Re: [OAUTH-WG] self-issued access tokens
toshio9.ito@toshiba.co.jp Mon, 04 October 2021 23:56 UTC
From: toshio9.ito@toshiba.co.jp
To: dick.hardt@gmail.com
CC: david@alkaline-solutions.com, oauth@ietf.org
Date: Mon, 04 Oct 2021 23:56:26 +0000
Message-ID: <TYCPR01MB5678F48EE223130C0725646EE5AE9@TYCPR01MB5678.jpnprd01.prod.outlook.com>
In-Reply-To: <CAD9ie-te9E6o3sTeYyasp4KUtMLijWR2y5EHdZDFhKOkKFu_cQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cpUq6R9Gk05ZkzsfllQflTfgWUA>
Subject: Re: [OAUTH-WG] self-issued access tokens
Thanks Dick, I understand.

If the protocol flow is closed within our system, there is little value in standardization. Maybe what I really need is not exactly a standard about self-issued access tokens. Rather, I am looking for recommendations, best-practice documents or implementations about it. If there were such things, we could just reuse them and apply them to our system.

Toshio Ito

From: Dick Hardt <dick.hardt@gmail.com>
Sent: Tuesday, October 5, 2021 12:44 AM
To: ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <toshio9.ito@toshiba.co.jp>
Cc: david@alkaline-solutions.com; oauth@ietf.org
Subject: Re: [OAUTH-WG] self-issued access tokens

Toshio, unless your system needs to interoperate with third party systems, I don't see the value in a standardized JWT. The JWT standard provides a standard token format. What you put in the payload is application specific. You can do a separation of concerns behind your API endpoint for validating the JWT.

If it were me, I would not set up an AS. You won't have to set up the endpoint and the extra call in your client.

On Sun, Oct 3, 2021 at 7:26 PM <toshio9.ito@toshiba.co.jp> wrote:

Thanks Dick,

Our use case is basically option 2. There is only one RS. So, to simplify the architecture, we want to omit the round-trip of getting an access token from the AS. I agree with your idea of using JWTs to convey the client's signature. So my original question was whether there was a standardized profile of a JWT for that purpose. From the responses to this thread so far, I think the answer is no.

Thanks for the comment, David. Yeah, maybe it's wise to have an AS anyway for better extensibility.

Toshio Ito

From: David Waite <david@alkaline-solutions.com>
Sent: Saturday, October 2, 2021 6:04 AM
To: Dick Hardt <dick.hardt@gmail.com>
Cc: ito toshio(伊藤 俊夫 ○RDC□IT研○CNL) <toshio9.ito@toshiba.co.jp>; oauth@ietf.org
Subject: Re: [OAUTH-WG] self-issued access tokens

On Oct 1, 2021, at 11:06 AM, Dick Hardt <dick.hardt@gmail.com> wrote:

<snip>

If there is really only one service, then there is little value in an AS. I would have the client post a JWT that has the request payload in it, or a detached signature if it is a large payload.

Personally, I like sending the request as a JWT as it allows services further down the processing pipeline to independently verify the request from the client. This assumes sufficient computing power on the IoT device, and reasonably low call volume.

One interpretation of the purpose in the AS is to create tokens based on its authorization decisions, while direct submission of client-authored JWTs would be more in line with having the RS make those decisions directly. Even if they were hosted on the same hardware, I'd still push to use an AS-role component in order to optimize the decision making process and to not have to refactor (or risk duplication of) that logic later.

-DW