Re: [Last-Call] [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

Neil Madden <neil.madden@forgerock.com> Mon, 31 August 2020 08:33 UTC

From: Neil Madden <neil.madden@forgerock.com>
Date: Mon, 31 Aug 2020 09:33:22 +0100
Cc: "dick.hardt" <dick.hardt@gmail.com>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, oauth <oauth@ietf.org>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/-sUnsoZm4pIi2tj_NStmgXVEbHc>

But if you want to handle revocation (and you do), then the alternative is short-lived access tokens with frequent refreshing, which also informs the AS of activity. So is this any better?

If an org running an RS decides to use a 3rd-party AS (eg cloud hosted) then there are privacy implications to that arrangement, regardless of the specific technology used for token validation.

> On 26 Aug 2020, at 22:16, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> 
> I agree with Dick’s observation about the privacy implications of using an Introspection Endpoint.  That’s why it’s preferable to not use one at all and instead directly have the Resource understand the Access Token.  One way of doing this is the JWT Access Token spec.  There are plenty of others.
>  
> The downsides of using an Introspection Endpoint should be described in the Privacy Considerations section.
>  
> -- Mike
>  
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
> Sent: Wednesday, August 26, 2020 9:52 AM
> To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
> Cc: last-call@ietf.org; oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
>  
> On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> Hi Denis,
> 
> > On 25. Aug 2020, at 16:55, Denis <denis.ietf@free.fr> wrote:
> 
> > The fact that the AS will know exactly when the introspection call has been made and thus be able to make sure which client
> > has attempted to perform an access to that RS and at which instant of time. The use of this call allows an AS to track where and when
> > its clients have indeed presented an issued access token.
> 
> That is a fact. I don’t think it is an issue per se. Please explain the privacy implications.
>  
> As I see it, the privacy implication is that the AS knows when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client.
>  
> I think including this implication would be important to have in a Privacy Considerations section.
>  
> /Dick
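As an added illustration (not part of this thread, nor code from any implementation the participants describe): a small Python model of the three validation approaches discussed above, showing what the AS gets to observe and how quickly revocation takes effect for each. The AS, RS and client here are constructed toys; an HMAC stands in for JWS signing, and all times are simulated seconds.

```python
import hashlib, hmac, json
SECRET = b"constructed-demo-secret"  # constructed; a real AS signs JWTs with an asymmetric key

class AuthorizationServer:
    def __init__(self):
        self.observed = []    # (event, time) pairs: what the AS learns about client activity
        self.revoked = set()  # subjects whose grant has been revoked

    def issue(self, sub, ttl, now):  # MAC-protected claims stand in for a signed JWT
        body = json.dumps({"sub": sub, "exp": now + ttl}, sort_keys=True).encode()
        return body.hex() + "." + hmac.new(SECRET, body, hashlib.sha256).hexdigest()

    def introspect(self, token, now):  # RFC 7662-style active check; the AS sees every call
        self.observed.append(("introspect", now))
        ok, claims = verify_locally(token, now)
        return ok and claims["sub"] not in self.revoked

    def refresh(self, sub, ttl, now):  # refreshing is just as visible to the AS
        self.observed.append(("refresh", now))
        return None if sub in self.revoked else self.issue(sub, ttl, now)

def verify_locally(token, now):  # RS-side MAC + expiry check; never contacts the AS
    body_hex, tag = token.split(".")
    body = bytes.fromhex(body_hex)
    if not hmac.compare_digest(hmac.new(SECRET, body, hashlib.sha256).hexdigest(), tag):
        return False, None
    claims = json.loads(body)
    return claims["exp"] > now, claims

def simulate(strategy, requests=20, interval=30, revoke_at=250):
    """Client hits the RS every `interval` s; Alice's grant is revoked at `revoke_at` s."""
    as_ = AuthorizationServer()
    ttl = 60 if strategy == "short_lived" else 3600
    token = as_.issue("alice", ttl, 0)
    granted_after_revoke = 0
    for i in range(requests):
        now = i * interval
        if now >= revoke_at:
            as_.revoked.add("alice")
        if strategy == "introspection":
            ok = as_.introspect(token, now)
        else:
            ok = verify_locally(token, now)[0]
            if not ok and strategy == "short_lived":
                token = as_.refresh("alice", ttl, now)
                if token is None:
                    break  # refresh refused after revocation: client is logged out
                ok = verify_locally(token, now)[0]
        granted_after_revoke += int(ok and now >= revoke_at)
    return {"as_events": len(as_.observed), "granted_after_revoke": granted_after_revoke}
```

Running `simulate` for "introspection", "local_jwt" and "short_lived" shows the trade-off in the thread: introspection reveals every RS request to the AS but revokes instantly, local JWT validation reveals nothing but honours the token until expiry, and short-lived tokens sit in between, with the refresh traffic still telling the AS roughly when the client is active.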