IETF Logo Mail Archive

Re: [OAUTH-WG] self-issued access tokens

Daniel Fett <fett@danielfett.de> Wed, 29 September 2021 15:42 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA5503A1B0E for <oauth@ietfa.amsl.com>; Wed, 29 Sep 2021 08:42:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o_SYiCt-6o93 for <oauth@ietfa.amsl.com>; Wed, 29 Sep 2021 08:42:23 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 994393A1B0A for <oauth@ietf.org>; Wed, 29 Sep 2021 08:42:22 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 7567B150D3 for <oauth@ietf.org>; Wed, 29 Sep 2021 15:42:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1632930136; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=6hUyMeYhXh+20r501J2HGYkr5Zih4VAjty7ligEUiTc=; b=h1e/KLYr87T2jgheWDP5gUzssCmg8CBpht37nHSB/Cor1ciITskILFVOJzgz5S3gNyy4e3 z3F2D79NuZ9OYhTxXQtMcPWpkETlF5hNOTq6Y8tdbG5VGWBeZ6y8CUTdL4h8kND78oy0p8 5D6YxOuE7CPzYJh/P9xhXYY2DZMtXDI=
To: oauth@ietf.org
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <581ea93b-ab52-e4e2-ec53-c776060e99d1@danielfett.de>
Date: Wed, 29 Sep 2021 17:42:15 +0200
MIME-Version: 1.0
In-Reply-To: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------25A068A1E99B970C49786697"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1632930136; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=6hUyMeYhXh+20r501J2HGYkr5Zih4VAjty7ligEUiTc=; b=remWL5q50P9bXogCxfKF7PWCMxF70GprnhF2viNUzyirzC2mkiNSb/Wz3zDYuKSFunrdA3 dNeYcHtF4dkLqv2fzvHtUB8R5zg/BiQrhdjnIqghGUTr+q+FQkntfwDR/OB0tW922lYWjJ MncFEZaLbks8hBG89ZPxtZx1AWOV1WY=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1632930136; a=rsa-sha256; cv=none; b=IwZSt3yvMrxXXR6tUFJM3NmvYrUY3CEX5esnwMlZjMXo+BeZMqNs0CTSJIBLBAkUKYzNWr S9Qpza8kEqcUn0uZMjZ2yCIidGGU5x4JhGOiAGHy2AQSKfxMTKxBm8KI+1JJNbxHM+wPcW dQNbASDXa2VI6KmflWOTfuTJOsYFWjc=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: --
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TurjT-UlZcjr1rM-gsqAjivKN1s>
Subject: Re: [OAUTH-WG] self-issued access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2021 15:42:29 -0000

That very much sounds like a static string as the access token plus DPoP.

-Daniel

Am 29.09.21 um 03:54 schrieb toshio9.ito@toshiba.co.jp:
> Hi OAuth folks,
>
> I have a question. Is there (or was there) any standardizing effort for
> "self-issued access tokens"?
>
> Self-issued access tokens are mentioned in a blog post by P. Siriwardena in 2014
> [*1]. It's an Access Token issued by the Client and sent to the Resource Server.
> The token is basically a signed document (e.g. JWT) by the private key of the
> Client. The Resource Server verifies the token with the public key, which is
> provisioned in the RS in advance.
>
> I think self-issued access tokens are handy replacement for Client Credentials
> Grant flow in simple deployments, where it's not so necessary to separate AS and
> RS. In fact, Google supports this type of authentication for some services
> [*2][*3]. I'm wondering if there are any other services supporting self-signed
> access tokens.
>
> Any comments are welcome.
>
> [*1]: https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
> [*2]: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
> [*3]: https://google.aip.dev/auth/4111
>
> -------------
> Toshio Ito
> Research and Development Center
> Toshiba Corporation
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


-- 
https://danielfett.de

v2.35.0 | Report a Bug | By Email | System Status