Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?

David Skaife <> Fri, 28 February 2020 14:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2E92F3A1924 for <>; Fri, 28 Feb 2020 06:55:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jvovHbPtLkav for <>; Fri, 28 Feb 2020 06:55:08 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::536]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4CACE3A0B1E for <>; Fri, 28 Feb 2020 06:55:04 -0800 (PST)
Received: by with SMTP id dm3so3690173edb.1 for <>; Fri, 28 Feb 2020 06:55:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oLqzG0LkT9jxtKE59A0kruZ9OwZOTiX2uxvioYWJJE0=; b=mhzp7XgT6g7Nrs4ZvcLuItNXWOProphN04Ooi4G3FJayUjwaZpK4HQEpmuo8O9YIkV kmxvFW0SHMADTKEZ7KHB+hw4XKoI9vQ1GIQlAy6EB2WauUXgetjxkhti+U/zlMPn0sJS L10G3rOkXOXnTXcbIL8/yQCXfG6P7aVmZ8dZbf89PsgWkRebrOOyB7WVOwF7HEiF855m aditkIED52xytyLifdYeVAGss9NdQ9ax09zpuuQ5JEzw1pJuPaYzM27r/B/iMH0LkS2q mHHGkKXiJIqzghufG/WaRGjt1v/MdVZqbFA4saFE/9dn8tPoxyPVW95sSeALqCDVxbDs Hgug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oLqzG0LkT9jxtKE59A0kruZ9OwZOTiX2uxvioYWJJE0=; b=rYgCA5fwA6UfmIMSC9TiahjPErGyajFzkwW7XgiReriSgXPoqXdQKjvXCB9U5B31I4 cEmXluGUZPX68VdK4y3qhdzLdQJw+aR5v2JFx2l6v1I24NOx5bbtTTOJHwOQTzEkwbuX 7YwowxJgn1DVU4XSudU7khwmi2CdgdCz2uXuqJh2mHlAD+URCmQSqXmaWaG9i1HnV+d1 8Qjizo5oxGVur4bbOmNFLB/YJr23fDAbI89ITewj8HSMFSkUOW9/RRBd2OoAmAAf6Ftd Tm/Yt0BsbOy1h0HsRsUPpmI6WzlnoogSULvUl0fyG5W9ukVuJc3fzM2gMKYsCGHSY7Ht Nq0w==
X-Gm-Message-State: APjAAAVipUW+yHd8eaEexg7VyVHnD+pokXRt9WRcKSj4Qz3k0SMecJBI BCdTpQaxHs20IMe62YhnE1New9Nc31NjXt6FfK5u6nH8hT4=
X-Google-Smtp-Source: APXvYqwS6CUildrjCFyGR0MP//0PLZNWBtDQz2tS5qLQwTWyhnzbgDn33YcY1y34aqC0hnG183kXBrMqP/QDcsU7tC4=
X-Received: by 2002:aa7:d747:: with SMTP id a7mr4658223eds.82.1582901702763; Fri, 28 Feb 2020 06:55:02 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: David Skaife <>
Date: Fri, 28 Feb 2020 14:54:53 +0000
Message-ID: <>
To: Bill Jung <>
Content-Type: multipart/alternative; boundary="000000000000b535ba059fa405a0"
Archived-At: <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Token Introspection in RFC7662 : Refresh token?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 28 Feb 2020 14:55:10 -0000


In additional to Bill's query, the use of the term "protected resource" in
the context of RFC7662 is quite confusing. As defined by RFC6749 (which
RFC7662 defers to for definition of the terms), the term "protected
resource" is defined as an "access-restricted resource" that a client can
request. In the context of RFC7662, it doesn't make sense for an
"access-restricted resource" to be making any requests to the introspection
endpoints - surely it is the resource server that is the intended consumer
of the introspection endpoints? This is also backed up by Section 4
(Security Considerations) of RFC7662 which reverts to using the term
"resource server" as the consumer of the introspection endpoints.
For example, in these quotes:
"However, since resource servers using token introspection rely on the
server to determine the state of a token.." and
"...the authorization server MUST determine whether or not the token can be
used at the resource server making the introspection call"

Apologies if I've misinterpreted something here, but if RFC7662 has a
different meaning for the term "protected resource" from RFC6749 then it
should be stated clearly within that document. I also agree with Bill's
observation that it doesn't make sense for a refresh token to passed into
an introspection request as a refresh token should only be accessible to
the client and the authorization server (neither of which are intended
consumers of the introspection endpoints).

Many thanks,
David Skaife

On Fri, Feb 28, 2020 at 9:59 AM Bill Jung <bjung=> wrote:

> Hello, hopefully I am using the right email address.
> Simply put, can this spec be enhanced to clarify "Who can use the
> introspection endpoint for a refresh token? A resource provider or a client
> app or both?"
> RFC7662 clearly mentions that the user of introspection endpoint is a
> 'protected resource' and that makes sense for an access token. If we allow
> this to client apps, it'll give unnecessary token information to them.
> However, the spec also mentions that refresh tokens can also be used
> against the endpoint.
> In case of refresh tokens, user of the endpoint should be a client app
> because refresh tokens are used by clients to get another access token.
> (Cannot imagine how/why a resource server would introspect a refresh token)
> Is it correct to assume that the endpoint should be allowed to client apps
> if they want to examine refresh token's expiry time? Then the RFC should
> clearly mention it.
> Thanks in advance.
> *<Details from the spec>*
> In
> In '1.  Introduction' section says,
> *"This specification defines a protocol that allows authorizedprotected
> resources to query the authorization server to determinethe set of metadata
> for a given token that was presented to them byan OAuth 2.0 client."*
> Above makes clear that user of the endpoint is a "protected resource".
> And under 'token' in '2.1.  Introspection Request' section says,
> *"For refresh tokens,this is the "refresh_token" value returned from the
> token endpointas defined in OAuth 2.0 [RFC6749], Section 5.1."*
> So looks like a refresh token is allowed for this endpoint.
> <>[image: Ping Identity]
> <>
> Bill Jung
> Manager, Response Engineering
> w: +1 604.697.7037
> Connect with us: [image: Glassdoor logo]
> <,24.htm> [image:
> LinkedIn logo] <> [image: twitter
> logo] <> [image: facebook logo]
> <> [image: youtube logo]
> <> [image: Blog logo]
> <>
> <>
> <>
> <>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list