Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 08 February 2021 02:18 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7B6F3A0E3D for <oauth@ietfa.amsl.com>; Sun, 7 Feb 2021 18:18:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.987
X-Spam-Level:
X-Spam-Status: No, score=-1.987 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tXBopuhP7fyP for <oauth@ietfa.amsl.com>; Sun, 7 Feb 2021 18:18:50 -0800 (PST)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3C923A0E3A for <oauth@ietf.org>; Sun, 7 Feb 2021 18:18:49 -0800 (PST)
Received: by mail-wm1-x332.google.com with SMTP id a16so11340855wmm.0 for <oauth@ietf.org>; Sun, 07 Feb 2021 18:18:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=tCer/IFcTArqgPndcDvIqqI+DjC4Vd9OuLV9mR6LFjE=; b=f4u5nBrBlrqio7nSlRS21xmxvir8cVJzScSl05FPHYuUjk5BffFI1hmBd9GHXbvd5U 9yHZJ5ibCx9wXbCbp/0U1i5hj0uUSrlLQu4dP2bXwq7NeEBXjJBBDJobnaRWZOLHixzc BgsM1FgtlLPGNyKhL/Ii2n4ELEvg2k6FYh28aPnsdNORZO4ikQKgEBhUpTdbRVbuG8ZI N4k0vKa0PhwO0T+YXaBf5yqUT3zNveojeDDbN1auBp+YNTHe6Tl3hK1O1dJrBGbYXBQj swgOBhn5MqAV6cRde0PMf5JGDDDZyfun3F4RVRJFfaHwolGsKfDv4Lw9Sh9IEE9PEm8Z 92nw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=tCer/IFcTArqgPndcDvIqqI+DjC4Vd9OuLV9mR6LFjE=; b=IgmCHc9pxRrr2iItmwHVmETrDz28yMjYB+RYm4Jl748/1kkgGUq/pbYKMVPeman5Ji 6FQaS7EBJyl5D4cMRelKfQBOJIN28Vu+5jLBwqkbEWTCKNDefL0gQwrsphIwAeeUHC8n PIUVILm+BiPGoq6HnKKDlg9ybZEmQ7LXg2bPmkwC7BxAjHFCC6WjS22IfwW01fy5YQJo 4wJdBUJpB6FbDNaQ2N3mjG/Ogn8TQVhnaylI9Ihc6Ze+GG2a/5fnrFetIKQoA7mbrRNa J4KroIcJiR+8g9SBKY0woXphXdZ1nPyxjUDxXofjIfjiGe1tRAWDAr3Lag5j+d90xamo ZXgw==
X-Gm-Message-State: AOAM533C/w9Q3H5BdNmgkD55Q3+vDr6OOJRxcivVYIi4vALcG8Bmcvxg U4BTQGgGNU2SdilTjslZg8ezkA==
X-Google-Smtp-Source: ABdhPJxCzI8ceKQHOQoj7qSWyWhhx0Vzv/pdsx6vMiwxJS1rkmP6KqNpnxbK+fSxsI5HJiE56Yd+cg==
X-Received: by 2002:a05:600c:4f48:: with SMTP id m8mr12846876wmq.12.1612750727848; Sun, 07 Feb 2021 18:18:47 -0800 (PST)
Received: from [192.168.71.135] (p5b0d9c0a.dip0.t-ipconnect.de. [91.13.156.10]) by smtp.gmail.com with ESMTPSA id y5sm6803333wmi.10.2021.02.07.18.18.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 07 Feb 2021 18:18:46 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail-F01FBA13-513D-475E-8FB7-EB1119030663"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Mon, 08 Feb 2021 03:18:45 +0100
Message-Id: <579E1C30-107C-43E6-A521-01A674DAB0F3@lodderstedt.net>
References: <CAJot-L05Nb5FQQ_OOgW_s4Mswo0GW3-j7HTTxtbR2OgqESijWg@mail.gmail.com>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Andrii Deinega <andrii.deinega@gmail.com>, oauth <oauth@ietf.org>, draft-ietf-oauth-jwt-introspection-response@ietf.org
In-Reply-To: <CAJot-L05Nb5FQQ_OOgW_s4Mswo0GW3-j7HTTxtbR2OgqESijWg@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
X-Mailer: iPad Mail (18B92)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/L-7opMsLLS3O68GwdNHy98hiRJ4>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 02:18:53 -0000


> Am 08.02.2021 um 00:56 schrieb Warren Parad <wparad@rhosys.ch>:
> 
> 
>> I‘m therefore leaning towards explicitly stating in our draft that it is not intended to be used with refresh tokens.
> I'm not following, why explicitly state that it isn't intended. If an AS wants to provide a similar JSON response to a query with the refresh token, why not encourage that?

Why should we encourage it? 

> 
> 	
> Warren Parad
> Founder, CTO
> Secure your user data and complete your authorization architecture. Implement Authress.
> 
> 
>> On Sun, Feb 7, 2021 at 10:58 PM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>> Hi Andrii,
>> 
>>>> Am 07.02.2021 um 21:30 schrieb Andrii Deinega <andrii.deinega@gmail.com>:
>>>> 
>>> 
>>> Hi Torsten,
>>> 
>>> thank you for your response.
>>> 
>>> My use case is pretty straight forward
>>> 
>>> An OAuth client queries the AS to determine the active state of an access token and gets the introspection response which indicates that this access token is active (using RFC7662).
>>> 
>>> An OAuth client queries the AS to determine the active state of a refresh token and gets the introspection response which indicates that this refresh token is active (using RFC7662).
>>> 
>>> An OAuth client queries the AS to determine the active state of an access token and gets the introspection response (JWT) which indicates that this access token is active (using this draft).
>>> 
>>> Now, an OAuth client queries the AS to determine the active state of a refresh token (using this draft)... How will the introspection response look like assuming that the client provides the valid refresh token and technically, nothing stops it from doing so.
>> 
>> why should the state be provided as JWT?I think the plain JSON response is sufficient in that case.  I also think using token introspection for checking the state of a token from the client side has limited utility. The definitive decision is always made when the client tries to access a resource. 
>> 
>> I‘m therefore leaning towards explicitly stating in our draft that it is not intended to be used with refresh tokens.
>> 
>> best regards,
>> Torsten.
>> 
>>> 
>>> Regards,
>>> Andrii
>>> 
>>> 
>>>> On Sun, Feb 7, 2021 at 4:14 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>> Hi Andrii,
>>>> 
>>>> thanks for your post. 
>>>> 
>>>> The draft is intended to provide AS and RS with a solution to exchange signed (and optionally encrypted) token introspection responses in order to provide stronger assurance among those parties. This is important in use cases where the RS acts upon the introspection response data and wants the AS to take liability re the data quality. 
>>>> 
>>>> I’m not sure whether there are similar use cases if a client introspects a refresh token. What is your use case?
>>>> 
>>>> best regards,
>>>> Torsten.  
>>>> 
>>>> > Am 07.02.2021 um 08:41 schrieb Andrii Deinega <andrii.deinega@gmail.com>:
>>>> > 
>>>> > Hi WG,
>>>> > 
>>>> > draft-ietf-oauth-jwt-introspection-response-10 states that "OAuth 2.0 Token Introspection [RFC7662] specifies a method for a protected resource to query an OAuth 2.0 authorization server to determine the state of an access token and obtain data associated with the access token." which is true. Although, according to RFC7662, the introspection endpoint allows to introspect a refresh token as well. Hence, the question I have is how will a token introspection response look like when the caller provides a refresh token and sets the "Accept" HTTP header to "application/token-introspection+jwt"?
>>>> > 
>>>> > I expect there will be no differences, right?
>>>> > 
>>>> > If so, I suggest to
>>>> >       • replace "a resource server" by "the caller" in section 4 (Requesting a JWT Response)
>>>> >       • change "If the access token is invalid, expired, revoked" by "If a given token is invalid, expired, revoked" in section 5 (JWT Response)
>>>> > If not, my suggestion would be to clarify what the AS should do when it asked to introspect the refresh token in general and additionally, what should happen in the same case based on the type of the caller from the AS's point of view.
>>>> > 
>>>> > Regards,
>>>> > Andrii
>>>> > 
>>>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth