verifiable consent of visa usage

[dvoet]

When considering implementation of the AAI spec, we have a concern that there is no way for a clearinghouse to verify that the user has consented to allow a visa to be used by a broker. As the spec currently stands users who trust a Broker A effectively must trust all other brokers that Broker A trusts and so on down the trust chain. The user has no visibility into or mechanism to limit this.

This addition to the spec hopes to achieve this by adding audiences to Embedded Access Tokens or Embedded Document Tokens. Users can consent to a list of brokers when the tokens are generated. If the audience field does not exist then there is no restriction. How the token issuer knows what list to present to the user is unspecified.

Example embedded access token payload:

{
 "iss": "https://<embedded-token-issuer-website>/",
 "sub": "<subject-identifier>",
 "aud": [
  "https://<consented-broker1-website>/",
  "https://<consented-broker2-website>/" ...
 ],
 "iat": <seconds-since-epoch>,
 "exp": <seconds-since-epoch>,
 "jti": <token-identifier>,
 "scope": "openid <ga4gh-spec-scopes>",
}

Example access token issued by broker to clearinghouse:

{
 "iss": "https://<consented-broker1-website>/",
 "sub": "<subject-identifier>",
 "iat": <seconds-since-epoch>,
 "exp": <seconds-since-epoch>,
 "jti": <token-identifier>,
 "scope": "openid <ga4gh-spec-scopes>",
}

In this example, the clearinghouse MUST verify that the aud field in the embedded access token payload contains the iss field of the broker access token.

[davidbernick]

I'd like @cdvoisin to take first pass. Might also be worth having @mikael-linden look and chat...

[davidbernick]

@dvoet please add versioning info on top

[mikael-linden]

Looks reasonable. Aud is a common OIDC practice to restrict access token consumers.

[davidbernick]

Great if Mikael is a thumb, then once Craig says yes we're good to go.

[cdvoisin]

"consent" has its own flavor of interpretation that may be both too broad (perhaps in GDPR) and too narrow (in that it doesn't have to involve a user). For the Passport spec, the relationship between the Broker and the Visa Issuer is purposely unspecified except to follow this spec. Agreed, there is a MAY here, but it won't have much meaning if the wording covers a more narrow use case.

Instead of "to indicate which Brokers were consented by the user", I would pivot "to identify the Brokers as the intended audience as specified by RFC 7523 Section 3".

Although this seems more vague, it does provide more coverage for who can make use of this statement such that the network can handle the "how" and "what" the user interaction is that leads to this result.

[cdvoisin]

Based on previous feedback on the spec, we try to avoid the term "OIDC access token" due to the various layers of specs involved. Just "access tokens" here is preferred based on those previous nits and not to undo that previous nit-fixing work.

[cdvoisin]

Add "an" to yield: "If an Embedded Token".

[cdvoisin]

Couple of things here:

• contains is too vague, it must be an exact match as per https://tools.ietf.org/html/rfc3986#section-6.2.1
• "access token provided by Broker" can be ambiguous in cases where the there are multiple brokers involved or multiple embedded tokens that happen to be signed by one or more brokers. The intent comes across, but it just isn't tightly worded.

To fix:
"[matches] (https://tools.ietf.org/html/rfc3986#section-6.2.1) the Broker's iss claim (i.e. a Broker's access token iss claim must match the aud claim within its Embedded Tokens if the Embedded Token aud claim is provided)"

[cdvoisin]

This section is for headers and doesn't carry aud (even though the sentence mentions payload). To solve, delete this line and leave the "payload" line that already exists below.

Let me know if your intent is to replicate claims here: https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-5.3

This should be done with caution if using the aud field.

[cdvoisin]

micro-nit: please add 2 spaces after the dash ("-") to align with the other entries above and add period punctuation at the end for consistency.

[dvoet]

@cdvoisin I think I addressed your comments. Please take another look. Thanks.

[davidbernick]

@cdvoisin -- can you take a look?

[cdvoisin]

Suggestion just to make language clear. Given this is a MAY, and then have a sentence here saying "the values ... must match". How about:

"When an aud claim is specified, the values within the aud claim MUST match the iss claim for the Broker that includes the embedded token."

[cdvoisin]

"field" -> "claim"

[cdvoisin]

@dvoet almost there, just a couple more nits for you to look at. Ping me when ready.

[davidbernick]

Everyone okay with this now?

[cdvoisin]

aud -> aud

[martin-kuba]

Why broker's? The "aud" claim means "audience", so it should match the clearing house's client id, not the broker's issuer id. The audience ("the recipients processing the JWT" as per RFC 7519#4.1.3) is the clearing house, not the broker.

[dvoet]

Please see the PR summary for what I am trying to achieve.

In addition to allowing the aud claim to contain brokers we could say it must also contain clearing houses then the clearing house must verify that it is in the list itself as well as the broker. Essentially the visa issuer would specify all the parties, brokers and clearing houses, who are allowed to use the JWT. This spec would then go above and beyond the JWT RFC by saying the clearing house much check that the broker is in the aud claim.

If aud is not the right claim to use then I would propose adding a new claim to the spec and registering that with IANA.

[martin-kuba]

Defining a new claim seems to be a better way to me.

[itsJiaqi]

I think adding aud as a claim would be beneficial for a variety of use cases so certainly no objections from me on this PR.

However, this doesn't address consent or verifiable consent at all.

As I understand it, consent is an agreement between the user and an organization or company (a legal entity).

In the proposed flow, the organization needs to obtain the user’s data (their Visa) and parse it in order to verify if the user has consented or not. That’s already too late. The organization should not even have access to the user’s data without knowing that the user has consented. Verification of user consent needs to happen prior to the user’s data being shared.

[davidbernick]

A key philosophy that we ask across the AAI and Passport, without asking, is "Should a JWT, signed from a trusted source, full of visas from sources that can be checked, sufficient for Authentication?"

It might help us to include things about JWT-only auth, such as that it is assumed that JWT-only auth works in a fairly closed network of sources where it is ensured that the User understands that their JWT might be used be these related downstream systems. These systems are NOT 3rd parties in the traditional sense. Maybe I'll write something and add it to the spec, at least as an explanation.

It is NOT a replacement for OIDC/Oauth but rather an expression of them upstream. It is NOT the intention of AAI/Passports ONLY to "just be OIDC", but rather an alternative. JWT-only auth IS allowed by AAI/Passport provided that risk is appropriately assessed.

[davidbernick]

Hi @jiaqi216, I've started this PR #41 to make sure that the GA4GH spec explicitly mentions JWT_only auth as a possible, and not recommended, method of auth. I feel, with your feedback, that it was lacking to have an explicit callout.