[OAUTH-WG] Standardising JWT access token type determination
Akila Amarasinghe <akilaa@wso2.com> Fri, 12 January 2024 09:21 UTC
Return-Path: <akilaa@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 742BAC14F706 for <oauth@ietfa.amsl.com>; Fri, 12 Jan 2024 01:21:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DC_PNG_UNO_LARGO=0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TKj4qIV7mc7A for <oauth@ietfa.amsl.com>; Fri, 12 Jan 2024 01:21:54 -0800 (PST)
Received: from mail-yw1-x112a.google.com (mail-yw1-x112a.google.com [IPv6:2607:f8b0:4864:20::112a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86AF5C14F701 for <oauth@ietf.org>; Fri, 12 Jan 2024 01:21:54 -0800 (PST)
Received: by mail-yw1-x112a.google.com with SMTP id 00721157ae682-5e7c1012a42so60136577b3.3 for <oauth@ietf.org>; Fri, 12 Jan 2024 01:21:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; t=1705051313; x=1705656113; darn=ietf.org; h=cc:to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=jyJj8ozyEWOxLHycC1gp5pV/ctzlS/WBXJxz6QpoWxY=; b=bpN1i1yu7W7ZwedNCdK+G6NkwB6Pr80oynpQmtH9cEAeifPmQHTf7mfA8DLHFPIfEO dZYajor3Cm25RYb9mYJB84cFVWwdpkuOROx0bZIfwUig5v/rVJ18QhQ86KyW/zLRmwVe L4CeHXeqwMHMlO2ulAFWtLyygcCPCDjzPgtC8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705051313; x=1705656113; h=cc:to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=jyJj8ozyEWOxLHycC1gp5pV/ctzlS/WBXJxz6QpoWxY=; b=FnacmjZlBcEVMZt1exPQ6cx6xXBwH6pdVnBHB0pqsiRje98PYeylR4vMPbLsrnEpLh FmewzCiBnbX64n4mSLjfWRO86r5/olonQwT2ShxX8p4+bav3lWU0f0SRidf438dEXusq UVZE3XmwlzCVaMer80OKxdLqD6hztlHUkJlZ38IhWI61/4/yOju3iQx80vttOTbuCEuS vLpI7irw5SKm5jCiPlrMnUkkT2R+7N5XicyhVVWdps1/+0SeVWy4nkr3wh55/PwIIqY7 xWb9B627rVRTnxtdbeOHEWgJtwoCpmE0E87HpW+BOaJCLcQqXyhjsptIYN1JTCIucMbD DH9w==
X-Gm-Message-State: AOJu0YzjHBzvUCyjSFnKPkKlz074kxbIqJ7zIJMkAdMq7deeNqmBRg/3 1O0Bm6aMDytx/nyl7TbCoFRRdMEOrxUG2myDhviSdjsiHb5aVE+UqW47t7H3
X-Google-Smtp-Source: AGHT+IHOTxhd98m2lorzDWG7ouPmmRxDjqcNMsZrp4g6iO5o0SJ80njThKUFf5FuZqeAO9TphnL5Ptv7cg2NzUq+YxA=
X-Received: by 2002:a5b:4b:0:b0:dbd:b464:63a with SMTP id e11-20020a5b004b000000b00dbdb464063amr402810ybp.26.1705051313095; Fri, 12 Jan 2024 01:21:53 -0800 (PST)
MIME-Version: 1.0
From: Akila Amarasinghe <akilaa@wso2.com>
Date: Fri, 12 Jan 2024 14:51:16 +0530
Message-ID: <CADo1+pUHvk6uK0pveDKbfxFDwDBkvmFbUEb=n_1pAsFfJ37Gmw@mail.gmail.com>
To: oauth@ietf.org, openid-gain-poc@lists.openid.net
Cc: Lalaji Sureshika <lalaji@wso2.com>
Content-Type: multipart/related; boundary="000000000000d7a041060ebc312e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IDAeyCQwYfyR4Cz7LDR0kNniRG0>
Subject: [OAUTH-WG] Standardising JWT access token type determination
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jan 2024 09:47:37 -0000
Hi all, I am researching a standard way to distinguish the token grant type (client credentials of authorization code) by inspecting the content of the self-contained JWT token. I expect to build a discussion within the Oauth/OpenID community around the need to identify the grant type in which a JWT access token is issued. In the context of Open Banking, regulators around the world enforce the API resource access validation specifying which type of access token should be used to access the API resources. This is becoming a general enforcement and the Open Banking solution providers are searching for a standard way to distinguish the access token type by checking the content of the JWT token. I researched this and please find my findings below, 1. *"sub" claim is a potential way to distinguish the token type* In rfc9068 <https://datatracker.ietf.org/doc/html/rfc9068> specification, it is mentioned that the "sub" claim should contain the client ID of the authorization server if the resource owner is not involved during authorization (see the screenshot below). [image: Screenshot 2024-01-12 at 12.15.42 PM.png] We had discussions about using this claim to validate the token type (auth code or client credentials), but it seems this is not a standard way to do this since there can be client impersonation attacks. However, it is very rare for an actual authorization code access token to have the same client ID in the "sub" claim as the client exists in the authorization server. 2. *Add a custom claim to the access token* Another option is to add a custom claim to determine the token type. This will be set after determining the grant type of the token request and will be contained in the JWT access token when issued by the authorization server. This is a reliable way to identify the token type because the authorization server determines the grant type by inspecting the request sent into it. Therefore, making it more reliable. This custom claim will contain from which grant type the access token is obtained. 3. *Validating the "azp" claim in the token* This is not applicable generally because this claim is optional and is only used in OpenID connect. The applications that don't use ID tokens cannot use this claim. We seek the help of the OAuth/OpenID community to build up a discussion on this and find a standard way to do the token type determination using the JWT token. It could be one of the above scenarios. The feedback from the Oauth/OpenID community is highly appreciated. Thanks, *Akila Amarasinghe **| **Software Engineer | WSO2 LLC* (M)+94719799034 *| *(E)akilaa@wso2.com (B) medium.com/@akilaamarasinghe <http://wso2.com/signature>
- [OAUTH-WG] Standardising JWT access token type de… Akila Amarasinghe
- Re: [OAUTH-WG] Standardising JWT access token typ… Warren Parad
- Re: [OAUTH-WG] Standardising JWT access token typ… Akila Amarasinghe
- Re: [OAUTH-WG] Standardising JWT access token typ… Warren Parad
- Re: [OAUTH-WG] Standardising JWT access token typ… Akila Amarasinghe
- Re: [OAUTH-WG] Standardising JWT access token typ… Warren Parad
- Re: [OAUTH-WG] Standardising JWT access token typ… Akila Amarasinghe
- Re: [OAUTH-WG] Standardising JWT access token typ… Warren Parad