Re: [OAUTH-WG] JWT access tokens and the revocation endpoint

Jim Manico <jim@manicode.com> Mon, 05 October 2020 00:17 UTC

From: Jim Manico <jim@manicode.com>
Date: Sun, 04 Oct 2020 14:17:19 -1000
Message-Id: <13035645-B875-48E5-80DC-C1FD401423E2@manicode.com>
References: <a5b45629-c770-2294-4277-73801fff1857@babelouest.org>
Cc: Thomas Broyer <t.broyer@gmail.com>, oauth@ietf.org
In-Reply-To: <a5b45629-c770-2294-4277-73801fff1857@babelouest.org>
To: Nicolas Mora <nicolas@babelouest.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/-jQSGeWOHdGQ05KH-QBGK-QPlvY>
Subject: Re: [OAUTH-WG] JWT access tokens and the revocation endpoint
List-Id: OAUTH WG <oauth.ietf.org>

> In this model, considering that token revocations don't happen a lot...

Just a brief note: a secure piece of software makes the logout feature prominent. Every logout event should trigger token revocation.

I’m mentioning this because a lot of OAuth solutions in the mobile space literally ignore the logout event, such as Facebook’s mobile OAuth solution. 

- Jim

> On Oct 4, 2020, at 6:55 AM, Nicolas Mora <nicolas@babelouest.org> wrote:
> 
> Hello,
> 
>> On 2020-10-04 at 11:27, Thomas Broyer wrote:
>> 
>>    There might be some kind of pushed events between the AS and the RS when
>>    a JWT AT is revoked, to allow the RS not to introspect a JWT AT at all.
>>    Like this, the RS knows if a JWT AT has been revoked or not.
>> 
>> 
>> If there are some kind of pushed events between the AS and the RS, then
>> it could push the revoked (and/or expired) opaque AT too, giving almost
>> no advantage to JWT ATs.
>> 
> Not necessarily, let's say the AS informs the RS only of the revoked
> ATs, when an RS checks an AT, it verifies the signature first, then the
> claims, then checks if the AT has been revoked by checking its internal
> list filled by the AS-pushed events.
> 
> In this model, considering that token revocations don't happen a lot,
> the ratio revoked AT/valid AT is very low, so the advantage of a JWT is
> important, because it means not so much communication between the AS and
> the RSs, and a very reliable AT.
> 
> But this means a communication mechanism that isn't standardized yet.
> 
> /Nicolas
> 
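The validation order Nicolas describes (signature first, then claims, then a local revocation list filled by AS push events), together with Jim's point that a logout must actually call the revocation endpoint, as an added Python example; this is not code from the thread or from any of its participants. Everything below is my assumption for the sake of a runnable sketch: HS256 with a secret shared by AS and RS (a real AS would sign with an asymmetric key and publish a JWKS), an in-process subscriber list standing in for the AS-to-RS push channel that Nicolas notes is not standardised, a `revoke` method shaped like an RFC 7009 revocation endpoint that refuses to push a jti for a token it did not sign, and constructed names, URLs, clock value and secret.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


class AuthorizationServer:
    """Issues JWT ATs; its revocation endpoint pushes each revoked jti to the subscribed RSs."""

    def __init__(self, key: bytes, issuer: str):
        self.key, self.issuer, self.subscribers, self.serial = key, issuer, [], 0

    def issue(self, sub: str, aud: str, now: int, ttl: int = 600) -> str:
        self.serial += 1
        claims = {"iss": self.issuer, "sub": sub, "aud": aud, "iat": now,
                  "exp": now + ttl, "jti": f"at-{self.serial}"}
        header = b64url(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
        signing_input = header + "." + b64url(json.dumps(claims).encode())
        return signing_input + "." + b64url(sign(self.key, signing_input))

    def revoke(self, token: str) -> bool:
        """Revocation endpoint (RFC 7009 shape, assumed): only a token this AS signed gets pushed out."""
        try:
            head, payload, sig = token.split(".")
            genuine = hmac.compare_digest(sign(self.key, f"{head}.{payload}"), b64url_decode(sig))
        except ValueError:
            return False
        if not genuine:
            return False
        claims = json.loads(b64url_decode(payload))
        for rs in self.subscribers:          # hypothetical push channel; nothing standard defines it
            rs.on_revoked(claims["jti"], claims["exp"])
        return True


class ResourceServer:
    """Validates a JWT AT locally: signature, then claims, then the AS-fed revocation list."""

    def __init__(self, key: bytes, issuer: str, audience: str):
        self.key, self.issuer, self.audience = key, issuer, audience
        self.revoked = {}   # jti -> exp; an entry is dead weight once the token would have expired

    def on_revoked(self, jti: str, exp: int):
        self.revoked[jti] = exp

    def prune(self, now: int):
        self.revoked = {jti: exp for jti, exp in self.revoked.items() if exp > now}

    def validate(self, token: str, now: int):
        try:
            head, payload, sig = token.split(".")
            header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(payload))
            signature = b64url_decode(sig)
        except ValueError:      # wrong part count, bad base64, bad UTF-8 and bad JSON all land here
            return (False, "malformed")
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            return (False, "malformed")
        # 1. signature, with the algorithm pinned rather than taken from the header
        if header.get("alg") != "HS256" or not hmac.compare_digest(sign(self.key, f"{head}.{payload}"), signature):
            return (False, "bad signature")
        # 2. claims
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            return (False, "wrong issuer or audience")
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return (False, "expired")
        # 3. revocation list, consulted only once the token is otherwise valid
        if claims.get("jti") in self.revoked:
            return (False, "revoked")
        return (True, claims.get("sub"))


def demo():
    key = b"constructed shared secret for this example only"   # constructed
    now = 1_601_857_043                                         # constructed fixed clock
    auth = AuthorizationServer(key, "https://as.example")
    rs = ResourceServer(key, "https://as.example", "https://api.example")
    auth.subscribers.append(rs)
    token = auth.issue("alice", "https://api.example", now)
    before = rs.validate(token, now)             # accepted
    logged_out = auth.revoke(token)              # the logout handler's job: hit the revocation endpoint
    after = rs.validate(token, now + 1)          # rejected from the local list; no introspection call
    head, payload, sig = token.split(".")
    claims = dict(json.loads(b64url_decode(payload)), sub="mallory")   # tampered claims, original signature
    forged = head + "." + b64url(json.dumps(claims).encode()) + "." + sig
    tampered = rs.validate(forged, now)          # fails at step 1; the list is never consulted
    rs.prune(now + 601)                          # past exp, so the entry can be dropped
    return before, logged_out, after, tampered, len(rs.revoked)
```

Two things the run shows that the thread only states: the RS rejects a revoked token with no call back to the AS, and the revocation list never needs to outlive the tokens on it, since an entry is only useful until the token's own `exp`, which is what `prune` exploits. A forged token fails at the signature step before the list is consulted, so the list is not something an unauthenticated caller can probe.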