Re: [OAUTH-WG] self-issued access tokens

Nikos Fotiou <fotiou@aueb.gr> Thu, 30 September 2021 21:40 UTC

From: Nikos Fotiou <fotiou@aueb.gr>
To: 'David Waite' <david@alkaline-solutions.com>
Cc: 'Daniel Fett' <fett@danielfett.de>, oauth@ietf.org
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <581ea93b-ab52-e4e2-ec53-c776060e99d1@danielfett.de> <09C675DC-1DC8-4860-A4DD-CE70B1FD5577@aueb.gr> <DF934801-CDCF-4653-A5ED-0A9F3E26652E@alkaline-solutions.com>
In-Reply-To: <DF934801-CDCF-4653-A5ED-0A9F3E26652E@alkaline-solutions.com>
Date: Fri, 01 Oct 2021 00:40:14 +0300
Message-ID: <03ee01d7b643$c175dcf0$446196d0$@aueb.gr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_htW6cL0bSt8m-T09zwVNZMvSh4>

> Are you using DPoP at issuance of the credential and embedding the public
> key as the means to verify the subject?

Exactly. We are using "client credentials" as grant type. The credential
used as grant is the client's public key and we are using DPoP to prove
possession. Then the public key is embedded in the VC (which is encoded as a
JWT).

> Are you going so far as using DPoP in lieu of Verifiable Presentation
> wrappers?

Yes. Since our VCs are encoded in JWT, they are included in the
Authorization header of HTTP requests and we are using DPoP to prove
possession. So we do not use Verifiable Presentations at all.

Best,
Nikos

> On Sep 30, 2021, at 12:47 AM, Nikos Fotiou <fotiou@aueb.gr> wrote:
> 
> FYI, this is exactly what we are doing in [1] to manage Verifiable
> Credentials using OAuth2.0. The AS issues a verifiable credential that stays
> (for a long time) in the client. The client uses DPoP to prove ownership of
> the credential. We just started a new project funded by essif [2] that will
> further develop this idea and provide implementations.
> 
> Best,
> Nikos
> 
> [1] N. Fotiou, V.A. Siris, G.C. Polyzos, "Capability-based access
> control for multi-tenant systems using OAuth 2.0 and Verifiable
> Credentials," Proc. 30th International Conference on Computer
> Communications and Networks (ICCCN), Athens, Greece, July 2021
> (https://mm.aueb.gr/publications/0a8b37c5-c814-4056-88a7-19556221728c.pdf)
> [2] https://essif-lab.eu
> --
> Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr