[OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

Andrii Deinega <andrii.deinega@gmail.com> Sun, 07 February 2021 07:42 UTC

To: oauth@ietf.org, draft-ietf-oauth-jwt-introspection-response@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/H82qFYWhEHUZin9TJ6ksfK2OeKE>

Hi WG,

draft-ietf-oauth-jwt-introspection-response-10 states that "OAuth 2.0 Token
Introspection [RFC7662] specifies a method for a protected resource to
query an OAuth 2.0 authorization server to determine the state of an access
token and obtain data associated with the access token," which is true.
However, according to RFC7662, the introspection endpoint allows a refresh
token to be introspected as well. Hence, the question I have is how a token
introspection response will look when the caller provides a refresh token
and sets the "Accept" HTTP header to "application/token-introspection+jwt".

I expect there will be no differences, right?

If so, I suggest:

   1. replacing "a resource server" with "the caller" in section 4 (Requesting
   a JWT Response)
   2. changing "If the access token is invalid, expired, revoked" to "If a
   given token is invalid, expired, revoked" in section 5 (JWT Response)

If not, my suggestion would be to clarify what the AS should do when it is
asked to introspect a refresh token in general and, additionally, what
should happen in the same case depending on the type of the caller from the
AS's point of view.

Regards,
Andrii
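The behaviour the message argues for, as an added illustration that is not part of the original post or of the draft: an authorization server that answers an introspection request for a refresh token exactly as it would for an access token, and that returns only {"active": false} for any unknown, revoked or expired token so the caller cannot tell token types apart. The in-memory token store, the HS256 demo key, the issuer URL and the `typ` / `token_introspection` names used for the JWT wrapper are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed in-memory token store standing in for the AS database.
TOKEN_STORE = {
    "at-1": {"kind": "access_token", "active": True, "scope": "read",
             "client_id": "client-a", "sub": "alice", "exp": 4102444800},
    "rt-1": {"kind": "refresh_token", "active": True, "scope": "read",
             "client_id": "client-a", "sub": "alice", "exp": 4102444800},
    "rt-2": {"kind": "refresh_token", "active": False, "exp": 0},
}
DEMO_KEY = b"constructed-demo-hmac-key"  # HS256 key, demo only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def introspect(token: str, now: int = None) -> dict:
    """RFC 7662 response body: same shape for access and refresh tokens.
    Any unknown, inactive or expired token yields only {"active": false},
    so the caller learns nothing about the token's type or existence."""
    now = int(time.time()) if now is None else now
    rec = TOKEN_STORE.get(token)
    if rec is None or not rec["active"] or rec["exp"] <= now:
        return {"active": False}
    return {"active": True, "scope": rec["scope"],
            "client_id": rec["client_id"], "sub": rec["sub"], "exp": rec["exp"]}


def jwt_response(token: str, caller: str, now: int = None) -> str:
    """Wrap the introspection result in an HS256 JWT for a caller that sent
    Accept: application/token-introspection+jwt. The typ header value and the
    token_introspection claim name are assumptions, not taken from the draft."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "token-introspection+jwt"}
    payload = {"iss": "https://as.example", "aud": caller, "iat": now,
               "token_introspection": introspect(token, now)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_payload(jwt: str) -> dict:
    """Verify the HS256 signature and return the payload (demo verifier)."""
    h, p, s = jwt.split(".")
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
```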