Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Justin Richer <jricher@mit.edu> Wed, 04 March 2020 15:38 UTC

From: Justin Richer <jricher@mit.edu>
Message-Id: <B9BFA279-0C95-410E-8DAC-72DD8B080B79@mit.edu>
Date: Wed, 04 Mar 2020 10:37:52 -0500
In-Reply-To: <CALAqi_-Nj6rfFJThH3H-r1oivKCFFW3Wwhhfbephq4f9OMTTQw@mail.gmail.com>
Cc: Takahiko Kawasaki <taka@authlete.com>, oauth <oauth@ietf.org>
To: Filip Skokan <panva.ip@gmail.com>
References: <CAHdPCmPCMJqH-aOC2SjFhGd9sjd01xw=VEj5y1jA5nRNRhu4EA@mail.gmail.com> <CAHdPCmMP5=wQSq_YW3+honto==s_bZpCas+=bxJqfqJh24gTzQ@mail.gmail.com> <CALAqi_-Nj6rfFJThH3H-r1oivKCFFW3Wwhhfbephq4f9OMTTQw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CI3RJPMubJ0oL5IsFoq1jFK-pH4>
Subject: Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

+1, this encapsulation is much cleaner.

> On Mar 2, 2020, at 2:25 AM, Filip Skokan <panva.ip@gmail.com> wrote:
> 
> Perhaps we should consider leaving the root level JWT claims as-is per JWT and push the introspection response unmodified, as if it were a regular JSON response, into a JWT claim called "introspection". Since regular introspection uses the same claim names as JWT this would get around all the conflicts.
> 
> Last time I brought it up the authors didn't want to consider it because of existing implementations.
> 
> S pozdravem,
> Filip Skokan
> 
> 
> On Mon, 2 Mar 2020 at 07:52, Takahiko Kawasaki <taka@authlete.com> wrote:
> Thank you, Tatsuo Kudo, for showing me that Justin Richer expressed the same concerns in this mailing list about 6 months ago (on Sep. 4, 2019). RFC 8707 didn't exist then, though.
> 
> Re: [OAUTH-WG] Question regarding draft-ietf-oauth-jwt-introspection-response-05
> https://mailarchive.ietf.org/arch/msg/oauth/LmMAxd35gW5Yox0j4MmU2rI_eUA/
> 
> A JWT puts both (a) information about itself and (b) other data in its payload part. When the "other data" have the same claim names as are used to express information about the JWT itself, conflicts happen.
> 
> Also, it should be noted that Ben pointed out in another thread that the requirement for "jti" in draft-ietf-oauth-jwt-introspection-response, which says "jti" is a unique identifier for the access token that MUST be stable for all introspection calls, contradicts the definition of "jti", which should be unique for each JWT.
> 
> Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)
> https://mailarchive.ietf.org/arch/msg/oauth/S4q7cF0TMZMzFO61I5M4QXCUWCM/
> 
> draft-ietf-oauth-jwt-introspection-response needs to be modified to solve the conflicts.
> 
> Taka
> 
> On Sun, Mar 1, 2020 at 4:10 PM Takahiko Kawasaki <taka@authlete.com> wrote:
> Hello,
> 
> I'm wondering if the following conflicts in "JWT Response for OAuth Token Introspection" (draft 8 <https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08>) have already been pointed out.
> 
> RFC 8707 <https://tools.ietf.org/html/rfc8707> (Resource Indicators for OAuth 2.0) requires that 'aud' in an introspection response hold the values of the 'resource' request parameters, whereas "JWT Response for OAuth Token Introspection" says that 'aud' MUST identify the resource server receiving the token introspection response. The definitions conflict.
> 
> RFC 7662 <https://tools.ietf.org/html/rfc7662> (OAuth 2.0 Token Introspection) requires that 'iat' in an introspection response indicate when the access/refresh token was issued, whereas "JWT Response for OAuth Token Introspection" says that 'iat' indicates when the introspection response in JWT format was issued. The definitions conflict.
> 
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
> 
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
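The layout Filip proposes, and the 'aud'/'iat'/'jti' conflicts Taka and Ben raise, can be seen side by side in code. The following is an added illustration, not code from the draft, from Authlete, or from anyone on this thread. It assumes the claim name "introspection" from Filip's message, an HS256 shared secret so that it runs offline (a real AS would sign with its private key and the RS would verify with the AS's public key), the "typ" header value "token-introspection+jwt", and the example URLs and identifiers below, all of which are constructed. At the top level, 'aud', 'iat' and 'jti' describe the introspection response JWT exactly as RFC 7519 intends; the RFC 7662 object, with its own 'aud' (the RFC 8707 resource indicators) and 'iat' (the access token's issue time), is carried unmodified under the nested claim, so the two sets of meanings never collide.

```python
"""Nested-claim introspection response: envelope claims vs. token claims.

Added example, not from the draft or the thread. Assumptions: claim name
"introspection", HS256 with a shared secret (demo only), and the sample
issuer/RS/resource values below.
"""
import base64
import hashlib
import hmac
import json
import uuid

# Constructed example values (not from the thread).
AS_ISSUER = "https://as.example.com"
RS_ID = "https://rs.example.com"                        # RS receiving the response
TOKEN_RESOURCES = ["https://api.example.com/photos"]    # RFC 8707 'resource' values
SHARED_SECRET = b"demo-secret-not-for-production"

# A plain RFC 7662 introspection object for one access token (constructed).
TOKEN_INFO = {
    "active": True,
    "iss": AS_ISSUER,
    "aud": TOKEN_RESOURCES,   # audience of the *access token* (RFC 8707)
    "iat": 1583000000,        # when the *access token* was issued (RFC 7662)
    "exp": 1583003600,
    "client_id": "s6BhdRkqt3",
    "sub": "248289761001",
    "scope": "read write",
    "token_type": "Bearer",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_jws_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS over the claims. HS256 only so the example runs offline."""
    header = {"alg": "HS256", "typ": "token-introspection+jwt"}  # typ is an assumption
    signing_input = f"{_b64url(_json(header))}.{_b64url(_json(claims))}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jws_hs256(token: str, key: bytes) -> dict:
    """Verify the signature and return the payload; reject anything but HS256."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # pin alg; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(p))


def build_introspection_jwt(token_info: dict, rs_id: str, key: bytes, now: int, ttl: int = 60) -> str:
    """AS side: wrap the RFC 7662 object without renaming any of its fields."""
    envelope = {
        "iss": AS_ISSUER,
        "aud": rs_id,                  # the RS receiving *this response*
        "iat": now,                    # when *this response* was issued
        "exp": now + ttl,
        "jti": str(uuid.uuid4()),      # unique per response JWT, per RFC 7519
        "introspection": token_info,   # the introspection response, untouched
    }
    return sign_jws_hs256(envelope, key)


def consume_introspection_jwt(token: str, key: bytes, my_rs_id: str, now: int) -> dict:
    """RS side: validate the envelope, then hand back the inner object."""
    claims = verify_jws_hs256(token, key)
    if claims.get("aud") != my_rs_id:
        raise ValueError("response not addressed to this RS")
    if not (claims["iat"] <= now < claims["exp"]):
        raise ValueError("response outside its validity window")
    info = claims["introspection"]
    if not info.get("active"):
        raise ValueError("token inactive")
    return info


def rejected(token: str, key: bytes, rs_id: str, now: int) -> bool:
    """True if the RS-side check refuses the response."""
    try:
        consume_introspection_jwt(token, key, rs_id, now)
    except ValueError:
        return True
    return False


def tamper_outer_aud(token: str, new_aud: str) -> str:
    """Rewrite the envelope's 'aud' but keep the old signature (must fail verification)."""
    h, p, s = token.split(".")
    claims = json.loads(_unb64url(p))
    claims["aud"] = new_aud
    return f"{h}.{_b64url(_json(claims))}.{s}"


if __name__ == "__main__":
    now = 1583001000
    jwt = build_introspection_jwt(TOKEN_INFO, RS_ID, SHARED_SECRET, now)
    outer = verify_jws_hs256(jwt, SHARED_SECRET)
    inner = consume_introspection_jwt(jwt, SHARED_SECRET, RS_ID, now)
    print("envelope aud/iat:", outer["aud"], outer["iat"])   # about the response
    print("token    aud/iat:", inner["aud"], inner["iat"])   # about the access token
```

Because the envelope and the token object never share a namespace, the RS can apply ordinary JWT validation (audience, freshness, replay via 'jti') to the envelope and then read the token's own 'aud' and 'iat' with their RFC 7662/8707 meanings, which is the distinction the flat layout in draft 8 cannot express.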