Re: [OAUTH-WG] self-issued access tokens
Dick Hardt <dick.hardt@gmail.com> Fri, 01 October 2021 17:07 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 01 Oct 2021 10:06:49 -0700
Message-ID: <CAD9ie-u2MRQygYKCDOHBWvu_xO2p96+-vPHir6E3_SEh5OGbqw@mail.gmail.com>
To: toshio9.ito@toshiba.co.jp
Cc: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SK4mkLxT7Xcx3Y3UE1UKKsnAppE>
If it were me, I would be looking at one of two options.

If you have a number of resource servers, then I would have one AS that would manage authentication and authorization of the client. This enables separation of concerns of client authn and authz from the RS, and puts client blacklisting in one place. The client sends its request to the AS signed by its key, and the AS returns an access token to be used against the RS. You could layer on DPoP if needed.

If there is really only one service, then there is little value in an AS. I would have the client post a JWT that has the request payload in it, or a detached signature if it is a large payload. Personally, I like sending the request as a JWT as it allows services further down the processing pipeline to independently verify the request from the client. This assumes sufficient computing power on the IoT device, and reasonably low call volume.

On Thu, Sep 30, 2021 at 9:45 PM <toshio9.ito@toshiba.co.jp> wrote:

> Thanks Dick,
>
> Our use case is to connect IoT devices to a cloud service. The cloud service has to authenticate those devices. The devices are not operated by humans. They run on their own.
>
> We want public key-based authentication for those devices. In that case, mutual TLS is a popular option (e.g. AWS IoT Core). However, we don't want to use mutual TLS for several reasons (e.g. it's too coupled with the transport layer). So, we are seeking a solution that is more in the application layer.
>
> Toshio Ito
>
> *From:* Dick Hardt <dick.hardt@gmail.com>
> *Sent:* Friday, October 1, 2021 12:53 PM
> *To:* ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <toshio9.ito@toshiba.co.jp>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] self-issued access tokens
>
> Would be useful to understand your use case and what your goals and constraints are
>
> On Thu, Sep 30, 2021 at 5:58 PM <toshio9.ito@toshiba.co.jp> wrote:
>
> Thanks Dick,
>
> I agree. The scenario of self-issued access tokens doesn't really follow the model of OAuth.
>
> So, if we do standardize self-issued access tokens, maybe OAUTH WG is not the right venue. Maybe HTTPBIS or HTTPAPI WGs?
>
> Toshio Ito
>
> *From:* Dick Hardt <dick.hardt@gmail.com>
> *Sent:* Wednesday, September 29, 2021 3:06 PM
> *To:* ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <toshio9.ito@toshiba.co.jp>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] self-issued access tokens
>
> If the client is sending a self-signed JWT to the RS, you essentially are just authenticating directly to the RS. Not really OAuth as the RS has not delegated authorization authority to the AS.
>
> If the client sends a self-signed JWT (a PAR) to the AS, and gets back an access token to present to the RS, you get centralized authorization decisions, a key feature of OAuth.
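The second option above (the device posts a JWT that carries the request payload, signed with its own key, so the service and any stage further down the pipeline can verify it independently) sketched as an added Go example. This is not code from Dick, Toshio or the OAuth WG. The JWS algorithm EdDSA (Ed25519, RFC 8037) and the iss/aud/exp/jti claims are standard; the "request" claim name, the device registry keyed by device id, the audience URL and the sample payload are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims of the request JWT. "request" (the application payload) is this
// example's own claim name, not a registered one.
type claims struct {
	Iss     string          `json:"iss"` // device id; selects the verification key
	Aud     string          `json:"aud"`
	Exp     int64           `json:"exp"`
	Jti     string          `json:"jti"`
	Request json.RawMessage `json:"request"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignRequest runs on the device: wrap the payload in claims and sign the
// compact serialization with the device's Ed25519 key (JWS alg "EdDSA").
func SignRequest(deviceID, aud string, key ed25519.PrivateKey,
	payload []byte, now time.Time, ttl time.Duration) (string, error) {
	nonce := make([]byte, 16) // fresh jti so the service can detect replays
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	c, err := json.Marshal(claims{Iss: deviceID, Aud: aud,
		Exp: now.Add(ttl).Unix(), Jti: b64(nonce), Request: payload})
	if err != nil {
		return "", err
	}
	in := b64(h) + "." + b64(c)
	return in + "." + b64(ed25519.Sign(key, []byte(in))), nil
}

// Verifier runs in the service or in any downstream stage that holds the
// device registry. Seen maps accepted jti values to their expiry.
type Verifier struct {
	Audience string
	Keys     map[string]ed25519.PublicKey // device id -> key, filled at enrolment
	Seen     map[string]int64
}

// VerifyRequest returns the authenticated device id and the request payload.
func (v *Verifier) VerifyRequest(token string, now time.Time) (string, []byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", nil, errors.New("malformed token")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	cb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return "", nil, errors.New("bad base64url segment")
	}
	var h struct{ Alg string } // alg is allow-listed; the token never picks it
	if err := json.Unmarshal(hb, &h); err != nil || h.Alg != "EdDSA" {
		return "", nil, errors.New("unsupported alg")
	}
	var c claims // parsed now, but nothing in it is trusted until verified
	if err := json.Unmarshal(cb, &c); err != nil {
		return "", nil, err
	}
	pub, ok := v.Keys[c.Iss] // the key is chosen by the claimed device id...
	if !ok || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", nil, fmt.Errorf("no valid signature for device %q", c.Iss)
	} // ...so a valid signature proves that device really issued these claims
	if c.Aud != v.Audience || now.Unix() >= c.Exp {
		return "", nil, errors.New("wrong audience or expired")
	}
	for j, exp := range v.Seen { // forget jti values that can no longer replay
		if exp <= now.Unix() {
			delete(v.Seen, j)
		}
	}
	if _, dup := v.Seen[c.Jti]; dup {
		return "", nil, errors.New("replayed jti")
	}
	v.Seen[c.Jti] = c.Exp
	return c.Iss, c.Request, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // the device's key pair, generated for the demo
	v := &Verifier{Audience: "https://cloud.example/api", Keys: map[string]ed25519.PublicKey{"device-1": pub}, Seen: map[string]int64{}}
	tok, _ := SignRequest("device-1", v.Audience, priv, []byte(`{"op":"report"}`), time.Now(), time.Minute)
	id, req, err := v.VerifyRequest(tok, time.Now())
	fmt.Println(id, string(req), err)
	_, _, err = v.VerifyRequest(tok, time.Now())
	fmt.Println("second presentation:", err) // rejected as a replay
}
```

The registry, not the token, decides who the sender is: iss only selects which enrolled key must verify the signature, and every other claim is checked after that. Because the signature covers the payload, a later pipeline stage holding the same registry can re-verify the request without trusting the front service. The same signed JWT is what the device would post to an AS under the first option, with the AS returning an access token for the RS. Seen is pruned by exp on every call; a service running several instances would keep it in shared storage so a replay against a second instance is also caught.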