Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 24 September 2019 09:48 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <83C409C4-3B36-466C-9C49-28A6C9C8A722@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_90EE9B8F-BFBF-4540-8FA1-84E469539D41"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 24 Sep 2019 11:48:51 +0200
In-Reply-To: <c5ee3eed-99df-5d64-a005-e30a0afb3e37@connect2id.com>
Cc: oauth@ietf.org
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
References: <156898250596.30287.14524104153595179086@ietfa.amsl.com> <c5ee3eed-99df-5d64-a005-e30a0afb3e37@connect2id.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KZTH7ehstFTk36Ir__3pHMFOBwE>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwt-introspection-response-08.txt

Hi Vladimir,

> On 24. Sep 2019, at 08:03, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> 
> When implementing 08 a question came up:
> 
> * The token has multiple audiences (aud), e.g ["rs1", "rs2", "rs3"].
> 
> * The RS "rs1" is in the expected audience.
> 
> Are there any considerations (privacy, etc) about returning the full
> audience list ["rs1", "rs2", "rs3"] in the introspection response?
> Theoretically, the RS shouldn't be interested which other RSs may
> legally consume the token, so those may be excluded from the list,
> returning only ["rs1"]

From a privacy perspective, I would expect the AS to reduce the data to the minimum required for the particular RS. In your case, the AS should narrow down the audience to ["rs1"].

From a security perspective, this also reduces the risk for replay at other RSs. https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08#section-8.1

best regards,
Torsten.


> ?
> 

> Vladimir
> 
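The audience narrowing discussed in this thread, as an added example that is not code from the draft or from either participant: a small Python model of the response-building step of an introspection endpoint. It assumes the endpoint has already authenticated the calling resource server and knows its identifier (`requesting_rs`), treats a caller that is not in the token's `aud` as not entitled to the token (returning only `{"active": false}`, the RFC 7662 shape for an inactive token), and otherwise returns the token's claims with `aud` reduced to the caller alone. The sample token claims are constructed for the example; the `aud` handling covers both the single-string and the array form RFC 7519 allows.

```python
"""Narrow the `aud` claim of a token-introspection response to the
requesting resource server (RS).

Added example, not code from draft-ietf-oauth-jwt-introspection-response
or from the thread participants. Assumptions: the introspection endpoint
has authenticated the caller and passes its identifier as
`requesting_rs`; claim names follow RFC 7662 / RFC 7519.
"""
from typing import Any, Dict, List, Mapping

# Constructed sample: a token intended for three resource servers.
SAMPLE_TOKEN_CLAIMS: Dict[str, Any] = {
    "iss": "https://as.example.com",
    "sub": "user-42",
    "client_id": "app-1",
    "aud": ["rs1", "rs2", "rs3"],
    "scope": "read write",
    "iat": 1000,
    "exp": 2000,
}

INACTIVE: Dict[str, Any] = {"active": False}


def audiences(claims: Mapping[str, Any]) -> List[str]:
    """Return the token's audiences as a list.

    RFC 7519 lets `aud` be either a single string or an array of
    strings, so normalise both forms; anything else is ignored.
    """
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list):
        return [a for a in aud if isinstance(a, str)]
    return []


def introspection_response(
    token_claims: Mapping[str, Any], requesting_rs: str, now: int
) -> Dict[str, Any]:
    """Build the introspection payload for one authenticated RS.

    - Expired token: only {"active": false}, nothing else is revealed.
    - Caller not in `aud`: also {"active": false}; the caller is not an
      intended audience, so it learns neither the token's contents nor
      which other RSs may consume it.
    - Otherwise: the claims with `aud` narrowed to the caller only
      (data minimisation, and the response cannot be presented as
      evidence of a valid token for rs2/rs3).
    """
    if int(token_claims.get("exp", 0)) <= now:
        return dict(INACTIVE)
    if requesting_rs not in audiences(token_claims):
        return dict(INACTIVE)

    response: Dict[str, Any] = {
        k: v for k, v in token_claims.items() if k != "aud"
    }
    response["active"] = True
    response["aud"] = [requesting_rs]  # narrowed to the requesting RS
    return response


if __name__ == "__main__":
    import json

    print(json.dumps(introspection_response(SAMPLE_TOKEN_CLAIMS, "rs1", 1500), indent=2))
    print(json.dumps(introspection_response(SAMPLE_TOKEN_CLAIMS, "rs9", 1500), indent=2))
```

Returning `{"active": false}` to a caller outside the audience, rather than the full claim set with the real audience list, keeps the "who else may use this token" information inside the AS; whether to instead reject the request outright is a local policy choice the example does not decide.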