Re: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT
Prabath Siriwardena <prabath@wso2.com> Fri, 08 May 2020 02:29 UTC
Return-Path: <prabath@wso2.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A07D63A0C16 for <oauth@ietfa.amsl.com>; Thu, 7 May 2020 19:29:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wso2.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LygCwkw70kcW for <oauth@ietfa.amsl.com>; Thu, 7 May 2020 19:29:19 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 261963A00D4 for <oauth@ietf.org>; Thu, 7 May 2020 19:29:18 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id m24so179681vsq.10 for <oauth@ietf.org>; Thu, 07 May 2020 19:29:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wso2.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0aVNoNhm5yNsSSSKH3L+xZNw3Fme3uBVwKXYtz31nrI=; b=TZ6jf41KcDu+zhf1PdSpljP72lRaRpDjfj8LFMA4iU1s1axGIzu7KUdPuXofwOwqqQ ZKz1btFiTneJ9YT2Bs+0QDA8KWI/iN2DO+yiJuozkUssbO/hO15vCn6fl6xHjzk8tqEq h3bjX/EGg9R57xrmUi8a+AD59JIq+onprYTto=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0aVNoNhm5yNsSSSKH3L+xZNw3Fme3uBVwKXYtz31nrI=; b=DC4x7srlM+FESZEhviT1eUq2EPKlvJuybVGDuxGm1aQtUnwwLyOc/TlJ5hr8kNxyaV XpoAar04Nny1MaOLHXj+sBA2waO1bujb2Vnpj4zipAAGAl7hNZgNBR9GXEfijYvhcg/P 7ou+9lwyz+ZjOkArPBxU/HPL8mlvP1sV0Aq/gElRZYvWg0+xLmea4SqDh6yQo3EeBjW+ Ijw1sPvAdKlHnfdYLnIW7TMJmXNmye83m/epTp0AsG5+DV4lfAXFg/fwhMR3u+WT0uMM HrZEaVDeANUZusPXFkdG4yzk59nui237rQvOyIw3diQd7a8NlCk1vpa5y52xa/A+AgMM MZbA==
X-Gm-Message-State: AGi0PuaINFbAkWv9/6BBXBXelPRuEkGv3ocliMxTA8fvIxP8U++2ZJGp FF/0I7HIy5z4SqB7JcBtsotmYOPLtjVVv/Db/YB0hg==
X-Google-Smtp-Source: APiQypKqsvsdjWdKpC+2UGqwEf6N+TsxMb8BmESsNmQWt1pLSFU+08nq7mqf+OaIoaHz8BfulPOFq2axrd80eYxgs3w=
X-Received: by 2002:a67:7f89:: with SMTP id a131mr242405vsd.184.1588904957762; Thu, 07 May 2020 19:29:17 -0700 (PDT)
MIME-Version: 1.0
References: <CAGL6epKZhnketE3=XbSBvyBSk8NH_c1c0Pay6+QjL7HKa=fsJQ@mail.gmail.com> <CAJV9qO8Ve9mwpF5FU4OYzfqBTkZ=b5dUOo=RwWBbchTM-WRY4Q@mail.gmail.com> <MWHPR19MB15017968B740A220A3896A7AAEA50@MWHPR19MB1501.namprd19.prod.outlook.com>
In-Reply-To: <MWHPR19MB15017968B740A220A3896A7AAEA50@MWHPR19MB1501.namprd19.prod.outlook.com>
From: Prabath Siriwardena <prabath@wso2.com>
Date: Thu, 07 May 2020 19:29:08 -0700
Message-ID: <CAJV9qO9x+n37ujWGUoK8uC82gDNHAY_hesjs5j7tk6ZedFpSXA@mail.gmail.com>
To: Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000096f47505a519c3c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PlrNkC8my4WntTUCBnQJGxpiR9U>
Subject: Re: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding state into the JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 May 2020 02:29:25 -0000
Thanks Vittorio for your thoughts! On Thu, May 7, 2020 at 1:29 PM Vittorio Bertocci <vittorio.bertocci= 40auth0.com@dmarc.ietf.org> wrote: > Hi Prabath, > > Thanks for your comment! Here are my thoughts. > > I don’t believe embedding the state in the AT would help. The state is > generated (hence verified, if used for protection) by the client, but the > content of the AT is really meant for the RS, which has no direct knowledge > of what the state value should be, not in the first nor all the subsequent > uses of the AT within its validity period. Also, the client itself is > forbidden to inspect the content of the access token- you can find the > details behind that in recent discussions on the list. > > I’ll add to this that the implicit grant is on its way out of the grants > stage, hence doing major changes to accommodate its quirks wouldn’t give a > lot of ROI. > > HTH > > Thanks! > > V. > > > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Prabath Siriwardena > <prabath=40wso2.com@dmarc.ietf.org> > *Date: *Thursday, May 7, 2020 at 11:56 > *To: *Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth <oauth@ietf.org> > *Subject: *[OAUTH-WG] [JWT Profile for OAuth 2.0 Access Tokens] Adding > state into the JWT > > > > Hi all, > > > > Can we say in [1], that the AS should add the value of *state* parameter > from the authorization request (if present), to the JWT access token it > generates? > > > > This will help to address token injection issue [2], with respect to the > implicit grant type. > > > > Appreciate your thoughts on this. > > > > [1]: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07 > > [2]: > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.6 > > > > Thanks > > -Prabath > > > > On Tue, May 5, 2020 at 11:19 AM Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> > wrote: > > Hi all, > > > > This is a 3rd working group last call for "JSON Web Token (JWT) Profile > for OAuth 2.0 Access Tokens". > > > > Here is the document: > > https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-07 > > > > Please send your comments to the OAuth mailing list by May 12, 2020. > > > > Regards, > > Rifaat & Hannes > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] A *Short* 3rd WGLC on "JSON Web Token … Rifaat Shekh-Yusef
- [OAUTH-WG] [JWT Profile for OAuth 2.0 Access Toke… Prabath Siriwardena
- Re: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access … Vittorio Bertocci
- Re: [OAUTH-WG] [JWT Profile for OAuth 2.0 Access … Prabath Siriwardena