IETF Logo Mail Archive

Re: [OAUTH-WG] self-issued access tokens

Sascha Preibisch <saschapreibisch@gmail.com> Thu, 30 September 2021 04:56 UTC

Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A55973A11FA for <oauth@ietfa.amsl.com>; Wed, 29 Sep 2021 21:56:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e0o3HX93q7_H for <oauth@ietfa.amsl.com>; Wed, 29 Sep 2021 21:56:03 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC53A3A11F9 for <oauth@ietf.org>; Wed, 29 Sep 2021 21:56:03 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id x27so20134877lfu.5 for <oauth@ietf.org>; Wed, 29 Sep 2021 21:56:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uzTQ1Xh3JsmskPtaA+GEQPHEZpcz/YE3k+wRahOpt4A=; b=OIobvHcq1Wg+9SYzAsTNOx/eYmEhDGdVvCfpU898a2A5qmgFauIIQZrtmwY/k6eVCJ xZPgfWThiRdXl9NdJYx4PFTqcwu5Z3ZCvE0wY49DuYOsTI7QXrpUC9tfi+GMPCgUiwu0 G0GV4ytm2jiRPReeh15/Z6kcgwRqE9vjqoEGsJ6UtorNtNm5rjTmrOWL1UP+AAj0o5fm sASvycbB+4QlT2f3KYy7V25pFnNhYAxZxBcv6MILB0FQbVs/G2K+ER3WO2BNT1/+fNjq gyYXlxvguc+0CzJTYDLDOvjp9JLxKZuuEyW5kYEfI+4lU9Ra9A9ukEg1/vl0cEy0uSST iyyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uzTQ1Xh3JsmskPtaA+GEQPHEZpcz/YE3k+wRahOpt4A=; b=rmEpgy4VHVwjgqvX168MKRwaZv2bgDtlSnhBMrz1xvkDgZjE6KpQSpvE+srM0tVarg 8d/8oRRJH6DWXJtNJgCbr3nXuevenqAtPPL7fOegv9Whw4KR61k2fxLthpfgDU4Wnsj8 ZtqZF5iDnTD1wxMMj8cJKG8uZ42jckdQRQRJ/jZNZHFcK2YEf0LtMVRWsvXVHcAsAqrc /S1pyE3j3luynJG08jbVq7QC1F9qGM91JkpcsD+Ko1wZYY1/rwlk5FUiOdrsRxXX7Vgl xM85ryP+QgIHdddOL1fpPB0q0qwhiivOSDTQa3K0n5Fb57x+HJwZ1+AfEe6jvMu3PYjm UuRw==
X-Gm-Message-State: AOAM530qDOguzHBRjGdk0gkxW72+Fy02iSee5Z6gxZvoPBdtvcfBWqct sJuMCN/doN91liKB+/u1FlTlFZhjHXAj7supKzc=
X-Google-Smtp-Source: ABdhPJzxEd0ZjMtjxCxjGfXsXLg6DEjT11QZ0njAE93krmKYPi+JpcL/VFykEzS5LxRoKYNvLJCYQmL5TelK9ZGmOs0=
X-Received: by 2002:a05:6512:39d6:: with SMTP id k22mr3652643lfu.258.1632977761071; Wed, 29 Sep 2021 21:56:01 -0700 (PDT)
MIME-Version: 1.0
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <581ea93b-ab52-e4e2-ec53-c776060e99d1@danielfett.de>
In-Reply-To: <581ea93b-ab52-e4e2-ec53-c776060e99d1@danielfett.de>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Wed, 29 Sep 2021 21:55:50 -0700
Message-ID: <CAP=vD9uCLgyOwGTFNu5WoY+yH7-RvFFyesmXZ8ygWCunPRE6gQ@mail.gmail.com>
To: Daniel Fett <fett@danielfett.de>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000060764605cd2f437f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gWxqG-Isdtv1MYHdUK0nKsHljN0>
Subject: Re: [OAUTH-WG] self-issued access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Sep 2021 04:56:09 -0000

Yeah, Daniel,

I remember we spoke about it. I do think my version is slightly different
as there is no access_token issued by the server.

Regards,
Sascha

On Wed, 29 Sept 2021 at 08:42, Daniel Fett <fett@danielfett.de> wrote:

> That very much sounds like a static string as the access token plus DPoP.
>
> -Daniel
>
> Am 29.09.21 um 03:54 schrieb toshio9.ito@toshiba.co.jp:
>
> Hi OAuth folks,
>
> I have a question. Is there (or was there) any standardizing effort for
> "self-issued access tokens"?
>
> Self-issued access tokens are mentioned in a blog post by P. Siriwardena in 2014
> [*1]. It's an Access Token issued by the Client and sent to the Resource Server.
> The token is basically a signed document (e.g. JWT) by the private key of the
> Client. The Resource Server verifies the token with the public key, which is
> provisioned in the RS in advance.
>
> I think self-issued access tokens are handy replacement for Client Credentials
> Grant flow in simple deployments, where it's not so necessary to separate AS and
> RS. In fact, Google supports this type of authentication for some services
> [*2][*3]. I'm wondering if there are any other services supporting self-signed
> access tokens.
>
> Any comments are welcome.
>
> [*1]: https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
> [*2]: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
> [*3]: https://google.aip.dev/auth/4111
>
> -------------
> Toshio Ito
> Research and Development Center
> Toshiba Corporation
>
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
> -- https://danielfett.de
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.35.0 | Report a Bug | By Email | System Status