Re: [OAUTH-WG] can a resource server provide indications about expected access tokens?

Nikos Fotiou <fotiou@aueb.gr> Sat, 11 December 2021 10:59 UTC

From: Nikos Fotiou <fotiou@aueb.gr>
Date: Sat, 11 Dec 2021 12:59:14 +0200
Message-Id: <5F026928-695C-4F4F-9B73-4927AFD047D8@aueb.gr>
References: <359ad163-82fb-7620-a2d2-2704372b5f54@connect2id.com>
Cc: oauth@ietf.org
In-Reply-To: <359ad163-82fb-7620-a2d2-2704372b5f54@connect2id.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FPa___EjU2EEw82Ys_rdZ0PfAKM>

Thanks Vladimir,
I am looking for something which is machine readable so that clients can handle the error automatically.

Best,
Nikos

> On 11 Dec 2021, at 12:44 PM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> 
> 
> Hi Nikos,
> 
> The "error_description" can be used to explain the expected token issuer and other facts to client developers.
> 
> https://datatracker.ietf.org/doc/html/rfc6750#section-3
> 
> If you want to give client software the ability to respond programmatically this will require some sort of a proprietary extension.
> 
> Vladimir
> 
> Vladimir Dzhuvinov
> On 11/12/2021 12:35, Nikos Fotiou wrote:
>> Hi,
>> 
>> I have a use case where a resource server is protected and can only be accessed if a JWT is presented. Is there any way for the server to "indicate" the "expected" format of the JWT? For example, respond to unauthorized requests with something that would be translated into "I expect tokens from iss X with claims [A,B,C]".
>> 
>> Best,
>> Nikos
>> 
>> --
>> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
>> Researcher - Mobile Multimedia Laboratory
>> Athens University of Economics and Business
>> https://mm.aueb.gr
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
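The exchange the thread is about, worked through as an added example (this is not code from the thread, from Connect2id or from AUEB): the resource server builds the RFC 6750 section 3 WWW-Authenticate Bearer challenge, the client parses it and decides what to do. `error` is the only field RFC 6750 makes machine-readable; `error_description` is for developers. The extra parameters `expected_iss` and `required_claims` are assumptions of mine standing in for the proprietary extension Vladimir mentions, and no RFC defines them. The example also handles the caveat a practitioner wants here: a 401 challenge is unauthenticated, so a client must check any issuer hint against its own configured trust list before going to that issuer for a token.

```python
"""RFC 6750 s3 Bearer challenge: resource-server builder, client parser and
client decision logic.  Added example; the extension parameter names
expected_iss / required_claims are hypothetical, not standardised."""
import re

# auth-param per RFC 6750 s3 / RFC 7235: token "=" ( token / quoted-string ),
# separated by commas.  Group 2 is a quoted-string body, group 3 a bare token.
_AUTH_PARAM = re.compile(
    r'\s*([A-Za-z0-9_\-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))\s*(?:,|$)'
)

# Error codes defined by RFC 6750 s3.1.
RFC6750_ERRORS = {"invalid_request", "invalid_token", "insufficient_scope"}


def build_bearer_challenge(params):
    """Resource-server side: serialise auth-params as quoted-strings.
    Values are escaped so that '"' and '\\' survive as quoted-pairs."""
    parts = []
    for name, value in params.items():
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{name}="{escaped}"')
    return "Bearer " + ", ".join(parts)


def parse_bearer_challenge(header):
    """Client side: parse a WWW-Authenticate value into a dict of auth-params.
    Rejects non-Bearer schemes, malformed params and duplicate names."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: " + scheme)
    params = {}
    rest = rest.strip()
    pos = 0
    while pos < len(rest):
        m = _AUTH_PARAM.match(rest, pos)
        if not m:
            raise ValueError(f"malformed auth-param at offset {pos}: {rest[pos:]!r}")
        name = m.group(1).lower()          # param names are case-insensitive
        if m.group(2) is not None:
            value = re.sub(r"\\(.)", r"\1", m.group(2))  # undo quoted-pairs
        else:
            value = m.group(3)
        if name in params:
            raise ValueError("duplicate auth-param " + name)
        params[name] = value
        pos = m.end()
    return params


def decide_next_step(params, trusted_issuers):
    """Client side: map a parsed challenge to an (action, detail) pair.

    Only 'error' is acted on as defined by RFC 6750.  The hypothetical
    'expected_iss' hint is honoured solely when it names an issuer the client
    already trusts; an attacker-controlled resource server (or an on-path
    attacker, since the 401 carries no token) must not be able to steer the
    client to a rogue issuer."""
    error = params.get("error")
    if error is None:
        # RFC 6750 s3.1: no error code means the request carried no token.
        return ("authenticate", None)
    if error not in RFC6750_ERRORS:
        return ("fail", f"unknown error code {error!r}")
    if error == "insufficient_scope":
        return ("reauthorize", params.get("scope"))
    if error == "invalid_token":
        hinted = params.get("expected_iss")       # hypothetical extension
        if hinted is None:
            return ("retry_with_new_token", None)
        if hinted not in trusted_issuers:
            return ("fail", f"untrusted issuer hint {hinted!r}")
        return ("obtain_token_from", hinted)
    return ("fail", params.get("error_description"))


if __name__ == "__main__":
    # Constructed sample: what the resource server in Nikos's use case would send.
    hdr = build_bearer_challenge({
        "realm": "api",
        "error": "invalid_token",
        "error_description": 'Expected tokens from "https://as.example" with claims sub, aud, scope',
        "expected_iss": "https://as.example",      # hypothetical
        "required_claims": "sub aud scope",         # hypothetical
    })
    print(hdr)
    print(decide_next_step(parse_bearer_challenge(hdr), {"https://as.example"}))
```

Parameters the client does not recognise are parsed and kept but never acted on, which is the RFC 7235 behaviour for unknown auth-params; that is also why the hint-based branch is only reachable when the client has been written against the same extension as the server.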