Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"

Justin Richer <jricher@MIT.EDU> Wed, 04 March 2015 21:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BFDB91A893B for <>; Wed, 4 Mar 2015 13:45:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bqTgHAFWYOiB for <>; Wed, 4 Mar 2015 13:45:55 -0800 (PST)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6485A1A8963 for <>; Wed, 4 Mar 2015 13:45:55 -0800 (PST)
X-AuditID: 1209190f-f79546d000007593-1e-54f77d11ab14
Received: from ( []) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 44.FD.30099.11D77F45; Wed, 4 Mar 2015 16:45:53 -0500 (EST)
Received: from ( []) by (8.13.8/8.9.2) with ESMTP id t24LjrrR001551; Wed, 4 Mar 2015 16:45:53 -0500
Received: from artemisia.richer.local ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.13.8/8.12.4) with ESMTP id t24Ljp25019308 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 4 Mar 2015 16:45:52 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_064A87E6-A1C0-46F4-A636-8925D245F017"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: Justin Richer <jricher@MIT.EDU>
In-Reply-To: <>
Date: Wed, 4 Mar 2015 16:45:58 -0500
Message-Id: <2A7D9B45-2459-4558-8356-CAB1029D113D@MIT.EDU>
References: <>
To: Hannes Tschofenig <>
X-Mailer: Apple Mail (2.2070.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnleLIzCtJLcpLzFFi42IRYrdT1xWs/R5isHS2qcXSnfdYLU6+fcXm wOSxeNN+No8lS34yBTBFcdmkpOZklqUW6dslcGU8vLaCrWBHN2PFvyNtLA2MnaVdjJwcEgIm Eg0TdjND2GISF+6tZ+ti5OIQEljMJNH2dyqUs4FR4vn8c+wQzgMmialzl7ODtDALJEgsfn8Y zOYVMJCYe+oLE4gtLBAgsWLbSVYQm01AVWL+yltgcU4BdYmj83+A1bMIqEi8PXwOKM4BNEdd ov2kC4jJK2Alsed2KkiFkICaxLRTrxlBbBEBQ4nrM6ezgpRICMhL9GxKn8AoMAvJDbOQ3AAR 15ZYtvA1M4StKbG/ezkLpriGROe3iawLGNlWMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Zro5WaW 6KWmlG5iBIU7pyT/DsZvB5UOMQpwMCrx8GZEfwsRYk0sK67MPcQoycGkJMrrV/E9RIgvKT+l MiOxOCO+qDQntfgQowQHs5IIr50LUI43JbGyKrUoHyYlzcGiJM676QdfiJBAemJJanZqakFq EUxWhoNDSYL3ajVQo2BRanpqRVpmTglCmomDE2Q4D9DwDyA1vMUFibnFmekQ+VOMilLivNtB EgIgiYzSPLheWDp6xSgO9Iowr2INUBUPMJXBdb8CGswENPiW4heQwSWJCCmpBkaxm1r/Fjr9 ulO+9DeX++d2Lefrxzcf+fFVZWPUqnhHlwWeU30uX2S6YZO3kbs2tG71FgfZeVcT+36vd5Tj /N9Z1f+sP/aHIf/O/9sPn7wknttzRG+RhZirzo6tchK29Z6LnwVz/+sKCOialS90tsimgrEh UzmNNSdkndvK71debTGzaq9aW6DEUpyRaKjFXFScCACOVpbCIgMAAA==
Archived-At: <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] Alignment of JWT Claims and Token Introspection "Claims"
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 Mar 2015 21:45:58 -0000

Hi Hannes, thanks for the feedback. Responses inline.

> On Mar 3, 2015, at 5:56 AM, Hannes Tschofenig < <>> wrote:
> Hi Justin, Hi all,
> in OAuth we provide two ways for a resource server to make an
> authorization decision.
> 1) The resource server receives a self-contained token that contains all
> the necessary information to make a local authorization decision. With
> the JWT we have created such a standardized information and data model.
> 2) With an access request from a client the resource server asks the
> authorization server for "help". The authorization server provides
> information that help make the authorization decision. This is the token
> introspection approach.
> I believe the two approaches need to be aligned with regard to the
> information and the data model. Since both documents already use JSON as
> a way to encode information (=data model) and almost have an identical
> information model (the data that is being passed around).
> What needs to be done?
> * Use the term 'claims' in both documents.
> * Use the same registry (i.e., the registry established with the JWT).
> * Register the newly defined claims from the token introspection
> document in the claims registry.

We’ve already done this in the latest draft. Or at least, that’s the intent of the current text — the registry is referenced and the new claims are registered. Can you specifically point to places where this needs to be improved upon?

> Then, I have a few comments on the new claims that are proposed:
> Here is the definition of the 'active' claim:
>   active
>      REQUIRED.  Boolean indicator of whether or not the presented token
>      is currently active.  The authorization server determines whether
>      and when a given token is in an active state.
> This claim is not well-defined. You need to explain what "active" means.
> It could, for example, mean that the token is not yet expired. Then,
> there is of course the question why you are not returning the 'exp'
> claim together with the 'nbf' claim.

The definition of “active” is really up to the authorization server, and I’ve yet to hear from an actual implementor who’s confused by this definition. When you’re the one issuing the tokens, you know what an “active” token means to you. Still, perhaps we can be even more explicit, such as:

  REQUIRED. Boolean indicator of whether or not the presented token is currently active. The specifics of a token’s active state will vary depending on the implementation of the authorization server, but generally this will indicate that a given token has been issued by this authorization server, has not been revoked by the resource owner, and is within its given time window of validity (e.g. not expired). 

Also, this is one of the places where the overlap between JWT and introspection claims don’t make sense. It doesn’t make any sense for a JWT to carry an “active” claim at all. Why would you have a JWT claim to be anything but active? We should register it with the JWT registry to avoid name collisions, but there’s nothing in the JWT registry that says “don’t use this inside of a JWT”. Do you have any advice on how to address this?

> client_id: What is the resource server going to do with the client_id?
> What authorization decision could it make?

Whatever it wants to. If an RS can figure out something from the client_id, why not let it? The client_id is a piece of information about the context of the issuance of the token, and a common enough OAuth value for decision making. 

> I have a couple of reactions when I read the 'user_id' claim:
>  - I believe the inclusion of a user id field in the response could
> lead to further confusion regarding OAuth access token usage for
> authentication.

This isn’t any different from having a userinfo-endpoint equivalent (like social graph or twitter API) and it’s got the same trouble. 

>  - Since you define it as a human readable identifier I am wondering
> whether you want to say something about the usage. Here it seems that it
> might be used for displaying something on a webpage rather than making
> an authorization decision but I might well be wrong.

We added in “user_id” to our implementation due to developer demand — they wanted a username associated with the return value, but to leave the “sub” value the same as that defined by OpenID Connect. Note that this is in an environment where the username is a known quantity, and they’re not trying to do cross-domain authentication. They just want to know whose token this was so they can figure out whose data to return. It’s not used for display, but I tried to make the definition in contrast to the machine-facing “sub” value.

>  - I am missing a discussion about the privacy implications of it.
> While there is a privacy consideration section I am wondering what
> controls the release of this sensitive information from the
> authorization server to the resource server. While in some cases the two
> parties might belong to the same organization but in other cases that
> may not necessarily be true.

You’re correct, this is currently missing and I’ll add that in.

>  - In terms of the information exchanged about the user I am curious
> about the usefulness of including other information as well, such as the
> info that is included in an id token (see
> <>). If this
> has nothing to do with the ID token concept and the information carried
> within it then I would add that remark.

You could introspect an ID token if you wanted to, but it’s usually easier to just parse it yourself because it’s self-contained. The ID Token also extends JWT, so there’s nothing stopping you from returning those claims as well. However, note that the audience of the ID token is the OAuth *client* whereas the targeted user of the introspection endpoint is the *protected resource*. The PR isn’t going to see the ID Token most of the time, and the client’s not going to need to (or be able to) introspect its tokens most of the time, so in practice there’s not really any overlap.

 — Justin

> Ciao
> Hannes
> _______________________________________________
> OAuth mailing list
> <>
> <>