Re: [OAUTH-WG] JWT access tokens and the revocation endpoint

Jim Manico <> Mon, 05 October 2020 00:17 UTC

From: Jim Manico <>
Date: Sun, 04 Oct 2020 14:17:19 -1000
Cc: Thomas Broyer <>,
To: Nicolas Mora <>
Subject: Re: [OAUTH-WG] JWT access tokens and the revocation endpoint

> In this model, considering that token revocations don't happen a lot...

Just a brief note: a secure piece of software makes the logout feature prominent. Every logout event should trigger token revocation.

I’m mentioning this because a lot of OAuth solutions in the mobile space literally ignore the logout event, such as Facebook’s mobile OAuth solution.

- Jim

> On Oct 4, 2020, at 6:55 AM, Nicolas Mora <> wrote:
> Hello,
>> On 2020-10-04 at 11:27, Thomas Broyer wrote:
>>    There might be some kind of pushed events between the AS and the RS when
>>    a JWT AT is revoked, to allow the RS not to introspect a JWT AT at all.
>>    Like this, the RS knows if a JWT AT has been revoked or not.
>> If there are some kind of pushed events between the AS and the RS, then
>> it could push the revoked (and/or expired) opaque AT too, giving almost
>> no advantage to JWT ATs.
> Not necessarily, let's say the AS informs the RS only of the revoked
> ATs; when an RS checks an AT, it verifies the signature first, then the
> claims, then checks if the AT has been revoked by checking its internal
> list filled by the AS pushed events.
> In this model, considering that token revocations don't happen a lot,
> the ratio revoked AT/valid AT is very low, so the advantage of a JWT is
> important, because it means not so much communication between the AS and
> the RSs, and a very reliable AT.
> But this means a communication mechanism that isn't standardized yet.
> /Nicolas
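As an added example (not part of this thread, and not anyone's project code), here is a self-contained Python sketch of the model Nicolas describes, combined with Jim's point that a logout must call the revocation endpoint: the RS verifies the signature, then the claims, then consults a small denylist of revoked jtis that the AS pushes to it. Everything in it is constructed for illustration: an HS256 shared secret stands in for the AS's real signing key (a real AS signs with an asymmetric key and publishes it via JWKS), an in-process callback stands in for the AS-to-RS push channel that, as Nicolas notes, is not standardised, and the hostnames, claim values and user names are made up.

```python
import base64, hashlib, hmac, json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed: a shared HS256 secret stands in for the AS key (a real AS uses an asymmetric key + JWKS).
AS_SECRET = b"constructed-demo-secret-do-not-use"
ISSUER, AUDIENCE = "https://as.example", "https://rs.example"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_signature(secret: bytes, token: str) -> Optional[dict]:
    """Claims if the HS256 signature verifies, else None; alg is pinned, so 'alg: none' fails here."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        if json.loads(_b64url_decode(parts[0])).get("alg") != "HS256":
            return None
        mac = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, _b64url_decode(parts[2])):
            return None
        return json.loads(_b64url_decode(parts[1]))
    except ValueError:  # malformed base64 or JSON
        return None

class AuthorizationServer:
    def __init__(self, secret: bytes) -> None:
        self._secret, self._serial = secret, 0
        self._subscribers: List[Callable[[str, int], None]] = []

    def subscribe(self, on_revoked: Callable[[str, int], None]) -> None:
        self._subscribers.append(on_revoked)

    def issue(self, sub: str, ttl: int, now: int) -> str:
        self._serial += 1
        header = {"alg": "HS256", "typ": "at+jwt"}
        claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "iat": now,
                  "exp": now + ttl, "jti": f"jti-{self._serial}"}
        body = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
        return body + "." + _b64url(hmac.new(self._secret, body.encode(), hashlib.sha256).digest())

    def revoke(self, token: str) -> bool:
        """Revocation endpoint, e.g. hit on logout. Only a token this AS signed
        produces a push of its jti (+exp); anything else is a no-op, as RFC 7009 requires."""
        claims = verify_signature(self._secret, token)
        if claims is None:
            return False
        for on_revoked in self._subscribers:
            on_revoked(claims["jti"], claims["exp"])
        return True

class ResourceServer:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._revoked: Dict[str, int] = {}  # jti -> exp; the RS's only revocation state

    def on_revoked(self, jti: str, exp: int) -> None:
        self._revoked[jti] = exp

    def prune(self, now: int) -> None:
        """Forget entries whose token would now fail the exp check anyway."""
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def check(self, token: str, now: int) -> Tuple[bool, str]:
        """Order from the thread: signature, then claims, then the denylist."""
        claims = verify_signature(self._secret, token)
        if claims is None:
            return False, "bad signature"
        if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
            return False, "bad iss/aud"
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return False, "expired"
        if claims.get("jti") in self._revoked:
            return False, "revoked"
        return True, claims["sub"]

def demo() -> dict:
    """Issue, use, logout-triggered revoke, two forgery attempts, then prune."""
    now = 1_700_000_000
    auth, rs = AuthorizationServer(AS_SECRET), ResourceServer(AS_SECRET)
    auth.subscribe(rs.on_revoked)  # the not-yet-standardised AS -> RS push channel
    alice, bob = auth.issue("alice", 3600, now), auth.issue("bob", 3600, now)
    out = {"fresh": rs.check(alice, now + 10)}
    auth.revoke(alice)  # Alice logs out; the client calls the revocation endpoint
    out["after_logout"] = rs.check(alice, now + 20)
    out["other_user"] = rs.check(bob, now + 20)
    h, p, s = alice.split(".")
    forged = json.dumps({**json.loads(_b64url_decode(p)), "sub": "admin"}).encode()
    out["forged_sub"] = rs.check(f"{h}.{_b64url(forged)}.{s}", now + 20)
    out["alg_none"] = rs.check(_b64url(b'{"alg":"none"}') + f".{p}.", now + 20)
    out["expired"] = rs.check(bob, now + 3600)
    rs.prune(now + 3600)
    out["denylist_after_prune"] = len(rs._revoked)
    return out
```

Two design points worth noting. The denylist only ever holds jtis of tokens that were revoked before their exp, and an entry can be dropped the moment exp passes, so its size tracks the (low) revocation rate rather than the number of tokens issued, which is the trade-off Nicolas is pointing at. The flip side is that if the push channel is down the RS cannot tell, and a revoked token stays usable until exp; short token lifetimes bound that window, and a real deployment would want the push to be acknowledged or replayed after a reconnect.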