Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens
Andrii Deinega <andrii.deinega@gmail.com> Thu, 11 February 2021 21:47 UTC
Return-Path: <andrii.deinega@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19C643A0C28 for <oauth@ietfa.amsl.com>; Thu, 11 Feb 2021 13:47:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-P9n6wkN_y0 for <oauth@ietfa.amsl.com>; Thu, 11 Feb 2021 13:47:48 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C295A3A0C20 for <oauth@ietf.org>; Thu, 11 Feb 2021 13:47:47 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id i8so12325149ejc.7 for <oauth@ietf.org>; Thu, 11 Feb 2021 13:47:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VGPGGeV3K6i0mQXHzk/B+y5do/pSTFILzTUssOtOeTI=; b=lCos0jpkRBWwdEI9Sm4af8k3OqtNq+xNuhyOkZhY2HKWG+Eq2Z+WiaLvobsnVXg2Wm rAcvOZeEKZ/4N6bTo64dJ9FjRLSjQkJjeT2ph+3zGsE+kFjXzXuy8hXOug1SWQDiTgcU uWoBD81mXjfxmSFj0fKe7hj0ou3YSPPtLWziQ9T83a7BZfVk3RXFgz005ArW4ct7wmv7 PMm+8HtqXFNygkUfd/kjag1JrPmlYDJEBLUEfp5kxTncM0USCVzfy3vzcnu/0yyLgeHQ L9ZlvD+7olYHf+lfYXAQ6nr+4i5SijUy23NM/+mAfL59RlLIeJgWat0AKTW7SbnEZUK1 qatA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VGPGGeV3K6i0mQXHzk/B+y5do/pSTFILzTUssOtOeTI=; b=bWNQVNuiBspBckBLjM5rtISQx32lidc0cdPyi+UzkEYHJAzNh9HxCeM8gUC41WAoN4 PbxW7xPzXZqZzq8bFBSIcxsU4dNvtyro2/qnLn1wbmAtlIz23uNPBFXU4LNsDVJDpygU AnhdRDhV0O2r1x7ilS6Q6K56FTwlJ9cTlMr2JcpuNJQuBWhfnMcUNyBm+kFqCZXTPjPV IoHifBTGnUEHQND3TUpUAfU4sX0Zb9XWupXrYFo3nEPyBjdWqKMEorilq3fJIpqpUpx+ YBf3vB8mzJA2v4TlQWV03wmZ0ikB7oj//euPNtMOj2WRu7r1fnzDi21ayLnHS8fZNsED OXaA==
X-Gm-Message-State: AOAM531uUUlR8x315S0rca9wmMvlsmv2kW3xCbgIgwxouh9aTI6nHXlD dcy5UshqfOkG6gQT+0DodHl82x/PHK2BCBJn9PfiB3PrUu7j5A==
X-Google-Smtp-Source: ABdhPJyehPkzOdy833N651KvRj8A5g6jAIWex7TKRj88d9egx4YyGYM8wV8LpkdTT4ynU6dK+sAAAaPnXNwRVtQcdYg=
X-Received: by 2002:a17:907:d25:: with SMTP id gn37mr10440863ejc.303.1613080065010; Thu, 11 Feb 2021 13:47:45 -0800 (PST)
MIME-Version: 1.0
References: <CAJot-L05Nb5FQQ_OOgW_s4Mswo0GW3-j7HTTxtbR2OgqESijWg@mail.gmail.com> <579E1C30-107C-43E6-A521-01A674DAB0F3@lodderstedt.net> <CAJot-L1tMjM=JHtn3sHROLtzoxAkOGr33m66mcRH9-Vvss6QRg@mail.gmail.com> <78c83541-0b77-1c16-a302-3e88b2842947@connect2id.com> <CAJot-L0q1MZvW_h=puyu6_htk_y5gx0VhdC4RyaJn_eucO_36Q@mail.gmail.com> <d58fac58-1125-1c0b-d674-b54d122c5939@connect2id.com>
In-Reply-To: <d58fac58-1125-1c0b-d674-b54d122c5939@connect2id.com>
From: Andrii Deinega <andrii.deinega@gmail.com>
Date: Thu, 11 Feb 2021 13:47:34 -0800
Message-ID: <CALkShcvqX6Y59TK95UsKDKMuuA5GX+RmRLBPri13eeaMpwBTCw@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000044f01005bb1678cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZzyijziLg7K1kJd2L2QRcN0PM_E>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 21:47:51 -0000
Hi Vladimir, What would be a value in the aud claim for refresh tokens? Regards, Andrii On Tue, Feb 9, 2021 at 3:06 AM Vladimir Dzhuvinov <vladimir@connect2id.com> wrote: > Hi Warren, > On 08/02/2021 17:59, Warren Parad wrote: > > None of that justified explicitly stating that refresh token introspection > shouldn't be done. At best it suggests that we should explicitly add > language in the draft to directly encourage it. > > Did you mean discourage? > > But if an AS wants to support it, we shouldn't stop them, or suggest that > they can't do it. > > The current draft doesn't mention refresh tokens at all. Its subject is > the introspection of access tokens by authenticated resource servers and > returning the response as a signed JWT. The use of refresh tokens at the > introspection endpoint, per RFC 7662, is not forbidden by the draft. > > > > Allowing refresh tokens to be introspected can also create a conflict with >> the sec recommendation to rotate them > > > Not following, can you explain this further? > > I just double checked the rotation spec. Use that triggers rotation is > clearly specified as "access token response", so there should actually be > no issues with confusing introspection as use. > > > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.13.2 > > RFC 7662 also seems to imply that a public client with a refresh token > should not normally be able to introspect it, because it can't authenticate > to the AS. > > https://tools.ietf.org/html/rfc7662#section-2.2 > > To prevent token scanning attacks, the endpoint MUST also require > some form of authorization to access this endpoint, such as client > authentication as described in OAuth 2.0 [RFC6749 <https://tools.ietf.org/html/rfc6749>] or a separate > OAuth 2.0 access token such as the bearer token described in OAuth > 2.0 Bearer Token Usage [RFC6750 <https://tools.ietf.org/html/rfc6750>]. The methods of managing and > validating these authentication credentials are out of scope of this > specification. > > > Vladimir > > > > Warren Parad > > Founder, CTO > Secure your user data and complete your authorization architecture. > Implement Authress <https://authress.io>. > > > On Mon, Feb 8, 2021 at 4:13 PM Vladimir Dzhuvinov <vladimir@connect2id.com> > wrote: > >> At first it may appear that allowing refresh tokens at the introspection >> endpoint may be a logical thing to do, but in practice there are issues >> with that and from an OAuth 2.x perspective it's not easy to justify. >> >> If the point is to let clients check what authorization they have been >> given OAuth 2.0 already provides a std way to do that - in the access token >> response - the "scope" parameter: >> >> https://tools.ietf.org/html/rfc6749#section-5.1 >> >> RAR has a similar parameter: >> >> https://tools.ietf.org/html/draft-ietf-oauth-rar-03#section-3.4.1 >> >> If the point is to find if a refresh token is still valid - this can be >> found out by simply using it. Allowing refresh tokens to be introspected >> can also create a conflict with the sec recommendation to rotate them. So >> thus it may be a better idea to not let clients assume too much about them. >> >> >> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.2.2 >> >> If the AS is going to expose refresh token data to a client it will also >> have to make a careful judgement what data it exposes. >> >> https://tools.ietf.org/html/rfc7662#section-2.2 >> >> For instance "sub". OAuth 2.x in the relation between AS and client >> actually has no concept or definition of subject / end-user identifier. And >> this is done for a good reason, because it's not a user authentication >> protocol. OIDC was designed for that. And to prevent tracking of users and >> other privacy issues OIDC also specifies pairwise subject IDs. The plain >> OAuth 2.x world doesn't have this. >> >> Vladimir >> On 08/02/2021 11:07, Warren Parad wrote: >> >> It doesn't work that way. You suggested to add language to the draft, >> that means the burden of proof is on you to justify adding it. >> >> Otherwise I could just say why not? >> >> And I can go stronger, what's the purpose of nho introspection endpoint >> at all, and why encourage sending access tokens to the AS? >> >> Even if you can justify access tokens, there currently isn't evidence >> provided why we should explicity discourage. >> >> >> On Mon, Feb 8, 2021, 03:18 Torsten Lodderstedt <torsten@lodderstedt.net> >> wrote: >> >>> >>> >>> Am 08.02.2021 um 00:56 schrieb Warren Parad <wparad@rhosys.ch>: >>> >>> >>> >>>> I‘m therefore leaning towards explicitly stating in our draft that it >>>> is not intended to be used with refresh tokens. >>> >>> I'm not following, why explicitly state that it isn't intended. If an AS >>> wants to provide a similar JSON response to a query with the refresh token, >>> why not encourage that? >>> >>> >>> Why should we encourage it? >>> >>> >>> Warren Parad >>> >>> Founder, CTO >>> Secure your user data and complete your authorization architecture. >>> Implement Authress >>> <https://www.google.com/url?q=https://authress.io&source=gmail-imap&ust=1613346997000000&usg=AOvVaw267Z448csTGn3F6REIQ9pT> >>> . >>> >>> >>> On Sun, Feb 7, 2021 at 10:58 PM Torsten Lodderstedt <torsten= >>> 40lodderstedt.net@dmarc.ietf.org> wrote: >>> >>>> Hi Andrii, >>>> >>>> Am 07.02.2021 um 21:30 schrieb Andrii Deinega <andrii.deinega@gmail.com >>>> >: >>>> >>>> >>>> Hi Torsten, >>>> >>>> thank you for your response. >>>> >>>> My use case is pretty straight forward >>>> >>>> An OAuth client queries the AS to determine the active state of an >>>> access token and gets the introspection response which indicates that this >>>> access token is active (using RFC7662). >>>> >>>> An OAuth client queries the AS to determine the active state of a >>>> refresh token and gets the introspection response which indicates that this >>>> refresh token is active (using RFC7662). >>>> >>>> An OAuth client queries the AS to determine the active state of an >>>> access token and gets the introspection response (JWT) which indicates >>>> that this access token is active (using this draft). >>>> >>>> Now, an OAuth client queries the AS to determine the active state of a >>>> refresh token (using this draft)... How will the introspection response >>>> look like assuming that the client provides the valid refresh token and >>>> technically, nothing stops it from doing so. >>>> >>>> >>>> why should the state be provided as JWT?I think the plain JSON response >>>> is sufficient in that case. I also think using token introspection for >>>> checking the state of a token from the client side has limited utility. The >>>> definitive decision is always made when the client tries to access a >>>> resource. >>>> >>>> I‘m therefore leaning towards explicitly stating in our draft that it >>>> is not intended to be used with refresh tokens. >>>> >>>> best regards, >>>> Torsten. >>>> >>>> >>>> Regards, >>>> Andrii >>>> >>>> >>>> On Sun, Feb 7, 2021 at 4:14 AM Torsten Lodderstedt < >>>> torsten@lodderstedt.net> wrote: >>>> >>>>> Hi Andrii, >>>>> >>>>> thanks for your post. >>>>> >>>>> The draft is intended to provide AS and RS with a solution to exchange >>>>> signed (and optionally encrypted) token introspection responses in order to >>>>> provide stronger assurance among those parties. This is important in use >>>>> cases where the RS acts upon the introspection response data and wants the >>>>> AS to take liability re the data quality. >>>>> >>>>> I’m not sure whether there are similar use cases if a client >>>>> introspects a refresh token. What is your use case? >>>>> >>>>> best regards, >>>>> Torsten. >>>>> >>>>> > Am 07.02.2021 um 08:41 schrieb Andrii Deinega < >>>>> andrii.deinega@gmail.com>: >>>>> > >>>>> > Hi WG, >>>>> > >>>>> > draft-ietf-oauth-jwt-introspection-response-10 states that "OAuth >>>>> 2.0 Token Introspection [RFC7662] specifies a method for a protected >>>>> resource to query an OAuth 2.0 authorization server to determine the state >>>>> of an access token and obtain data associated with the access token." which >>>>> is true. Although, according to RFC7662, the introspection endpoint allows >>>>> to introspect a refresh token as well. Hence, the question I have is how >>>>> will a token introspection response look like when the caller provides a >>>>> refresh token and sets the "Accept" HTTP header to >>>>> "application/token-introspection+jwt"? >>>>> > >>>>> > I expect there will be no differences, right? >>>>> > >>>>> > If so, I suggest to >>>>> > • replace "a resource server" by "the caller" in section 4 >>>>> (Requesting a JWT Response) >>>>> > • change "If the access token is invalid, expired, revoked" by >>>>> "If a given token is invalid, expired, revoked" in section 5 (JWT Response) >>>>> > If not, my suggestion would be to clarify what the AS should do when >>>>> it asked to introspect the refresh token in general and additionally, what >>>>> should happen in the same case based on the type of the caller from the >>>>> AS's point of view. >>>>> > >>>>> > Regards, >>>>> > Andrii >>>>> > >>>>> >>>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> <https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/oauth&source=gmail-imap&ust=1613346997000000&usg=AOvVaw3ZHWt08dlcHAgxyfj2hrsX> >>>> >>> >> _______________________________________________ >> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth >> >> -- >> Vladimir Dzhuvinov >> >> -- > Vladimir Dzhuvinov > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] JWT Response for OAuth Token Introspec… Andrii Deinega
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Andrii Deinega
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Warren Parad
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Warren Parad
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Warren Parad
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Andrii Deinega
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Vladimir Dzhuvinov