Re: [OAUTH-WG] [Last-Call] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard

Brian Campbell <bcampbell@pingidentity.com> Thu, 27 August 2020 14:45 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D3603A0C49 for <oauth@ietfa.amsl.com>; Thu, 27 Aug 2020 07:45:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zhgdP9c-FdZY for <oauth@ietfa.amsl.com>; Thu, 27 Aug 2020 07:45:01 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CD1F3A0C44 for <oauth@ietf.org>; Thu, 27 Aug 2020 07:45:00 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id q8so673187lfb.6 for <oauth@ietf.org>; Thu, 27 Aug 2020 07:45:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lZqF5of2yXmlvWhKVRdpoKle/3s+CWYzsqKVEwuEFyQ=; b=ITyxToFkm+B8kUZw929DAGszuDdZnJ+gardwYDll7BRS/y85drCwZPs20dLOLqrsdP vIMFRRBj4IPD4pjb3L2/kfbG747JcLFcEnRxpDpmG7VBQ4aVtbIUV/hhx3v4PMqC7XNJ KC7jZAiScTGeXVJ4ZeGZrKr7jA5VncRvhZUPhjCASxHmNAFqQLur92QGXkdTbCyVFeHs zEGfqHMljJn2/cFwpe6rQmFkaqFGRr3fjNfDVoxVP5tnBmKg9SHQkhUbUJ/fyFoDyqXd xwH6lbxq4KxtUoKjBZr+xSkY6uXXrVRA82vopV/6gjZoOk0A3+y5fxb/U0aewudx0W43 5hkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lZqF5of2yXmlvWhKVRdpoKle/3s+CWYzsqKVEwuEFyQ=; b=bHmLVdZHoeRVT3cwL5tNUrliYndqs7mUCezuM2WwevPEgsO4e3fDwfkj9ou/j7kyEs Rbq+wAaqhh2Pp23A4BfGHqwHkQjsTWR6t/eZD+UTgoB9IJUs7SF24AknUZpR7NovKQRM 1pz58Xjg/rxqOqjlen3EexIGjB7umkgqGlSNDzy2BWYxQwp7MtDCHoHUeQWfoH5rUIZ7 uiPTvME02rOsmMfjWk9IJ6js6bfnrX+6uFlNl1Gc3mHoQo4EC0/GY9ZJoDwqeZPGaOXv gxxbsWAHC3a0tbjbSYwIbZotPCVINC68sH7EOs1kKW0Kzb/w4NQVn3ATfLfm0vCsq8kx K08Q==
X-Gm-Message-State: AOAM533iXZer/16V+kzaT1x2bJHilEBPH5ejSzPzlORu8foF9GK/UbM1 vHCZhIl52AC66oPnBQnyO7YNVFwME8t3Pd36p1R2ibveOgb95jwlRGOfDKxpVjls0MRvPDBBcvk xZ1FRHYdRXO6PvQ==
X-Google-Smtp-Source: ABdhPJxYeQPGOq4FXYuoqXYC44ACV0drNXKitBUL/FuewOaoqsbt0yc8y1pqU4nF7YHEMrBv0m5s+yQIOvjjgrRvtPQ=
X-Received: by 2002:a19:6e45:: with SMTP id q5mr10125424lfk.104.1598539498917; Thu, 27 Aug 2020 07:44:58 -0700 (PDT)
MIME-Version: 1.0
References: <CH2PR00MB0678DA2BC7234C2AC1CE784DF5541@CH2PR00MB0678.namprd00.prod.outlook.com> <412A63AD-DDE1-4BFE-8234-5A721A0ED88D@lodderstedt.net> <D68FCD40-7365-446A-9F64-2BB59C11B7AE@mit.edu>
In-Reply-To: <D68FCD40-7365-446A-9F64-2BB59C11B7AE@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 27 Aug 2020 08:44:32 -0600
Message-ID: <CA+k3eCSNcp796NtKrXX5EHLdBQcujrX7UapOxsi8QsiSxkZNMg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, oauth <oauth@ietf.org>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, "dick.hardt" <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000fe33a305addcfab8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PbOsf9ZyWYfKXa90mgHn9wMeADY>
Subject: Re: [OAUTH-WG] [Last-Call] Last Call: <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for OAuth Token Introspection) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2020 14:45:04 -0000

+1

On Thu, Aug 27, 2020 at 8:20 AM Justin Richer <jricher@mit.edu> wrote:

> I would clarify that this doesn’t necessarily say that the user’s there,
> and remove the normative requirement (which doesn’t have enforceable teeth
> in this context):
>
> Implementers should be aware that a token introspection request lets the
> AS know when the client
>     (and potentially the user) is accessing the RS, which *can also
> indicate* when the user is using
>     the client. If this implication is not acceptable, *implementers can
> use other means* to carry
>     access token data, e.g. directly transferring the data needed by the
> RS within the access token.
>
>
>  — Justin
>
> On Aug 27, 2020, at 9:48 AM, Torsten Lodderstedt <
> torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>
> Will the following text work for you?
>
> Implementers should be aware that a token introspection request lets the
> AS know when the client
>     (and potentially the user) is accessing the RS, which is also an
> indication of when the user is using
>     the client. If this impliction is not accepatable, implementars MUST
> use other means to carry
>     access token data, e.g. directly transferring the data needed by the
> RS within the access token.
>
>
> On 26. Aug 2020, at 23:12, Mike Jones <
> Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>
> I agree with Dick’s observation about the privacy implications of using an
> Introspection Endpoint.  That’s why it’s preferable to not use one at all
> and instead directly have the Resource understand the Access Token.  One
> way of doing this is the JWT Access Token spec.  There are plenty of others.
>
> The downsides of using an Introspection Endpoint should be described in
> the Privacy Considerations section.
>
>                                                       -- Mike
>
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Dick Hardt
> Sent: Wednesday, August 26, 2020 9:52 AM
> To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
> Cc: last-call@ietf.org; oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Last Call:
> <draft-ietf-oauth-jwt-introspection-response-09.txt> (JWT Response for
> OAuth Token Introspection) to Proposed Standard
>
>
>
> On Wed, Aug 26, 2020 at 4:37 AM Torsten Lodderstedt <
> torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> Hi Denis,
>
> On 25. Aug 2020, at 16:55, Denis <denis.ietf@free.fr> wrote:
>
>
> The fact that the AS will know exactly when the introspection call has
> been made and thus be able to make sure which client
> has attempted perform an access to that RS and at which instant of time.
> The use of this call allows an AS to track where and when
> its clients have indeed presented an issued access token.
>
>
> That is a fact. I don’t think it is an issue per se. Please explain the
> privacy implications.
>
> As I see it, the privacy implication is that the AS knows when the client
> (and potentially the user) is accessing the RS, which is also an indication
> of when the user is using the client.
>
> I think including this implication would be important to have in a Privacy
> Considerations section.
>
> /Dick
> ᐧ
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> --
> last-call mailing list
> last-call@ietf.org
> https://www.ietf.org/mailman/listinfo/last-call
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._