Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth Token Introspection" as an OAuth Working Group Item

[Thomas Broyer <t.broyer@gmail.com>]

One issue with Mike's proposal is that all RSs receiving the token would
know all the scopes the token is valid for.

Imagine an app requesting access to scopes allowing it to see your bank
balance and retrieve your wish lists from another RS. It'll get it in the
form of a Bearer token with those two scopes, and will use it at the wish
list RS.
Now the wish list RS decodes the token and sees it grants access to your
bank balance. Because it's a bearer token, it now knows it can use it at
your bank and see your balance.
With opaque tokens and the introspection endpoint, the endpoint could just
tell the wish list RS the token is valid for it, without leaking the fact
it's also valid at your bank.

I know there are better alternatives but they all involve more complexity
for the clients and/or RSs. You won't believe me if I'd tell you how bad
are some developers at their work. I've seen some sending their client
secret as a parameter to the authorization endpoint and all sort of other
stupid things you'd never imagine a web dev to do. The OAuth dance is
already too complex for many, so adding crypto (PoP) or, e.g., asking them
to manage distinct tokens per RS is not realizable in practice. Not now at
least. And our platform goes live in one month from now and we want to have
an ecosystem of clients and resource servers.

When devs are lazy, wouldn't understand crypto, and treat security and
privacy as an afterthought, an introspection endpoint is the way to go.
Le 30 juil. 2014 03:17, "Phil Hunt" <phil.hunt@oracle.com> a écrit :

> Mike's proposal may be sufficient for Thomas' case given a small token
> lifetime.
>
> The federated cases may have other issues....
>
> How does the RS know who issued the opaque token and what introspection
> point is authoritative?
>
> I am not saying your spec is not the right answer. I am just not prepared
> to limit functionality yet by adopting the draft until we have sufficient
> requirements understood.
>
> Let the rest of us catch up please.
>
> Phil
>
> On Jul 29, 2014, at 18:07, Justin Richer <jricher@mit.edu> wrote:
>
> So you want a service where the RS can call an HTTP endpoint to see if the
> token is alive or not? That sounds like an awesome idea! Very useful for a
> variety of use cases that people have already mentioned on that list. Maybe
> that service should respond in JSON with, say, { "active": true } if it's
> still valid. That's a great start, and that should obviously be MTI.
>
> But while we're there, we probably want to know what else the token is
> for, since this service will probably know that, so let's add in the
> "scope" and "client_id" and whatever other meta-information we have about
> the token. If this endpoint doesn't have that information? Well then, I
> guess it can't return it. So we need to make sure to be flexible about that
> while we define a common core set of semantics. Flexibility like that is
> very powerful and could be used in a variety of protocols and deployments
> across domains and vendors.
>
> You know, this idea is sounding better and better. In fact, I'll do you
> one better. I think this is such a fantastic idea that I wrote it all down
> in RFC format:
>
> http://tools.ietf.org/html/draft-richer-oauth-introspection-06
>
> Glad to have you on board, Phil.
>
>  -- Justin
>
> On 7/29/2014 9:02 PM, Phil Hunt wrote:
>
> I think one alternative to an introspection service is a revocation status
> service.
>
>  But it is often not needed if token lifetimes are small (minutes /
> session life) compared to the refresh token which might last much longer.
>
>  Again having info on the case helps explain the requirements of your
> case and we can tell what the best pattern is.
>
> Phil
>
> On Jul 29, 2014, at 17:55, Thomas Broyer <t.broyer@gmail.com> wrote:
>
>   Try it where? When you're the RS trying to determine whether you should
> accept the token or reject it?
> Le 30 juil. 2014 02:49, "Mike Jones" <Michael.Jones@microsoft.com> a
> écrit :
>
>>  Yes, but that’s the simplest thing to determine – try the token and see
>> whether it works or not.
>>
>>
>>
>> *From:* Thomas Broyer [mailto:t.broyer@gmail.com]
>> *Sent:* Tuesday, July 29, 2014 5:43 PM
>> *To:* Mike Jones
>> *Cc:* <oauth@ietf.org>; George Fletcher; Phil Hunt
>> *Subject:* RE: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
>> Token Introspection" as an OAuth Working Group Item
>>
>>
>>
>> Decoding a token with a specific format wouldn't tell you whether the
>> token is still live: it could have been revoked before its expiration.
>>
>> Le 30 juil. 2014 02:16, "Mike Jones" <Michael.Jones@microsoft.com> a
>> écrit :
>>
>> Did you consider standardizing the access token format within that
>> deployment so all the parties that needed to could understand it, rather
>> requiring an extra round trip to an introspection endpoint so as to be able
>> to understand things about it?
>>
>>
>>
>> I realize that might or might not be practical in some cases, but I
>> haven’t heard that alternative discussed, so I thought I’d bring it up.
>>
>>
>>
>> I also second Phil’s comment that it would be good to understand the use
>> cases that this is intended to solve before embarking on a particular
>> solution path.
>>
>>
>>
>>                                                             -- Mike
>>
>>
>>
>> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *George
>> Fletcher
>> *Sent:* Tuesday, July 29, 2014 3:25 PM
>> *To:* Phil Hunt; Thomas Broyer
>> *Cc:* oauth@ietf.org
>> *Subject:* Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth
>> Token Introspection" as an OAuth Working Group Item
>>
>>
>>
>> We also have a use case where the AS is provided by a partner and the RS
>> is provided by AOL. Being able to have a standardized way of validating and
>> getting data about the token from the AS would make our implementation much
>> simpler as we can use the same mechanism for all Authorization Servers and
>> not have to implement one off solutions for each AS.
>>
>> Thanks,
>> George
>>
>> On 7/28/14, 8:11 PM, Phil Hunt wrote:
>>
>>  Could we have some discussion on the interop cases?
>>
>>
>>
>> Is it driven by scenarios where AS and resource are separate domains? Or
>> may this be only of interest to specific protocols like UMA?
>>
>>
>>
>> From a technique principle, the draft is important and sound. I am just
>> not there yet on the reasons for an interoperable standard.
>>
>>
>>
>> Phil
>>
>>
>> On Jul 28, 2014, at 17:00, Thomas Broyer <t.broyer@gmail.com> wrote:
>>
>>  Yes. This spec is of special interest to the platform we're building
>> for http://www.oasis-eu.org/
>>
>>
>>
>> On Mon, Jul 28, 2014 at 7:33 PM, Hannes Tschofenig <
>> hannes.tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> during the IETF #90 OAuth WG meeting, there was strong consensus in
>> adopting the "OAuth Token Introspection"
>> (draft-richer-oauth-introspection-06.txt) specification as an OAuth WG
>> work item.
>>
>> We would now like to verify the outcome of this call for adoption on the
>> OAuth WG mailing list. Here is the link to the document:
>> http://datatracker.ietf.org/doc/draft-richer-oauth-introspection/
>>
>> If you did not hum at the IETF 90 OAuth WG meeting, and have an opinion
>> as to the suitability of adopting this document as a WG work item,
>> please send mail to the OAuth WG list indicating your opinion (Yes/No).
>>
>> The confirmation call for adoption will last until August 10, 2014.  If
>> you have issues/edits/comments on the document, please send these
>> comments along to the list in your response to this Call for Adoption.
>>
>> Ciao
>> Hannes & Derek
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>>
>> --
>> Thomas Broyer
>> /tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>
>>
>>  _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>  _______________________________________________
>>
>> OAuth mailing list
>>
>> OAuth@ietf.org
>>
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
>