IETF Logo Mail Archive

[OAUTH-WG] Re: DPoP-bound JWT Authorization Grant

Brian Campbell <bcampbell@pingidentity.com> Wed, 29 October 2025 19:23 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 89BA47E46F52 for <oauth@mail2.ietf.org>; Wed, 29 Oct 2025 12:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AVpfTOx3saR4 for <oauth@mail2.ietf.org>; Wed, 29 Oct 2025 12:23:53 -0700 (PDT)
Received: from mail-ua1-x92c.google.com (mail-ua1-x92c.google.com [IPv6:2607:f8b0:4864:20::92c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D3F6D7E46F21 for <oauth@ietf.org>; Wed, 29 Oct 2025 12:23:53 -0700 (PDT)
Received: by mail-ua1-x92c.google.com with SMTP id a1e0cc1a2514c-932cf836259so113850241.3 for <oauth@ietf.org>; Wed, 29 Oct 2025 12:23:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1761765833; x=1762370633; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=nsPelSj30hQ0eokqESZDMc++RpztA7ETplNahRiulqI=; b=XXDIxlDgqeNztgOzOPwlso4ufs6zvD82scQzHpxQ74V8oTWlpiGSrMAxoDP+zYurSj 2huc6SbX4hB1diPv1a2iuPHGvraLMZmAJvza6X8NSIMUn0WzgMq9H3GYws8BunRnx4pM FYkO18YEdGcafnH164MSTboM24sm//D7LqsY9cdaxMWTEZN/Vg6+rGe01LTljetd6Bhj 7nzZGUmm/jizG1JS3f1QL3TqH18nUNd8G0sLKdLMynfNzRNjvXKwVMV+3Fi+sTG9W/9P LTM5VekmKpKdh2vF0MqKQjam5CIN7hABJG1GeP4+1hHSgyViOXeZSKu7mwyWo6isyVr9 ccaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1761765833; x=1762370633; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=nsPelSj30hQ0eokqESZDMc++RpztA7ETplNahRiulqI=; b=TI/OTp+QYiMmHpQWzRaAGEns6p6ddi4aPgF8vRX8qsAS+DYPefv2+qseVW3YQIDv1k M2x/CUZRWKXCvKqrbtT/U21JqIMLrr7arEp9MDerFcOce7qzplVy6mP8wLY0KLkILd2w d4isAsH3NCSSFu64nMbVryw12Th3pKgRiEX0OpH1qlO8yJ7apseXx5F95frqiDIN+Frp 2Itd8cq4h1Zea41QqjqkAJELuuV39hbufR9OBtw6yUiv9dq3RLLdEOKDOvvNocX+YBBa /OYcAFxH87APJ4mt2l8wCwQ7I1L5KDOPGzBbnLtYa8kVT8vJTBCZZSDB3JF5vjzy3RCG IZyA==
X-Forwarded-Encrypted: i=1; AJvYcCXAdAXowpMYj46ydZ4b4TYZUxUlGMNjZqLL7KmL3a0inFyijCn3i6mmgmIZYx7GbwKJaKBP7A==@ietf.org
X-Gm-Message-State: AOJu0YzbzMtvskk22aCcoy9pUoWrzy6uTqnAoi7rtDm+nPk36D16T9td bvDG3oD4DN8W0L3Q2Is4lP9xOOmrKhZZ/6brtS8sdPhlz9zY9bgkBh/NJnTqYkXXvzkBKHgMi/g BJ8mggiZdLGF62d4S9zaV1br6ljkyL0JxkSxbDugLk97UEcfWCDNJfRV5AXAvi6Pvr/uayUyLWZ ZNFELOCUu21KEVDpivCqfbVYx9S0qflw==
X-Gm-Gg: ASbGnctoHMq2W1Os8vyB5PMTDsWKMINltI+GMp/HPRtnsHZzYWoa8px1uAczgpG88j0 O8lP4B4QhePBbR5tg+mzH/Ls7AEzwtML+2DPl4wQCk5vX6zMxtRQ5AUlOt3RggdYxNY0lsFDG5p BEtvTSoksw+/3QJh2xPJo1MhGKnqKTwvVS8f9rRtleN5x4FaubY1E5LQQjuvPJe02mJUd5icy1Y Rp4rqjpGaNyL3/FEIYk488KYkMQfdqgrxYveCU075AP+Xa4n/74g5Z0I68Xag==
X-Google-Smtp-Source: AGHT+IFHXxflZJ489o7nMM0Tc2RAD/dgcsEJoaDPp5EKdbQKfVjXPYdjr6t+xoKlSG9UYXcE3tM8ZqWMrOrU4ploTaA=
X-Received: by 2002:a05:6122:d0d:b0:541:fdc4:2547 with SMTP id 71dfb90a1353d-558140dbf9cmr1621383e0c.4.1761765833230; Wed, 29 Oct 2025 12:23:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAGBSGjqbwG2+DMENHCSQ1Cevy32DOxChNr8=NLG_Te5VfFrKnQ@mail.gmail.com> <CAKCQpynCfHFtbvSsczYkTN-VgYAds7XrE1GmJtuBzib9de88aQ@mail.gmail.com> <CA+k3eCTnD9wjWHAV1W4gxz7t9g9LKjUjMUakysY3DJSD-P=cZA@mail.gmail.com> <CAGBSGjotDqzHnKhQjk-xzs5xhd9HyQ_q-qWrWxNjUdtGCqhbKA@mail.gmail.com>
In-Reply-To: <CAGBSGjotDqzHnKhQjk-xzs5xhd9HyQ_q-qWrWxNjUdtGCqhbKA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 29 Oct 2025 13:23:27 -0600
X-Gm-Features: AWmQ_blVfZRYjxyLSWo_J3JofeS6mg7-Mz5CgZ5uRUmhw45Y1Zw5axmQMjKCHok
Message-ID: <CA+k3eCSsxAD=XGKz2XjCfcoU1nkWPthcO-s=sk5p9bU5aC8Tsw@mail.gmail.com>
To: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aae0830642511256"
Message-ID-Hash: 2UY72Y5YA62MOXJ76MFJ62LDFZAVNQ6Z
X-Message-ID-Hash: 2UY72Y5YA62MOXJ76MFJ62LDFZAVNQ6Z
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Nikos Fotiou <nikosft@gmail.com>, OAuth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: DPoP-bound JWT Authorization Grant
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gUHY8_Tnkx8JoJvc1D6aaVH1QdQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

To be clear, either one should work just fine. So it's kinda a trivial
subjective preferences thing. But primary thinking behind using cnf.jkt in
the access token (or extrapolate to whatever thing is bound to the
key, like a JAG) is that the DPoP proof itself already contains the full
public key so it's somewhat redundant to also have the full public key in
the access token. In most cases cnf.jkt will save some space, which is
probably less important with a JAG. There's probably reasonable cases to be
made both ways for which method of comparison is more straightforward or
more mistake prone. Avoiding the dependency on a particular hash probably
isn't a bad thing though.

On Tue, Oct 28, 2025 at 7:38 PM Aaron Parecki <aaron=
40parecki.com@dmarc.ietf.org> wrote:

> hmm, interesting question. The JWT Authorization Grant is not a JWT Access
> Token so it's not immediately apparent that it should use the semantics
> defined for JWT Access Tokens. That said, it might still make more sense to
> use jkt instead of jwk. What are some practical reasons for one over the
> other?
>
>
> On Tue, Oct 28, 2025 at 3:10 PM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> DPoP does indeed use cnf.jkt to bind the access token to the DPoP key.
>> Unless there's a compelling reason to do differently (is there?), the JWT
>> Authorization Grant should probably use the same mechanism.
>>
>> On Tue, Oct 28, 2025 at 12:20 PM Nikos Fotiou <nikosft@gmail.com> wrote:
>>
>>> Dear Aaron,
>>> In Section 4, you are saying
>>> "[...] 3. The authorization server MUST verify that the JWT assertion
>>> contains a cnf claim as defined in [RFC7800].  This cnf claim
>>>  MUST contain a jwk property representing a public key"
>>>
>>> However, DPoP RFC defines the following in section 6.1:
>>> "When access tokens are represented as JWTs [RFC7519
>>> <https://www.rfc-editor.org/rfc/rfc9449.html#RFC7519>], the public key
>>> information is represented using the jkt confirmation method member
>>> defined herein." Then it defines jkt which is the base64url encoded of the
>>> sha-256 thumbprint of the JWK.
>>>
>>> I believe that section 4 of your draft should be adapted accordingly.
>>>
>>> Best,
>>> Nikos
>>>
>>>
>>>
>>> On Sat, Oct 18, 2025 at 7:05 PM Aaron Parecki <aaron=
>>> 40parecki.com@dmarc.ietf.org> wrote:
>>>
>>>> In considering how to add DPoP binding into the Identity Assertion JWT
>>>> Authorization Grant, we realized the current RFC7523 defines JWT
>>>> Authorization Grants as bearer tokens, requiring the use of
>>>> `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`
>>>>
>>>> https://datatracker.ietf.org/doc/html/rfc7523#section-2.1
>>>>
>>>> This seemingly precludes the use of DPoP since it would no longer be a
>>>> JWT bearer token.
>>>>
>>>> To resolve this, I wrote a small draft that defines
>>>> `urn:ietf:params:oauth:grant-type:jwt-dpop` and adds DPoP processing rules
>>>> on top of RFC7523. You can find the new draft here:
>>>>
>>>> https://datatracker.ietf.org/doc/draft-parecki-oauth-jwt-dpop-grant/
>>>>
>>>> ---
>>>> Aaron Parecki
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list -- oauth@ietf.org
>>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.40.4 | Report a Bug | By Email | System Status