Re: [OAUTH-WG] JWS Access Token concerns

Sergey Beryozkin <> Tue, 23 February 2016 21:54 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 7B9371ACCF6 for <>; Tue, 23 Feb 2016 13:54:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 42Au1e7Namij for <>; Tue, 23 Feb 2016 13:54:36 -0800 (PST)
Received: from ( [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 774E71A8AB3 for <>; Tue, 23 Feb 2016 13:54:36 -0800 (PST)
Received: by with SMTP id g62so244073081wme.1 for <>; Tue, 23 Feb 2016 13:54:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type:content-transfer-encoding; bh=Kr0akONdsVF9yrjHko2WWWvYI8jgMSYB4wzj2JBHPM0=; b=LxvrpdqcRY1BFdrP+ccASz2cnd65sWWnS8cAB71SEY1Sjq36RINk9JJtyf5iwcZi8a EycBJzoi/w6tUCTT1hYd34/Isrcg5ICo91aUw2ZkAob3Tugfau42njhkzjgjW8H5hELO dxL3mVRyYVEBkjPWckmygDqFoUBHRC99c0UQkE+GYAhNK4j0t30B9ZsYnLb9tjs+hTvv zH1BW3MqHmp6TsDxHXVqqFPm8NEwwTxhQKXm4Nhz65InQlnQxbxmWaLw99gIYqCwnH7P BuIAg7kqLtKNJDAkaHQ77zvqDvltRQfkNy5z3UlDgKI+oKhLYOQRHSYg7qVwHowwRO+7 iYOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-type :content-transfer-encoding; bh=Kr0akONdsVF9yrjHko2WWWvYI8jgMSYB4wzj2JBHPM0=; b=hooGbLYhCEj4YiQ9WlvCK7R9emwNyvVKZKm49qVlpnbF2YTUgZDkoLT5A6IIcg6F5k iHWkSfqhbeEy4DrNzap7+R+qDJSjb1SZQ6nyDiE5AJvbGbKvn+9u76+mxIHzZcLLixRa NR6Q8Y7JO2fQ0jLnTg5iB6MdlQ7PaLdhxogOysj7t55TU/dlU1A/4VKZ66qak8sdYqAt fzFvZx9st92YQv6pxuaA4wjoTebxpg7T2GnzT48AyOZtE3jhUvk1Axbwl6EjXWO5DUOD r8ZGrUwMD39kS7lSrNNramSqJJcTRjegdnUC66UabNgFqgMore2g0uyzqHK9m+pSvKgI gI4Q==
X-Gm-Message-State: AG10YOTUNbrvCt9SdeGrs3SSWvwfzi9Lgt+Z+fRM1aGPuv5cN14Nx5/5sTMnD0X9BG9UoA==
X-Received: by with SMTP id p2mr668285wjz.93.1456264474902; Tue, 23 Feb 2016 13:54:34 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id x65sm335173wmg.4.2016. (version=TLSv1/SSLv3 cipher=OTHER); Tue, 23 Feb 2016 13:54:34 -0800 (PST)
To: Antonio Sanso <>
References: <> <> <> <> <> <> <05af01d16d4a$20230af0$606920d0$> <> <> <> <>
From: Sergey Beryozkin <>
Message-ID: <>
Date: Tue, 23 Feb 2016 21:54:20 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] JWS Access Token concerns
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 23 Feb 2016 21:54:38 -0000

On 23/02/16 19:31, Antonio Sanso wrote:
> hi Sergey,
> just my 2 cents
> let’s start from a simple fact that encryption is not authentication. :)
And since then the access tokens are supposed to provide the source 
guarantee to the client ? Can you point to any text somewhere suggesting 
the clients must expect the access tokens be a set of JWT JWS signed 
claims ? (lets put the whole PoP aside for now...)

> Now, if the claim sets of a JWS contains only not confidential information JWS is enough.
You are right - this is close to what I was asking about. My point is 
that given that a JWS-signed JWT content can be processed as easily as 
Base64 encoded data, the problems will start happening if a given OAuth2 
server inadvertently puts more into this JWT container than it should...

Thanks Sergey

> See also inline
> On Feb 23, 2016, at 6:15 PM, Sergey Beryozkin <> wrote:
>> Hi
>> Some OAuth2 providers may return self-contained access tokens which are JWS Compact-encoded.
>> I wonder is it really a good idea and would it not be better to only JWE-encrypt the tokens. I'm not sure JWS signing the claims is necessarily faster then only encrypting the claims, assuming the symmetric algorithms are used in both cases.
> JWE algorithms are all AEAD AFAIK so is not only symmetric encryption plus there is the content key  "wrap algorithm”.
> regards
> antonio
>> For example, my colleague and myself, while dealing with the issue related to parsing an access token response from a 3rd party provider were able to easily check the content of the JWS-signed access_token by simply submitting an easily recognized JWS Compact-formatted value (3 dots) into our JWS reader - we did not have to worry about decrypting it neither the fact we did not validate the signature mattered.
>> But access tokens are opaque values as far as the clients are concerned and if the introspection is needed then the introspection endpoint does exist for that purpose...
>> Thanks, Sergey
>> _______________________________________________
>> OAuth mailing list

Sergey Beryozkin

Talend Community Coders