniss Expires: October 10, 2016 Google M. Ansari Cisco April 8, 2016 Identity Event Token draft-hunt-idevent-token-01 Abstract This specification defines an Identity Event token which may be distributed via a protocol such as HTTP. An identity event token is based on the JSON Web Token and may be optionally signed and/or encrypted. It describes a statement of fact that may be shared by an event publisher with registered subscribers. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on October 10, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must Hunt, et al. Expires October 10, 2016 [Page 1] Internet-Draft draft-hunt-idevent-token April 2016 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction and Overview . . . . . . . . . . . . . . . . . . 2 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 4 1.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 4 2. Events . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.1. Core Event Attributes . . . . . . . . . . . . . . . . . . 7 2.2. Event Token Construction . . . . . . . . . . . . . . . . 8 3. Security Considerations . . . . . . . . . . . . . . . . . . . 11 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 4.1. Registration of Event URN Sub-namespace . . . . . . . . . 11 4.2. Event Registry . . . . . . . . . . . . . . . . . . . . . 11 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.1. Normative References . . . . . . . . . . . . . . . . . . 12 5.2. Informative References . . . . . . . . . . . . . . . . . 12 Appendix A. Contributors . . . . . . . . . . . . . . . . . . . . 13 Appendix B. Acknowledgments . . . . . . . . . . . . . . . . . . 13 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 13 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 1. Introduction and Overview This specification defines an extensible event token format which may be exchanged using protocols such as HTTP. The specification builds on the JSON Web Token format [RFC7519] in order to provide a self- contained message "token" that can be optionally signed using JSON Web Signature [RFC7515] and/or encrypted using JSON Web Encryption [RFC7516]. For the purpose of this specification an "event" is a statement of fact by a publisher (also known as an issuer) that the state of a resource it controls has changed in some way (explicitly or implicitly). Based on some agreed upon criteria for an event feed, the publisher distributes the event to the appropriate subscribers. [[Background: to be removed from final specification]]At the time of writing of this specifications there are several discussions regarding the need for identity events. Some of these include: o Events to allow SCIM resource co-ordination between SCIM domains. o OAuth Token Revocation (see [RFC7009]) o OpenID Logout or downstream logout notification. Hunt, et al. Expires October 10, 2016 [Page 2] Internet-Draft draft-hunt-idevent-token April 2016 o Session Cancellation o OpenID Risk Incident Sharing and Coordination (RISC) Events. See [RISC] o The HEART WG [HEART] which intends to define privacy and security related events in health-related data sharing APIs. This specification uses example SCIM events which are intended to be non-normative for the purpose of showing how an event may be used in practice. A resource state change event typically includes explicit operation events such as: a resource has been created, modified, removed, or updated in some way. In addition to explicit operations there may be higher-level statements made that describe an effect resulting from a change. For example, a publisher may wish to indicate that a user resource has taken over an email identifier that may have been used in the past. This cumulative event is a high-level statement that takes into account that another resource had a personal identifier that potentially conflicts with a newer resource. Because of the security impact, the publisher wishes to notify its subscribers of the identifier re-use. In this way, the event is not describing a particular state change to a resource, it describes a meta-conclusion based on its own business and security rules (this scenario is often called an 'account takeover' event). A subscriber having received an event, validates and interprets the event and takes its own independent action, if any. For example, having been informed of a personal identifier now being associated with a different resource (i.e. is being used by someone-else), the subscriber may choose to ensure that the new user is not granted access to resources associated with the previous user. Events SHOULD NOT be used to convey commands or requests. To do so requires complex bidirectional signalling and error recovery mechanisms which fall outside the scope of this specification. The intent of this specification is to define a way of exchanging historical statements of fact that subscribers may interpret for their own use. This specification is scoped to security and identity related events. While event tokens may be used for other purposes, the specification only considers security and privacy concerns relevant to identity and personal information. Hunt, et al. Expires October 10, 2016 [Page 3] Internet-Draft draft-hunt-idevent-token April 2016 This specification may be optionally used with the identity event subscription management specification which provides the details of event feeds and how subscribers register for events(see [idevent-subscription]), defines a protocol registry for event transmission methods including transmission using HTTP. 1.1. Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. These keywords are capitalized when used to unambiguously specify requirements of the protocol or application features and behavior that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense. For purposes of readability examples are not URL encoded. Implementers MUST percent encode URLs as described in Section 2.1 of [RFC3986]. Throughout this documents all figures MAY contain spaces and extra line-wrapping for readability and space limitations. Similarly, some URI's contained within examples, have been shortened for space and readability reasons. 1.2. Definitions The following definitions are used with Identity Events: Feed Publisher The Feed Provider publishes events to be distributed to registered subscribers. In JWT terminology, the Feed Publisher is also known as the issuer "iss"). Event An event is a resource change statement that is to be distributed to one or more registered subscribers. An event is constructed as a JWT token and MAY be signed or encrypted using JWS/JWE for authentication and confidentiality reasons. Feed A feed is a URI that describes the set of resources and events under which events may be issued. An interested client registers with the Feed Provider to subscribe to events associated with a feed. When expressed in a JWT token, a feed is defined as the event's audience ("aud"). Hunt, et al. Expires October 10, 2016 [Page 4] Internet-Draft draft-hunt-idevent-token April 2016 Subscriber A Subscriber registers to receive event notifications from a Feed Provider using a protocol such as HTTP. 2. Events An identity event conveys a message (in the form of a JWT token [RFC7519]) about a resource (i.e. a security subject) that may be of interest to a subscriber or set of subscribers participating in an event feed (see [idevent-subscription]). In addition to the JWT attributes "iss" and "aud", an event message contains the attribute "events" with at least one value. The event URI values indicate what event information (attributes) and what type of event (e.g. resource modified) is contained in the event message. The definition of registered events are found in the event registry (see Section 4.2), and implementers are free to define their own event types. The schema and structure of an event follows the JWT [RFC7519]. An event JWT has the following characteristics: o a common set of attributes common to every event, and o one or more event extensions that each contain a set of attributes that belonging to an extension. Hunt, et al. Expires October 10, 2016 [Page 5] Internet-Draft draft-hunt-idevent-token April 2016 The following is a non-normative example showing a password change event that conveys a SCIM event (see [idevent-scim]): { "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "events":[ "urn:ietf:params:event:SCIM:password", "https://example.com/event/password" ], "iat": 1458496025, "iss": "https://scim.example.com", "aud":[ "https://jhub.example.com/Feeds/98d52461fa5bbc879593b7754", "https://jhub.example.com/Feeds/5d7604516b1d08641d7676ee7" ], "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", "urn:ietf:params:event:SCIM:password":{ "id":"44f6142df96bd6ab61e7521d9", }, "https://example.com/scim/event/password":{ "resetAttempts":5 } } Figure 1: Example SCIM Password Reset Event The event in the figure above expresses hypothetical password reset event for SCIM. The JWT consists of an "iss" attribute which denotes the event publisher. The "aud" attribute specifies the intended audience for the event. In practical terms this MAY be the the URI for the event feed that a client has subscribed to. Additional extensions to an event may be added by adding more values to the "events" attribute. For each event URI value specified, there is a corresponding attribute that has its on JSON object that contains the attributes associated with that event (e.g. "https://example.com/scim/event/password"). In this example, the SCIM event indicates that a password has been updated and the current password reset count is 5. Notice that the value for "resetAttempts" is actually part of its own JSON object "https://example.com/scim/event/password". Hunt, et al. Expires October 10, 2016 [Page 6] Internet-Draft draft-hunt-idevent-token April 2016 Here is another example event message, this one for a Back-Channel Logout Token: { "iss": "https://server.example.com", "aud": "s6BhdRkqt3", "jti": "3d0c3cf797584bd193bd0fb1bd4e7d30", "sub": "248289761001", "iat": 1458668180, "exp": 1458668580, "events": [ "https://specs.openid.net/logout" ], "https://specs.openid.net/logout": { "sid": "08a5019c-17e1-4977-8f42-65a12843ea02" } } Figure 2: Example OpenID Logout Event 2.1. Core Event Attributes The following are attributes that are based on [RFC7519] claim definitions and are profiled for use in an event message: jti As defined by Section 4.1.7 [RFC7519] contains a unique identifier for an event. The identifier SHOULD be unique within a particular event feed and MAY be used by clients to track whether a particular event has already been received. This attribute is REQUIRED. [[Do we need a way to detect order of or missing events? Or should this be provided by the subscription spec?]] iss A single valued String containing the URI of the service provider publishing the event (the issuer). For example, in SCIM, this is the SCIM Service Provider's root endpoint. This attribute is REQUIRED. aud A multi-valued String containing the URIs representing the audience of the event. Values are typically URLs of the feeds the event is associated with. When an event has multiple audiences that go to the same subscriber, the publisher is not obligated to deliver repeated events to the same subscriber. This attribute is RECOMMENDED. iss Hunt, et al. Expires October 10, 2016 [Page 7] Internet-Draft draft-hunt-idevent-token April 2016 A single valued String containing the URI of the service provider publishing the event (the issuer). For example, in SCIM [RFC7644], this is the SCIM Service Provider's root endpoint. This attribute is REQUIRED. sub A value that identifies the subject of the event. This SHOULD be the URI of the affected resource. Some example resources include: users, tokens, grants, sessions, and any addressable resource about which a change in state may be described. This attribute is REQUIRED. iat As defined by Section 4.1.6 [RFC7519], a value containing a NumericDate which represents when the event was issued. Unless otherwise specified, the value SHOULD be interpreted by the subscriber as equivalent to the actual time of the event. This attribute is REQUIRED. [[DISCUSS: DO WE NEED TO DIFFERENTIATE?]] nbf As defined by Section 4.1.5 [RFC7519], a value containing a NumericDate which represents a future date when the event will occur. This attribute is OPTIONAL. The following are new attributes defined by this specification: events A multi-valued String that contains the URIs of events contained within the JWT. Values in this attribute further indicate what other JSON objects are present within the parent JSON event structure. Each OPTIONAL JSON sub-object is denoted by an attribute that matches a value in "events". This attribute is REQUIRED. 2.2. Event Token Construction An Event Token is a JWT [RFC7519] that is constructed by building a JSON structure that constitutes an event object and which is then used as the body of a JWT. While this specification uses JWT to convey an event message, implementers SHALL NOT use these events to convey authentication or authorization assertions. Hunt, et al. Expires October 10, 2016 [Page 8] Internet-Draft draft-hunt-idevent-token April 2016 The following is an example event message(it has been modified for readability): { "jti": "4d3559ec67504aaba65d40b0363faad8", "iat": 1458496404, "iss": "https://scim.example.com", "aud":[ "https://scim.example.com/Feeds/98d52461fa5bbc879593b7754", "https://scim.example.com/Feeds/5d7604516b1d08641d7676ee7" ], "sub": "https://scim.example.com/Users/44f6142df96bd6ab61e7521d9", "events":[ "urn:ietf:params:event:SCIM:create" ], "urn:ietf:params:event:SCIM:create":{ "attributes":["id","name","userName","password","emails"], "values":{ "emails":[ {"type":"work","value":"jdoe@example.com"} ], "password":"not4u2no", "userName":"jdoe", "id":"44f6142df96bd6ab61e7521d9", "name":{ "givenName":"John", "familyName":"Doe" } } } } Figure 3: Example Event JSON Data When transmitted, the above JSON body must be converted into a JWT as per [RFC7519]. In this example, because the event contains attribute values, the token MUST be encrypted per JWE (see [RFC7516]) before transmission. The following is an example of a SCIM Event expressed in an unsecured JWT token. The JWT header of: {"alg":"none"} Base64url encoding of the octets of the UTF-8 representation of the header yields: eyJhbGciOiJub25lIn0 Hunt, et al. Expires October 10, 2016 [Page 9] Internet-Draft draft-hunt-idevent-token April 2016 The example JSON Event Data is encoded as follows: eyAgCiAgImp0aSI6ICI0ZDM1NTllYzY3NTA0YWFiYTY1ZDQwYjAzNjNmYWFkOCIs CiAgImV2ZW50VXJpcyI6WwogICAgInVybjppZXRmOnBhcmFtczpldmVudDpTQ0lN OmNyZWF0ZSIKICBdLAogICJpYXQiOiAxNDU4NDk2NDA0LAogICJpc3MiOiAiaHR0 cHM6Ly9zY2ltLmV4YW1wbGUuY29tIiwgIAogICJhdWQiOlsKICAgImh0dHBzOi8v c2NpbS5leGFtcGxlLmNvbS9GZWVkcy85OGQ1MjQ2MWZhNWJiYzg3OTU5M2I3NzU0 IiwKICAgImh0dHBzOi8vc2NpbS5leGFtcGxlLmNvbS9GZWVkcy81ZDc2MDQ1MTZi MWQwODY0MWQ3Njc2ZWU3IgogIF0sICAKICAic3ViIjogImh0dHBzOi8vc2NpbS5l eGFtcGxlLmNvbS9Vc2Vycy80NGY2MTQyZGY5NmJkNmFiNjFlNzUyMWQ5IiwKICAi dXJuOmlldGY6cGFyYW1zOmV2ZW50OlNDSU06Y3JlYXRlIjp7CiAgICAiYXR0cmli dXRlcyI6WyJpZCIsIm5hbWUiLCJ1c2VyTmFtZSIsInBhc3N3b3JkIiwiZW1haWxz Il0sCiAgICAidmFsdWVzIjp7CiAgICAgICJlbWFpbHMiOlsKICAgICAgIHsidHlw ZSI6IndvcmsiLCJ2YWx1ZSI6Impkb2VAZXhhbXBsZS5jb20ifQogICAgICBdLAog ICAgICAicGFzc3dvcmQiOiJub3Q0dTJubyIsCiAgICAgICJ1c2VyTmFtZSI6Impk b2UiLAogICAgICAiaWQiOiI0NGY2MTQyZGY5NmJkNmFiNjFlNzUyMWQ5IiwKICAg ICAgIm5hbWUiOnsKICAgICAgICAiZ2l2ZW5OYW1lIjoiSm9obiIsCiAgICAgICAg ImZhbWlseU5hbWUiOiJEb2UiCiAgICAgIH0KICAgIH0gIAogIH0KfQ The encoded JWS signature is the empty string. Concatenating the parts yields: eyJhbGciOiJub25lIn0 . eyAgCiAgImp0aSI6ICI0ZDM1NTllYzY3NTA0YWFiYTY1ZDQwYjAzNjNmYWFkOCIs CiAgImV2ZW50VXJpcyI6WwogICAgInVybjppZXRmOnBhcmFtczpldmVudDpTQ0lN OmNyZWF0ZSIKICBdLAogICJpYXQiOiAxNDU4NDk2NDA0LAogICJpc3MiOiAiaHR0 cHM6Ly9zY2ltLmV4YW1wbGUuY29tIiwgIAogICJhdWQiOlsKICAgImh0dHBzOi8v c2NpbS5leGFtcGxlLmNvbS9GZWVkcy85OGQ1MjQ2MWZhNWJiYzg3OTU5M2I3NzU0 IiwKICAgImh0dHBzOi8vc2NpbS5leGFtcGxlLmNvbS9GZWVkcy81ZDc2MDQ1MTZi MWQwODY0MWQ3Njc2ZWU3IgogIF0sICAKICAic3ViIjogImh0dHBzOi8vc2NpbS5l eGFtcGxlLmNvbS9Vc2Vycy80NGY2MTQyZGY5NmJkNmFiNjFlNzUyMWQ5IiwKICAi dXJuOmlldGY6cGFyYW1zOmV2ZW50OlNDSU06Y3JlYXRlIjp7CiAgICAiYXR0cmli dXRlcyI6WyJpZCIsIm5hbWUiLCJ1c2VyTmFtZSIsInBhc3N3b3JkIiwiZW1haWxz Il0sCiAgICAidmFsdWVzIjp7CiAgICAgICJlbWFpbHMiOlsKICAgICAgIHsidHlw ZSI6IndvcmsiLCJ2YWx1ZSI6Impkb2VAZXhhbXBsZS5jb20ifQogICAgICBdLAog ICAgICAicGFzc3dvcmQiOiJub3Q0dTJubyIsCiAgICAgICJ1c2VyTmFtZSI6Impk b2UiLAogICAgICAiaWQiOiI0NGY2MTQyZGY5NmJkNmFiNjFlNzUyMWQ5IiwKICAg ICAgIm5hbWUiOnsKICAgICAgICAiZ2l2ZW5OYW1lIjoiSm9obiIsCiAgICAgICAg ImZhbWlseU5hbWUiOiJEb2UiCiAgICAgIH0KICAgIH0gIAogIH0KfQ. Figure 4: Example Unsecured Event Token To create and or validate a signed or encrypted event token follow the instructions in section 7 of [RFC7519]. Hunt, et al. Expires October 10, 2016 [Page 10] Internet-Draft draft-hunt-idevent-token April 2016 3. Security Considerations [[TO BE COMPLETED ]] o Avoid using Maximal disclosure mode o Use TLS best practices. o Subscribers SHOULD use SCIM GET to obtain full state when not disclosed in the event. o Subscribers MAY use SCIM GET to get the latest state on a resource and discard events with iat and nbf that is older. o Subscribers must authenticae the message using either TLS, and/or validating signed event messages. o Publishers should avoid retaining events except for audit purposes. Events should not be accessible indefinitely - re: LDAP changelog problems. 4. IANA Considerations 4.1. Registration of Event URN Sub-namespace IANA has added an entry to the "IETF URN Sub-namespace for Registered Protocol Parameter Identifiers" registry and created a sub-namespace for the Registered Parameter Identifier as per [RFC3553]: "urn:ietf:params:event". To manage this sub-namespace, IANA is requested to create the "Event" Registry which shall be used to manage entries within the "urn:ietf:params:scim" namespace. The registry description is as follows: o Registry name: Event o Specification: [this document] o Repository: [see Section 4.2] o Index value: values [see Section 4.2] 4.2. Event Registry [[TO BE COMPLETED]] Hunt, et al. Expires October 10, 2016 [Page 11] Internet-Draft draft-hunt-idevent-token April 2016 5. References 5.1. Normative References [idevent-subscription] Oracle Corporation, "Identity Event Subscription Protocol (work in progress)". [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3553] Mealling, M., Masinter, L., Hardie, T., and G. Klyne, "An IETF URN Sub-namespace for Registered Protocol Parameters", BCP 73, RFC 3553, DOI 10.17487/RFC3553, June 2003, . [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . [RFC5988] Nottingham, M., "Web Linking", RFC 5988, DOI 10.17487/RFC5988, October 2010, . [RFC7159] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March 2014, . [RFC7519] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015, . [RFC7643] Hunt, P., Ed., Grizzle, K., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Core Schema", RFC 7643, DOI 10.17487/RFC7643, September 2015, . 5.2. Informative References [HEART] The OpenId Foundation, "HEART Working Group (work in progress)". [idevent-scim] Oracle Corporation, "SCIM Event Extensions (work in progress)". Hunt, et al. Expires October 10, 2016 [Page 12] Internet-Draft draft-hunt-idevent-token April 2016 [RFC7009] Lodderstedt, T., Ed., Dronia, S., and M. Scurtescu, "OAuth 2.0 Token Revocation", RFC 7009, DOI 10.17487/RFC7009, August 2013, . [RFC7515] Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015, . [RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, May 2015, . [RFC7517] Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10.17487/RFC7517, May 2015, . [RFC7644] Hunt, P., Ed., Grizzle, K., Ansari, M., Wahlstroem, E., and C. Mortimore, "System for Cross-domain Identity Management: Protocol", RFC 7644, DOI 10.17487/RFC7644, September 2015, . [RISC] The OpenId Foundation, "RISC (Risk and Incident Sharing and Coordination) Working Group (work in progress)". Appendix A. Contributors Appendix B. Acknowledgments The editor would like to thank the participants in the id-events mailing list and related working groups for their support of this specification. Appendix C. Change Log Draft 00 - PH - First Draft Authors' Addresses Phil Hunt (editor) Oracle Corporation Email: phil.hunt@yahoo.com William Denniss Salesforce.com Email: wdenniss@google.com Hunt, et al. Expires October 10, 2016 [Page 13] Internet-Draft draft-hunt-idevent-token April 2016 Morteza Ansari Cisco Email: morteza.ansari@cisco.com Hunt, et al. Expires October 10, 2016 [Page 14]