Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Where to move or what to do with V3.5 section (tokens section in session management chapter) #2384

Closed
elarlang opened this issue Nov 18, 2024 · 36 comments
Assignees
Labels
6) PR awaiting review V3 _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@elarlang
Copy link
Collaborator

elarlang commented Nov 18, 2024

There has been discussions here and there, what to do with V3.5 section. Mostly I have opened the topic in

Problem to solve: stateless tokens or "cryptographically secured tokens" as those are named now in requirements, are a wider topic and are not limited to sessions. Additionally, using stateless tokens for session management causes many new challenges for achieving the expected solution to fulfill security requirements.

Options are:

  • Option 1 - A separate chapter for "Cryptographically Secured Tokens", for example located between "Web Services and API" and "OAuth and OIDC" chapters
    • At the moment it seems that we may have enough content for 2 sections: the crypto part for verifying the integrity and then the token content part such as expiration time, and audience, type etc. Need to re-check from V51 OAuth and OIDC requirements, how many of them can be made abstract.
    • We have better overview of the situation when current V3 opened issues are sorted
    • Easy to take it separately into scope while implementing and testing, for example, when no session management is needed (m2m)
    • We don't have the clear need for that yet, but it gives/leaves option to add token-specific section, for example JWT.
  • Option 2 - Move the V3.5 section to V13 API and Web Service
    • It is mostly related to web services, but, by principle not limited to it.
  • Option 3 - Move the V3.5 section to V5 Validation, Sanitization and Encoding
    • From the perspective, that "Validate before you accept and use it" it is input validation
  • Option 4 - Leave it as it is
    • Something I really don't like and I have seen it causing confusion too many times. But it is one option.
@tghosth
Copy link
Collaborator

tghosth commented Nov 18, 2024

My order of preference:

  • Option 4 - I still feel like the primary use is as a "session" although I agree it is a little weird.
  • Option 2 - I think very closely related although not a 100% match
  • Option 1 - Might prevent confusion with other topics.
  • Option 3 - I really think this is confusing and the token stuff is to specialised to be here. V5 is also massive.

@elarlang
Copy link
Collaborator Author

ping @ryarmst @randomstuff @TobiasAhnoff

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 labels Nov 18, 2024
@ryarmst
Copy link
Collaborator

ryarmst commented Nov 18, 2024

I do not have a strong opinion here as I do not see a clear obvious location.

Option 3 - @elarlang I have agreed with your point that many of these requirements are fundamentally validation issues and that V5 logically makes sense, but I don't think anyone looking at the ASVS for the first time would expect to find it there.

Option 1 - The more I think about this option, the more it seems reasonable especially thinking about implementation and testing.

@tghosth I do think if it moves, there ought to be guidance text in V3 for those who expect to find it there.

@randomstuff
Copy link
Contributor

Would including "Cryptographically Secured Tokens" as a section of "V6 Cryptography" be weird?

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 19, 2024

Would including "Cryptographically Secured Tokens" as a section of "V6 Cryptography" be weird?

Yes, for entire section it is weird. I would like to get out everything from V6 that is not a clear crypto problem or the "main problem to solve" is not a crypto problem. For that discussion we have #2375 (comment)

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 19, 2024

Making the "Option 1" more clear.

VX.1 Token source and intgrity

Before validating the token content there is a need to verify, whether the token is initiated by a trusted party and if it is not tampered.

# Description L1 L2 L3 CWE
3.5.3 [MODIFIED, LEVEL L2 > L1] Verify that cryptographically secured tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents. 345
3.5.5 [ADDED] Verify that only algorithms on an allowlist can be used to create and verify cryptographically secured tokens, for a given context. The allowlist should include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and should not include the 'None' algorithm. If both symmetric and asymmetric are needed, additional controls should prevent key confusion. 757
3.5.7 [ADDED] Verify that key material that is used to validate cryptographically secured tokens is from trusted pre-configured sources for the token issuer, preventing attackers from specifying untrusted sources and keys. For JWTs and other JWS structures, headers such as 'jku', 'x5u', and 'jwk' must be validated against an allowlist of trusted sources.

Related open issues:

VX.2 Accepting stateless token content

Before accepting the token content there is a need to validate if the token is in a valid time window and meant to be used for the given service and for a given purpose to avoid cross-usage over different services and token types from the same issuer.

Specific requirements for OAuth and OIDC are covered in the dedicated chapter.

# Description L1 L2 L3 CWE
3.5.4 [ADDED] Verify that, if a validity time span is present in the token data, the token and its content are accepted only if the verification time is within this validity time span. For example, for JWTs the claims 'nbf' and 'exp' must be verified. 613
3.5.8 [ADDED] Verify that the service only accepts tokens which are intended for use with that service (audience). For JWTs, this can be achieved by validating the 'aud' claim against an allowlist defined in the service.
3.5.9 [ADDED] Verify that the service receiving a token validates the token to be the correct type and is meant for the intended purpose before accepting the token's contents. For example, only access tokens can be accepted for authorization decisions and only ID tokens can be used for proving user authentication.

Related open issues:

@TobiasAhnoff
Copy link

TobiasAhnoff commented Nov 20, 2024

Hard to choose! I think option 1 is worth a try, sounds logical to have things closely related to APIs and Web Services together. I will try to explain how I reason about it.

If we do option 1 (or 2), then you could look at ASVS chapters as 3 main tracks:

Track 1, if your focus is a "classic" web application where users login, then it seems logical to look in V2 for user authentication, V3 to deal with user sessions, V4 for authorization and then V5, V6, V7... etc for more validation things that applies to your application.

Track 2, if your focus is integration APIs (service-to-service), you can basically skip V2 and V3 and start with V13 for general API and Web Services verifications, V14.7 for authenticating the service/client, then the new "cryptographically secured tokens" chapter (perhaps V15) for authenticating requests to the API , and then V4 and V5, V6, V7... etc.

Track 3, if the application use OAuth/OIDC, both tracks 1 and 2 apply, together with V51.

I'm not sure if it is good to think this way, but it is one way to look at how to organize ASVS chapters!

@elarlang elarlang added the next meeting Filter for leaders label Nov 20, 2024
@randomstuff
Copy link
Contributor

Yes, for entire section it is weird. I would like to get out everything from V6 that is not a clear crypto problem or the "main problem to solve" is not a crypto problem. For that discussion we have #2375 (comment)

Yes, the thing is that this does not feed neatly in "authentication" nor in "authorization" (because it can be both). On the other hand, these considerations overlaps greatly with certificate validation requirements (because a JWT token, a SAML token and a X.509 certificate are basically the same thing and JWT or CWT are sometimes used as certificates.

That being said maybe option 1 (a "Cryptographically Secured Tokens" chapter) would be fine. This chapter might be expanded later on to cover (if need be):

  • JWT (having a dedicated section about JWT)
  • X.509 certificate and certificate chain validation;
  • SAML, XML signature, etc. (aargh);
  • CWT
  • PASETO
  • Biscuit tokens
  • attestations such as FIDO U2F Attestations, Remote attestations

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 21, 2024

At the moment "Option 1" seems the way to go, but I think we should get the understanding of the topic and focus aligned first.

Tokens are just a format for delivering a message between parties - it's just a technology, it is not tied to authentication, authorization, or session management. It is a separate thing often used to provide other functionalities. So the separate chapter serves that goal.

A thing that bothers me is the discussions here are too cryptography-oriented. Cryptography is used to provide the confidence for separate parties, that the token came from a trusted party and is not tampered with. It is the important corner-stone for this, but at the same time - that is it. It is just one important part of the topic, but it is not the topic.

Validating the source and integrity gives the possibility to not keep the state for that information and that is why the rest of the world calls it stateless. Why this term is not good for us, is still not clear to me. The point for the token is to be stateless - cryptography is just a solution to make it happen. I don't think it deserves the name for that.

All this crypto part is important only for those few requirements that handle the source and integrity, as displayed in #2384 (comment) in section V1.X. After those checks, there is a need to validate the token's meta info, and then it is possible to validate and use the token's content. That means we should not carry the crypto requirement forward to other requirements, as it is already checked as a pre-condition. We have had this discussion also in some other issues #2182 (comment).

@tghosth
Copy link
Collaborator

tghosth commented Nov 21, 2024

Ok, I support Option 1. It sounds like the chapter heading would be something like "Stateless Tokens". As discussed with Elar, the goal is to be stateless and "cryptography" is just the mechanism to achieve this.

@elarlang
Copy link
Collaborator Author

Before I go for the PR, I would like to get "pong" from @randomstuff @ryarmst and @TobiasAhnoff . Any strong arguments against this direction?

@TobiasAhnoff
Copy link

TobiasAhnoff commented Nov 21, 2024

I support Option 1, but I think "stateless" is worth discussing some more...should we do that here before we decide on Option 1? Or should it be part of a new issue for title and chapter text (given the new Option 1 chapter)?

There are some things about "stateless" that I feel are not clear to me, but I need some more time to be able to write something that is good input for the discussion :)

@randomstuff
Copy link
Contributor

Option 1 sounds nice but actually I thinking restricting to stateless tokens as opposed to tokens in general might be problematic as many requirements might apply to stateful/opaque tokens as well?

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 21, 2024

Or should it be part of a new issue for title and chapter text (given the new Option 1 chapter)?

This issue is about (re)structuring the current V3.5 content, so this issue here suits well.

Option 1 sounds nice but actually I thinking restricting to stateless tokens as opposed to tokens in general might be problematic as many requirements might apply to stateful/opaque tokens as well?

Yes, that is true and the main question here is, how to set the focus or priority for the chapter. If the focus is for crypto, then I can understand and agree with your previous question, that crypto-related requirements may belong to V6. For me, the topic here is stateless information transfer between services. At the same time, if we watch requirements we have at the moment in V3.5, only 3 of them are about crypto, the rest (at the moment also 3) are about token content/metainfo validation.

tokens in general

If we could call it "Token Security" or something like that, for me it feels too vague. But at the end, it is just a question how we set the logical scope for the structure and what kind of requirements are suitable for that.

In short, I repeat my current position - the topic I want to cover here is stateless information change between services (in a way, for stateful we have V3), crypto is important part for provide integrity check, but it is not the main topic.

@ryarmst
Copy link
Collaborator

ryarmst commented Nov 21, 2024

For me, the topic here is stateless information transfer between services.

This is not the case in many applications I have seen where this content (existing requirements) would apply (either not fully stateless, or not for collaboration of different services).

To give a counterexample, 3.5.3 and 3.5.5 could (and perhaps should) apply to tokens that use stateful session (or other) identifiers, but are secured with a signature. Other requirements could apply as well and I am sure there are many scenarios where some state information is captured in tokens and some is stored by some server.

I think "Token Security" is a fine option, but I do agree that it is vague (hence the use of Cryptographically Secured Token). If the emphasis on cyrptography is at issue, what if we modified the definition to just "Secured Token"? There is existing terminology that is similar (like OAuth's Self-Encoded Tokens), but IMO it fails to capture the diversity of implementations that I think we ought to have requirements for.

Ultimately, however, as long as the terminology is defined and consistently used, I am less concerned about what naming is chosen. We have this challenge precisely because there is no clear precedent in the industry (mostly just confusion - see the previous debates over "stateless"), so as I have mentioned before, I think ASVS has the opportunity to set a more clear standard.

@elarlang
Copy link
Collaborator Author

Other requirements could apply as well and I am sure there are many scenarios where some state information is captured in tokens and some is stored by some server.

Important is to keep in mind that we don't talk about sessions here. Crypto provides the possibility to have the information stateless. If someone uses the same method for stateful token or opaque string, it does not make the concept of stateless token invalid.

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 21, 2024

You can all throw in (here, or in slack) scenarios that you feel are not covered by current proposal AND are covered now. The goal is to have everything covered without any confusion.

@TobiasAhnoff
Copy link

TobiasAhnoff commented Nov 22, 2024

I think "Token Security" or something else with Token is good, like "Token Management" or "Token Request Authentication". I also think it would be logical if the Session chapter had the same kind of title ("Session Management", "Session Security" or "Session Request Authentication".

The way I see it is that first you have either "User Authentication" (V2) or "Service Authentication" (V14.7). Then, depending on application requirements, you can do authentication on every request (not good for human users, but might be fine for services) or authenticate requests using either a session (V3) or a token (new chapter).

The session chapter contains all requirements that are expected when managing a session, like creation, termination, inactivity timeouts etc.

The token chapter contains all requirements that are expected when managing a token, like validation, expiration etc.

This works but perhaps gets somewhat confusing...since both sessions and tokens can be regarded as "stateless" or "stateful" solutions.

A session can have only the session id in a client-side cookie or custom header, and a token, in example an OAuth reference token, can be just a secure random string providing access to some server-side "state" (the token claims/properties).

While a JWT typically has no state on the server-side that needs to be shared between all server instances (except perhaps key material needed to validate the token), and you can also have a session without any server-side state.

An example of this is .NET, where you by default get an encrypted cookie (or set of cookies) containing e g a GUID, session data (claims) and maybe even access and refresh tokens (if also using OAuth/OIDC).

This session mechanism is "stateless", since (just as for a JWT) the only thing that need to be shared between server instances (to authenticate requests and provide information needed for authorization) is the key material (all client-side state/stateless session/tokens need to be integrity protected in some way).

The main difference is where state is stored and if it is expected to behave as a "session" or as a "token", e g if there are requirements on termination. A "stateless" solutions can´t be terminated like a "stateful" one (a good example is OAuth access-tokens, when using reference-tokens they can be revoked instantly, while JWTs are valid until they expire).

So maybe one way to see it is to have one chapter for "Authentication of requests with server-side state" and one for "Authentication of requests with client-side state (a k a stateless)"?

This might be explained in chapter text and titles can still be "Session Security" and "Token Security", since we often associate server-side state with "sessions" and client-side (stateless) with the term "token". Or, we can have titles that reflect this, perhaps something like "Server-side State Security" and "Client-side State Security", but I think I still prefer "Session Security/Management" and "Token Security/Management" (and having chapter text that explains "stateless" and how the two chapters relates to each other)

This might be a good idea or not...I have not had time to analyze how something like this would affect current requirements and organization, perhaps not that much, perhaps mostly chapter texts and where things are put...

This is a hard one!

@tghosth
Copy link
Collaborator

tghosth commented Nov 22, 2024

Having read the above, I see the challenge of the term "stateless" and the challenge of the term "cryptographically secured".

Maybe an alternative heading could be "Trusted Tokens". I don't think this is an industry term but I think it captures the whole point here which is that we are relying on values included in the token.

@elarlang
Copy link
Collaborator Author

Please give me some more hour(s) to prepare the points.

Meanwhile I recommend to read the issue content written so far - scope: (stateless) tokens only. No session management or other functionality involved.

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 22, 2024

Sometimes I feel like my comments are not reaching GitHub. For example, explaining, that the topic here is not about session management (#2384 (comment), #2384 (comment))

So I make my points referenceable.


update 2024-11-25: proposal by @randomstuff in #2384 (comment) provided better term than "stateless token" - "self-contained token". This carries more precisely the idea behind that. All the points balow are still valid, just instead of "stateless" should be read "self-contained".


  • Point 1 - "stateless" is a concept of delivering information to another party the way that the other party can be confident the message is correct and not tampered with
  • Point 2 - stateless is a separate underlying technology and not part of any functionality, such as authentication, authorization, or session management
  • Point 3 - "stateless token" is a well-known and industry-accepted term
  • Point 4 - this issue is to solve "Point 2" - move section V3.5 away from session handling
  • Point 5 - the scope for section V3.5 is "stateless token"
  • Point 6 - add-on for point 5, before crypto-related requirements were changed, every requirement was talking about stateless token
  • Point 7 - crypto is providing integrity checks for stateless tokens
  • Point 8 - add-on for point 7, using cryptography for message integrity has wider usage than stateless tokens
  • Point 9 - add-on for point 6, if the scope of a requirement is changed to be wider than the section it belongs, the requirement must be moved away
  • Point 10 - probably (assumption) due to point 8, the scope for crypto-related requirements (3.5.3, 3.5.5) was changed to wider than stateless tokens, but left to the stateless tokens section they don't fit anymore
  • Point 11 - so far, I have not been able to find the information or get the answer to my question - what was "the problem to solve" for the "Point 10" move?
  • Point 12 - stateless tokens are not only about checking the integrity, it is also validating the token's content (aud, sub, iss, exp, nbf)
  • Point 13 - to solve the created problem "Point 10", the entire section V3.5 can not be moved to V6 due to "Point 12"
  • Point 14 - for usability of ASVS, it is good that related requirements are not too much spread around the document
  • Point 15 - for having a separate chapter, there must be enough content
  • Point 16 - for each section it is good if it contains requirements for common functionality and scope
  • Point 17 - the "Option 1" proposal made in Where to move or what to do with V3.5 section (tokens section in session management chapter) #2384 (comment), explained in Where to move or what to do with V3.5 section (tokens section in session management chapter) #2384 (comment)
    • to solve Point 2 and Point 3 - it was proposed to have a separate chapter for stateless tokens
    • taking into account the scope: Point 5, Point 6 - stateless tokens
    • Point 15 - was satisfied
    • To satisfy Point 16 (and Point 12) - split crypto and content-related requirements into separate sections
    • conflict created in the section via Point 10 was underestimated
  • Point 18 - stateless tokens are underlying and really widespread technology worth a separate chapter
  • Point 19 - a separate chapter for stateless tokens makes it "extendable" for the future (it is not that flexible if to have a separate section in a separate chapters)
  • Point 20 - scoping (by current definition) opaque strings are not part of the chapter scope, it is something to take into account to solve Point 10
  • Point 21 - duplicating Point 1, Point 2 and some others - session management, keeping a state or whatever other functionality is out of scope from this issue

My first preference is to solve "Point 10" - revert the scope change for crypto-related requirements to be stateless tokens oriented.

Actually, the question is - are they by content wide enough to be valid outside of the stateless tokens section or it is just the attitude towards them? E. g. the validation question - are those ready to be moved to V6 as they are?

If it creates a gap or not covered area, it should be considered to have a separate more general requirement into V6 to cover that - as we have more general requirement in current V3.5 to have abstract requirements and specific requirements in the OAuth section to cover the special need.

This proposal satisfies: Point 5, Point 14, Point 15


If the first preference is "voted against"

  • Point 16 - we need to split crypto and token content-related requirements into a separate section in separate chapters

This does not satisfy points:

  • Point 14 - The usability of ASVS is not good
  • Point 15 - we don't have enough content anymore for a separate chapter
    • crypto-related parts to V6, content checks to V13

In summary, I find it to be not aligned (filtered) that I need to explain the scope for the section that was conflicted with a questionable move. And now there seems to be an attitude that everything else must be aligned with the questionable move going against many listed points (e.g. 2, 3, 5, 9, 14, 16).

@tghosth
Copy link
Collaborator

tghosth commented Nov 22, 2024

Point 2 - stateless is a separate underlying technology and not part of any functionality, such as authentication, authorization, or session management

Agree

Point 1 - "stateless" is a concept of delivering information to another party the way that the other party can be confident the message is correct and not tampered with
Point 3 - "stateless token" is a well-known and industry-accepted term

I think the point was made above that (right or wrong) you could have a system that uses "stateless tokens" but also relies on some sort of server side state (I am not using the word session here). This is why I suggested that maybe the word "stateless" is not 100% accurate despite being industry accepted and that trusted token might more accurately represent the situation. Again not session management specific.

Point 8 - add-on for point 7, using cryptography for message integrity has wider usage than stateless tokens
Point 10 - probably (assumption) due to point 8, the scope for crypto-related requirements (3.5.3, 3.5.5) was changed to wider than stateless tokens, but left to the stateless tokens section they don't fit anymore
Point 11 - so far, I have not been able to find the information or get the answer to my question - what was "the problem to solve" for the "Point 10" move?

3.5.3 and 3.5.5 explicitly refer to tokens, I am not sure what here would be considered "wider than stateless tokens". Do you mean that these requirements were expanded to not just be relevant to "session management" but trusted tokens in general?

Point 12 - stateless tokens are not only about checking the integrity, it is also validating the token's content (aud, sub, iss, exp, nbf)
Point 13 - to solve the created problem "Point 10", the entire section V3.5 can not be moved to V6 due to "Point 12"
Point 14 - for usability of ASVS, it is good that related requirements are not too much spread around the document
Point 15 - for having a separate chapter, there must be enough content
Point 16 - for each section it is good if it contains requirements for common functionality and scope
Point 18 - stateless tokens are underlying and really widespread technology worth a separate chapter
Point 19 - a separate chapter for stateless tokens makes it "extendable" for the future (it is not that flexible if to have a separate section in a separate chapters)

Agree

Point 17

I don't think there is significant conflict here, I think it is just a subtle terminology question about what stateless means, as noted in my response to Point 3.

Point 20 - scoping (by current definition) opaque strings are not part of the chapter scope, it is something to take into account to solve Point 10

I think there is a terminology thing here. Broadly speaking, I think that the new chapter should cover a situation where we rely on the contents of the token to make security sensitive decisions. The alternative is that the token or whatever is just an ID which is used to look something up at the back end.

Point 21 - duplicating Point 1, Point 2 and some others - session management, keeping a state or whatever other functionality is out of scope from this issue

I think that Server-side State != Session but given my response to Point 20 we could side-step the issue by not referring to "state" in the name of the chapter.

My first preference is to solve "Point 10" - revert the scope change for crypto-related requirements to be stateless tokens oriented.

I don't really understand what you are proposing here. From reading the comments, I think we all agree that these requirements can be moved to a dedicated section and there is just some discussion on the specific scope and definition.


In summary, I think we need to create a new chapter and move the token requirements over. I think we can argue about the specifics afterwards. I think your arguments above support my suggestion to refer to them as Trusted Tokens :)

@tghosth
Copy link
Collaborator

tghosth commented Nov 22, 2024

@elarlang if you feel this still needs discussion, I think we need to get a call together next week.

@elarlang
Copy link
Collaborator Author

I think the point was made above that (right or wrong) you could have a system that uses "stateless tokens" but also relies on some sort of server side state (I am not using the word session here). This is why I suggested that maybe the word "stateless" is not 100% accurate despite being industry accepted and that trusted token might more accurately represent the situation. Again not session management specific.

I also responded to that above, that if you use content from stateless token to keep the state, does not make the concept of stateless token invalid and it does not change anything of the process of validating it. In other words, does not change the scope of this issue/chapter.

3.5.3 and 3.5.5 explicitly refer to tokens, I am not sure what here would be considered "wider than stateless tokens". Do you mean that these requirements were expanded to not just be relevant to "session management" but trusted tokens in general?

Examples from this thread:

@ryarmst
Copy link
Collaborator

ryarmst commented Nov 23, 2024

As @tghosth noted, I think it is primarily an issue of terminology. I will focus just on a few key points of disagreement:

Point 1 - "stateless" is a concept of delivering information to another party the way that the other party can be confident the message is correct and not tampered with

Even this definition is exclusionary of implementations where there is only a single party that creates and consumes tokens, but otherwise I am in agreement.

Point 3 - "stateless token" is a well-known and industry-accepted term

I do not agree. Can you provide a reference to a single definition that is widely accepted? I think the fact that there have been so many issues related to this is strong evidence that there is disagreement over what this precisely means and what types of tokens technically qualify.

Issue #2100 was a discussion focused on terminology and then #2204 was a subsequent discussion and update to use the term "Cryptographically Secured Token" to refer specifically to tokens with self-contained information where integrity must be guaranteed. It just so happens that cryptography is what allows us to do this.

Point 10 - probably (assumption) due to point 8, the scope for crypto-related requirements (3.5.3, 3.5.5) was changed to wider than stateless tokens, but left to the stateless tokens section they don't fit anymore

The scope of these requirements was not changed. The terminology was changed due to the lack of clarity in using "stateless". The requirements should apply to all tokens with self-encoded information where integrity must be maintained.

I am not attached to the definition above, but I do think that "Stateless Token" is overly narrow. I agree that the new section should not be specific to use cases such as session management, but it should nevertheless apply to the relevant tokens (tokens where we guarantee integrity using cryptography).

@elarlang
Copy link
Collaborator Author

Point 3 - "stateless token" is a well-known and industry-accepted term

I do not agree. Can you provide a reference to a single definition that is widely accepted?

You can challenge the claim, but, little Google test:

  • "stateless token"
  • "cryptographically secured token" - you end up with NFT

I think the fact that there have been so many issues related to this is strong evidence that there is disagreement over what this precisely means and what types of tokens technically qualify.

All the issues were related to "stateless session" and that is completely different issue to discuss. The main reason to propose this move, is exactly to solve this confusion and issue.

I call you recheck points:

  • Point 2: stateless is a separate underlying technology and not part of any functionality, such as authentication, authorization, or session management
  • Point 4: this issue is to solve "Point 2" - move section V3.5 away from session handling

Also worth recheck Point 21. It is very important to point out again.


The scope of these requirements was not changed.

There are some lines in conflict with that descibed below.

Also, I answered to this here: #2384 (comment)


The terminology was changed due to the lack of clarity in using "stateless".

As described above, lack of clarity of "stateless session" should not be carried to "stateless token".


The requirements should apply to all tokens with self-encoded information where integrity must be maintained.

And we are back with the question, opaque tokens are in or out? "Scope was not changed" vs Point 5 + Point 20.


I am not attached to the definition above, ..

I'm not convinced :)

but I do think that "Stateless Token" is overly narrow.

This is the intended goal for the proposed section. I'm waiting for scenarios that are not covered by these proposed changes. Called it out here #2384 (comment). It should be easy to provide if there are obvious ones. Sincerely asking as there can be a risk of missing something and leaving a cap to the coverage. If there is need, we may need to create some more abstract requirements to V6, as proposed in #2384 (comment).


I agree that the new section should not be specific to use cases such as session management, ...

Again, session management is a separate topic. That is the problem to solve with this.

but it should nevertheless apply to the relevant tokens (tokens where we guarantee integrity using cryptography).

I find this line to be in conflict with previous statement that "scope was not changed". This is the scope change. See point 8, and maybe also Point 12.

And in general, I also pointing to my previous comment: #2384 (comment)

@ryarmst
Copy link
Collaborator

ryarmst commented Nov 25, 2024

@elarlang Sorry if this is hard to read, but I am keeping sections matched with your last response.

You can challenge the claim, but, little Google test:

"stateless token"
"cryptographically secured token" - you end up with NFT

I do not interpret the results here as favoring either case. A search for "stateless token" returns (for me) a mix of results with different meanings and no standard definition from anything that might be considered authoritative. Google's new "AI Overview" (which is displayed first for me) even returns this:

"A stateless token is a token that is used in stateless authentication, a method of user authentication that doesn't involve a database"

If we accepted this definition, it would be tied to specific use cases. I assume we don't wish to prohibit involvement of databases. This has been one of the sources of debate over these types of tokens because many uses in practice may not be "fully stateless" even though some elements (attributes/properties/whatever) are. Interestingly, the "AI Overview" definition continues (emphasis mine):

"What it is
A stateless token is a cryptographically signed token that contains information about the user and client. It's often a JSON Web Token (JWT)." [sourced from here]

This was the initial terminology that seemed promising to generalize these types of tokens before further making them less exclusionary by changing "signed" to "secured" to acknowledge that other techniques (like HMAC) can be used to secure the integrity of these tokens. Yes, some results from a Google search yield NFT content using this term, but many (perhaps most) do not (determined from scrolling, not a systematic analysis).


I call you recheck points

I have not claimed that the proposed section must reference sessions or include session-related requirements.

Developers using tokens secured with cryptography to maintain integrity of token attributes for any purpose should be able to utilize the requirements of the proposed chapter as appropriate. If a developer wishes to maintain the integrity of some stateful session identifier with cryptography (like using a JWT), then all present V3.5 requirements could apply depending on the implementation, but the token would not be stateless, only some attributes/values may be (if we take the meaning of stateless to be roughly: "the server does not store data or other information"). I am in agreement that we could consider 3.5.3 and 3.5.5 out of the scope of this proposal, but other V3.5 requirements would still apply in this scenario, yet the token would not be fully stateless.


There are some lines in conflict with that descibed below.

I must not understand this point because it seems to me to be a terminology change. Consider this definition in the Glossary:

Cryptographically Secured Token - These tokens will generally contain claims or assertions encoded within the token structure, with cryptographic techniques such as signatures or message authentication codes (MAC) used to verify the authenticity and integrity of this data. The most common examples are SAML assertions and JWTs.

From my reading, this implies that stateless attributes are necessarily involved, but perhaps it is unclear or overly broad?


As described above, lack of clarity of "stateless session" should not be carried to "stateless token".

This was not the case. "Stateless token" was changed to "cryptographically secured token". In fact, "stateless token" is what I believe introduces lack of clarity for reasons I have indicated.


And we are back with the question, opaque tokens are in or out? "Scope was not changed" vs Point 5 + Point 20.

I would also like to point out that "opaque token" is another conflicted term that I raised issue over here #2100 (comment) ;). That said, I think any token should be in scope as long as it transfers one or more attributes/values statelessly by guaranteeing integrity.

Would you still consider 3.5.3 out of scope for the proposed section if it was reverted? "Verify that stateless tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents."

If yes, then this is simply a question of terminology.


I'm not convinced :)

I promise I am not attached to the term :)

However, I think "Stateless Tokens" is bad for the reasons I hope I have clarified. In order for the chapter to have broad applicability, I think it should be clear that it concerns tokens that capture and guarantee stateless information.

From #2384 (comment):

the topic I want to cover here is stateless information change between services

Up until the "between services" I am in agreement unless the intended scope is purely stateless tokens.

I think a clumsy, but more appropriate title would be: "Stateless and Partially Stateless Tokens". I believe I have already presented scenarios.


I find this line to be in conflict with previous statement that "scope was not changed". This is the scope change. See point 8, and maybe also Point 12.

I think I understand your contention here as "tokens where we guarantee integrity using cryptography" could include tokens that do not transmit any information statelessly. This was imprecise on my part. Is this more suitable: "tokens where we guarantee the integrity of stateless information using cryptography"?

@randomstuff
Copy link
Contributor

(This comment is only about terminology only related to "stateless Tokens".)

What about "self-contained token"? I like the opposition of "self-contained token" vs "reference token". This opposition quite makes sense.

Discussion:

  • First I acknowledge that they are not completely mutually exclusive. Sometimes you have something which is mostly self-contained but not completely but I don't think this is such a big problem.
  • Compared to "stateless", it is probably less shocking to consider partially "self-contained tokens" (as contrast to "partially stateless tokens").
  • Compared to "cryptographicaly secured token", the "self-contained token" is possibly more a definition of the fundamental properties of the token. "Cryptographicaly secured token" is a consequence of "self-contained token": the token must be cryptographicaly secured because it is self-contained.

Random selection of sources using "self-contained token":


Another terms, we discussed was self-encoded token https://www.oauth.com/oauth2-servers/access-tokens/self-encoded-access-tokens/ (kinda meh to me but this is the term using in the OAuth specs).

The main argument against this one was by @ryarmst:

I think it may be worth referencing the term, but I think Cryptographically Signed Token captures a broader set of tokens. Based on my reading of the OAuth definition, self-encoded tokens are intended to encode all relevant info within the token. I have encountered tokens that are cryptographically signed, but not fully self-encoded.

@elarlang
Copy link
Collaborator Author

I was preparing the answer to Ryan and struggled to define the difference between "stateless token and stateless service" and "stateless token used in stateful service".

I think "self-contained token" vs "reference token" makes sense and solves the definition struggle. I agree with the "Discussion" section as well.

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 25, 2024

Response to @ryarmst

TLDR: if you agree that "self-contained token" should be used instead of "stateless token" and "cryptographically secured token" you can skip reading the rest of the comment.


I'm going to use self-contained token instead of stateless token, because it describe better what it is about without forcing a use-case (stateless service).

It also means, "stateless token" vs "cryptographically secured token" discussion is irrelevent now and it is replaced with "self-contained token" vs "cryptographically secured token"

My main point about the scoping stays: stateless token self-contained token requires crypto message integrity, but every crypto provided message integrity is not a stateless token self-contained token.


"What it is A stateless token is a cryptographically signed token that contains information about the user and client. It's often a JSON Web Token (JWT)."

and

That said, I think any token should be in scope as long as it transfers one or more attributes/values statelessly by guaranteeing integrity.

I think it is well covered by "self-contained token" definition and matches with points:

  • Point 7: crypto is providing integrity checks for stateless tokens self-contained token
  • Point 8: add-on for point 7, using cryptography for message integrity has wider usage than stateless tokens self-contained token

Would you still consider 3.5.3 out of scope for the proposed section if it was reverted? "Verify that stateless tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents."

If yes, then this is simply a question of terminology.

Yes, then it is in the scope (better to use "self-contained token") and no, it is not simply question of how to name it - "stateless token self-contained token" and "cryptographically secured token" are not synonyms, just to achieve first one the 2nd must be used.


However, I think "Stateless Tokens" is bad for the reasons I hope I have clarified.

Probably some arguments are removed if to use "self-contained token" instead of "stateless token". I can not see any reason to use "cryptographically secured token" over them.


If a developer wishes to maintain the integrity of some stateful session identifier with cryptography (like using a JWT), then all present V3.5 requirements could apply depending on the implementation, but the token would not be stateless,

The token IS stateless, the service is not. This is now covered by "self-contained token" definition.


I am in agreement that we could consider 3.5.3 and 3.5.5 out of the scope of this proposal, but other V3.5 requirements would still apply in this scenario, yet the token would not be fully stateless.

To be more precise, 3.5.3 and 3.5.5 are not out of scope, but wider, than the scope.

Other requirements belong to scope, as was also initially highlighted in point 12.


Is this more suitable: "tokens where we guarantee the integrity of stateless information using cryptography"?

It matches the points 1, 7 and with defined "self-contained tokens".

@ryarmst
Copy link
Collaborator

ryarmst commented Nov 25, 2024

@elarlang @randomstuff I think "self-contained token" is just fine if we are clear about what qualifies. If everyone agrees, I will open a separate issue to update terminology via the glossary so that there is a shared definition going forward.

Regarding 3.5.3 and 3.5.5, I see two options:

  1. They are kept broad and moved to another section (like V6), or
  2. They are refined for inclusion in the proposed chapter and apply only to "self-contained tokens".

If (2) is preferred, then we will need to consider whether additional requirements are needed for signed/secured tokens that are not self-contained tokens, but that is separate to this issue.

@elarlang
Copy link
Collaborator Author

So the proposal is aligned with my proposal, just in switched order: #2384 (comment).

For making a decision about moving or not moving requirements, we first need to have them (updated) - so waiting for:


As it is corner-stone for API security, I prefer to have specific requirements for self-contained tokens. At the same time, if those are not specific to self-contained tokens and can easily applied to whatever, we need to recheck the duplication part and the structure.

@tghosth
Copy link
Collaborator

tghosth commented Nov 25, 2024

I can live with "self-contained token".

Currently working in parallel on #2360 and #2361 so let's see where they go.

@ryarmst I think you can open a glossary pr in the meantime.

@tghosth tghosth added 4a) Waiting for another This issue is waiting for another issue to be resolved and removed 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet next meeting Filter for leaders labels Nov 25, 2024
@ryarmst
Copy link
Collaborator

ryarmst commented Nov 27, 2024

@tghosth There are a couple changes and I want to make sure there is agreement, so I've opened #2414

@elarlang
Copy link
Collaborator Author

elarlang commented Nov 28, 2024

To get it out from V3 and develop it further (also keep more realistic picture of V3) Josh will do a PR to move it to V52.

@elarlang elarlang added 5) awaiting PR A proposal hs been accepted and reviewed and we are now waiting for a PR and removed 4a) Waiting for another This issue is waiting for another issue to be resolved labels Nov 28, 2024
@tghosth
Copy link
Collaborator

tghosth commented Dec 2, 2024

Opened #2429

@tghosth tghosth added 6) PR awaiting review and removed 5) awaiting PR A proposal hs been accepted and reviewed and we are now waiting for a PR labels Dec 2, 2024
@tghosth tghosth closed this as completed in 326b37e Dec 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6) PR awaiting review V3 _5.0 - prep This needs to be addressed to prepare 5.0
Projects
None yet
Development

No branches or pull requests

5 participants