Reasoning behind removing the vfy claim:

Having the verify url within the token would encourage implementations to use the url without verifying its trusted, allowing the spoofing of tokens.

The verify url should be a pre-shared component for trust, just like the key would be pre-shared.

With the url having the advantage of not actually sharing the key, so that the host of the third party service could not actually generated trusted tokens.

Our implementation is updated to match the new pull request.

https://github.com/inspircd/inspircd-contrib/blob/master/4/m_ircv3_extjwt.cpp

Can we get an audit on implementations for this. Those I'm aware of:

• kiwi
• unreal (EXTJWT command for integrating external web services #341 (comment))
• inspircd (EXTJWT command for integrating external web services #547 (comment))
• ergo (EXTJWT, take 2 ergochat/ergo#1136)

Anyone else? Particularly would be nice to see clients, with examples of it being used.

@sadiepowell @k4bek4be @slingamn thoughts on whether this should be merged as a draft? (needs editing to reflect that)

AFAIK no client implements this other than kiwi, but any insight on how widely this is used on your servers?

I'm happy to see this merged as a draft. We have a few users who are using this with Kiwi. I'm not aware of any other client implementations.

I also support merging this as a draft. I don't have any concrete feedback from operators to report.

Server support: I know there is small amount of users using EXTJWT in UnrealIRCd. I'll be trying to get some more precise numbers.
Client support: The PIRC.pl web client uses it. But the client probably is not used outside of our IRC network (also source code of the service consuming JWTs is not yet released publicly).
No functional issues were noted with current implementation, and I hadn't thought much about improving underlying ideas.

Kiwi IRC currently has 3 main plugins that use EXTJWT they are:

kiwiirc/plugin-fileuploader allows file uploads that can be restricted to logged in accounts only or allow logged in account files to be retained for longer.

kiwiirc/plugin-conference integrates jitsi-meet in to channels and queries allowing for video conferencing with IRC. when used with a jitsi-meet side auth plugin this can be used to control who is moderator of the conference based on IRC channel mode and also restrict channels etc.

itsonlybinary/kiwiirc-plugin-avatar-upload allows logged in users to upload avatars which can then be shown to all users.

Other network admins do appear to have also created quite complex account/profile systems that also use EXTJWT tokens to link different pieces.

I hope these demonstrate the usefulness of this spec for linking IRC with 3rd party services

I really like this spec and see great potential for use if paired with an external-service discovery mechanism.
Something that could provide the clients with a list of external services with their infos (name, type, URL with token placeholder).
Maybe I misunderstood the spec, but it looks like it requires the client to know which external service exist, their name and their URL. It is therefore limited to clients specific to a given server.

Also, (it might be too late for this, given several implementations exists, but I'm proposing anyway), EXTJWT seems like a very specific verb that doesn't lend itself to other token generation protocols in the future. May I suggest s/EXTJWT/EXTTOKEN JWT/g? ^^
Just to leave room for EXTTOKEN OAUTH or whatever gets popular or requested.

re. the use of aud instead of service and the nullable fields, I think these changes are improvements in principle but I'm not sure the improvements are sufficient to justify the compatibility breakage. Do other people have thoughts?

Given its still a draft spec I'm fine with breaking compatibility to make the IRCv3 implementation behave more like the upstream spec, if necessary server implementations can emit both keys for a period.

There's no way to make the nullable field changes compatible since they use the same key names.

Since there's no prefixing here (this spec predates ISUPPORT prefixing, no need to add it now imo) there's not much to add in a "Notes for implementing work-in-progress version" section. The wip key is also already set.

So this is fine to merge once a decision is made on the other suggestions. I'd probably favour not changing the nullable fileds. The iss wording suggestion seems fine. I'm neutral on changing service to aud, probably not worth it though.

The more I look into this spec the less I like it. While I'm not going to expend any additional energy to block it from being merged or correct it, I think this is probably better off left as a vendor extension (unprefixed for historical reasons) and something goes back to the drawing board from square 1 with a better eye on security (and a different command name/ISUPPORT token). It attempts to implement authn and authz and fails at both because it tries to be too generic without any consideration of the threat models it is facing or that external services making use of this face.

• The channel form of the command will introduce security issues in external services for anything that needs to vet beyond "is this nickname a member of the channel" -- and may introduce security issues in external services even for that. Nicknames are both ephemeral and reusable identifiers, expiration can last longer than that nickname's membership in the channel, there is no revocation or other backchannel checks to ensure the token is still valid.
• Similarly for sub, same issue with nicknames and its presence on the server (rather than just channels). It ranges from largely useless to actively harmful as an authn identifier. If the service needs persistent ids, something persistent should be used. If wants transient ids, the generation scheme should avoid re-use.
• For the service form, the spec honestly needs less structure regarding the claims here. umodes are largely meaningless (especially o for oper since every modern ircd under the sun has different oper privs so simply knowing someone is an oper doesn't tell you what they're able to do). There's no reason to include useless crap in the JWT. The admins need to configure the services in conf anyway, they can specify exactly what that service needs and employ a least-privilege approach to what claims are passed.
• aud is an important security control and is missing entirely, and there is no protection against replay attacks.

While I do not mean to disparage the writers of this spec, it's fairly clear that minimal to no research was done on the federated authn/authz front. Please look at the security challenges that SAML and OIDC solve and how they solve them, or heck even OAuth in general with their Bearer tokens. I'm not saying this needs to replicate those precisely, but it should not regress in basic ways that make the spec inflexible and largely unusable in general, despite supposedly being general purpose.

As mentioned before, I'm not going to expend any additional energy on fighting this, so please do not expect further replies in this thread from me.

there is no revocation or other backchannel checks to ensure the token is still valid.

InspIRCd supports the vfy key which provides an endpoint that can be used for this purpose but I don't think it ever made it into the spec.

I removed vfy after reading #341 (comment)

I explain how a pre-shared verify url can be used in "external service verifies that the token has not been tampered with by one of two methods" this wording really should have security considerations notice, suggesting that both should be done and the risks of only using pre-shared password.

I will do some research into hardening and improving this spec. I am fully open to specific suggestions and wording.