Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

Anthony Nadalin <tonynad@microsoft.com> Fri, 20 July 2018 14:06 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"
Thread-Index: AQHUH4gZ4YlaG/gRw0eQMEg8QI9R2aSYJicA
Date: Fri, 20 Jul 2018 14:06:52 +0000
Message-ID: <DM5PR00MB03898165B0E24AA4A41610E9A6510@DM5PR00MB0389.namprd00.prod.outlook.com>
References: <CAGL6epJQ7qrdTv+RrNhuJ_GqKHzFRV=YDA1aswtTiE9NmK6LjQ@mail.gmail.com>
In-Reply-To: <CAGL6epJQ7qrdTv+RrNhuJ_GqKHzFRV=YDA1aswtTiE9NmK6LjQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dFH3SkXO7qFJl0PnKMVwW856MUM>
Subject: Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

I’m concerned over the security implications of a client being able to introspect a token; for bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed, I don’t support this as a WG draft.

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Thursday, July 19, 2018 10:44 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"

Hi all,

This is the call for adoption of the 'JWT Response for OAuth Token Introspection' document following the presentation by Torsten at the Montreal IETF meeting where we didn't have a chance to do a call for adoption in the meeting itself.

Here is presentation by Torsten:
https://datatracker.ietf.org/meeting/102/materials/slides-102-oauth-sessa-jwt-response-for-oauth-token-introspection-00

Here is the document:
https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01

Please let us know by August 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.

Regards,
Hannes & Rifaat