IETF Logo Mail Archive

Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 02 March 2020 17:42 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92D593A0D80 for <oauth@ietfa.amsl.com>; Mon, 2 Mar 2020 09:42:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59teALE05uUa for <oauth@ietfa.amsl.com>; Mon, 2 Mar 2020 09:42:19 -0800 (PST)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B5CE3A0D7D for <oauth@ietf.org>; Mon, 2 Mar 2020 09:42:19 -0800 (PST)
Received: by mail-wr1-x435.google.com with SMTP id r7so859545wro.2 for <oauth@ietf.org>; Mon, 02 Mar 2020 09:42:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=VfExlkafnc/PVVJcIArAaEDkG9BPO2U/F1GSOvJ3nQU=; b=ARjwL9VMYmYkbfWCQISs3cacCVDPJn0Aq1Vn31ilwTVNKoWk/DicAQIre9A1h1V0jt /dMkjpAP/HbCINpBQb9jkd4QBuKJnwfJBjWzfDVmLyMF3B0dN9c0TRdTbKMFLG+7Yekf uCrMaMLd6MvJ/utktTRoq+bo8nJWsSJ7rH/fW/8gUeaPfKeh/A+6AsS+SEWGjq4FW6qH br4nVjR1Cb7vf/JQxrOUQ871JgW2GS3ofcfx9LXq0Cyvg87oaro/4gy5WyikaXe0JH/Z JbA+ZOSrtm8PfqP+id5bk9tpr3GEUK1ZL4GCdB6m9Dc+X11KpfWendkx5MC1Sop8rpUL LcKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=VfExlkafnc/PVVJcIArAaEDkG9BPO2U/F1GSOvJ3nQU=; b=geajTVmBKbTjcjs4rqT7ZF5mqHvGgmcDe6/kqIxUI59eZbfZpIIxk/Qj8ibsNZ2K/X P5DARY9iGGr7MAXo17Z5twy0zOgALXvfATosVxXBIozV/9NVwcRf29n4Em2XpLRfw7P4 BnhWyA7kJZRxtSVHMFsSBMwxEeOpxyBbvjxF/3ehUojeD09rFN+AzOJNaoq/hKbHHKGq 8HVY69iUD8yCzDBpN5ybnki06ehhZ5AL8cyxUjft1Yp/6URq+LLHntlgHKebtkR5ucrX smodMEHEoUfR+m8umIUpmZoUIqpCooz45r21yzNbfoXSkWC63iec3xik7U6GeCeUNkIN m1Ug==
X-Gm-Message-State: ANhLgQ36WxcvbgjRY1W/a73xRPR/eh/8dHR7GJ7FGH08JhCDNOrUOMFB wJSjZu/cFhu7UnGKSC89W7eLlCizGY9k3g==
X-Google-Smtp-Source: ADFU+vtYtexjZV6wNroPD3jOMZM4Z/1UiPynxMb5jzaRY3o4BmAtqQTMoo5dLHKqqMc0FnXyLwBAdA==
X-Received: by 2002:a5d:55d1:: with SMTP id i17mr734921wrw.326.1583170937436; Mon, 02 Mar 2020 09:42:17 -0800 (PST)
Received: from [10.226.254.230] (80-254-69-38.dynamic.monzoon.net. [80.254.69.38]) by smtp.gmail.com with ESMTPSA id z131sm151163wmg.25.2020.03.02.09.42.16 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 02 Mar 2020 09:42:16 -0800 (PST)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <01F13FB2-9E7C-474D-95D6-4A14CAE2A1D6@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_40817F0E-AF00-4F15-AB64-D2875AA84E4D"; protocol="application/pkcs7-signature"; micalg="sha-256"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
Date: Mon, 02 Mar 2020 18:42:15 +0100
In-Reply-To: <CAHdPCmP112ag5cebTJ2-T31j3gRrDdoVme-jXeWVnLskn475YQ@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, Brian Campbell <bcampbell@pingidentity.com>
To: Takahiko Kawasaki <taka@authlete.com>
References: <CAHdPCmPCMJqH-aOC2SjFhGd9sjd01xw=VEj5y1jA5nRNRhu4EA@mail.gmail.com> <5514F7A5-D87D-42D8-9DA0-9ADCDD75D989@lodderstedt.net> <CAHdPCmO7nfG6jXgo56HdUmmz8iu0O-Dd-sPO3pc_-6MWCheOMQ@mail.gmail.com> <13A6E943-3C58-4064-9DE4-AFB1F351BD47@lodderstedt.net> <CAHdPCmP112ag5cebTJ2-T31j3gRrDdoVme-jXeWVnLskn475YQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/J6APDWxalcqRMlJvsjksYPCY4L0>
Subject: Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 17:42:22 -0000


> On 2. Mar 2020, at 18:27, Takahiko Kawasaki <taka@authlete.com> wrote:
> 
> From RFC 7662, Section 2.1
> To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint, such as client authentication as described in OAuth 2.0 [RFC6749] or a separate OAuth 2.0 access token such as the bearer token described in OAuth 2.0 Bearer Token Usage [RFC6750].  The methods of managing and validating these authentication credentials are out of scope of this specification.
> 
> "Some form of authorization" may not be able to distinguish API callers. For example, if one pair of API key and API secret is shared by multiple resource servers.

Good point. If the AS would not authenticate the RS, it would need to put the whole aud array into the introspection response. 

However, draft-ietf-oauth-jwt-introspection-response states 

 In order to process the introspection requests in a secure and
   privacy-preserving manner, the authorization server MUST be able to
   identify, authenticate and authorize resource servers.

So this draft is more restrictive regarding RS authentication, mainly because of WG and IESG feedback.

> 
> Even if the number of "resource" request parameters is one, its value is not necessarily the identifier of a resource server. What if "https://rs.example.com/resource1" is given as "resource"? Which value should "aud" hold, "https://rs.example.com/resource1" or "https://rs.example.com"?
> 
> If the format of access tokens is JWT, when an authorization request includes "resource=https://host1.example.com/resource1" and "resource=https://host2.example.com/resource2", the resultant access token will have "aud" like below.
> 
> "aud" : [
>   "https://host1.example.com/resource1",
>   "https://host2.example.com/resource2"
> ]
> 
> However, if your logic applies, the introspection response for the access token will include a different value for "aud". This behavior is confusing.

That’s completely inline with RFC 8707 that states 

"The authorization server may use the exact "resource" value as the audience or it may map from that value to a more general URI or abstract identifier for the given resource.”

Mapping a client_id to a resource identifier (or vise versa) is just that “a mapping”.

> Because "some form of authorization" is performed when an introspection call is made, I don't think it's necessary to modify the value of "aud" per API caller.

Not necessarily but possible. I find it reasonable to have an external identifier for a RS (the value used for the resource parameter) and to have internal identifier used to identify & authenticate the RS (e.g. the client_id). 

> 
> Anyway, the root cause is that (a) "aud" in RFC 8707 and (b) "aud" in draft-ietf-oauth-jwt-introspection-response (in general "aud" in JWT) are different concepts but they share the same name. Any workaround without solving the root cause will bring about unhappy future.

My proposal is not a workaround but the logic an AS could apply that fits with RFC 8707 as well as draft-ietf-oauth-jwt-introspection-response.

best regards,
Torsten. 

> 
> Taka
> 
> 
> On Tue, Mar 3, 2020 at 1:44 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi Taka,
> 
> I see, the audience is multi value. In my impression both specs assume a single value audience. 
> 
> But I think we can handle this as follows: Since the caller of the introspection respect is a single RS, the AS first needs to map & check the resources associated with the underlying access token against that caller. The RS is authenticated at the introspection endpoint using a client_id (and some credential), so the AS needs to map the client_id to resource identifier. If the result is in the set of the resources associated with the underlying access token, the AS can create an Introspection Response, which only contains this particular resource. 
> 
> What do you think?
> 
> best regards,
> Torsten. 
> 
> > On 2. Mar 2020, at 17:31, Takahiko Kawasaki <taka@authlete.com> wrote:
> > 
> > Hi Torsten,
> > 
> > For example, if an authorization request includes two "resource" request parameters like below,
> > 
> > resource=https://host1.example.com/resource1
> > resource=https://host2.example.com/resource2
> > 
> > RFC 8707 expects that the value of "aud" in an introspection response look like the following.
> > 
> > "aud" : [
> >   "https://host1.example.com/resource1",
> >   "https://host2.example.com/resource2",
> > ]
> > 
> > How does the implementation of the introspection endpoint insert the identifier of the resource server (the API caller?) into the "aud" array above? In other words, what is the expected resultant value of the "aud" array in this case?
> > 
> > Taka
> > 
> > 
> > On Mon, Mar 2, 2020 at 10:54 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> > Hi Taka, 
> > 
> > > On 1. Mar 2020, at 08:10, Takahiko Kawasaki <taka@authlete.com> wrote:
> > > 
> > > Hello,
> > > 
> > > I'm wondering if the following conflicts in "JWT Response for OAuth Token Introspection" (draft 8) have already been pointed out.
> > > 
> > > RFC 8707 (Resource Indicators for OAuth 2.0) requires that 'aud' in an introspection response hold the values of the 'resource' request parameters, whereas "JWT Response for OAuth Token Introspection" says that 'aud' MUST identify the resource server receiving the token introspection response. The definitions conflict.
> > 
> > RFC 8707 states 
> > 
> > The authorization server may use
> >    the exact "resource" value as the audience or it may map from that
> >    value to a more general URI or abstract identifier for the given
> >    resource.
> > 
> > draft-ietf-oauth-jwt-introspection-response-08 states
> > 
> > The value of the "aud" claims MUST identify the resource server
> >    receiving the token introspection response.
> > 
> > So RFC 8707 gives choices of how the resource server might be identified and draft-ietf-oauth-jwt-introspection-response-08 says the AS must identify the RS without prescribing any particular way. So basically you can use the advice given by  RFC 8707 to implement the requirement stated by draft-ietf-oauth-jwt-introspection-response-08.
> > 
> > I don’t see a conflict. 
> > 
> > > 
> > > RFC 7662 (OAuth 2.0 Token Introspection) requires that 'iat' in an introspection response indicate when the access/refresh token was issued, whereas "JWT Response for OAuth Token Introspection" says that 'iat' indicates when the introspection response in JWT format was issued. The definitions conflict.
> > 
> > I will come back to this issue in an answer to Filip’s post.
> > 
> > best regards,
> > Torsten. 
> > 
> > > 
> > > Best Regards,
> > > Takahiko Kawasaki
> > > Authlete, Inc.
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > OAuth mailing list
> > > OAuth@ietf.org
> > > https://www.ietf.org/mailman/listinfo/oauth
> > 
>

v2.23.0 | Report a Bug | By Email