IETF Logo Mail Archive

Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

Neil Madden <neil.madden@forgerock.com> Thu, 29 March 2018 16:41 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9182C12DA12 for <oauth@ietfa.amsl.com>; Thu, 29 Mar 2018 09:41:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id noHwbtjAIA11 for <oauth@ietfa.amsl.com>; Thu, 29 Mar 2018 09:41:54 -0700 (PDT)
Received: from mail-wm0-x234.google.com (mail-wm0-x234.google.com [IPv6:2a00:1450:400c:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D3F9127522 for <oauth@ietf.org>; Thu, 29 Mar 2018 09:41:53 -0700 (PDT)
Received: by mail-wm0-x234.google.com with SMTP id a20so31001632wmd.1 for <oauth@ietf.org>; Thu, 29 Mar 2018 09:41:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=date:from:to:cc:message-id:in-reply-to:references:subject :mime-version; bh=r5ym7bJYHsdSGRmCr6FEpq9/KfJhXTEtLi/rv0WPoZ8=; b=T1TCr7cFHOH7FFOBZb8obl+/zaC0dybQ37WgnCR/EJ3YZ3KCk3LhbkkbzHHvNJt6vi Bl3lMmgX2Hce9fCT8z9f8vfW+THqW7xxvO6cPhYfjhJ3b16XaZhzi5y6QgJhgOu2FCMG 9TMmr9odUJy1xCv5Riz78M7UBZFGv1eJLucDw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:message-id:in-reply-to :references:subject:mime-version; bh=r5ym7bJYHsdSGRmCr6FEpq9/KfJhXTEtLi/rv0WPoZ8=; b=tQje6uFsgSrA0xzNTzJkLSa9hYN/O2t8AJrfcd7ZfWyoY+xgkHjDMqOJQTKM8wpSBp tAirDQBd2xZSH0vD5zOh0CIwMNdMFIkO7QQvvX179vW3wg5SVvejMxKwI2uj34vbouZt ROKaeV9iBng5IfB/VTckM8T3ymVjZKGA9x9dDDgGcyCwXEb4265bFqn043dnDRNdQAOH 0PRH+45wtqGCR8Hgxy7TlmS/M8G6+KsQwC3NoQ2SqLmiu6DkOXxe61KEAX1YFUikr+3J tPYxsGYLukS7fR/7FtPvSJ5OPpw6XfrE/De5KccDeGJ1tZIDVlhFRSkCmqHijuWAVqvb i3dA==
X-Gm-Message-State: AElRT7GZZ27I0LirNUHhVWLNjv9XKMHtud6qWBHQx0EiZYws79NFlt+s CS7n9umAsl1AKZ2Qg/6vRqnmFrP9RKY=
X-Google-Smtp-Source: AIpwx49fy+QDHYgd0d6QU8uYBrPhE7lxuDoO4f4g6CBEr14/6xCxodtSbXRmBustwRIRtf/ApDzd7g==
X-Received: by 10.28.158.10 with SMTP id h10mr362638wme.105.1522341711838; Thu, 29 Mar 2018 09:41:51 -0700 (PDT)
Received: from [192.168.1.81] (148.199.93.209.dyn.plus.net. [209.93.199.148]) by smtp.gmail.com with ESMTPSA id t8sm2915050wmc.20.2018.03.29.09.41.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 29 Mar 2018 09:41:50 -0700 (PDT)
Date: Thu, 29 Mar 2018 17:41:48 +0100
From: Neil Madden <neil.madden@forgerock.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Message-ID: <6395c148-6b46-4964-b56b-e9e3fd2839d1@Canary>
In-Reply-To: <1452DCC9-3D8A-42E5-94A4-87B5D2B291AC@forgerock.com>
References: <152140077785.15835.11388192447917251931.idtracker@ietfa.amsl.com> <2A1E98B8-973E-44F0-96F0-E319FD6969A8@lodderstedt.net> <1452DCC9-3D8A-42E5-94A4-87B5D2B291AC@forgerock.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="5abd174d_625558ec_2e4d"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Z9qAO-SCNSb7ErfNlCww7uSdzDc>
Subject: Re: [OAUTH-WG] New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2018 16:41:58 -0000

I’ve just realised that “crit” is for headers while the “scope” claim is in the payload, so a different approach would be needed in that case (or the scope would need to be duplicated into the headers).

Kind regards,

Neil

--

> On Wednesday, Mar 28, 2018 at 4:41 pm, Neil Madden <neil.madden@forgerock.com (mailto:neil.madden@forgerock.com)> wrote:
> I like this draft, but I want to clarify if it is intended that the response JWT could be interpreted as an OpenID Connect ID Token? As the set of claims can overlap (in particular, all required ID token claims are valid token introspection response fields) and it seems highly likely that an AS will use the same keys for signing both (and it definitely will when the client_secret is used for signing), the signed response JWT could well be indistinguishable from an ID token (for the resource owner) with some additional claims.
>
> If this is not the case, then maybe consider adding a “crit”: [“scope”] claim to the response (https://tools.ietf.org/html/rfc7515#section-4.1.11) to indicate that the scope claim must be understood.
>
> I can think of one potential use-case (I’ll let you decide the merits of it) where it might actually be useful to explicitly allow the response to be an ID Token. Consider an application (RS) that uses a traditional authorization model: it authenticates a user, sets a cookie, and then based on who that user is makes dynamic access control decisions to see what they are allowed to do (e.g., ACLs, RBAC, whatever). An easy way to upgrade this app to modern standards would be to replace the home-spun authentication system with OIDC, but leave the rest in place. Now the system uses OIDC to authenticate the user, sets the ID token as the cookie, and then still applies the same access control decisions that it always has done.
>
> Now imagine that a new requirement comes in to support OAuth 2.0 access tokens to allow delegation to third-party apps. A really simple way to achieve that would be to put a filter/reverse proxy in front of the RS that extracts access tokens coming in, performs signed JWT token introspection against the AS to validate the token and then checks the the scopes are appropriate for the request. It can then simply replace the access token in the original request with the signed token introspection response (as ID token) and forward it on to the original RS server. As the introspection response is a valid ID token for the resource owner, the RS will then apply all its normal access control checks to ensure that the resource owner actually has the permissions that they have delegated to the client.
>
> I think potentially that is quite an interesting application of this draft, but I don’t think it was intended! I think probably a decision should be made as to whether that kind of usage should be allowed and explicitly adjust the draft to either allow or deny it. If it is allowed, then possibly there should be a way for the caller to hint that they want the response to be a valid ID token.
>
> Kind regards,
>
> Neil
>
> > On 18 Mar 2018, at 19:33, Torsten Lodderstedt <torsten@lodderstedt.net (mailto:torsten@lodderstedt.net)> wrote:
> > Hi all,
> >
> > I just submitted a new draft that Vladimir Dzhuvinov and I have written. It proposes a JWT-based response type for Token Introspection. The objective is to provide resource servers with signed tokens in case they need cryptographic evidence that the AS created the token (e.g. for liability).
> >
> > I will present the new draft in the session on Wednesday.
> >
> > kind regards,
> > Torsten.
> >
> > > Anfang der weitergeleiteten Nachricht:
> > > Von: internet-drafts@ietf.org (mailto:internet-drafts@ietf.org)
> > > Betreff: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> > > Datum: 18. März 2018 um 20:19:37 MEZ
> > > An: "Vladimir Dzhuvinov" <vladimir@connect2id.com (mailto:vladimir@connect2id.com)>, "Torsten Lodderstedt" <torsten@lodderstedt.net (mailto:torsten@lodderstedt.net)>
> > >
> > >
> > > A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> > > has been successfully submitted by Torsten Lodderstedt and posted to the
> > > IETF repository.
> > >
> > > Name: draft-lodderstedt-oauth-jwt-introspection-response
> > > Revision: 00
> > > Title: JWT Response for OAuth Token Introspection
> > > Document date: 2018-03-15
> > > Group: Individual Submission
> > > Pages: 5
> > > URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
> > > Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
> > > Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
> > > Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
> > >
> > >
> > > Abstract:
> > > This draft proposes an additional JSON Web Token (JWT) based response
> > > for OAuth 2.0 Token Introspection.
> > >
> > >
> > >
> > >
> > > Please note that it may take a couple of minutes from the time of submission
> > > until the htmlized version and diff are available at tools.ietf.org (http://tools.ietf.org/).
> > >
> > > The IETF Secretariat
> > >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org (mailto:OAuth@ietf.org)
> > https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email