Re: [OAUTH-WG] self-issued access tokens

David Waite <david@alkaline-solutions.com> Fri, 01 October 2021 21:03 UTC

From: David Waite <david@alkaline-solutions.com>
Message-Id: <FA113C6E-2A9A-4DFD-A7AB-500955EF9B2E@alkaline-solutions.com>
Date: Fri, 01 Oct 2021 15:03:46 -0600
In-Reply-To: <CAD9ie-u2MRQygYKCDOHBWvu_xO2p96+-vPHir6E3_SEh5OGbqw@mail.gmail.com>
Cc: toshio9.ito@toshiba.co.jp, oauth@ietf.org
To: Dick Hardt <dick.hardt@gmail.com>
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAD9ie-sgjUv3fppvTZvPpOyUKXo1H1i9LtkOk2yxzZ1+A+wt6w@mail.gmail.com> <TYCPR01MB56784381BE6799ADAA46E360E5AB9@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAD9ie-tMp44z_b=hG+OWC=Hc83RpC_WZ4AaerRMaOZ8cfEkDSg@mail.gmail.com> <TYCPR01MB56787D963D23F78B0800C6CBE5AB9@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAD9ie-u2MRQygYKCDOHBWvu_xO2p96+-vPHir6E3_SEh5OGbqw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P3iR3Y0tjDDGTkapgXFZu5K4ZrY>


> On Oct 1, 2021, at 11:06 AM, Dick Hardt <dick.hardt@gmail.com> wrote:
<snip>
> If there is really only one service, then there is little value in an AS. I would have the client post a JWT that has the request payload in it, or a detached signature if it is a large payload. Personally, I like sending the request as a JWT as it allows services further down the processing pipeline to independently verify the request from the client.
> 
> This assumes sufficient computing power on the IoT device, and reasonably low call volume.

One interpretation of the purpose in the AS is to create tokens based on its authorization decisions, while direct submission of client-authored JWTs would be more in line with having the RS make those decisions directly.

Even if they were hosted on the same hardware, I’d still push to use an AS-role component in order to optimize the decision making process and to not have to refactor (or risk duplicating) that logic later.

-DW