[OAUTH-WG] JWT access tokens and the revocation endpoint

Andrii Deinega <andrii.deinega@gmail.com> Fri, 02 October 2020 22:20 UTC

From: Andrii Deinega <andrii.deinega@gmail.com>
Date: Fri, 02 Oct 2020 15:19:47 -0700
Message-ID: <CALkShcsApoXc=4p_e5mbs9vQCDPHDLrdt-8bd5D_5XhLGYOOJA@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1kuvt-FP_Hija_edHVNurZrIRSE>
Subject: [OAUTH-WG] JWT access tokens and the revocation endpoint

Hi WG,

https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-10 provides
the following about JWT access tokens:

“resource servers can consume them directly for authorization or other
purposes without any further round trips to introspection ([RFC7662]) or
userinfo ([OpenID.Core]) endpoints.”

which is completely understandable. I do understand that the objective of
this document is to standardize the token which the AS shares with the RS
as it was discussed in other email threads.

Here is what I would like to get a better understanding of:
1. What should a response of the introspection endpoint look like if the RS
makes an attempt to introspect a JWT access token?
2. What should a response of the OpenID Connect userinfo endpoint look like
for a JWT access token?

I assume that it’s expected to have no difference compared to a regular
bearer token (given that a particular implementation of the AS provides
these endpoints). Does it sound right?

If so, what are we going to get if the RS or the client revokes a valid JWT
access token using the revocation endpoint (RFC 7009)?

Do you think there is a need to add more detailed information about these
scenarios in the document? This way, we could refer back to these sections
in the documentation in case any disputes around security-related topics
come up.

Thank you.

Regards,
Andrii
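The scenario the questions above turn on, as an added illustration that is not part of the original message, of the draft, or of any particular AS implementation: an RS that consumes a self-contained JWT access token locally (signature plus `exp`) cannot see a revocation made through an RFC 7009 revocation endpoint, whereas an RFC 7662 introspection response can report `"active": false` for the same token because the AS keeps revocation state. Everything here is constructed for the example: the HS256 shared key (a real AS would normally use an asymmetric key published via JWKS), the in-memory `REVOKED_JTI` denylist keyed by `jti`, the claim values, and the function names `issue_jwt`, `verify_jwt_locally`, `revocation_endpoint`, `introspection_endpoint`, `rs_accepts` and `prune_revocations` are all assumptions. The `typ` value `at+jwt` is the one the draft defines.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by AS and RS (assumption: HS256 for brevity, not a JWKS-published key).
DEMO_KEY = b"demo-shared-secret-not-for-production"

# AS-side revocation state (assumption: in-memory). Maps jti -> exp so entries can be dropped once expired.
REVOKED_JTI = {}


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """AS side: mint a compact HS256 JWT access token (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt_locally(token: str, key: bytes = DEMO_KEY, now=None):
    """RS side, no round trip: verify signature, pin the algorithm, check exp. Returns claims or None."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
    except (ValueError, TypeError):
        return None
    if header.get("alg") != "HS256" or header.get("typ") != "at+jwt":
        return None  # never let the token choose the algorithm or type
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


def revocation_endpoint(token: str, now=None) -> int:
    """AS side, RFC 7009 shape: invalidate the token; respond 200 even for invalid/unknown tokens."""
    claims = verify_jwt_locally(token, now=now)
    if claims and "jti" in claims:
        REVOKED_JTI[claims["jti"]] = claims["exp"]
    return 200


def introspection_endpoint(token: str, now=None) -> dict:
    """AS side, RFC 7662 shape: {"active": false} unless the token verifies AND is not revoked."""
    claims = verify_jwt_locally(token, now=now)
    if claims is None or claims.get("jti") in REVOKED_JTI:
        return {"active": False}
    resp = {"active": True}
    for k in ("scope", "client_id", "sub", "aud", "iss", "exp", "iat", "jti"):
        if k in claims:
            resp[k] = claims[k]
    return resp


def rs_accepts(token: str, consult_as: bool, now=None) -> bool:
    """RS decision: local validation only, or local validation plus an introspection round trip."""
    if verify_jwt_locally(token, now=now) is None:
        return False
    if not consult_as:
        return True  # self-contained check: revocation is invisible here
    return introspection_endpoint(token, now=now)["active"]


def prune_revocations(now=None) -> int:
    """Drop denylist entries whose exp has passed; local validation rejects those tokens anyway."""
    now = int(time.time()) if now is None else now
    stale = [jti for jti, exp in REVOKED_JTI.items() if exp <= now]
    for jti in stale:
        del REVOKED_JTI[jti]
    return len(stale)
```

Run with a token whose `jti` is revoked mid-lifetime: `rs_accepts(tok, consult_as=False)` keeps returning `True` until `exp`, while `rs_accepts(tok, consult_as=True)` flips to `False` as soon as the revocation endpoint has recorded the `jti`. That is the gap between "no further round trips" and RFC 7009 semantics; the denylist only needs to hold a `jti` until its `exp`, which is what `prune_revocations` enforces.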