Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)

Takahiko Kawasaki <> Mon, 02 March 2020 17:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9B6823A0DAB for <>; Mon, 2 Mar 2020 09:53:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tou4T_60KHT6 for <>; Mon, 2 Mar 2020 09:53:07 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A66C73A0DAC for <>; Mon, 2 Mar 2020 09:53:06 -0800 (PST)
Received: by with SMTP id z11so835298wro.9 for <>; Mon, 02 Mar 2020 09:53:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=6FAP+jEdbpKiMcGt9ACIwnlxOmMVjOCC4Ngr2S5F6GQ=; b=PbIriPbo+2y9hoNDzvWQ7w2Wuyxx5WA3ixozSMoIJ86qI5xvuzoUD3XY9RMiTcqbFB LnZdUb/z8bvoErXp21dY5Qw8vQXjgRu7gzqUE5cNSy1LlHjJ6vgCBGIgPWnhEGdiJ63n o+3Hr7A8h0Ph3pMO94qp3ZFdKiB8qwJDnWRv4W/t+a3cZjPN54Z02oQMXZwLBBSDqtjt VRaPfOk4F22NcHpn8WdlUIge80cPMlqFSlkJ97M0/xuG0TgQKh/5CQYa0FFsmDY6KZil q3xPCC9Fm2/5MOnatjh4+6aZT8nz7D9+MUtx1e1/nMbqZt6pri5xxUL6afJS+2oXBMR5 57DQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6FAP+jEdbpKiMcGt9ACIwnlxOmMVjOCC4Ngr2S5F6GQ=; b=L7UVvQKFjPl3ptaHx3smYmZvKWiehxz9vres7PYxmFZOJrJmjkJdub6VjExQDZkPRo zFaMACLtTKz+ekXQMCUGNVG2cWEb3XUkX2rtr8xNpYQgGWrOBcLSB0kcgZJJalm6Ka3o OG5vLFGsRG28aTZmY9GHlyjdZTDfKbDD2Yt2l6EsKrfqpeDtwHvDNKccBQZeU0t7u/Zw u7saRfB6TflQUfjVMEyu4sn2W1llCGDCMx1qG6TvtxiToWOeKWMuvalZrX6XC83JEsGf zR41RAh+M7q/TsVRiSByBt2lQIeXVVzfRe6j8yoQvmYhW1cZlxjHMrb657PdYmmrYJ/F 4zpw==
X-Gm-Message-State: ANhLgQ2z8F4g8lO9Bj+njZONG4ST3lH7sqNlnavjBcDQyS5jpBnjO6eI FR6iJTB/xo7NKRLIKbxeqeDs+kv7Kc14HjVWdyVyvw==
X-Google-Smtp-Source: ADFU+vsb+BDUIn8CMerFIZsZsTx4o+Mqt8PPmzMGtS1+a0gMNPevLChsNv1JMtFE1Zv1wzZejA6vJc4YZrLp1XGdPNI=
X-Received: by 2002:a5d:67c7:: with SMTP id n7mr670869wrw.319.1583171585149; Mon, 02 Mar 2020 09:53:05 -0800 (PST)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Takahiko Kawasaki <>
Date: Tue, 03 Mar 2020 02:53:20 +0900
Message-ID: <>
To: Torsten Lodderstedt <>
Cc: Torsten Lodderstedt <>, Benjamin Kaduk <>,, The IESG <>, oauth <>,
Content-Type: multipart/alternative; boundary="000000000000f3aa12059fe2dbfe"
Archived-At: <>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 02 Mar 2020 17:53:09 -0000

Do you mean different requests should have the same jti value for better

It is not good that RFC 7662 has chosen "jti" as a property to hold the
identifier for an access/refresh token although the format of introspection
responses is not JWT but just JSON. If the name were, for instance,
"token_id" or something similar, the problem we are discussing now would
not happen.

Because "jti" has a special meaning in JWT and
draft-ietf-oauth-jwt-introspection-response tries to return introspection
responses in JWT format, the problem occurs.

Not only "jti" but also other properties defined in RFC 7662 that have
special meanings in JWT (that is, "jti", "exp", "iat", "nbf", "sub", "aud"
and "iss") may have problems, too. The namespaces should be separated as
you suggested "underlying_access_token", but because not only access tokens
but also refresh tokens may be passed to the introspection endpoint, a
better name should be chosen.


On Tue, Mar 3, 2020 at 1:55 AM Torsten Lodderstedt <>

> > Am 02.03.2020 um 17:52 schrieb Takahiko Kawasaki <>:
> >
> > The requirement for "jti" described
> > in draft-ietf-oauth-jwt-introspection-response-08 is problematic.
> I think having different jti values for different requests is a security
> risk.