Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

Mike Jones <Michael.Jones@microsoft.com> Wed, 26 August 2020 21:12 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: dick.hardt <dick.hardt@gmail.com>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
CC: "last-call@ietf.org" <last-call@ietf.org>, oauth <oauth@ietf.org>
Date: Wed, 26 Aug 2020 21:12:27 +0000
Message-ID: <CH2PR00MB0678DA2BC7234C2AC1CE784DF5541@CH2PR00MB0678.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gCvuuMo5WJdmtrG4uBaajH7WptE>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

I agree with Dick’s observation about the privacy implications of using an Introspection Endpoint.  That’s why it’s preferable to not use one at all and instead directly have the Resource understand the Access Token.  One way of doing this is the JWT Access Token spec.  There are plenty of others.

The downsides of using an Introspection Endpoint should be described in the Privacy Considerations section.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
Sent: Wednesday, August 26, 2020 9:52 AM
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Cc: last-call@ietf.org; oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard



On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
Hi Denis,

> On 25. Aug 2020, at 16:55, Denis <denis.ietf@free.fr> wrote:

> The fact that the AS will know exactly when the introspection call has been made and thus be able to make sure which client
> has attempted to perform an access to that RS and at which instant of time. The use of this call allows an AS to track where and when
> its clients have indeed presented an issued access token.

That is a fact. I don’t think it is an issue per se. Please explain the privacy implications.

As I see it, the privacy implication is that the AS knows when the client (and potentially the user) is accessing the RS, which is also an indication of when the user is using the client.

I think including this implication would be important to have in a Privacy Considerations section.

/Dick
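The two validation paths the thread contrasts, as an added example that is not part of any message above and not code from the draft: an RS that calls the AS's introspection endpoint (RFC 7662) versus an RS that validates a JWT access token locally (the "JWT Access Token" profile Mike refers to, published as RFC 9068). Everything runs in-process with a constructed fixed clock; the `AuthorizationServer` class, the `observations` list, the issuer and audience URLs and the HMAC secret are all assumptions made for the example. The token is HMAC-signed only so the example needs nothing beyond the standard library; a real AS signs with its private key and the RS verifies against the AS's published JWKS.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; none of these come from the thread.
SECRET = b"example-shared-hmac-key-not-for-production"
ISSUER = "https://as.example"
RS_AUDIENCE = "https://rs.example"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_jwt_access_token(token: str, now: int):
    """RS-side local validation of a JWT access token.  Returns the claims
    if the token is acceptable, else None.  The AS is never contacted."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    # typ=at+jwt (RFC 9068) stops ID tokens or other JWTs being replayed as
    # access tokens; pinning alg stops "alg" confusion.
    if header.get("typ") != "at+jwt" or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    # Issuer, audience and expiry are checked by the RS itself.  A real RS
    # would also accept a list-valued aud and tolerate a little clock skew.
    if claims.get("iss") != ISSUER or claims.get("aud") != RS_AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


class AuthorizationServer:
    """Issues tokens and answers RFC 7662 introspection.  `observations` is
    what the AS learns purely from introspection traffic, which is the point
    Denis and Dick raise in the thread."""

    def __init__(self):
        self.observations = []  # (time, client_id, which RS asked)

    def issue(self, client_id: str, sub: str, scope: str, now: int, ttl: int = 300) -> str:
        header = {"typ": "at+jwt", "alg": "HS256"}
        claims = {"iss": ISSUER, "aud": RS_AUDIENCE, "sub": sub, "client_id": client_id,
                  "scope": scope, "iat": now, "exp": now + ttl, "jti": f"{client_id}-{now}"}
        signing_input = f"{b64url(json.dumps(header).encode())}.{b64url(json.dumps(claims).encode())}"
        sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{b64url(sig)}"

    def introspect(self, token: str, calling_rs: str, now: int) -> dict:
        claims = verify_jwt_access_token(token, now)
        # Valid or not, the AS now knows a token was presented at `calling_rs`
        # at `now`; with a valid token it also learns which client (and so,
        # indirectly, which user) did so.
        self.observations.append((now, claims.get("client_id") if claims else None, calling_rs))
        return {"active": True, **claims} if claims else {"active": False}


def rs_check_via_introspection(as_: AuthorizationServer, token: str, now: int) -> bool:
    return as_.introspect(token, RS_AUDIENCE, now).get("active", False)


def rs_check_locally(token: str, now: int) -> bool:
    return verify_jwt_access_token(token, now) is not None


def tamper(token: str, **changes) -> str:
    """Rewrite claims but keep the old signature: must be rejected."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(b64url_decode(c_b64))
    claims.update(changes)
    return f"{h_b64}.{b64url(json.dumps(claims).encode())}.{s_b64}"


def demo() -> dict:
    as_ = AuthorizationServer()
    t0 = 1598476347  # constructed fixed clock, 2020-08-26T21:12:27Z
    token = as_.issue("client-app", "user-42", "read", now=t0)
    via_introspection = rs_check_via_introspection(as_, token, t0 + 10)
    seen_after_introspection = len(as_.observations)
    locally = rs_check_locally(token, t0 + 20)
    seen_after_local = len(as_.observations)
    return {
        "introspection_ok": via_introspection,
        "observations_after_introspection": seen_after_introspection,  # AS saw the access
        "local_ok": locally,
        "observations_after_local": seen_after_local,  # unchanged: AS saw nothing
        "expired_rejected": not rs_check_locally(token, t0 + 1000),
        "tampered_rejected": not rs_check_locally(tamper(token, scope="admin"), t0 + 20),
        "wrong_audience_rejected": not rs_check_locally(tamper(token, aud="https://other.example"), t0 + 20),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The introspection path leaves a record in `observations` (time, client, RS) for every access; the local path leaves none, which is the privacy difference under discussion. The trade-off the thread does not spell out is revocation: a locally validated JWT stays usable until `exp`, so the `ttl` chosen at issuance bounds how long a revoked token keeps working.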