Re: [OAUTH-WG] Generalizing draft-ietf-oauth-jwt-introspection-response-01

Justin P Richer <jricher@mit.edu> Wed, 07 November 2018 01:16 UTC

From: Justin P Richer <jricher@mit.edu>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Generalizing draft-ietf-oauth-jwt-introspection-response-01
Date: Wed, 07 Nov 2018 01:16:03 +0000
Message-ID: <08ECF78A-74CB-483A-90BE-CC3194E68762@mit.edu>
References: <F3FA169B-2C8B-4FB7-80B3-5F9A995A4690@lodderstedt.net>
In-Reply-To: <F3FA169B-2C8B-4FB7-80B3-5F9A995A4690@lodderstedt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/H5kKQklYWnEnMdhl2hq5nvHFWLc>

Since I brought this up initially, I want to re-voice my support for a general mechanism. I think it makes sense to have something that all of the OAuth JSON-spouting endpoints (introspection, token, revocation, registration, discovery) can use to universally put out signed and/or encrypted JWTs instead, using the same mechanism.

Keying for each of these should be fairly clear and based on the nature of the requester. Discovery would be signed by the server key, token could be encrypted to the client’s key or secret, introspection tied to the resource’s key, etc. I don’t see a lot of possibility for confusion but instead see a chance to make good re-use of a general mechanism all over the place.

The authorization endpoint doesn’t come into play at all because it doesn’t return JSON, and instead is a front-channel redirect endpoint. As such it’s a drastically different space and therefore this spec wouldn’t apply. In fact, that’s where JARM would come into play.

— Justin

On Nov 5, 2018, at 1:32 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

Hi all,

as mentioned during the presentation this morning, I would like to get a feeling what the working group thinks about generalizing draft-ietf-oauth-jwt-introspection-response-01 to a mechanism supporting requesting and providing JWT responses from the different OAuth endpoints, such as token, revocation, client registration, and introspection.

Please share your thoughts on the list.

Thanks in advance,
Torsten.
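Justin's keying point above (the response key follows the requester, so an introspection response is bound to the resource server that asked for it), as an added illustration that is not part of this thread or of the draft: a minimal HS256 JWS of an RFC 7662-style introspection response, with the verifier pinning the algorithm and checking `iss` and `aud`. The issuer and resource-server URLs, secrets and claim values are constructed; HS256 shared secrets stand in for the per-requester keys the thread discusses.

```python
import base64
import hashlib
import hmac
import json
# Constructed demo secrets, one per resource server. Assumption: HS256 shared
# secrets stand in for the per-requester keys discussed in the thread.
RESOURCE_SERVER_KEYS = {
    "https://rs.example/api": b"rs-demo-secret-constructed-0001",
    "https://other.example": b"other-rs-demo-secret-constructed",
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode_json(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())

def sign_jwt(claims: dict, key: bytes, kid: str) -> str:
    # JWS compact serialization with HS256 (RFC 7515 / RFC 7519).
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _encode_json(header) + "." + _encode_json(claims)
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def introspection_response_jwt(issuer: str, requester: str, token_info: dict, now: int) -> str:
    # The key follows the requester: the response for a resource server is
    # bound to that server's key and carries that server as the audience.
    key = RESOURCE_SERVER_KEYS[requester]
    claims = {"iss": issuer, "aud": requester, "iat": now, **token_info}
    return sign_jwt(claims, key, kid=requester)

def verify_introspection_jwt(token: str, expected_iss: str, my_aud: str, key: bytes):
    # Resource-server side: return the claims, or None if any check fails.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the algorithm the verifier expects
        return None
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != expected_iss or claims.get("aud") != my_aud:
        return None  # wrong issuer, or a response addressed to another requester
    return claims
```

A response minted for one resource server fails verification under another server's key, and even with the right key it is rejected if its `aud` names a different requester.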