Re: [OAUTH-WG] self-issued access tokens
Nikos Fotiou <fotiou@aueb.gr> Thu, 30 September 2021 06:47 UTC
From: Nikos Fotiou <fotiou@aueb.gr>
Message-Id: <09C675DC-1DC8-4860-A4DD-CE70B1FD5577@aueb.gr>
Date: Thu, 30 Sep 2021 09:47:42 +0300
In-Reply-To: <581ea93b-ab52-e4e2-ec53-c776060e99d1@danielfett.de>
Cc: oauth@ietf.org
To: Daniel Fett <fett@danielfett.de>
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <581ea93b-ab52-e4e2-ec53-c776060e99d1@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5rIZI9xrF_sZefsBj4eKogqjVlM>
FYI, this is exactly what we are doing in [1] to manage Verifiable Credentials using OAuth 2.0. The AS issues a verifiable credential that stays (for a long time) in the client. The client uses DPoP to prove ownership of the credential. We just started a new project funded by essif [2] that will further develop this idea and provide implementations.

Best,
Nikos

[1] N. Fotiou, V.A. Siris, G.C. Polyzos, "Capability-based access control for multi-tenant systems using Oauth 2.0 and Verifiable Credentials," Proc. 30th International Conference on Computer Communications and Networks (ICCCN), Athens, Greece, July 2021 (https://mm.aueb.gr/publications/0a8b37c5-c814-4056-88a7-19556221728c.pdf)
[2] https://essif-lab.eu

--
Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
Researcher - Mobile Multimedia Laboratory
Athens University of Economics and Business
https://mm.aueb.gr

> On 29 Sep 2021, at 6:42 PM, Daniel Fett <fett@danielfett.de> wrote:
>
> That very much sounds like a static string as the access token plus DPoP.
>
> -Daniel
>
> On 29.09.21 at 03:54, toshio9.ito@toshiba.co.jp wrote:
>> Hi OAuth folks,
>>
>> I have a question. Is there (or was there) any standardizing effort for "self-issued access tokens"?
>>
>> Self-issued access tokens are mentioned in a blog post by P. Siriwardena in 2014 [*1]. It's an Access Token issued by the Client and sent to the Resource Server. The token is basically a document signed (e.g. a JWT) by the private key of the Client. The Resource Server verifies the token with the public key, which is provisioned in the RS in advance.
>>
>> I think self-issued access tokens are a handy replacement for the Client Credentials Grant flow in simple deployments, where it's not so necessary to separate the AS and RS. In fact, Google supports this type of authentication for some services [*2][*3]. I'm wondering if there are any other services supporting self-signed access tokens.
>>
>> Any comments are welcome.
>>
>> [*1]: https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
>> [*2]: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
>> [*3]: https://google.aip.dev/auth/4111
>>
>> -------------
>> Toshio Ito
>> Research and Development Center
>> Toshiba Corporation
>
> --
> https://danielfett.de
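The self-issued access token Toshio describes above (a JWT signed with the Client's private key and verified by the Resource Server against a public key provisioned in advance), written out end to end as an added example. This is not code from the thread, from Google's service-account flow, or from the paper Nikos cites; the client id `client-42`, the audience `https://rs.example`, the Ed25519 key type and the 60-second skew allowance are all assumptions made for the example. The RS side shows the checks a practitioner would want: the algorithm is pinned rather than read from the header, the key is selected by `kid` from the provisioned set, the signature is verified before any claim is trusted, and `iss`/`sub`, `aud` and the `iat`/`exp` window are validated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JOSE header of the self-issued token. The client signs with its own key, so
// "alg" is pinned to EdDSA and "kid" names the client key the RS has on file.
type Header struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Kid string `json:"kid"`
}

// Token payload. iss and sub are both the client: no AS is involved.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// MintSelfIssuedToken is the client side: build a compact JWS and sign it with
// the client's private key. Keep ttl short; the RS has no way to revoke it.
func MintSelfIssuedToken(priv ed25519.PrivateKey, clientID, aud string, now time.Time, ttl time.Duration) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	// Marshalling these fixed structs cannot fail, so the errors are dropped.
	hdr, _ := json.Marshal(Header{Alg: "EdDSA", Typ: "at+jwt", Kid: clientID})
	body, _ := json.Marshal(Claims{
		Iss: clientID, Sub: clientID, Aud: aud,
		Iat: now.Unix(), Exp: now.Add(ttl).Unix(), Jti: b64(jti),
	})
	signingInput := b64(hdr) + "." + b64(body)
	return signingInput + "." + b64(ed25519.Sign(priv, []byte(signingInput))), nil
}

// ResourceServer holds the client public keys provisioned out of band (assumed
// here to be a static map); that provisioning step is what replaces the AS.
type ResourceServer struct {
	Audience string
	Keys     map[string]ed25519.PublicKey // client_id -> public key
}

func NewResourceServer(aud string) *ResourceServer {
	return &ResourceServer{Audience: aud, Keys: map[string]ed25519.PublicKey{}}
}

// Verify is the RS side: select the key by kid, verify the signature over the
// signing input, and only then validate the claims.
func (rs *ResourceServer) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		var err error
		if raw[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var h Header
	if err := json.Unmarshal(raw[0], &h); err != nil {
		return nil, err
	}
	// Pin the algorithm; the token header must not get to choose it.
	if h.Alg != "EdDSA" {
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	pub, ok := rs.Keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("no provisioned key for %q", h.Kid)
	}
	// Verify before trusting anything in the payload.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), raw[2]) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != h.Kid || c.Sub != h.Kid {
		return nil, errors.New("iss/sub do not match the signing key")
	}
	if c.Aud != rs.Audience {
		return nil, fmt.Errorf("token audience %q is not this RS", c.Aud)
	}
	if t := now.Unix(); c.Exp <= t || c.Iat > t+60 { // 60 s skew allowed on iat
		return nil, errors.New("token outside its validity window")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rs := NewResourceServer("https://rs.example")
	rs.Keys["client-42"] = pub // provisioned out of band, before any request
	tok, _ := MintSelfIssuedToken(priv, "client-42", rs.Audience, time.Now(), 5*time.Minute)
	c, err := rs.Verify(tok, time.Now())
	fmt.Printf("claims=%+v err=%v\n", c, err)
}
```

Note what this example does not do, which is Daniel's point: once minted, the token is still a bearer string for its lifetime, so anyone who captures it can present it until `exp`. Binding it to the client's key (DPoP, as Nikos describes for the credential case) is a separate proof-of-possession step on every request and is not shown here.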