Re: [OAUTH-WG] self-issued access tokens

[toshio9.ito@toshiba.co.jp]

Thanks Dick,

Our use case is to connect IoT devices to a cloud service. The cloud service has
to authenticate those devices. The devices are not operated by humans. They run
on its own.

We want public key-based authentication for those devices. In that case, mutual
TLS is a popular option (e.g. AWS IoT Core). However, we don't want to use
mutual TLS for several reasons (e.g. it's too coupled with the transport layer).
So, we are seeking a solution that is more in application layer.


Toshio Ito

From: Dick Hardt <dick.hardt@gmail.com>
Sent: Friday, October 1, 2021 12:53 PM
To: ito toshio(伊藤 俊夫 ○ＲＤＣ□ＩＴ研○ＣＮＬ) <toshio9.ito@toshiba.co.jp>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] self-issued access tokens

Would be useful to understand your use case and what you the goals and constraints are

On Thu, Sep 30, 2021 at 5:58 PM <toshio9.ito@toshiba.co.jp<mailto:toshio9.ito@toshiba.co.jp>> wrote:
Thanks Dick,

I agree. The scenario of self-issued access tokens doesn't really follow the
model of OAuth.

So, if we do standardize self-issued access tokens, maybe OAUTH WG is not the
right venue. Maybe HTTPBIS or HTTPAPI WGs?


Toshio Ito

From: Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>>
Sent: Wednesday, September 29, 2021 3:06 PM
To: ito toshio(伊藤 俊夫 ○ＲＤＣ□ＩＴ研○ＣＮＬ) <toshio9.ito@toshiba.co.jp<mailto:toshio9.ito@toshiba.co.jp>>
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] self-issued access tokens

If the client is sending a self-signed JWT to the RS, you essentially are just authenticating directly to the RS. Not really OAuth as the RS has not delegated authorization authority to the AS.

If the client sends a self-signed JWT (a PAR) to the AS, and gets back an access token to present to the RS, you get centralized authorization decisions, a key feature of OAuth.