Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt
Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 04 June 2018 16:30 UTC
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <2F83959E-1CE4-46D8-9AEF-F35F5B958D29@lodderstedt.net>
Date: Mon, 04 Jun 2018 18:29:48 +0200
In-Reply-To: <37aa8ce8-c999-57bd-e4d5-387c6e365adc@aol.com>
Cc: oauth <oauth@ietf.org>
To: George Fletcher <gffletch@aol.com>
References: <152752608213.4961.1659822390005305046.idtracker@ietfa.amsl.com> <4D24E05B-EDC1-458C-A106-662345090399@lodderstedt.net> <37aa8ce8-c999-57bd-e4d5-387c6e365adc@aol.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OQVMx75oCZg5R8pR6ui6ezsqIFI>
Hi George,

> On 01.06.2018 at 17:41, George Fletcher <gffletch@aol.com> wrote:
>
> What is the expectation if the RS requests a signed JWT response but the AS doesn't support it? Should getting a signed response require both? (meaning the Accept header and an AS config that the RP wants it)? That may be the safest from a backward compatibility perspective.

we assume the RS is set up with the AS in advance, so the RS should know whether the AS supports signing.

> I have some concerns around relying on 'iss' and 'aud' to prevent abuse

It's iss + aud + all replay prevention means you can think of (including token binding).

> and wonder if a JWT Header claim describing the context of the JWT might be better.

Any suggestions (cty)?

I'm not sure abuse can be prevented that way since developers need to consider this header claim.

best regards,
Torsten.

> Thanks,
> George
>
> On 5/28/18 12:58 PM, Torsten Lodderstedt wrote:
>> Hi all,
>>
>> I just published a new revision of the JWT Introspection response draft. Based on the feedback in London, the draft entirely focuses on use cases where the RS requires stronger assurance that the respective AS issued the token, including cases where the AS assumes liability for the token's content.
>>
>> We incorporated the following changes:
>> • fixed typos in client meta data field names (thanks Petteri!)
>> • added OAuth Server Metadata parameters to publish algorithms supported for signing and encrypting the introspection response
>> • added registration of new parameters for OAuth Server Metadata and Client Registration
>> • added explicit request for JWT introspection response
>> • made iss and aud claims mandatory in introspection response (thanks Neil!)
>> • Stylistic and clarifying edits, updated references
>>
>> Thanks to all reviewers!
>>
>> Vladimir and I are on the fence whether the Introspection Response format should be determined by the AS based on its policy and/or RS-related registration metadata or whether the RS should explicitly request a JWT response by including an Accept header "application/jwt" in the respective request.
>>
>> What do you think?
>>
>> kind regards,
>> Torsten.
>>
>>> Begin forwarded message:
>>>
>>> From: internet-drafts@ietf.org
>>> Subject: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt
>>> Date: 28 May 2018 at 18:48:02 CEST
>>> To: "Vladimir Dzhuvinov" <vladimir@connect2id.com>, "Torsten Lodderstedt" <torsten@lodderstedt.net>
>>>
>>> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-01.txt
>>> has been successfully submitted by Torsten Lodderstedt and posted to the
>>> IETF repository.
>>>
>>> Name: draft-lodderstedt-oauth-jwt-introspection-response
>>> Revision: 01
>>> Title: JWT Response for OAuth Token Introspection
>>> Document date: 2018-05-28
>>> Group: Individual Submission
>>> Pages: 10
>>> URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-01.txt
>>> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>>> Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01
>>> Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>>> Diff: https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-jwt-introspection-response-01
>>>
>>> Abstract:
>>> This draft proposes an additional JSON Web Token (JWT) based response
>>> for OAuth 2.0 Token Introspection.
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> The IETF Secretariat
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
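An added example, not part of the mail thread or of the draft, modelling the exchange the two messages argue about: the RS asks for a JWT introspection response via the Accept header, and on receipt checks the signature, iss, aud, the validity window and a one-time jti (the "iss + aud + replay prevention" line), while a JWT header marker distinguishes an introspection response from an access token, so that a response JWT carrying the same iss and aud cannot be replayed as an access token (George's concern) and an access token cannot be passed off as an introspection result. Everything named below is an assumption made for the example: the HS256 shared secret standing in for the AS signing key, the issuer and RS identifiers, the `typ` value, the token store and the sample tokens; the -01 draft defines no such header value.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this example (none of these come from the draft):
SECRET = b"constructed-shared-secret"              # HS256 stands in for the AS signing key
AS_ISSUER = "https://as.example"                   # the AS the RS was set up with in advance
RS_ID = "https://rs.example"                       # this RS's identifier, expected in aud
INTROSPECTION_TYP = "introspection-response+jwt"   # illustrative header marker for "context"

ACTIVE_TOKENS = {  # constructed token store on the AS side
    "tok-123": {"sub": "alice", "scope": "read", "client_id": "app1"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes = SECRET) -> str:
    """Compact JWS with HS256; enough to model a signed response offline."""
    h = {"alg": "HS256", **header}
    signing_input = (_b64url(json.dumps(h, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes = SECRET):
    """Return (header, claims) if the signature verifies, else raise ValueError."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_unb64url(h64))
    if header.get("alg") != "HS256":          # the token never gets to choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    return header, json.loads(_unb64url(c64))


def build_introspection_request(token: str) -> dict:
    """RS side: the explicit request for a JWT response is the Accept header."""
    return {"method": "POST", "path": "/introspect",
            "headers": {"Accept": "application/jwt",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": {"token": token}}


def as_introspect(token_value: str, rs_id: str, now: int, jti: str) -> str:
    """AS side: answer with a signed JWT addressed to the requesting RS."""
    active = token_value in ACTIVE_TOKENS
    claims = {"iss": AS_ISSUER, "aud": rs_id, "iat": now, "exp": now + 60,
              "jti": jti, "active": active}
    if active:
        claims.update(ACTIVE_TOKENS[token_value])
    return sign_jwt({"typ": INTROSPECTION_TYP}, claims)


class IntrospectionClient:
    """RS-side validation of a JWT introspection response."""

    def __init__(self, rs_id: str = RS_ID, issuer: str = AS_ISSUER):
        self.rs_id, self.issuer, self.seen_jti = rs_id, issuer, set()

    def validate_response(self, jwt: str, now: int) -> dict:
        header, claims = verify_jwt(jwt)
        # context marker: a JWT with matching iss/aud could still be an access token
        if header.get("typ") != INTROSPECTION_TYP:
            raise ValueError("not an introspection response")
        # iss + aud bind the response to this AS and to this RS
        if claims.get("iss") != self.issuer:
            raise ValueError("wrong issuer")
        aud = claims.get("aud")
        if not (aud == self.rs_id or (isinstance(aud, list) and self.rs_id in aud)):
            raise ValueError("response not addressed to this RS")
        if not (claims.get("iat", 0) <= now < claims.get("exp", 0)):
            raise ValueError("outside validity window")
        # replay prevention: each jti is accepted once within the validity window
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        return claims


def accept_as_access_token(jwt: str, now: int, rs_id: str = RS_ID,
                           issuer: str = AS_ISSUER) -> bool:
    """RS access-token check for the same AS and aud; refuses introspection
    responses even though their iss and aud would otherwise match."""
    try:
        header, claims = verify_jwt(jwt)
    except ValueError:
        return False
    if header.get("typ") == INTROSPECTION_TYP:
        return False
    return (claims.get("iss") == issuer and claims.get("aud") == rs_id
            and claims.get("iat", 0) <= now < claims.get("exp", 0))


if __name__ == "__main__":
    now = 1528000000
    client = IntrospectionClient()
    print(build_introspection_request("tok-123")["headers"])
    resp = as_introspect("tok-123", RS_ID, now, "jti-1")
    print(client.validate_response(resp, now))
    print("usable as access token:", accept_as_access_token(resp, now))
```

The header marker check is what lets the two validators be strict in opposite directions: `validate_response` only accepts JWTs carrying it, `accept_as_access_token` only accepts JWTs without it, so a single AS key and a single `aud` value no longer make the two token kinds interchangeable. Dropping the marker leaves only iss, aud and the jti cache standing between an introspection response and its use as a bearer token at the same RS.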