[OAUTH-WG] JWS Access Token concerns

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 23 February 2016 17:15 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61B451B371E for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2016 09:15:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eQqcc9vhpqru for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2016 09:15:31 -0800 (PST)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E27CC1B371C for <oauth@ietf.org>; Tue, 23 Feb 2016 09:15:30 -0800 (PST)
Received: by mail-wm0-x234.google.com with SMTP id g62so210529310wme.0 for <oauth@ietf.org>; Tue, 23 Feb 2016 09:15:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=JgBX89sc0qIHTcm1aoe4v3mfV1D9ET+CxhGWq4KwYsc=; b=xLRle2D0d8ejbHeAeqXVVfCIPcSSXTQxCZN/2DnauJWb9D/C3dHknF1/MNZ+B9oqn8 sLC/IjJ+Uc6XQTlcTlc96sGtlTjW/qbbvuycEBvxfmykV4zTinJefJlOBOmYRf0fI+Qg 8A1iQpBA5r+ln+VDhPfwLLO0RinGr4ueLM/J2QYcYdI2ZSc7UhPE5NxRx+ponyTS8EO5 D099LUCuGGBYZR9Rz1MvwHL8kBdWsHr3eHt47iO0Qo6yag5QtbP7Jf2sKrmhkSq0Nh6M Yc5a74eRukv1LLMBsefkBLThupJrcb+p67GKYt58kWScGIM2Ji0RzGBlJQhNLjZvxE7A HOBA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=JgBX89sc0qIHTcm1aoe4v3mfV1D9ET+CxhGWq4KwYsc=; b=bauiXTaoAngu5mOKsHq3Dtqzh44mxHR4ez4Cdu8U1VWvwVntSKs0XkIRXB5+syPeJm piVDzbLn2ndubNWiO9+5W0PRmrCjbyPtIb24yflzxfg5uI0HmUWO+0c6UONUDF7uephi yJE71mhwKKnJxnYSfCalaDYJ1biEvo5fJpWzw1hwFHGHaxAAUp8B1IwJQwN+U4/uSlee LANUxbPdyh7zysi2SqDQzKBA8JW6ir5cBixAnSSeeNhXU2Ur0avrx3awX2dwd77vhWau PFrXhD3SkZjooHMsUcJDS1xMfP7uoWO4xNw8Vaav4k30KCaPUUnhizNSr7cEZ37W2DMX qrsw==
X-Gm-Message-State: AG10YOTA84LSLM0ImZkrbF5575O7/OoWKctBeGzFkCyzZqcS6UD+C+9siTSqRxw+DNlfhw==
X-Received: by 10.28.1.196 with SMTP id 187mr19211001wmb.68.1456247729523; Tue, 23 Feb 2016 09:15:29 -0800 (PST)
Received: from [192.168.2.7] (31-187-45-195.dynamic.upc.ie. [31.187.45.195]) by smtp.googlemail.com with ESMTPSA id i12sm27103950wmf.10.2016.02.23.09.15.27 for <oauth@ietf.org> (version=TLSv1/SSLv3 cipher=OTHER); Tue, 23 Feb 2016 09:15:28 -0800 (PST)
To: oauth@ietf.org
References: <56C7702B.2000401@gmx.net> <BY2PR03MB442E9BF84AFA890378C5116F5A00@BY2PR03MB442.namprd03.prod.outlook.com> <56C77D92.5050203@pingidentity.com> <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com> <CAAP42hD96u0Nepdo8YcHeXEo2v1Mo=a_Zo4OcS9ppu7rU-=8Ag@mail.gmail.com> <1756F20F-CE42-4523-BE8E-450762D34697@ve7jtb.com> <05af01d16d4a$20230af0$606920d0$@nri.co.jp> <0CD2EAC7-A9B6-44AC-9644-7E20E345464F@ve7jtb.com> <CAAP42hDFiY-YiuAJfs43dyg0WoJH+dBe5CmdwKczirUKoD6fJw@mail.gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <56CC93AF.1060105@gmail.com>
Date: Tue, 23 Feb 2016 17:15:27 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAAP42hDFiY-YiuAJfs43dyg0WoJH+dBe5CmdwKczirUKoD6fJw@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/6Dfw5dDJ429LocFDsc0Luqn-szs>
Subject: [OAUTH-WG] JWS Access Token concerns
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 17:15:32 -0000

Hi

Some OAuth2 providers may return self-contained access tokens which are 
JWS Compact-encoded.
I wonder is it really a good idea and would it not be better to only 
JWE-encrypt the tokens. I'm not sure JWS signing the claims is 
necessarily faster then only encrypting the claims, assuming the 
symmetric algorithms are used in both cases.

For example, my colleague and myself, while dealing with the issue 
related to parsing an access token response from a 3rd party provider 
were able to easily check the content of the JWS-signed access_token by 
simply submitting an easily recognized JWS Compact-formatted value (3 
dots) into our JWS reader - we did not have to worry about decrypting it 
neither the fact we did not validate the signature mattered.

But access tokens are opaque values as far as the clients are concerned 
and if the introspection is needed then the introspection endpoint does 
exist for that purpose...

Thanks, Sergey