Re: [OAUTH-WG] can a resource server provide indications about expected access tokens?

Warren Parad <wparad@rhosys.ch> Sat, 11 December 2021 11:26 UTC

From: Warren Parad <wparad@rhosys.ch>
Date: Sat, 11 Dec 2021 12:25:41 +0100
Message-ID: <CAJot-L1O7nRUpz63-fA8K1Xdki2Lm6OLKiagqKC9PWPaXDkrZA@mail.gmail.com>
To: Nikos Fotiou <fotiou@aueb.gr>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>

The section from the RFC allows for the *scope* or any other standard
parameter to be returned in the WWW-Authenticate header; those would be
machine-readable.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Sat, Dec 11, 2021 at 11:59 AM Nikos Fotiou <fotiou@aueb.gr> wrote:

> Thanks Vladimir,
> I am looking for something which is machine readable so that clients can
> handle the error automatically.
>
> Best,
> Nikos
>
> On 11 Dec 2021, at 12:44 PM, Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
>
> Hi Nikos,
>
> The "error_description" can be used to explain the expected token issuer
> and other facts to client developers.
>
> https://datatracker.ietf.org/doc/html/rfc6750#section-3
>
> If you want to give client software the ability to respond
> programmatically this will require some sort of a proprietary extension.
>
> Vladimir
>
> Vladimir Dzhuvinov
>
> On 11/12/2021 12:35, Nikos Fotiou wrote:
>
> Hi,
>
> I have a use case where a resource server is protected and can only be accessed if a JWT is presented. Is there any way for the server to "indicate" the "expected" format of the JWT? For example, respond to unauthorized requests with something that would be translated into "I expect tokens from iss X with claims [A,B,C]".
>
> Best,
> Nikos
>
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business - https://mm.aueb.gr
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
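As an added illustration of the machine-readable handling discussed in this thread (not code from any of the participants), the following parses the Bearer challenge parameters that RFC 6750 section 3 registers (realm, scope, error, error_description, error_uri) and shows which of them a client can act on automatically. The header values in the comments and test are constructed; the action names are hypothetical.

```python
import re

# RFC 7235 auth-param syntax: token "=" ( token / quoted-string ), comma-separated.
# RFC 6750 section 3 registers realm, scope, error, error_description and
# error_uri as the Bearer challenge parameters.
_PARAM = re.compile(
    r'\s*([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))\s*(?:,|$)'
)


def parse_bearer_challenge(header: str) -> dict:
    """Parse a WWW-Authenticate Bearer challenge value into its auth-params."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge")
    out = {}
    pos = 0
    while pos < len(params):
        m = _PARAM.match(params, pos)
        if not m:
            raise ValueError(f"malformed auth-param near: {params[pos:]!r}")
        name = m.group(1).lower()
        if m.group(2) is not None:
            # quoted-string: undo quoted-pair escapes such as \" and \\
            value = re.sub(r"\\(.)", r"\1", m.group(2))
        else:
            value = m.group(3)
        out[name] = value
        pos = m.end()
    return out


def next_action(params: dict) -> str:
    """Decide what a client can do automatically from the registered params.

    Only 'error' and 'scope' are defined values a client may branch on;
    'error_description' and 'error_uri' are free text for developers.
    """
    error = params.get("error")
    if error is None:
        return "authenticate"            # no token was sent: obtain one for realm
    if error == "invalid_token":
        return "refresh_token"           # expired, revoked, or otherwise rejected
    if error == "insufficient_scope":
        scope = params.get("scope", "")
        return f"reauthorize:{scope}"    # re-request consent with these scopes
    if error == "invalid_request":
        return "fix_request"
    return "unknown_error"
```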