Re: [OAUTH-WG] Listing OAuth Access Token Metadata
Dhaura Pathirana <dhaurapathirana@gmail.com> Wed, 06 April 2022 03:50 UTC
Return-Path: <dhaurapathirana@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CF5E3A0A94 for <oauth@ietfa.amsl.com>; Tue, 5 Apr 2022 20:50:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UkrGi2D2YvG9 for <oauth@ietfa.amsl.com>; Tue, 5 Apr 2022 20:49:56 -0700 (PDT)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com [IPv6:2607:f8b0:4864:20::82d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A508B3A0A8B for <OAuth@ietf.org>; Tue, 5 Apr 2022 20:49:56 -0700 (PDT)
Received: by mail-qt1-x82d.google.com with SMTP id j21so2590769qta.0 for <OAuth@ietf.org>; Tue, 05 Apr 2022 20:49:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=retUEeO8OlTGgqgPWC0CcuVtgSdzizpy0vDCshRVg9M=; b=YncLtX7t+az+Oz6tYb/gHuePjOaPUtElQw/bguJg3sscNu7L3yjnrjb9dYI/Pa9m91 UcgQKKYdbaVe9S441cCCOM09M8itQXI+ryTY5qrqPNHv1TSPe0fHFs5Izg5Ux+ioK+zT SJuxQ4FLj35i4lQAfMnV/lOgK9ATMalg4KNHvVv8h2S5/G+ejV11SKLxY0AC0HsofjgV k/d5gV2BwDZlR4JuDyTPWcnucXLo6zkWECLiceZ3Mkz1S2EzDEOLUYqUSWSPm7+iGXlH ajZtOMwAfxejgENWbfFf55/1rJZU/ein6n1dwYWA1m0PMM2w59tqYLGqOgFRznaTgYDh vWTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=retUEeO8OlTGgqgPWC0CcuVtgSdzizpy0vDCshRVg9M=; b=J9Y2xl53ey1lm9SYTnvNIhEldMyo0vjZm0GPI8T6HjG1hnPmDxviiaKequJO3UMjrW +m1AIW8fX9OuduUTP0ORr12j5Ne61j6QBUJ7GfWXEaUAc1g3zjZ+KMkurrBU81wcN5CO pVwNR50aKIwMf6slzs3J9Gh1kKDqPYun92F8XuLzAc2rhR2o51gF1ovuexhTMTnTCf0G AguqvK+iarjnA5GBuIN3kwBgJKBxL1Df9fdRh7GmuzqifrzfAFUwXXTToBrt+WcjgoXI sMNx4jhYa67qqfyjK88CcNeZABnwKsOT1KBlz+xWtJUXLEGXCkJpM1VQqUed/4wwJ3wW DyWA==
X-Gm-Message-State: AOAM533tb5785RepeJisAhpqjgoOv8aFdkuW3ysC+D6G5vBmQvCM/wDQ scM3ZZx1oGrocsFLmGTHQOgdsOyW6ZOJG+Fie04/ak0o
X-Google-Smtp-Source: ABdhPJzNZxj1cxV0w69biPderGuBbLcgSZTqbkStlmTOkQhctp5AKjzH3d57DxIRxEA9G35VnOn6qrxZZP+LXxaXnI4=
X-Received: by 2002:ac8:5745:0:b0:2e1:b8d9:d6d1 with SMTP id 5-20020ac85745000000b002e1b8d9d6d1mr5873478qtx.422.1649216995311; Tue, 05 Apr 2022 20:49:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAL4nJSZSAEQQOy0dEwwD88Ne+vsQfTmj_RM7MPAFHnd18D7wMA@mail.gmail.com> <CF00B22F-0F92-4578-82DA-7EBF0208F4C6@alkaline-solutions.com> <CAHdPCmNx28rHgBaLtvRKWg9NyVbtJvA2DAs0aNHOoK5h8NvXdQ@mail.gmail.com> <CAJot-L0Q-aA_9CcCDaeLieoqfFPn7S0vKDAXdO5jnwfUDu72FA@mail.gmail.com>
In-Reply-To: <CAJot-L0Q-aA_9CcCDaeLieoqfFPn7S0vKDAXdO5jnwfUDu72FA@mail.gmail.com>
From: Dhaura Pathirana <dhaurapathirana@gmail.com>
Date: Wed, 06 Apr 2022 09:19:44 +0530
Message-ID: <CAL4nJSbnhSpnaJ+wuO6kteUngqa3Wjt45wuq0fY6Ga-+NB1N5w@mail.gmail.com>
To: OAuth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000029c42905dbf44148"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OWqNafs5YpCqKFznce2LUxabwZM>
Subject: Re: [OAUTH-WG] Listing OAuth Access Token Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2022 03:50:02 -0000
Thank you all for the quick replies and I really appreciate the suggestions. One thing that I want to clarify is that, in this use case, the requirement is to list all the access tokens (metadata) (that belong to a single owner) issued for the custom grant but in the introspection specification only metadata can be listed for a given access token. Here, we need PATs rather than a standard OAuth grant type because the token should be issued to a user (not a client) and the user will use this token to access certain APIs through another third-party application (which could be a simple automation script). And also, there are some attributes like alias and description that should be stored with the PAT as they are required for token identification purposes (Those attributes are not common with other standard OAuth grant types). Furthermore, the user should be able to revoke any of his PATs at any time. In the ID token suggestion, it is mentioned to look into OIDC ID token specification. Does it imply that an ID token should be used as a Personal Access Token, instead of an OAuth2 access token, or is it proposed to extract user information? Thank You. Kind Regards, Dhaura Pathirana On Mon, 4 Apr 2022 at 00:13, Warren Parad <wparad@rhosys.ch> wrote: > I'm tempted to say user created PATs are incompatible with OAuth, and > OAuth already has a solution which avoids the user having to manually > create these sorts of tokens. Is there a reason OAuth wouldn't be able to > handle the specific use case. > > Warren Parad > > Founder, CTO > Secure your user data with IAM authorization as a service. Implement > Authress <https://authress.io/>. > > > On Sun, Apr 3, 2022 at 7:56 PM Takahiko Kawasaki <taka@authlete.com> > wrote: > >> Dear Dhaura, >> >> My recommendation to you (undergraduate? LinkedIn says so) is to >> investigate the following as the first step. >> >> >> - ID Token (OpenID Connect Core 1.0, Section 2) >> - UserInfo Endpoint (OpenID Connect Core 1.0, Section 5.3) >> >> >> In general, inventing a new grant type should be the last resort. >> >> Best Regards, >> Takahiko Kawasaki >> >> >> On Sun, Apr 3, 2022 at 3:35 PM David Waite <david= >> 40alkaline-solutions.com@dmarc.ietf.org> wrote: >> >>> >>> On Apr 1, 2022, at 3:24 AM, Dhaura Pathirana <dhaurapathirana@gmail.com> >>> wrote: >>> >>> I would like to know if anyone has seen this (listing token metadata) as >>> a common use case in OAuth2 and a standard way of doing it had been >>> proposed before? >>> >>> >>> OAuth Token Introspection (RFC 7662) defines a way to query for active >>> state and meta-info. >>> >>> However, its use is defined only for protected resources, and not the >>> resource owner or the client the token was issued to. >>> >>> -DW >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] Listing OAuth Access Token Metadata Dhaura Pathirana
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata David Waite
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Takahiko Kawasaki
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Warren Parad
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Dhaura Pathirana
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Warren Parad