Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

Neil Madden <neil.madden@forgerock.com> Tue, 09 February 2021 08:44 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6C0C3A0D62 for <oauth@ietfa.amsl.com>; Tue, 9 Feb 2021 00:44:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.089
X-Spam-Level:
X-Spam-Status: No, score=-2.089 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9NXfwxyZQiqC for <oauth@ietfa.amsl.com>; Tue, 9 Feb 2021 00:43:57 -0800 (PST)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21E9C3A0D25 for <oauth@ietf.org>; Tue, 9 Feb 2021 00:43:57 -0800 (PST)
Received: by mail-wm1-x335.google.com with SMTP id a16so1238899wmm.0 for <oauth@ietf.org>; Tue, 09 Feb 2021 00:43:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:date:message-id:references:cc:in-reply-to :to:content-transfer-encoding; bh=YvzG5Ua8DK3HSBf4ppxnWV7zVlbyyawHIq5jV0YIGsE=; b=aUoQPA663Kc22qhM4cJaeg4gk0UzXhAaZbQHSN23CnIsCWmgMZiHWYWqXU7l2jg8mX hRaQ+VwAjhMUtb9q2IrcxRRG3TP596LW4JIu2EBwLKUmAp/pBaNzMW6/Ohlv+poNZjPC 7cw7DK2RTFuK2CAVKHks9w+M/PALVlrzIFTyQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to:content-transfer-encoding; bh=YvzG5Ua8DK3HSBf4ppxnWV7zVlbyyawHIq5jV0YIGsE=; b=udqap/deEYIxMAUsFoCNT6U8nP7HQJ2hMfu1sG+i7c/MEN+jD4dHKXsGTKtpd2PtlT 5lk1mDpDYkdPRLd/BDeEr/QRtrM8oftqEbJK/VWAJN6Z0gPaUwOscKuODSvvKKA0uKJc cLIV6qnlfgiS+MpqZrHGDUAQpm4CgGaYIB499TCZw8G3/dwKgWesr6Fg4R4/ba2YYPxN C7hlqHdL2JZIxaDHEpjfl8LmuPcT1Pl4xXpsV9JMiAO+zR5in+ebn2jzcTKtiLIegMob 24F5G29eNkbDFZh1SUQCmSj7MmwcFODv3/taxO9EjM23wN8kzO7agvBv8Sj5mTTjcY6g VSsQ==
X-Gm-Message-State: AOAM5321b9YKoVspbvMPJMiqbGoxWlMH2cvaTMdTB2BmHpMfKBKzdahb BXIDlVzP1XaS3/SM1sz7MIwjsaDjQBB+GGV0Ui0nzZDrxFcubm/nApTdCk7f8xKVASo6J5o0Fw= =
X-Google-Smtp-Source: ABdhPJz8wzEH5wkHMatdLwjYkf2QZY1Y/s6v7nNYFZqTS6hTFpKguglRLZSGdQHXcqGFr2G1KqcssA==
X-Received: by 2002:a05:600c:4ec7:: with SMTP id g7mr2323350wmq.56.1612860235347; Tue, 09 Feb 2021 00:43:55 -0800 (PST)
Received: from [10.0.0.2] (252.207.159.143.dyn.plus.net. [143.159.207.252]) by smtp.gmail.com with ESMTPSA id g1sm33303815wrq.30.2021.02.09.00.43.54 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 09 Feb 2021 00:43:55 -0800 (PST)
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Tue, 09 Feb 2021 08:43:53 +0000
Message-Id: <BBF3CC22-557F-4816-ADB3-E0B8D45E1BBB@forgerock.com>
References: <CALkShctQxb2M=c_u99VbMw1dHSbyNfC__eARgcKFoFpmj87c3w@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, draft-ietf-oauth-jwt-introspection-response@ietf.org
In-Reply-To: <CALkShctQxb2M=c_u99VbMw1dHSbyNfC__eARgcKFoFpmj87c3w@mail.gmail.com>
To: Andrii Deinega <andrii.deinega@gmail.com>
X-Mailer: iPhone Mail (18C66)
Content-Type: multipart/alternative; boundary="Apple-Mail-EA56D820-484D-4B52-AD83-4C3A0094E6EC"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DphTc2ubzu8SufaY6gIurY4qgVM>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Feb 2021 08:44:02 -0000

On 9 Feb 2021, at 06:55, Andrii Deinega <andrii.deinega@gmail.com> wrote:
> 
> 
> Hi WG,
> 
> I wonder if there are any particular reasons to not make nonce a mandatory parameter for the current JWT Response for OAuth Token Introspection draft. Or, at least, force an AS to include the nonce claim in a JWT response when nonce is presented in the introspection request similar to what happens with the similar scenario in the OpenID Connect ID Token?
> 
> https://openid.net/specs/openid-connect-core-1_0.html#:~:text=If%20present%20in%20the%20Authentication%20Request%2C,value%20sent%20in%20the%20Authentication%20Request.
> 
> This will allow to mitigate replay attacks because clients can correlate the response with the initial request

ID tokens involve flows using an insecure channel (the browser). This is not the case for introspection requests which happen over a direct TLS connection and so are already protected against replay attacks. 

— Neil
-- 
ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>