Re: [OAUTH-WG] Token Introspection and JWTs
Vladimir Dzhuvinov <vladimir@connect2id.com> Wed, 28 February 2018 09:53 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADBFA1276AF for <oauth@ietfa.amsl.com>; Wed, 28 Feb 2018 01:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CvE605pyjBvx for <oauth@ietfa.amsl.com>; Wed, 28 Feb 2018 01:53:46 -0800 (PST)
Received: from p3plsmtpa07-04.prod.phx3.secureserver.net (p3plsmtpa07-04.prod.phx3.secureserver.net [173.201.192.233]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FC3A1200B9 for <oauth@ietf.org>; Wed, 28 Feb 2018 01:53:46 -0800 (PST)
Received: from [192.168.0.107] ([78.130.190.73]) by :SMTPAUTH: with SMTP id qyQieaioZkbBXqyQie0y1P; Wed, 28 Feb 2018 02:53:45 -0700
To: oauth@ietf.org
References: <74F11CBE-5ED8-4B2C-B219-F9036E07B3B9@lodderstedt.net>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <1a80c619-51dd-b6cf-8125-057da778ecf0@connect2id.com>
Date: Wed, 28 Feb 2018 11:53:43 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <74F11CBE-5ED8-4B2C-B219-F9036E07B3B9@lodderstedt.net>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070909050907090202050702"
X-CMAE-Envelope: MS4wfHwo5lO7CGVnlgyvaRmzV1vMAJpYSVnlkpe5/koqqY55YEj+1O2NDx6ydewmklfqu+7oWRDAxQMxsswHChcbQbAw8HUa3Z+sTe57kh58KGnpDzKlGKZ8 /qlJ5UJ6AzSy7OI+7Jef96td/laURf7OC+oCWVR0jCm+kGE3pkXXSocR
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gO8CxrUrytyT2I4InPeLorlgHDg>
Subject: Re: [OAUTH-WG] Token Introspection and JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2018 09:53:47 -0000
On 28/02/18 09:48, Torsten Lodderstedt wrote: > Hi all, > > I have an use case where I would like to return signed JWTs from the authorization server’s introspection endpoint. In this case, I would like to give the resource server evidence about the fact the AS minted the access token and is liable for its contents (verified person data used to create a qualified electronic signature). > > Although token introspection more or less provides the RS with the content of a JWT, RFC 7662 only supports plain JSON. I talked to Justin and his recommendation was to use use a header “accept: application/jwt” to ask the AS for a signed JWT as response instead of "application/json“. We could do this but clearly it would be a proprietary solution. Justin's suggestion would be relatively easy to implement. The only small downside I see is that it doesn't allow resource servers to choose a crypto algorithm for the issued JWT, which has become the norm for this kind of things in OAuth and OIDC. > I would like to know whether anyone else has the same or similar requirements and whether it would make sense to specify an extension to RFC 7662 for JWT responses. Because of the requirement for resource servers to authenticate (or submit a token authz) when they make an introspection request, we let them register as a client, using std client registration. In that case to let an RS register preferred JWT algs for the introspection response we could have parameters introspection_response_signed_response_alg introspection_response_encrypted_response_alg introspection_response_encrypted_response_enc (naming follows pattern for ID token and UserInfo algs) Vladimir
- [OAUTH-WG] Token Introspection and JWTs Torsten Lodderstedt
- Re: [OAUTH-WG] Token Introspection and JWTs Vladimir Dzhuvinov
- Re: [OAUTH-WG] Token Introspection and JWTs Mark Dobrinic
- Re: [OAUTH-WG] Token Introspection and JWTs Vladimir Dzhuvinov
- Re: [OAUTH-WG] Token Introspection and JWTs Mark Dobrinic