Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt

Benjamin Kaduk <kaduk@mit.edu> Fri, 27 September 2019 22:51 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F7C212021C for <oauth@ietfa.amsl.com>; Fri, 27 Sep 2019 15:51:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EEf_LgeJVWOB for <oauth@ietfa.amsl.com>; Fri, 27 Sep 2019 15:51:12 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2E20120071 for <oauth@ietf.org>; Fri, 27 Sep 2019 15:51:11 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x8RMp7LU003169 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 27 Sep 2019 18:51:09 -0400
Date: Fri, 27 Sep 2019 15:51:06 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Travis Spencer <travis.spencer@curity.io>
Cc: oauth <oauth@ietf.org>
Message-ID: <20190927225106.GE6424@kduck.mit.edu>
References: <156898250596.30287.14524104153595179086@ietfa.amsl.com> <CAEKOcs3mE0C0s_B+12J-+anxSLbVk_pDx_urJawpmCnw9dSVtA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAEKOcs3mE0C0s_B+12J-+anxSLbVk_pDx_urJawpmCnw9dSVtA@mail.gmail.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GAqz-_MyFEIvZHTZqbWAgwRvmXE>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Sep 2019 22:51:14 -0000

On Thu, Sep 26, 2019 at 11:26:31AM +0200, Travis Spencer wrote:
> * Last but certainly not least is the restriction that the current
> version places on disallowing of the introspection JWT response as an
> access token. This is done in numerous places (the note in section 5,
> 8.1, etc.). I understand that there are some objection to this usage,
> but we have had this protocol deployed for years, and it's running in
> dozens of customer's facilities. This will break real applications of
> this specification without a clear alternative. As we discussed in
> London last year at the IETF meeting, token exchange isn't a viable
> alternative (even still in its current draft form to the best of my
> knowledge). Without a workable alternative to move to, I emphatically
> but humbly request that this specification remove this restriction.

I don't think I was in the London session, so would you mind saying a bit
more about why token exchange isn't viable for your scenario?
As an AD, I support the efforts to be explicit about what token flow/usage
is being defined, which in effect means keeping introspection just
introspection and not "producing new tokens".

Thanks,

Ben