IETF Logo Mail Archive

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

Andrii Deinega <andrii.deinega@gmail.com> Thu, 11 February 2021 21:47 UTC

Return-Path: <andrii.deinega@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19C643A0C28 for <oauth@ietfa.amsl.com>; Thu, 11 Feb 2021 13:47:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Level:
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H-P9n6wkN_y0 for <oauth@ietfa.amsl.com>; Thu, 11 Feb 2021 13:47:48 -0800 (PST)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C295A3A0C20 for <oauth@ietf.org>; Thu, 11 Feb 2021 13:47:47 -0800 (PST)
Received: by mail-ej1-x629.google.com with SMTP id i8so12325149ejc.7 for <oauth@ietf.org>; Thu, 11 Feb 2021 13:47:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VGPGGeV3K6i0mQXHzk/B+y5do/pSTFILzTUssOtOeTI=; b=lCos0jpkRBWwdEI9Sm4af8k3OqtNq+xNuhyOkZhY2HKWG+Eq2Z+WiaLvobsnVXg2Wm rAcvOZeEKZ/4N6bTo64dJ9FjRLSjQkJjeT2ph+3zGsE+kFjXzXuy8hXOug1SWQDiTgcU uWoBD81mXjfxmSFj0fKe7hj0ou3YSPPtLWziQ9T83a7BZfVk3RXFgz005ArW4ct7wmv7 PMm+8HtqXFNygkUfd/kjag1JrPmlYDJEBLUEfp5kxTncM0USCVzfy3vzcnu/0yyLgeHQ L9ZlvD+7olYHf+lfYXAQ6nr+4i5SijUy23NM/+mAfL59RlLIeJgWat0AKTW7SbnEZUK1 qatA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VGPGGeV3K6i0mQXHzk/B+y5do/pSTFILzTUssOtOeTI=; b=bWNQVNuiBspBckBLjM5rtISQx32lidc0cdPyi+UzkEYHJAzNh9HxCeM8gUC41WAoN4 PbxW7xPzXZqZzq8bFBSIcxsU4dNvtyro2/qnLn1wbmAtlIz23uNPBFXU4LNsDVJDpygU AnhdRDhV0O2r1x7ilS6Q6K56FTwlJ9cTlMr2JcpuNJQuBWhfnMcUNyBm+kFqCZXTPjPV IoHifBTGnUEHQND3TUpUAfU4sX0Zb9XWupXrYFo3nEPyBjdWqKMEorilq3fJIpqpUpx+ YBf3vB8mzJA2v4TlQWV03wmZ0ikB7oj//euPNtMOj2WRu7r1fnzDi21ayLnHS8fZNsED OXaA==
X-Gm-Message-State: AOAM531uUUlR8x315S0rca9wmMvlsmv2kW3xCbgIgwxouh9aTI6nHXlD dcy5UshqfOkG6gQT+0DodHl82x/PHK2BCBJn9PfiB3PrUu7j5A==
X-Google-Smtp-Source: ABdhPJyehPkzOdy833N651KvRj8A5g6jAIWex7TKRj88d9egx4YyGYM8wV8LpkdTT4ynU6dK+sAAAaPnXNwRVtQcdYg=
X-Received: by 2002:a17:907:d25:: with SMTP id gn37mr10440863ejc.303.1613080065010; Thu, 11 Feb 2021 13:47:45 -0800 (PST)
MIME-Version: 1.0
References: <CAJot-L05Nb5FQQ_OOgW_s4Mswo0GW3-j7HTTxtbR2OgqESijWg@mail.gmail.com> <579E1C30-107C-43E6-A521-01A674DAB0F3@lodderstedt.net> <CAJot-L1tMjM=JHtn3sHROLtzoxAkOGr33m66mcRH9-Vvss6QRg@mail.gmail.com> <78c83541-0b77-1c16-a302-3e88b2842947@connect2id.com> <CAJot-L0q1MZvW_h=puyu6_htk_y5gx0VhdC4RyaJn_eucO_36Q@mail.gmail.com> <d58fac58-1125-1c0b-d674-b54d122c5939@connect2id.com>
In-Reply-To: <d58fac58-1125-1c0b-d674-b54d122c5939@connect2id.com>
From: Andrii Deinega <andrii.deinega@gmail.com>
Date: Thu, 11 Feb 2021 13:47:34 -0800
Message-ID: <CALkShcvqX6Y59TK95UsKDKMuuA5GX+RmRLBPri13eeaMpwBTCw@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000044f01005bb1678cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZzyijziLg7K1kJd2L2QRcN0PM_E>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 21:47:51 -0000

Hi Vladimir,

What would be a value in the aud claim for refresh tokens?

Regards,
Andrii


On Tue, Feb 9, 2021 at 3:06 AM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> Hi Warren,
> On 08/02/2021 17:59, Warren Parad wrote:
>
> None of that justified explicitly stating that refresh token introspection
> shouldn't be done. At best it suggests that we should explicitly add
> language in the draft to directly encourage it.
>
> Did you mean discourage?
>
> But if an AS wants to support it, we shouldn't stop them, or suggest that
> they can't do it.
>
> The current draft doesn't mention refresh tokens at all. Its subject is
> the introspection of access tokens by authenticated resource servers and
> returning the response as a signed JWT. The use of refresh tokens at the
> introspection endpoint, per RFC 7662, is not forbidden by the draft.
>
>
>
> Allowing refresh tokens to be introspected can also create a conflict with
>> the sec recommendation to rotate them
>
>
> Not following, can you explain this further?
>
> I just double checked the rotation spec. Use that triggers rotation is
> clearly specified as "access token response", so there should actually be
> no issues with confusing introspection as use.
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.13.2
>
> RFC 7662 also seems to imply that a public client with a refresh token
> should not normally be able to introspect it, because it can't authenticate
> to the AS.
>
> https://tools.ietf.org/html/rfc7662#section-2.2
>
>    To prevent token scanning attacks, the endpoint MUST also require
>    some form of authorization to access this endpoint, such as client
>    authentication as described in OAuth 2.0 [RFC6749 <https://tools.ietf.org/html/rfc6749>] or a separate
>    OAuth 2.0 access token such as the bearer token described in OAuth
>    2.0 Bearer Token Usage [RFC6750 <https://tools.ietf.org/html/rfc6750>].  The methods of managing and
>    validating these authentication credentials are out of scope of this
>    specification.
>
>
> Vladimir
>
>
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://authress.io>.
>
>
> On Mon, Feb 8, 2021 at 4:13 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
>
>> At first it may appear that allowing refresh tokens at the introspection
>> endpoint may be a logical thing to do, but in practice there are issues
>> with that and from an OAuth 2.x perspective it's not easy to justify.
>>
>> If the point is to let clients check what authorization they have been
>> given OAuth 2.0 already provides a std way to do that - in the access token
>> response - the "scope" parameter:
>>
>> https://tools.ietf.org/html/rfc6749#section-5.1
>>
>> RAR has a similar parameter:
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-rar-03#section-3.4.1
>>
>> If the point is to find if a refresh token is still valid - this can be
>> found out by simply using it. Allowing refresh tokens to be introspected
>> can also create a conflict with the sec recommendation to rotate them. So
>> thus it may be a better idea to not let clients assume too much about them.
>>
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.2.2
>>
>> If the AS is going to expose refresh token data to a client it will also
>> have to make a careful judgement what data it exposes.
>>
>> https://tools.ietf.org/html/rfc7662#section-2.2
>>
>> For instance "sub". OAuth 2.x in the relation between AS and client
>> actually has no concept or definition of subject / end-user identifier. And
>> this is done for a good reason, because it's not a user authentication
>> protocol. OIDC was designed for that. And to prevent tracking of users and
>> other privacy issues OIDC also specifies pairwise subject IDs. The plain
>> OAuth 2.x world doesn't have this.
>>
>> Vladimir
>> On 08/02/2021 11:07, Warren Parad wrote:
>>
>> It doesn't work that way. You suggested to add language to the draft,
>> that means the burden of proof is on you to justify adding it.
>>
>> Otherwise I could just say why not?
>>
>> And I can go stronger, what's the purpose of nho introspection endpoint
>> at all, and why encourage sending access tokens to the AS?
>>
>> Even if you can justify access tokens, there currently isn't evidence
>> provided why we should explicity discourage.
>>
>>
>> On Mon, Feb 8, 2021, 03:18 Torsten Lodderstedt <torsten@lodderstedt.net>
>> wrote:
>>
>>>
>>>
>>> Am 08.02.2021 um 00:56 schrieb Warren Parad <wparad@rhosys.ch>:
>>>
>>> 
>>>
>>>> I‘m therefore leaning towards explicitly stating in our draft that it
>>>> is not intended to be used with refresh tokens.
>>>
>>> I'm not following, why explicitly state that it isn't intended. If an AS
>>> wants to provide a similar JSON response to a query with the refresh token,
>>> why not encourage that?
>>>
>>>
>>> Why should we encourage it?
>>>
>>>
>>> Warren Parad
>>>
>>> Founder, CTO
>>> Secure your user data and complete your authorization architecture.
>>> Implement Authress
>>> <https://www.google.com/url?q=https://authress.io&source=gmail-imap&ust=1613346997000000&usg=AOvVaw267Z448csTGn3F6REIQ9pT>
>>> .
>>>
>>>
>>> On Sun, Feb 7, 2021 at 10:58 PM Torsten Lodderstedt <torsten=
>>> 40lodderstedt.net@dmarc.ietf.org> wrote:
>>>
>>>> Hi Andrii,
>>>>
>>>> Am 07.02.2021 um 21:30 schrieb Andrii Deinega <andrii.deinega@gmail.com
>>>> >:
>>>>
>>>> 
>>>> Hi Torsten,
>>>>
>>>> thank you for your response.
>>>>
>>>> My use case is pretty straight forward
>>>>
>>>> An OAuth client queries the AS to determine the active state of an
>>>> access token and gets the introspection response which indicates that this
>>>> access token is active (using RFC7662).
>>>>
>>>> An OAuth client queries the AS to determine the active state of a
>>>> refresh token and gets the introspection response which indicates that this
>>>> refresh token is active (using RFC7662).
>>>>
>>>> An OAuth client queries the AS to determine the active state of an
>>>> access token and gets the introspection response (JWT) which indicates
>>>> that this access token is active (using this draft).
>>>>
>>>> Now, an OAuth client queries the AS to determine the active state of a
>>>> refresh token (using this draft)... How will the introspection response
>>>> look like assuming that the client provides the valid refresh token and
>>>> technically, nothing stops it from doing so.
>>>>
>>>>
>>>> why should the state be provided as JWT?I think the plain JSON response
>>>> is sufficient in that case.  I also think using token introspection for
>>>> checking the state of a token from the client side has limited utility. The
>>>> definitive decision is always made when the client tries to access a
>>>> resource.
>>>>
>>>> I‘m therefore leaning towards explicitly stating in our draft that it
>>>> is not intended to be used with refresh tokens.
>>>>
>>>> best regards,
>>>> Torsten.
>>>>
>>>>
>>>> Regards,
>>>> Andrii
>>>>
>>>>
>>>> On Sun, Feb 7, 2021 at 4:14 AM Torsten Lodderstedt <
>>>> torsten@lodderstedt.net> wrote:
>>>>
>>>>> Hi Andrii,
>>>>>
>>>>> thanks for your post.
>>>>>
>>>>> The draft is intended to provide AS and RS with a solution to exchange
>>>>> signed (and optionally encrypted) token introspection responses in order to
>>>>> provide stronger assurance among those parties. This is important in use
>>>>> cases where the RS acts upon the introspection response data and wants the
>>>>> AS to take liability re the data quality.
>>>>>
>>>>> I’m not sure whether there are similar use cases if a client
>>>>> introspects a refresh token. What is your use case?
>>>>>
>>>>> best regards,
>>>>> Torsten.
>>>>>
>>>>> > Am 07.02.2021 um 08:41 schrieb Andrii Deinega <
>>>>> andrii.deinega@gmail.com>:
>>>>> >
>>>>> > Hi WG,
>>>>> >
>>>>> > draft-ietf-oauth-jwt-introspection-response-10 states that "OAuth
>>>>> 2.0 Token Introspection [RFC7662] specifies a method for a protected
>>>>> resource to query an OAuth 2.0 authorization server to determine the state
>>>>> of an access token and obtain data associated with the access token." which
>>>>> is true. Although, according to RFC7662, the introspection endpoint allows
>>>>> to introspect a refresh token as well. Hence, the question I have is how
>>>>> will a token introspection response look like when the caller provides a
>>>>> refresh token and sets the "Accept" HTTP header to
>>>>> "application/token-introspection+jwt"?
>>>>> >
>>>>> > I expect there will be no differences, right?
>>>>> >
>>>>> > If so, I suggest to
>>>>> >       • replace "a resource server" by "the caller" in section 4
>>>>> (Requesting a JWT Response)
>>>>> >       • change "If the access token is invalid, expired, revoked" by
>>>>> "If a given token is invalid, expired, revoked" in section 5 (JWT Response)
>>>>> > If not, my suggestion would be to clarify what the AS should do when
>>>>> it asked to introspect the refresh token in general and additionally, what
>>>>> should happen in the same case based on the type of the caller from the
>>>>> AS's point of view.
>>>>> >
>>>>> > Regards,
>>>>> > Andrii
>>>>> >
>>>>>
>>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> <https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/oauth&source=gmail-imap&ust=1613346997000000&usg=AOvVaw3ZHWt08dlcHAgxyfj2hrsX>
>>>>
>>>
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>> Vladimir Dzhuvinov
>>
>> --
> Vladimir Dzhuvinov
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email