IETF Logo Mail Archive

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt

Petteri Stenius <Petteri.Stenius@ubisecure.com> Wed, 24 July 2019 14:00 UTC

Return-Path: <Petteri.Stenius@ubisecure.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 678B1120088 for <oauth@ietfa.amsl.com>; Wed, 24 Jul 2019 07:00:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ubisecure.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bbSWVa9wHsjz for <oauth@ietfa.amsl.com>; Wed, 24 Jul 2019 07:00:12 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0631.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1f::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5478512006F for <oauth@ietf.org>; Wed, 24 Jul 2019 07:00:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hTuSO/t4YqlpaYbX6Pr4QExw/s98xMbPFL0MG6glLxd5Kuiv6mORzrzo/+dyIzHtGFC/djZ8iCZ/NDpJCnt2k+uUSgUK2aOebxS2uAkYagkTTqIAXJwdo2GMY7GKjh0FJdBY/MFAKzHfIcvvnh4jcEYmoZRJEWLONU53qG677u9DAzbIL4btmjPfosVD+Cy3t/dkLRotscnnULIeLLReOklrJWZcf3rSHXfb+NCSv2tuKYRAJvesgVEpuOtiFGNloCFZ1mdLcWbAdX8Xmu2tLfmdaiHG7Wx1S4TUG6UpypkOViSfuOpc0luD0YwX+0pPlXA1uPpvx9/rCl2+1wDLrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zeDDrRMSKwipvHTJ2Krs/rP+/dEBb2dAroQQBbwisUM=; b=bxbJ0xIhXpta0/FHwEIVDwhz6IEivgRVByEcnbQmcl6oaThr6KE+r5mg92C2isMpzBx40VsfJfI6+2c7vHVTHwd5DxVLfdjN+WIRl1kbJM2+2dLLo5d56Fr0W9PJr3LnIgXy35GBuB79GbKyQoYtZzroBQKYCswsqh1ff+zj7GBvlBALhIyiy2uOpzu3DzyvCN/ODU+yAvgdZ85e9J1QaL0opqO02nw/fHipSGlTvQ/q63jrOtbJz92E+2ao3c/R0GQQV4PaNAt+qm3hACNyT7G5+nvjAX5BvSkNetW6FuiArmJN/4gPyzw5nL1RZnCiuEarGyJgcpyWLY1/9qxqvg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ubisecure.com;dmarc=pass action=none header.from=ubisecure.com;dkim=pass header.d=ubisecure.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ubisecure.onmicrosoft.com; s=selector2-ubisecure-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zeDDrRMSKwipvHTJ2Krs/rP+/dEBb2dAroQQBbwisUM=; b=NR3gC69K0RiXme9Ws1VKo/j+L1HHcz1EDMrKJ+ysiTFiC2rDtO72rem1UwFESxLLGUPJShWjNnam2CcTJkMX4r1dKcvce8K2i5tt0TkIgPJGxsOJJ8qTYv1mjAv8+ctxu9OLbWlc+z0QXXwYRWpP4E9Nu0ZP7dBSZOoEXH2M94I=
Received: from HE1PR05MB4713.eurprd05.prod.outlook.com (20.176.164.14) by HE1PR05MB4522.eurprd05.prod.outlook.com (20.176.163.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2094.17; Wed, 24 Jul 2019 14:00:09 +0000
Received: from HE1PR05MB4713.eurprd05.prod.outlook.com ([fe80::30b1:6957:654:6a3f]) by HE1PR05MB4713.eurprd05.prod.outlook.com ([fe80::30b1:6957:654:6a3f%7]) with mapi id 15.20.2094.013; Wed, 24 Jul 2019 14:00:09 +0000
From: Petteri Stenius <Petteri.Stenius@ubisecure.com>
To: "oauth@ietf.org" <oauth@ietf.org>, Vittorio Bertocci <Vittorio@auth0.com>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt
Thread-Index: AQHVP8O1aR003BiBLUSq4eEKB3WORqbZzhjg
Date: Wed, 24 Jul 2019 14:00:04 +0000
Message-ID: <HE1PR05MB4713DFD087FF2286CC9AE365FAC60@HE1PR05MB4713.eurprd05.prod.outlook.com>
References: <156371372426.20589.10365011724092335159@ietfa.amsl.com>
In-Reply-To: <156371372426.20589.10365011724092335159@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Petteri.Stenius@ubisecure.com;
x-originating-ip: [195.197.205.34]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: daa2c45b-280a-4574-5dcf-08d7103f3d31
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR05MB4522;
x-ms-traffictypediagnostic: HE1PR05MB4522:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <HE1PR05MB45225D7CC9A58A9726879257FAC60@HE1PR05MB4522.eurprd05.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0108A997B2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(136003)(396003)(39840400004)(366004)(13464003)(189003)(199004)(68736007)(186003)(6666004)(76176011)(26005)(8936002)(71200400001)(7696005)(6506007)(102836004)(81156014)(81166006)(71190400001)(8676002)(14444005)(25786009)(11346002)(2906002)(316002)(446003)(99286004)(256004)(86362001)(6116002)(476003)(305945005)(3846002)(74316002)(7736002)(66574012)(229853002)(52536014)(486006)(2501003)(5660300002)(66066001)(66446008)(33656002)(66556008)(66476007)(64756008)(66946007)(76116006)(6306002)(9686003)(508600001)(110136005)(14454004)(966005)(6436002)(55016002)(6246003)(53936002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR05MB4522; H:HE1PR05MB4713.eurprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ubisecure.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: PzXF+etqwgsZ7UhM5yeHkFQ4CnQGaP4bLccHR3mfpN14BuKbp31ypmUc9PuDXiVWybVDL9kfl+FJQq7Uhpb/BA53eO76FfJX1NQzGDq75FmePbmWfE7CS+spNfND6Kt+C4Vxl3urt7JEq/UwILUz/XOioehBHsJgeG2CLQ3FdbFyKuktm1Qzl6NwMpDiksFGKX9Zdnu2Z/WgGUksDuE+EYiCdrO2iEl/xuVHBdKc7fQjIkRY4UgoE2J/D2kuaeQXiZMCV5v/9ZRJGBMPKefS8Hb2WB2bt/P+lGIgrdAHBPFDYyWmCj8hSRKpeHB/bfTB7zsIeQ55gUijeyyHb1S5GXjQOt2RhFCUG2uPNtdA6pKPtbUGV7F2gS2WlHmPd2RBgK1CBoRY2Fpmx/k1mP6Fz6UKjZd44eoB6AiphmU5Zn0=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ubisecure.com
X-MS-Exchange-CrossTenant-Network-Message-Id: daa2c45b-280a-4574-5dcf-08d7103f3d31
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Jul 2019 14:00:04.1272 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: feaa1139-6ffc-4422-9c7b-980ad003c1a7
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Petteri.Stenius@ubisecure.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR05MB4522
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/esHdoK-oZ7Bsr2e8h2B-sja1XSg>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 14:00:16 -0000

Hi Vittorio,

Thanks for working on this. I think this will be valuable. I have a couple of comments.

About relationship of this draft with token exchange, introspection and revocation:

Should there be a distinct Token Type Identifier defined for JWT Access Token, to enable exchange of reference type access token and value type access token? I'm thinking of a use case where I want authorization code flow to return an opaque reference token and I want my backend services to exchange this into a value token, to avoid further introspection on the backend side.

Introspection (and userinfo) with JWT Access Token should work as expected. If a JWT Access Token is revoked then introspection response should become negative. Is it reasonable to add text that advises the resource server to invoke introspection if it wants to make sure the token has not been revoked?


Thanks,
Petteri


-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: sunnuntai 21. heinäkuuta 2019 15.55
To: i-d-announce@ietf.org
Cc: oauth@ietf.org
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-access-token-jwt-01.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens
        Author          : Vittorio Bertocci
	Filename        : draft-ietf-oauth-access-token-jwt-01.txt
	Pages           : 15
	Date            : 2019-07-20

Abstract:
   This specification defines a profile for issuing OAuth2 access tokens
   in JSON web token (JWT) format.  Authorization servers and resource
   servers from different vendors can leverage this profile to issue and
   consume access tokens in interoperable manner.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-01
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-access-token-jwt-01


Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email