Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

Brian Campbell <bcampbell@pingidentity.com> Mon, 19 March 2018 11:55 UTC

In-Reply-To: <CAF2hCbaKkR0mQR8Qo9hWEqC+J26QovED=P+iLHNF8j74FQ2gFg@mail.gmail.com>
References: <152140077785.15835.11388192447917251931.idtracker@ietfa.amsl.com> <2A1E98B8-973E-44F0-96F0-E319FD6969A8@lodderstedt.net> <308c1c61-a2ba-4e45-9fe6-9d525e554fb7@getmailbird.com> <DB5PR03MB1191DFA3BACC2806E2C07899F6D40@DB5PR03MB1191.eurprd03.prod.outlook.com> <85274C99-A8AA-452C-B8BC-46E7869642EB@oracle.com> <D5EA9141-08A3-427A-A4E7-A69DD5138327@lodderstedt.net> <84E8CEAD-98D3-48D2-AC48-0899BAC4419C@oracle.com> <CAF2hCbaKkR0mQR8Qo9hWEqC+J26QovED=P+iLHNF8j74FQ2gFg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 19 Mar 2018 11:55:51 +0000
Message-ID: <CA+k3eCSYYAnOyYt=2czdmZPYET6s2M+3APSE-+AZ_+wq35x62g@mail.gmail.com>
To: Samuel Erdtman <samuel@erdtman.se>
Cc: phil.hunt@oracle.com, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f6216c411d30567c2a346"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3OqndEQPqoMuynIYABKLoHPASmY>
Subject: Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

And let us not forget about JWS unencoded payload
https://tools.ietf.org/html/rfc7797

On Mar 19, 2018 11:41 AM, "Samuel Erdtman" <samuel@erdtman.se> wrote:

> Hi,
>
> Adding an additional proposal to the table. Mike Jones, Anders Rundgren
> and I have created a version of JWS where the signed JSON data does not
> have to be Base64url encoded (the JSON is signed using ES6 serialization
> rules). One of the benefits to this approach would be that the
> introspection data is transferred in cleartext while still fully protected.
> Since it is transferred in the response body and not in a URL there is no
> need for the Base64url encoding.
>
> The draft can be found here
> https://tools.ietf.org/html/draft-erdtman-jose-cleartext-jws-00
>
> And the example from your draft would look like this (the signature is not
> valid, I just copied it from another place)
> {
>   "sub": "Z5O3upPC88QrAjx00dis",
>   "aud": "https://protected.example.net/resource",
>   "extension_field": "twenty-seven",
>   "scope": "read write dolphin",
>   "iss": "https://server.example.com/",
>   "active": true,
>   "exp": 1419356238,
>   "iat": 1419350238,
>   "client_id": "l238j323ds-23ij4",
>   "username": "jdoe",
>   "__cleartext_signature": {
>     "alg": "ES256",
>     "kid": "example.com:p256",
>     "signature": "pXP0GFHms0SntctNk1G1pHZfccVYdZkmAJktY_hpMsIAckzX7wZJIJNlsBzmJ1_7LmKATiW-YHHZjsYdT96JZw"
>   }
> }
>
> On Mon, Mar 19, 2018 at 11:22 AM, Phil Hunt <phil.hunt@oracle.com> wrote:
>
>> +1.  This is what I expected.
>>
>> Phil
>>
>> Oracle Corporation, Identity Cloud Services Architect
>> @independentid
>> www.independentid.com
>> phil.hunt@oracle.com
>>
>> On Mar 19, 2018, at 10:16 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>
>> We explicitly want the token (JSON object) to be signed not the HTTP
>> response. I think using JWS is the most generic way to achieve that goal.
>>
>> On 19.03.2018 at 09:57, Phil Hunt <phil.hunt@oracle.com> wrote:
>>
>> This draft has similar issues to https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01
>>
>> Rather than *try* sign HTTP, a signed JWT object is more reliably
>> returned.
>>
>> Phil
>>
>>
>> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis <Louis.LARMIGNAT@wavestone.com> wrote:
>>
>> Hi,
>>
>> Couldn't the draft *Signing HTTP Messages* (https://tools.ietf.org/html/draft-cavage-http-signatures-09)
>> meet this requirement in a more generic way?
>>
>> Regards,
>> Louis
>>
>> *From:* OAuth <oauth-bounces@ietf.org> *On behalf of* Brock Allen
>> *Sent:* Sunday, 18 March 2018 20:40
>> *To:* Torsten Lodderstedt <torsten@lodderstedt.net>; oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] Fwd: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>
>> Why is TLS to the introspection endpoint not sufficient? Are you thinking
>> there needs to be some multi-tenancy support of some kind?
>>
>> -Brock
>>
>>
>> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt <torsten@lodderstedt.net>
>> wrote:
>> Hi all,
>>
>> I just submitted a new draft that Vladimir Dzhuvinov and I have written.
>> It proposes a JWT-based response type for Token Introspection. The
>> objective is to provide resource servers with signed tokens in case they
>> need cryptographic evidence that the AS created the token (e.g. for
>> liability).
>>
>> I will present the new draft in the session on Wednesday.
>>
>> kind regards,
>> Torsten.
>>
>>
>> Begin forwarded message:
>>
>> *From: *internet-drafts@ietf.org
>> *Subject: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt*
>> *Date: *18 March 2018 at 20:19:37 CET
>> *To: *"Vladimir Dzhuvinov" <vladimir@connect2id.com>, "Torsten
>> Lodderstedt" <torsten@lodderstedt.net>
>>
>>
>>
>> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>>
>> Name:           draft-lodderstedt-oauth-jwt-introspection-response
>> Revision: 00
>> Title:          JWT Response for OAuth Token Introspection
>> Document date:  2018-03-15
>> Group:          Individual Submission
>> Pages:          5
>> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>>
>>
>> Abstract:
>>   This draft proposes an additional JSON Web Token (JWT) based response
>>   for OAuth 2.0 Token Introspection.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>>
>>
>>  _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

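Added example, not taken from any message in this thread nor from the drafts it discusses: a standard-library Python 3 script showing what the RFC 7797 "unencoded payload" option Brian points at looks like when applied to the introspection JSON from Samuel's example, and what a resource server has to check before trusting such a signature. The signing input is the protected header plus the raw JSON bytes, so the body stays cleartext on the wire and can be signed detached. The script uses HS256 with a constructed demo key instead of the ES256 key and JWKS an authorization server would use, and the function names and the sample response are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption of this example). A real AS would sign with an
# asymmetric key such as ES256 and the RS would fetch the public key from the AS's
# JWKS; HS256 keeps this script standard-library-only.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Constructed introspection response, modelled on the example in the thread.
INTROSPECTION_RESPONSE = {
    "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource",
    "scope": "read write dolphin",
    "iss": "https://server.example.com/",
    "active": True,
    "exp": 1419356238,
    "iat": 1419350238,
    "client_id": "l238j323ds-23ij4",
    "username": "jdoe",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS requires (RFC 7515 section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_unencoded(payload: bytes, key: bytes) -> tuple:
    """Sign raw payload octets per RFC 7797 ("b64": false).

    RFC 7797 section 3: signing input = ASCII(BASE64URL(protected header) || '.') || payload.
    Returns (protected_header, signature) as base64url strings; the payload is carried as-is.
    """
    header = {"alg": "HS256", "b64": False, "crit": ["b64"]}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    signing_input = protected.encode("ascii") + b"." + payload
    return protected, b64url(hmac.new(key, signing_input, hashlib.sha256).digest())


def compact_detached(protected: str, signature: str) -> str:
    # Compact form with the payload detached ("protected..signature"): an unencoded
    # payload containing '.' (every URL in the response does) cannot be embedded in
    # the compact serialization (RFC 7797 section 5.2), so the JSON travels as the
    # HTTP body and the JWS is sent alongside it.
    return protected + ".." + signature


def verify_unencoded(protected: str, payload: bytes, signature: str, key: bytes) -> dict:
    """Verify a detached JWS over raw payload octets; return the parsed JSON or raise ValueError."""
    header = json.loads(b64url_decode(protected))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    crit = header.get("crit", [])
    # RFC 7797 section 6: "b64" belongs in the protected header and, unless every
    # party is known to support it, is listed in "crit". This verifier insists on it.
    if "b64" in header and "b64" not in crit:
        raise ValueError('"b64" present but not listed in "crit"')
    # RFC 7515 section 4.1.11: reject any critical extension we do not understand.
    for name in crit:
        if name != "b64":
            raise ValueError("unsupported critical header parameter: " + name)
    if header.get("b64", True):
        signing_input = protected.encode("ascii") + b"." + b64url(payload).encode("ascii")
    else:
        signing_input = protected.encode("ascii") + b"." + payload
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("signature does not match payload")
    return json.loads(payload.decode("utf-8"))


def demo() -> dict:
    """Sign the sample response, verify it, then show two rejections the RS relies on."""
    payload = json.dumps(INTROSPECTION_RESPONSE, separators=(",", ":")).encode("utf-8")
    protected, signature = sign_unencoded(payload, DEMO_KEY)
    claims = verify_unencoded(protected, payload, signature, DEMO_KEY)
    # A byte-level edit to the cleartext body (flipping "active") breaks the signature.
    tampered = payload.replace(b'"active":true', b'"active":false')
    try:
        verify_unencoded(protected, tampered, signature, DEMO_KEY)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    # "b64": false without "crit" is rejected before any signature check, so a
    # verifier cannot be steered into silently using the wrong signing input.
    bad = b64url(json.dumps({"alg": "HS256", "b64": False}, separators=(",", ":")).encode())
    try:
        verify_unencoded(bad, payload, signature, DEMO_KEY)
        missing_crit_rejected = False
    except ValueError:
        missing_crit_rejected = True
    return {"jws": compact_detached(protected, signature), "active": claims["active"],
            "tamper_rejected": tamper_rejected, "missing_crit_rejected": missing_crit_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it and the output is the detached JWS next to the verified "active" claim and the two rejection flags. The point for an RS implementer is the ordering inside verify_unencoded: header sanity ("alg", "b64" in "crit", no unknown critical parameters) is settled before the signing input is even built, because with "b64" the header decides how the payload bytes enter the MAC or signature.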