IETF Logo Mail Archive

Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 02 December 2014 11:30 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 100051A1AA5 for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 03:30:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cW6BzqSbOr-f for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 03:30:42 -0800 (PST)
Received: from mail-wg0-x22d.google.com (mail-wg0-x22d.google.com [IPv6:2a00:1450:400c:c00::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82B2C1A1AA0 for <oauth@ietf.org>; Tue, 2 Dec 2014 03:30:42 -0800 (PST)
Received: by mail-wg0-f45.google.com with SMTP id b13so16757990wgh.32 for <oauth@ietf.org>; Tue, 02 Dec 2014 03:30:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=7K1DtPssSb8aW8//LEoRgLZmIjegaLRyAL6kXL9ZjGc=; b=TSWGiyOujBuEYboAAARLWsk26vt0MkigTUmMtRirNgmgPEhSJWm1OKw9blJaqY0Ofo oj3z0AUWQ1sk/0atjKTonCwfXUzpVmU764kHaMwHVgBase0C1JThHXhRVq7dUHm8ZzgI vWCaesWoxaSNUA9K5vTAtyzAwi2irG6InsJLxWKIzIE/vfR2GvHc/c3PtHpAEaDqMYtx 77Gt2gCFEEM/qCJAmOnry21MA7VKGWS4qMGVr+s+a9S/4B8l+AMwgdQ69W6QAh3ucLwy z54eu9CjX7ILATAqiop3xNcX819blDXU+MOPHzgVeJTIiE93yky/Eof1VFw+9CphpMXa bTXA==
X-Received: by 10.194.238.3 with SMTP id vg3mr63841589wjc.69.1417519839857; Tue, 02 Dec 2014 03:30:39 -0800 (PST)
Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id td9sm32375192wic.15.2014.12.02.03.30.38 for <oauth@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Dec 2014 03:30:39 -0800 (PST)
Message-ID: <547DA2DE.4050400@gmail.com>
Date: Tue, 02 Dec 2014 11:30:38 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <547DA128.9090606@gmx.net>
In-Reply-To: <547DA128.9090606@gmx.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/JQMRT9umXmR8tDNC7GLVrW51poc
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 11:30:45 -0000

Hi Hannes
On 02/12/14 11:23, Hannes Tschofenig wrote:
> Hi Justin,
>
> I have a few remarks regarding version -01 of the token introspection
> document.
>
> * Terminology
>
> The token introspection protocol is a client-server protocol but the
> term "client" already has a meaning in OAuth. Here the client of the
> token introspection protocol is actually the resource server. I believe
> it would make sense to clarify this issue in the terminology section or
> in the introduction. Maybe add a figure (which you could copy from
> Figure 4 of
> http://www.ietf.org/id/draft-ietf-oauth-pop-architecture-00.txt.
>
> Maybe you want to call these two parties, the introspection client and
> the introspection server.
>
> * Scope
>
> I think the document needs to be very clear that is only applicable to
> bearer tokens (and not to PoP tokens). This issue was raised at the last
> IETF meeting as well.
>
Interesting, I was reading the doc yesterday and thought it was good it 
was not talking about specific access token types :-)

I wonder why a pop token can not be introspected in the interoperable 
way as per the text for the resource server to tale the authorization 
decision ?

Thanks, Sergey

> * Meta-Information
>
> You have replicated a lot of the claims defined in
> https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-31
> and I am wondering why you have decided to not just re-use the entire
> registry from JWT?
>
> If you want to create a separate registry (which I wouldn't recommend)
> then you have to put text into the IANA consideration section.
>
> When you write:
>
> "
> The endpoint MAY allow other parameters to provide further context to
> the query.
> "
>
> You could instead write that the token introspection MUST ignore any
> parameters from the request message it does not understand.
>
> Of course, there is the question whether any of those would be security
> critical and hence ignoring them would cause problems?!
>
> * Security
>
> The requirement for authenticating the party issuing the introspection
> request to the token introspection endpoint is justified in the security
> and the privacy consideration section. The security threat is that an
> attacker could use the endpoint to testing for tokens. The privacy
> threat is that a resource server learns about the content of the token,
> which may contain personal data. I see the former as more dangerous than
> the latter since a legitimate resource server is supposed to learn about
> the authorization information in the token. An attacker who had gotten
> hold of tokens will not only learn about the content of the token but he
> will also be able to use it to get access to the protected resource itself.
>
> In any case, to me this sounds like mutual authentication should be
> mandatory to implement. This is currently not the case. On top of that
> there is single technique mandatory-to-implement outlined either (in
> case someone wants to use it). That's in general not very helpful from
> an interoperability point of view. Yet another thing to agree on between
> the AS and the RS.
>
> * SHOULDs
>
> This is my usual comment that any SHOULD statement should give the
> reader enough information about the trade-off decision he has to make.
> When should he implement something and when should he skip it?
>
> * Minor items
>
> You write:
>
> "
> These include using
>     structured token formats such as JWT [JWT] or SAML [[ Editor's Note:
>     Which SAML document should we reference here? ]] and proprietary
>     inter-service communication mechanisms (such as shared databases and
>     protected enterprise service buses) that convey token information.
> "
>
> Just reference the JWT since that's what we standardize.
>
> * 'Active' claim
>
> you write:
> "
>     active  REQUIRED.  Boolean indicator of whether or not the presented
>        token is currently active.  The authorization server determines
>        whether and when a given token is in an active state.
> "
>
> Wouldn't it make more sense to return an error rather than saying that
> this token is not active.
>
> * Capitalization
>
> Reading through the text I see bearer token/Bearer Token, Client/client,
> etc. issue.
>
> * AS <-> RS relationship
>
> You write:
> "
>     Since
>     OAuth 2.0 [RFC6749] defines no direct relationship between the
>     authorization server and the protected resource, only that they must
>     have an agreement on the tokens themselves, there have been many
>     different approaches to bridging this gap.
> "
>
> I am not sure what you mean by "defines no relationship" between the AS
> and the RS. Of course, there is a relationship. The AS issues tokens for
> access for a specific RS. The RS needs to understand the tokens or if it
> does not understand them it needs to know which AS to interact with to
> learn about the content.
>
> In a nutshell, I am not sure what you want to say with this paragraph
> particularly since you state that they have to have an agreement about
> the tokens.
>
>
> Ciao
> Hannes
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.39.1 | Report a Bug | By Email | System Status