Re: [Last-Call] [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 27 August 2020 13:48 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CH2PR00MB0678DA2BC7234C2AC1CE784DF5541@CH2PR00MB0678.namprd00.prod.outlook.com>
Date: Thu, 27 Aug 2020 15:48:38 +0200
Cc: "last-call@ietf.org" <last-call@ietf.org>, oauth <oauth@ietf.org>
Message-Id: <412A63AD-DDE1-4BFE-8234-5A721A0ED88D@lodderstedt.net>
References: <CH2PR00MB0678DA2BC7234C2AC1CE784DF5541@CH2PR00MB0678.namprd00.prod.outlook.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "dick.hardt" <dick.hardt@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/mCg6jOzR-bVf5zlpmIF1ZOdeODI>
Subject: Re: [Last-Call] [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

Will the following text work for you?

Implementers should be aware that a token introspection request lets the AS know when the client
(and potentially the user) is accessing the RS, which is also an indication of when the user is using
the client. If this implication is not acceptable, implementers MUST use other means to carry
access token data, e.g. directly transferring the data needed by the RS within the access token.


> On 26. Aug 2020, at 23:12, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
> 
> I agree with Dick’s observation about the privacy implications of using an Introspection Endpoint.  That’s why it’s preferable to not use one at all and instead directly have the Resource understand the Access Token.  One way of doing this is the JWT Access Token spec.  There are plenty of others.
>  
> The downsides of using an Introspection Endpoint should be described in the Privacy Considerations section.
>  
> -- Mike
>  
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
> Sent: Wednesday, August 26, 2020 9:52 AM
> To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
> Cc: last-call@ietf.org; oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
>  
> On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> Hi Denis,
> 
> > On 25. Aug 2020, at 16:55, Denis <denis.ietf@free.fr> wrote:
> 
> > The fact that the AS will know exactly when the introspection call has been made and thus be able to make sure which client 
> > has attempted to perform an access to that RS and at which instant of time. The use of this call allows an AS to track where and when 
> > its clients have indeed presented an issued access token.
> 
> That is a fact. I don’t think it is an issue per se. Please explain the privacy implications.
>  
> As I see it, the privacy implication is that the AS knows when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client.
>  
> I think including this implication would be important to have in a Privacy Considerations section.
>  
> /Dick
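The two deployment models the thread contrasts (an introspection call to the AS versus a self-contained access token that the RS verifies itself), as an added Python example that is not part of the thread or of the draft. It assumes constructed names (`as.example`, `rs.example`, `user-123`) and, to stay within the standard library, an HMAC key shared between AS and RS; a real deployment would sign with an asymmetric key, as in the JWT access token profile Mike refers to, so that the RS can verify but never mint tokens. The `introspection_log` makes the privacy point concrete: with a reference token the AS records every access (which RS, whose token, when), with a self-contained token it records nothing.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (not from the draft). HS256 is used only to avoid an
# extra library; production would use RS256/ES256 with the AS's private key.
SIGNING_KEY = b"constructed-shared-key-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthorizationServer:
    """Issues access tokens and records every introspection call it answers."""

    def __init__(self):
        self._opaque = {}            # opaque token -> the claims it stands for
        self.introspection_log = []  # what the AS learns from introspection

    def issue_opaque(self, claims: dict) -> str:
        # Reference token: meaningless to the RS, resolvable only by the AS.
        digest = hashlib.sha256(json.dumps(claims, sort_keys=True).encode()).hexdigest()
        token = "opaque-" + digest[:16]
        self._opaque[token] = claims
        return token

    def issue_jwt(self, claims: dict) -> str:
        # Self-contained token: the data the RS needs travels inside the token.
        header = _b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
        payload = _b64url(json.dumps(claims).encode())
        sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url(sig)}"

    def introspect(self, token: str, caller: str, now: int) -> dict:
        # RFC 7662-style lookup. The side effect is the point of the thread: the AS
        # now knows which RS was accessed with which user's token, and when.
        claims = self._opaque.get(token)
        self.introspection_log.append(
            {"rs": caller, "sub": claims["sub"] if claims else None, "at": now}
        )
        if claims is None or claims["exp"] <= now:
            return {"active": False}
        return {"active": True, **claims}


class ResourceServer:
    def __init__(self, name: str, authz: AuthorizationServer):
        self.name = name
        self.authz = authz

    def authorize_via_introspection(self, token: str, now: int) -> bool:
        # Every request to this RS triggers a round trip the AS can observe.
        return self.authz.introspect(token, self.name, now)["active"]

    def authorize_locally(self, token: str, now: int) -> bool:
        # Verify the JWT with the shared key; the AS is never contacted.
        parts = token.split(".")
        if len(parts) != 3:
            return False
        header_b64, payload_b64, sig_b64 = parts
        expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
                return False
            header = json.loads(_b64url_decode(header_b64))
            claims = json.loads(_b64url_decode(payload_b64))
        except (ValueError, UnicodeDecodeError):
            return False
        # Pin the algorithm, then check audience and expiry before trusting claims.
        if header.get("alg") != "HS256":
            return False
        return claims.get("aud") == self.name and claims.get("exp", 0) > now


def run_demo(now: int = 1_700_000_000) -> dict:
    """Run one request through each model and report what the AS learned."""
    authz = AuthorizationServer()
    rs = ResourceServer("rs.example", authz)
    claims = {"iss": "as.example", "sub": "user-123", "aud": "rs.example", "exp": now + 300}

    opaque_ok = rs.authorize_via_introspection(authz.issue_opaque(claims), now)
    observed_after_opaque = len(authz.introspection_log)  # the AS saw this access

    jwt = authz.issue_jwt(claims)
    jwt_ok = rs.authorize_locally(jwt, now)
    h, _, s = jwt.split(".")  # tampered payload with the original signature
    forged = ".".join([h, _b64url(json.dumps({**claims, "sub": "admin"}).encode()), s])
    forged_ok = rs.authorize_locally(forged, now)
    expired_ok = rs.authorize_locally(authz.issue_jwt({**claims, "exp": now - 1}), now)

    return {
        "opaque_ok": opaque_ok, "jwt_ok": jwt_ok,
        "forged_ok": forged_ok, "expired_ok": expired_ok,
        "as_observed_after_opaque": observed_after_opaque,
        "as_observed_after_jwt": len(authz.introspection_log),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running it shows both tokens authorizing the same request, but `introspection_log` gains an entry only in the reference-token case; the forged and expired JWTs are rejected locally without the AS ever learning that the RS was contacted.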