Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-introspection-response-09

Roman Danyliw <rdd@cert.org> Fri, 02 October 2020 17:11 UTC

Return-Path: <rdd@cert.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C15623A11F3 for <oauth@ietfa.amsl.com>; Fri, 2 Oct 2020 10:11:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mg5OgvI_oyJn for <oauth@ietfa.amsl.com>; Fri, 2 Oct 2020 10:11:44 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2460B3A11EC for <oauth@ietf.org>; Fri, 2 Oct 2020 10:11:43 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 092HBgQX026324; Fri, 2 Oct 2020 13:11:42 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 092HBgQX026324
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1601658702; bh=dnG6BqVdpTQlNga4nFdf6V/olsAnhOpzmjXhZGwy2X4=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=UWTyM5U4mu8hy5eF9CV3zR+RkS+IbsJZYkwJLdU2zFbtNgpzqz+oySbprMj/SSx43 mp0CsZoavXn4MTkLzDB0rinLV8KMbVX/j24EQ+3tJsEoKZl7aeODv0lHzTlLvGP/1U C+NW/OyhoN9Yk1g5WQWyXRBQ58bSAY5e98EKr8VM=
Received: from MORRIS.ad.sei.cmu.edu (morris.ad.sei.cmu.edu [147.72.252.46]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 092HBflY033071; Fri, 2 Oct 2020 13:11:41 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MORRIS.ad.sei.cmu.edu (147.72.252.46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Fri, 2 Oct 2020 13:11:41 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Fri, 2 Oct 2020 13:11:41 -0400
From: Roman Danyliw <rdd@cert.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-introspection-response-09
Thread-Index: AdZ3yNCMMi3AzHwFQQyw6c2oHNRUWAD/NPKAB0YNQFA=
Date: Fri, 2 Oct 2020 17:11:39 +0000
Message-ID: <8dc3552dc8564a549e19171c3306c8ce@cert.org>
References: <8a42a78a8a3645f793b0991e4dd5bb34@cert.org> <428325A0-611A-4E3B-943A-4D848F7BB038@lodderstedt.net>
In-Reply-To: <428325A0-611A-4E3B-943A-4D848F7BB038@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.177]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/QWh5ThkKKqphSGF0fin8FIZzvmM>
Subject: Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-introspection-response-09
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Oct 2020 17:11:46 -0000

Hi Torsten!

Sorry for my tardy response.  Yes, the proposed edits and explanations address my concerns.

Roman

> -----Original Message-----
> From: Torsten Lodderstedt <torsten@lodderstedt.net>
> Sent: Wednesday, August 26, 2020 8:26 AM
> To: Roman Danyliw <rdd@cert.org>
> Cc: oauth@ietf.org
> Subject: Re: [OAUTH-WG] AD Review of draft-ietf-oauth-jwt-introspection-
> response-09
> 
> Hi Roman,
> 
> thanks for your review feedback.
> 
> > On 21. Aug 2020, at 16:43, Roman Danyliw <rdd@cert.org> wrote:
> >
> > Hi!
> >
> > I conducted an another AD review of draft-ietf-oauth-jwt-introspection-
> response-09.  As background, -07 of this document went to IESG Review and
> the document was brought back to the WG to address the DISCUSS points.
> >
> > Below is my feedback which can be addressed concurrently with IETF LC.
> >
> > ** Section 5.  I want to clarify what are the permissible members of
> token_introspection.  The two relevant text snippets seem to be:
> >
> > (a) "token_introspection  A JSON object containing the members of the
> >           token introspection response, as specified in the "OAuth
> >           Token Introspection Response" registry established by
> >           [RFC7662] as well as other members."
> >
> > (b) "Claims from the "JSON Web Token Claims" registry that are
> >           commonly used in [OpenID.Core] and can be applied to the
> >           resource owner MAY be included as members in the
> >           "token_introspection" claim."
> >
> > -- Per (a), Recommend citing the IANA sub-registry directly --
> https://www.iana.org/assignments/oauth-parameters/oauth-
> parameters.xhtml#token-introspection-response (and not the "as specified in
> the "OAuth Token Introspection Response" registry established by [RFC7662]")
> 
> done
> 
> >
> > -- Per (a), "... as well as other members", what members is this referencing?
> Is that (b)?  Recommend being clear upfront on which exact registries are the
> sources of valid members.
> 
> I reworked the whole paragraph (hrefs for registries not shown).
> 
> As specified in section 2.2. of [RFC7662], specific implementations MAY extend
> the token introspection response with service-specific claims. In the context of
> this specification, such claims will be added as top-level members of the
> token_introspection claim. Response names intended to be used across
> domains MUST be registered in the OAuth Token Introspection Response
> registry defined by [RFC7662]. In addition, claims from the JSON Web Token
> Claims registry established by [RFC7519] MAY be included as members in the
> token_introspection claim. They can serve to convey the privileges delegated to
> the client, to identify the resource owner or to provide a required contact
> detail, such as an e-Mail address or phone number. When transmitting such
> claims the AS acts as an identity provider in regard to the RS. The AS
> determines based on its RS-specific policy what claims about the resource
> owner to return in the token introspection response.
> 
> Does this work for you?
> 
> >
> > -- Per (b), "... commonly used in [OpenId.Core]", what are those specifically?
> Is that claims registered in
> https://www.iana.org/assignments/jwt/jwt.xhtml#claims whose reference is
> [OpenID Connect Core 1.0]?  Recommend being unambiguous in which claims
> are permitted by pointing the IANA registry.
> >
> > -- If I'm understanding right that the source comes either from oauth-
> parameters.xhtml#token-introspection-response or jwt.xhtml#claims, what
> happens if it isn't one of those?
> 
> Every implementation is also free to use their own specific claims. This is
> defined in section 2.2. of RFC
> 
> >
> > ** Section 5.  Per " The AS MUST ensure the release of any privacy-sensitive
> data is legally based", recommend also including a forward reference to Section
> 9
> 
> done
> 
> best regards,
> Torsten.
> 
> >
> > Regards,
> > Roman
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth