Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 20 July 2018 14:16 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"
Thread-Index: AQHUH4gXdJvYc5Qzg0SLBaEcvWfZcaSYJsAAgAACFGA=
Date: Fri, 20 Jul 2018 14:15:59 +0000
Message-ID: <VI1PR0801MB2112D9BE45C4F852CEAF0E4FFA510@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <CAGL6epJQ7qrdTv+RrNhuJ_GqKHzFRV=YDA1aswtTiE9NmK6LjQ@mail.gmail.com> <DM5PR00MB03898165B0E24AA4A41610E9A6510@DM5PR00MB0389.namprd00.prod.outlook.com>
In-Reply-To: <DM5PR00MB03898165B0E24AA4A41610E9A6510@DM5PR00MB0389.namprd00.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XJKnGlQNFMhZcI9oxx7gcJ7zdNs>
Subject: Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 14:16:31 -0000

There are companies doing token introspection by the client already; see https://backstage.forgerock.com/docs/am/6/oauth2-guide/#sec-standards

What security implications do you see?

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Anthony Nadalin
Sent: 20 July 2018 10:07
To: Rifaat Shekh-Yusef; oauth
Subject: Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

I’m concerned over the security implications of a client being able to introspect a token; for bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed, I don’t support this as a WG draft.

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Thursday, July 19, 2018 10:44 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

Hi all,

This is the call for adoption of the 'JWT Response for OAuth Token Introspection' document, following the presentation by Torsten at the Montreal IETF meeting, where we didn't have a chance to do a call for adoption in the meeting itself.

Here is the presentation by Torsten:
https://datatracker.ietf.org/meeting/102/materials/slides-102-oauth-sessa-jwt-response-for-oauth-token-introspection-00

Here is the document:
https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01

Please let us know by August 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.

Regards,
Hannes & Rifaat
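The thread above debates a signed JWT introspection response and what a party that consumes one must check. The example below is added here for illustration; it is not code from the draft, the thread, or any of its authors. It assumes a claim layout of the RFC 7662 introspection fields plus `iss`, `aud`, `iat` and `exp`, an HS256 shared key so it runs on the standard library alone (the draft's authorization server would sign with an asymmetric key), the `typ` value `token-introspection+jwt`, and the hypothetical issuer and audience URLs `https://as.example` and `https://rs.example/api`. The verifier pins the algorithm, checks the signature, and then checks `iss`, `aud`, `active` and `exp`; the `aud` check is what stops a response issued for one resource server from being accepted by another, and the signature check is what stops the introspection data from being altered between the authorization server and the verifier.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the AS and the RS (assumption: HS256 instead of the
# asymmetric key an authorization server would publish via JWKS).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
AS_ISSUER = "https://as.example"         # hypothetical authorization server
RS_AUDIENCE = "https://rs.example/api"   # hypothetical resource server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_introspection_response(claims: dict, key: bytes) -> str:
    """AS side: return the introspection claims as a compact HS256 JWT."""
    header = {"alg": "HS256", "typ": "token-introspection+jwt"}  # typ value is an assumption
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_introspection_response(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """RS side: accept the response only if it is authentic, from the expected AS,
    addressed to this RS, and describes a token that is active and unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the verifier decides, never the incoming header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("response not addressed to this resource server")
    if not claims.get("active"):
        raise ValueError("token inactive")
    # exp is the RFC 7662 expiry of the introspected access token.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("access token expired")
    return claims


def run_demo(now=None) -> tuple:
    """Exercise the accept path and three reject paths; returns (accepted_claims, reasons)."""
    now = int(time.time()) if now is None else now
    # Constructed introspection claims: RFC 7662 fields plus iss/aud/iat.
    claims = {
        "iss": AS_ISSUER,
        "aud": RS_AUDIENCE,
        "active": True,
        "scope": "read write",
        "client_id": "client-123",
        "sub": "user-42",
        "exp": now + 600,
        "iat": now,
    }
    response = sign_introspection_response(claims, DEMO_KEY)
    accepted = verify_introspection_response(response, DEMO_KEY, AS_ISSUER, RS_AUDIENCE, now)

    reasons = []
    # 1. A different RS is handed the same response: the aud check rejects it.
    try:
        verify_introspection_response(response, DEMO_KEY, AS_ISSUER, "https://other-rs.example", now)
    except ValueError as e:
        reasons.append(str(e))
    # 2. Payload edited after signing (scope escalated to "admin"): the signature check rejects it.
    h, p, s = response.split(".")
    edited = json.loads(_b64url_decode(p))
    edited["scope"] = "admin"
    forged = ".".join([h, _b64url(json.dumps(edited, separators=(",", ":")).encode()), s])
    try:
        verify_introspection_response(forged, DEMO_KEY, AS_ISSUER, RS_AUDIENCE, now)
    except ValueError as e:
        reasons.append(str(e))
    # 3. The same response evaluated after the access token's exp has passed.
    try:
        verify_introspection_response(response, DEMO_KEY, AS_ISSUER, RS_AUDIENCE, now + 601)
    except ValueError as e:
        reasons.append(str(e))
    return accepted, reasons


if __name__ == "__main__":
    ok, why = run_demo()
    print("accepted scope:", ok["scope"])
    print("rejections:", why)
```

`run_demo()` builds one constructed response and shows it accepted by the intended resource server, then rejected when presented to another audience, when its payload has been altered, and when the introspected token has expired. A production verifier would additionally resolve the signing key from the authorization server's metadata and treat a response with `active` false as a plain "not valid" rather than as an error.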