Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 25 May 2018 10:24 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F7E4126C0F for <oauth@ietfa.amsl.com>; Fri, 25 May 2018 03:24:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ot0ci5jtrjNT for <oauth@ietfa.amsl.com>; Fri, 25 May 2018 03:24:45 -0700 (PDT)
Received: from smtprelay01.ispgateway.de (smtprelay01.ispgateway.de [80.67.18.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A172D124D68 for <oauth@ietf.org>; Fri, 25 May 2018 03:24:45 -0700 (PDT)
Received: from [84.158.233.58] (helo=[192.168.71.123]) by smtprelay01.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1fM9tn-0007m0-M0; Fri, 25 May 2018 12:24:39 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <885F5820-1A64-4D68-A16F-31E24F450A04@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_B08D6154-0EE1-4481-BE37-7B507D1F0A1E"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Fri, 25 May 2018 12:24:36 +0200
In-Reply-To: <DB5PR05MB1704D9C2A95F37D4B5E6F118FAAD0@DB5PR05MB1704.eurprd05.prod.outlook.com>
Cc: oauth <oauth@ietf.org>
To: Petteri Stenius <Petteri.Stenius@ubisecure.com>
References: <152140077785.15835.11388192447917251931.idtracker@ietfa.amsl.com> <2A1E98B8-973E-44F0-96F0-E319FD6969A8@lodderstedt.net> <DB5PR05MB1704D9C2A95F37D4B5E6F118FAAD0@DB5PR05MB1704.eurprd05.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.6.18)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OF8HUoA0l7Bwk1RW_38T2JUltts>
Subject: Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 May 2018 10:24:49 -0000

HI Petteri,

thanks for your feedback. I incorporated it in the upcoming revision. 

kind regards,
Torsten. 

> Am 26.03.2018 um 11:02 schrieb Petteri Stenius <Petteri.Stenius@ubisecure.com>om>:
> 
> Hi all,
>  
> I want to show my support for this proposal
>  
>  
> I believe the two use cases presented at the IETF meeting [1] are important:
>  
> 1. implementing application level end-to-end integrity protection of the introspection response
> 2. simple conversion of by-reference access tokens into by-value JWT encoded tokens
>  
>  
> This proposal adds three fields to the client metadata. I think there are two issues that should be addressed:
>  
> 1. Remove double "response" from field names. Replace "introspection_response_signed_response_alg" with "introspection_signed_response_alg". Also address two other fields
> 2. Add corresponding fields to provider metadata. For client metadata field "introspection_signed_response_alg" there should exist "introspection_signing_alg_values_supported" in provider metadata. The two other fields need corresponding fields as well.
>  
>  
> Relationship with OpenID Connect
>  
> In OpenID Connect the userinfo endpoint is very similar to introspection endpoint of OAuth. Userinfo supports JWT signing and encryption. Adding JWT signing and encryption to introspection endpoint fills the gap between the two specifications.
>  
>  
> Best regards,
> Petteri Stenius
>  
> [1] https://datatracker.ietf.org/meeting/101/materials/slides-101-oauth-sessb-jwt-introspection-response-01
>  
>  
>  
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Torsten Lodderstedt
> Sent: sunnuntai 18. maaliskuuta 2018 21.33
> To: oauth <oauth@ietf.org>
> Subject: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>  
> Hi all,
>  
> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It proposes a JWT-based response type for Token Introspection. The objective is to provide resource servers with signed tokens in case they need cryptographic evidence that the AS created the token (e.g. for liability). 
>  
> I will present the new draft in the session on Wednesday.
>  
> kind regards,
> Torsten. 
> 
> 
> Anfang der weitergeleiteten Nachricht:
>  
> Von: internet-drafts@ietf.org
> Betreff: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> Datum: 18. März 2018 um 20:19:37 MEZ
> An: "Vladimir Dzhuvinov" <vladimir@connect2id.com>om>, "Torsten Lodderstedt" <torsten@lodderstedt.net>
>  
> 
> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> has been successfully submitted by Torsten Lodderstedt and posted to the
> IETF repository.
> 
> Name:                                           draft-lodderstedt-oauth-jwt-introspection-response
> Revision:                 00
> Title:                       JWT Response for OAuth Token Introspection
> Document date:      2018-03-15
> Group:                                          Individual Submission
> Pages:                                           5
> URL:            https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> Status:         https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
> Htmlized:       https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
> Htmlized:       https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
> 
> 
> Abstract:
>   This draft proposes an additional JSON Web Token (JWT) based response
>   for OAuth 2.0 Token Introspection.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
>