Re: [OAUTH-WG] self-issued access tokens
toshio9.ito@toshiba.co.jp Fri, 01 October 2021 01:07 UTC
From: toshio9.ito@toshiba.co.jp
To: saschapreibisch@gmail.com, Vittorio=40auth0.com@dmarc.ietf.org
CC: oauth@ietf.org
Date: Fri, 01 Oct 2021 01:07:00 +0000
Message-ID: <TYCPR01MB5678C7E6F314225FE6BA1765E5AB9@TYCPR01MB5678.jpnprd01.prod.outlook.com>
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAO_FVe59G=OJ8=51ogVDMe+WWQ8a0xwb_Q6V0vFtH7cLsQNU2w@mail.gmail.com> <CAP=vD9v1CYBTJLngaAoU0GcEt7A63oGqPSZLYuoYT=QRKLy2WA@mail.gmail.com>
In-Reply-To: <CAP=vD9v1CYBTJLngaAoU0GcEt7A63oGqPSZLYuoYT=QRKLy2WA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_3grvKm1FFL-vzmQwq1-IBESfMk>
Subject: Re: [OAUTH-WG] self-issued access tokens
Thanks for the comment, Vittorio. Yes, we need to be careful about replay attacks on self-issued access tokens. I think DPoP Proof provides a good (if not perfect) protection against it because it contains rich context about the request.

Thanks for the pointer, Sascha, I'll look at it.

Toshio Ito

From: Sascha Preibisch <saschapreibisch@gmail.com>
Sent: Thursday, September 30, 2021 12:27 AM
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: ito toshio <toshio9.ito@toshiba.co.jp>; IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] self-issued access tokens

Vittorio,

I wrote an approach where a client would receive a grant by the authorization server but issues the token itself. The post can be found here: https://oauth.blog/oauthblog.jsp (fancy name: Serverless Token Issuance)

I presented the idea at IIW right before I wrote the post. I believe that it would work nicely and would avoid the need for an authorization server to manage access_tokens.

Regards,
Sascha

On Tue, 28 Sept 2021 at 23:13, Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org> wrote:

Hi Toshio,

The scenario you describe is comparable to https://openid.net/specs/openid-connect-self-issued-v2-1_0.html, at least in terms of validation logic. Please note that most of the validation software in common use today expects to work with just a handful of keys, typically one provider and allowance for rotation, hence it might not be trivial to repurpose it to perform large table scans in scenarios where you have many clients and corresponding keys.

Also, Prabath's blog makes a statement that, I believe, overstates what can be achieved with this approach: he says that this can be a replacement for TLS mutual authentication, but it isn't really the case, as you are still dealing with a bearer token, which can be replayed after issuance, hence offering fewer guarantees than mutual TLS.

On Tue, Sep 28, 2021 at 6:54 PM <toshio9.ito@toshiba.co.jp> wrote:

Hi OAuth folks,

I have a question. Is there (or was there) any standardizing effort for "self-issued access tokens"?

Self-issued access tokens are mentioned in a blog post by P. Siriwardena in 2014 [*1]. It's an Access Token issued by the Client and sent to the Resource Server. The token is basically a signed document (e.g. JWT) by the private key of the Client. The Resource Server verifies the token with the public key, which is provisioned in the RS in advance.

I think self-issued access tokens are a handy replacement for the Client Credentials Grant flow in simple deployments, where it's not so necessary to separate AS and RS. In fact, Google supports this type of authentication for some services [*2][*3].

I'm wondering if there are any other services supporting self-signed access tokens. Any comments are welcome.

[*1]: https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
[*2]: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
[*3]: https://google.aip.dev/auth/4111

-------------
Toshio Ito
Research and Development Center
Toshiba Corporation

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth