Re: [OAUTH-WG] oauth-jwt-introspection-response and RFC 7797

Vladimir Dzhuvinov <> Mon, 08 February 2021 16:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 97EC23A10BA for <>; Mon, 8 Feb 2021 08:03:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.917
X-Spam-Status: No, score=-1.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3nwHGebFTZor for <>; Mon, 8 Feb 2021 08:03:11 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D12DC3A10E8 for <>; Mon, 8 Feb 2021 08:03:11 -0800 (PST)
Received: from [] ([]) by :SMTPAUTH: with ESMTPSA id 990HlxIGCw5Jf990HlRyik; Mon, 08 Feb 2021 09:03:10 -0700
X-CMAE-Analysis: v=2.4 cv=X62XlEfe c=1 sm=1 tr=0 ts=602160be a=+I3yL00+yDwT8KNLgfs+4A==:117 a=+I3yL00+yDwT8KNLgfs+4A==:17 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=O7ycHR8boHRv27uBlEwA:9 a=QEXdDO2ut3YA:10 a=pGLkceISAAAA:8 a=nak9Ox0lsa0-jk66YjIA:9 a=216G3L1HtJXoGbrs:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10 a=w1C3t2QeGrPiZgrLijVG:22
References: <>
From: Vladimir Dzhuvinov <>
Autocrypt:; prefer-encrypt=mutual; keydata= mQENBFQZaoEBCACnP2YMDex9fnf+niLglTHGKuoypUSVKPQeKDHHeFQVzhRke+HBEZBwmA9T kZ+kEhyrNqibDPkPYVPmo23tM8mbNcTVQqpmN7NwgMpqkqcAqNsIyBtt09DjWOQVm57A3K+y uXI7SdNErdt79p2xQseOhqSC9+LgWuyh+mZsl2oFD4glFFfKSCMp2jATXrAMeGzigTnW+Xe0 tRzrwFN9zqykKxhUq9oHg1cNvoDtfxgsc9ysVHbxM/PM8o9lgj3YTQwKMBcCFclTqohji7ML fQ08eQo+acKTwC1WRzeLt9PknGt3C4TmvdCl0c1BQTTTNiF96Hu4kbaiBIbsfxJOR8+VABEB AAG0LFZsYWRpbWlyIER6aHV2aW5vdiA8dmxhZGltaXJAY29ubmVjdDJpZC5jb20+iQE+BBMB AgAoBQJUGWqBAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ0vUyOqri Ql62B/wOO0s2JC/QvO6w9iSsRhCOa/JZi+wO+l01V7eGCQ1cYf1W26Y7iKiUlY4/Kz+cr69D pMtkv3UpDTGejKEfspLUxz5Vo3T4oAKbTtNtVIZL/XxH3/JhJ719Jj4eLoe9/djKkGYTX2O5 bMk8TpO1DDjbIw4r9XKI9ZIk96zlKnZvrg7Ho7oOl0ZIf8AzcvdqZEUogDwyr8uwOU+jIyux mOTthepBzXCNjjBjnc8I1//9YppAIaGJ5nnXelVVD1/dyOszogervzFNANEIOvNvCd9G5u4e s7qkDKWKY7/Lj1tF+tMrDTrOh6JqUKbGNeTUB8DlPvIoNyqHUYfBELdpw1Nd
Organization: Connect2id Ltd.
Message-ID: <>
Date: Mon, 08 Feb 2021 18:03:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms050304000102030505030502"
X-CMAE-Envelope: MS4xfERgXj7uEwKyHNT/spE+n/A3TkqamwaPblbuUhfOiAiFgSXPsmdUcMFhLTw9ZeMYE2ITLWJkUosgXYQ1JWHHsEXOdNEpwxhWY7o8M0hw8G+yyfU1VYZd 8fCAZC2LFEPguiTHDfvaXhZI54bjkXbHaEgvJxrA+lk2rFwI2MHUDjmZKOaNaWsSiKeGhX3wZ+ugtw==
Archived-At: <>
Subject: Re: [OAUTH-WG] oauth-jwt-introspection-response and RFC 7797
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Feb 2021 16:03:14 -0000

Hi Andrii,

The unencoded payload JWS from RFC 7797 appears to be harder to get
right. Web frameworks can for instance make serialization and parsing of
JSON and text in general in HTTP unpredictable or difficult to control.
A single \n introduced at the end of the body can for instance break the
signature (been in one such situation). Incorrectly set charsets can
also cause issues. To mitigate this there has been an effort to
canonicalize JSON.

Also note that the JSON payload of the signed introspection response is
not a 1:1 copy of the RFC 7662 token introspection response. It includes
claims outside the token_introspection container - iss, aud and iat. So
where will they go and how is the signature going to include them as well?

There's also the issue with encryption - we don't have a standard way of
doing JWE over an RFC 7797 style signed text yet.


On 07/02/2021 11:56, Andrii Deinega wrote:
> Hi WG.
> draft-ietf-oauth-jwt-introspection-response-10 proposes to return
> signed JWTs as a response from the introspection endpoint... which is
> making me wonder if there are any particular reasons to not avail JSON
> Web Signature (JWS) Unencoded Payload Option (RFC 7797) and the
> X-JWS-SIGNATURE HTTP header in order to achieve the same goals?
> Pros would be
>  1. a token introspection response remains to be exactly the same as
>     it was before with an exception for a JWT in the X-JWS-SIGNATURE
>     HTTP header (where a detached payload is the actual token
>     introspection response)
>  2. the AS can safely enable it for all responses from the
>     introspection endpoint so clients who don't require or just aren't
>     aware of this header will continue to work as before and
>     accordingly, the clients who require some stronger assurance will
>     require and check a JWT in X-JWS-SIGNATURE HTTP header
>  3. the same approach could also work for other endpoints such as the
>     revocation and OIDC UserInfo endpoints
> What do you think?
> Regards,
> Andrii
> _______________________________________________
> OAuth mailing list

Vladimir Dzhuvinov