IETF Logo Mail Archive

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

Warren Parad <wparad@rhosys.ch> Mon, 08 February 2021 16:00 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B927C3A10E6 for <oauth@ietfa.amsl.com>; Mon, 8 Feb 2021 08:00:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AhhCz0oNp_ar for <oauth@ietfa.amsl.com>; Mon, 8 Feb 2021 07:59:59 -0800 (PST)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC8B83A10E4 for <oauth@ietf.org>; Mon, 8 Feb 2021 07:59:59 -0800 (PST)
Received: by mail-io1-xd2f.google.com with SMTP id f6so15486921ioz.5 for <oauth@ietf.org>; Mon, 08 Feb 2021 07:59:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+DWucPBhygW12HqQsn3czO2ypyEqRbrB9yLRVHOEFb4=; b=TcGeHnzYMa1u/XQ01G1tSuFqjoU/vyfW56k44VapKujzTh2Fhc0/mr0r7YB9iQ0CjA GBnqdK+aon2wnY8yhqs4EW+S30wa/xqvTMln2q+mQ4CeVzM1JaPKaKrDgKjL7aIF/Ln9 EOx9wQdubKoGkNsHyGxTeK7fpnKvtBUDwdcbIuqcL8lchlC03gKUMFex6wrkTFHyfyKF Ld9pT5+x6tfHYODs5N2ohrxlhEeQoKS1Hc+lhdEvRhwoLvb3XCh3xy7jCiumz4MWqMBb X38VTEbO/lUr363HpmiWZdUeYC3jXbdenR9SwVF1OjHxu61YH3dYl7edz3u797Curcj8 5qzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+DWucPBhygW12HqQsn3czO2ypyEqRbrB9yLRVHOEFb4=; b=dGwwbydC51Qs3F2TNaZEb4H3WzVQaBCdK1SVGurPGANT45ugQaRYIpraUz5p/aww/K gTJ0ng1U5gHYPEPT7mypRNcRGj3AKtposqpo5ga0LNqJF/9Ay7ce4gZg3oU2DoUSwwR2 v3R3g97OtL0qYzhfeFU0EnSd6cxjg3Ku6PvRwZGAGsLc1iFUOELspDs/Glx9QzfzhfPD r3BYd1/CinRx8EdRUQGjtV6bq53QA7lcFK42ES7RaNs0wxjL42GVcE618XW/qBZz8Xad 6GU44SsajyFjp6GapM3wR9i/Yf3tJMKgZP9xEr7wTw4oUMYr5r40MPaacZgxNl/RBwG4 Zmzw==
X-Gm-Message-State: AOAM533mBlgT4qTsYS02LraDR+794T6G18+VRrH/fPwiykneNb7vWOuD j1rljw4b6kmNEZUvNFflmd1lEUbypBRVLiSYI0Bg
X-Google-Smtp-Source: ABdhPJxFOwEuaG1RtZ9IH0uWD4CSg/SbFCgKUsD/rkyVzCuKUvYLGHtcC8/XOCVD1uYjz7h48DSVJEhsPk7R6ZJ4kuE=
X-Received: by 2002:a05:6638:164c:: with SMTP id a12mr18318633jat.128.1612799998835; Mon, 08 Feb 2021 07:59:58 -0800 (PST)
MIME-Version: 1.0
References: <CAJot-L05Nb5FQQ_OOgW_s4Mswo0GW3-j7HTTxtbR2OgqESijWg@mail.gmail.com> <579E1C30-107C-43E6-A521-01A674DAB0F3@lodderstedt.net> <CAJot-L1tMjM=JHtn3sHROLtzoxAkOGr33m66mcRH9-Vvss6QRg@mail.gmail.com> <78c83541-0b77-1c16-a302-3e88b2842947@connect2id.com>
In-Reply-To: <78c83541-0b77-1c16-a302-3e88b2842947@connect2id.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Mon, 08 Feb 2021 16:59:47 +0100
Message-ID: <CAJot-L0q1MZvW_h=puyu6_htk_y5gx0VhdC4RyaJn_eucO_36Q@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, draft-ietf-oauth-jwt-introspection-response@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000658dd05bad543aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/775w2_8-UTykQg89yY6viE1nNsw>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 16:00:03 -0000

None of that justified explicitly stating that refresh token introspection
shouldn't be done. At best it suggests that we should explicitly add
language in the draft to directly encourage it. But if an AS wants to
support it, we shouldn't stop them, or suggest that they can't do it.

Allowing refresh tokens to be introspected can also create a conflict with
> the sec recommendation to rotate them


Not following, can you explain this further?

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://authress.io>.


On Mon, Feb 8, 2021 at 4:13 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> At first it may appear that allowing refresh tokens at the introspection
> endpoint may be a logical thing to do, but in practice there are issues
> with that and from an OAuth 2.x perspective it's not easy to justify.
>
> If the point is to let clients check what authorization they have been
> given OAuth 2.0 already provides a std way to do that - in the access token
> response - the "scope" parameter:
>
> https://tools.ietf.org/html/rfc6749#section-5.1
>
> RAR has a similar parameter:
>
> https://tools.ietf.org/html/draft-ietf-oauth-rar-03#section-3.4.1
>
> If the point is to find if a refresh token is still valid - this can be
> found out by simply using it. Allowing refresh tokens to be introspected
> can also create a conflict with the sec recommendation to rotate them. So
> thus it may be a better idea to not let clients assume too much about them.
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.2.2
>
> If the AS is going to expose refresh token data to a client it will also
> have to make a careful judgement what data it exposes.
>
> https://tools.ietf.org/html/rfc7662#section-2.2
>
> For instance "sub". OAuth 2.x in the relation between AS and client
> actually has no concept or definition of subject / end-user identifier. And
> this is done for a good reason, because it's not a user authentication
> protocol. OIDC was designed for that. And to prevent tracking of users and
> other privacy issues OIDC also specifies pairwise subject IDs. The plain
> OAuth 2.x world doesn't have this.
>
> Vladimir
> On 08/02/2021 11:07, Warren Parad wrote:
>
> It doesn't work that way. You suggested to add language to the draft, that
> means the burden of proof is on you to justify adding it.
>
> Otherwise I could just say why not?
>
> And I can go stronger, what's the purpose of nho introspection endpoint at
> all, and why encourage sending access tokens to the AS?
>
> Even if you can justify access tokens, there currently isn't evidence
> provided why we should explicity discourage.
>
>
> On Mon, Feb 8, 2021, 03:18 Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
>
>>
>>
>> Am 08.02.2021 um 00:56 schrieb Warren Parad <wparad@rhosys.ch>:
>>
>> 
>>
>>> I‘m therefore leaning towards explicitly stating in our draft that it is
>>> not intended to be used with refresh tokens.
>>
>> I'm not following, why explicitly state that it isn't intended. If an AS
>> wants to provide a similar JSON response to a query with the refresh token,
>> why not encourage that?
>>
>>
>> Why should we encourage it?
>>
>>
>> Warren Parad
>>
>> Founder, CTO
>> Secure your user data and complete your authorization architecture.
>> Implement Authress
>> <https://www.google.com/url?q=https://authress.io&source=gmail-imap&ust=1613346997000000&usg=AOvVaw267Z448csTGn3F6REIQ9pT>
>> .
>>
>>
>> On Sun, Feb 7, 2021 at 10:58 PM Torsten Lodderstedt <torsten=
>> 40lodderstedt.net@dmarc.ietf.org> wrote:
>>
>>> Hi Andrii,
>>>
>>> Am 07.02.2021 um 21:30 schrieb Andrii Deinega <andrii.deinega@gmail.com
>>> >:
>>>
>>> 
>>> Hi Torsten,
>>>
>>> thank you for your response.
>>>
>>> My use case is pretty straight forward
>>>
>>> An OAuth client queries the AS to determine the active state of an
>>> access token and gets the introspection response which indicates that this
>>> access token is active (using RFC7662).
>>>
>>> An OAuth client queries the AS to determine the active state of a
>>> refresh token and gets the introspection response which indicates that this
>>> refresh token is active (using RFC7662).
>>>
>>> An OAuth client queries the AS to determine the active state of an
>>> access token and gets the introspection response (JWT) which indicates
>>> that this access token is active (using this draft).
>>>
>>> Now, an OAuth client queries the AS to determine the active state of a
>>> refresh token (using this draft)... How will the introspection response
>>> look like assuming that the client provides the valid refresh token and
>>> technically, nothing stops it from doing so.
>>>
>>>
>>> why should the state be provided as JWT?I think the plain JSON response
>>> is sufficient in that case.  I also think using token introspection for
>>> checking the state of a token from the client side has limited utility. The
>>> definitive decision is always made when the client tries to access a
>>> resource.
>>>
>>> I‘m therefore leaning towards explicitly stating in our draft that it is
>>> not intended to be used with refresh tokens.
>>>
>>> best regards,
>>> Torsten.
>>>
>>>
>>> Regards,
>>> Andrii
>>>
>>>
>>> On Sun, Feb 7, 2021 at 4:14 AM Torsten Lodderstedt <
>>> torsten@lodderstedt.net> wrote:
>>>
>>>> Hi Andrii,
>>>>
>>>> thanks for your post.
>>>>
>>>> The draft is intended to provide AS and RS with a solution to exchange
>>>> signed (and optionally encrypted) token introspection responses in order to
>>>> provide stronger assurance among those parties. This is important in use
>>>> cases where the RS acts upon the introspection response data and wants the
>>>> AS to take liability re the data quality.
>>>>
>>>> I’m not sure whether there are similar use cases if a client
>>>> introspects a refresh token. What is your use case?
>>>>
>>>> best regards,
>>>> Torsten.
>>>>
>>>> > Am 07.02.2021 um 08:41 schrieb Andrii Deinega <
>>>> andrii.deinega@gmail.com>:
>>>> >
>>>> > Hi WG,
>>>> >
>>>> > draft-ietf-oauth-jwt-introspection-response-10 states that "OAuth 2.0
>>>> Token Introspection [RFC7662] specifies a method for a protected resource
>>>> to query an OAuth 2.0 authorization server to determine the state of an
>>>> access token and obtain data associated with the access token." which is
>>>> true. Although, according to RFC7662, the introspection endpoint allows to
>>>> introspect a refresh token as well. Hence, the question I have is how will
>>>> a token introspection response look like when the caller provides a refresh
>>>> token and sets the "Accept" HTTP header to
>>>> "application/token-introspection+jwt"?
>>>> >
>>>> > I expect there will be no differences, right?
>>>> >
>>>> > If so, I suggest to
>>>> >       • replace "a resource server" by "the caller" in section 4
>>>> (Requesting a JWT Response)
>>>> >       • change "If the access token is invalid, expired, revoked" by
>>>> "If a given token is invalid, expired, revoked" in section 5 (JWT Response)
>>>> > If not, my suggestion would be to clarify what the AS should do when
>>>> it asked to introspect the refresh token in general and additionally, what
>>>> should happen in the same case based on the type of the caller from the
>>>> AS's point of view.
>>>> >
>>>> > Regards,
>>>> > Andrii
>>>> >
>>>>
>>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> <https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/oauth&source=gmail-imap&ust=1613346997000000&usg=AOvVaw3ZHWt08dlcHAgxyfj2hrsX>
>>>
>>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
> --
> Vladimir Dzhuvinov
>
>

v2.23.0 | Report a Bug | By Email