IETF Logo Mail Archive

Re: [OAUTH-WG] self-issued access tokens

Sascha Preibisch <saschapreibisch@gmail.com> Wed, 29 September 2021 15:27 UTC

Return-Path: <saschapreibisch@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C62843A1ADA for <oauth@ietfa.amsl.com>; Wed, 29 Sep 2021 08:27:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SgnkihBsgtJH for <oauth@ietfa.amsl.com>; Wed, 29 Sep 2021 08:27:08 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D88D53A0CDB for <oauth@ietf.org>; Wed, 29 Sep 2021 08:27:07 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id j5so7526820lfg.8 for <oauth@ietf.org>; Wed, 29 Sep 2021 08:27:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=oBnuP8o3FGrK8+K03U2BVgJY064UQhi8rk5D71RWPnM=; b=PGK6dYXJhXP6//IGXLRuoy5m/gXX0xC5KW5aG7nznrc5WkpkRGG/oUcBp+jnjY1wS+ suxYXKhvuU7hIZtew/VTv3jiQbYG06trhz3JItFpQBwqzWQ3+VtZ80wmZj4eRx6kuc/X u1ZhJshff6aBPVgrW1YT8x716+6X/NXNLY65LV94k7GYQaM/yiuGrlFa1vRESTKqx9e8 NTlCpvycUpiW8spGfaoild5eYcgesfnkisWDfVOWgOVw4AeW/SJEB9HxGowoKpVK8PEE k9qWxehdTsFvg6bhYc/5tFH90CIm6iTWUEO4Uli56aDQsMkullXgmgijYa6dKE9Oju25 Z05Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=oBnuP8o3FGrK8+K03U2BVgJY064UQhi8rk5D71RWPnM=; b=k2yR6mhElkX6nqVf2VDoYT1bXPAa5SJ0XmlGykvZsJo5p3oO6SSXJBjoOfndk9dJh4 E/hOIcxawHr4piQMqV4DIoobBxMyOBFeDDHth6Z5WCdtbfbPmck4PVIQLCqiAl65XfdO dec41zhdtpFnplAa3vdjdJ8qKQz3D7P2yrtfbWMHBIr3x3XFt+YDPope9LeicCUod/Rd n1tpPvOFQZe0DWuxkeQhA8HsZDjfoD2LtE7KDVcOTZ+K+yKqUayNSOJoTAdLVaFJoLLQ PazAlNGmMbnO0weE13kyxSfad7FjFsALDf8faDm87FsaT6aj+JqwePdL3x4DNnrwnoL6 LDJQ==
X-Gm-Message-State: AOAM530zeZh23mMnH4os+SlnwfQMV+r2bUA/Or5judDmPbj9TLCFzTJz XlRGd7MqCfCrgNAE8ZQNm3G9P9MSB7ybqJsR4lwNdHEnd+M=
X-Google-Smtp-Source: ABdhPJzrncY9lUpRAnt99hxAR5OwVsLAx7s0yzByY7s69YHAFt/fiXSZPutC0X4eQM0G4AFNtTK7ReMNF27tmrPMEKs=
X-Received: by 2002:a19:6a16:: with SMTP id u22mr294906lfu.444.1632929225903; Wed, 29 Sep 2021 08:27:05 -0700 (PDT)
MIME-Version: 1.0
References: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com> <CAO_FVe59G=OJ8=51ogVDMe+WWQ8a0xwb_Q6V0vFtH7cLsQNU2w@mail.gmail.com>
In-Reply-To: <CAO_FVe59G=OJ8=51ogVDMe+WWQ8a0xwb_Q6V0vFtH7cLsQNU2w@mail.gmail.com>
From: Sascha Preibisch <saschapreibisch@gmail.com>
Date: Wed, 29 Sep 2021 08:26:54 -0700
Message-ID: <CAP=vD9v1CYBTJLngaAoU0GcEt7A63oGqPSZLYuoYT=QRKLy2WA@mail.gmail.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: toshio9.ito@toshiba.co.jp, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000074121705cd23f686"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ghbYz4bzjOwKhd9XZMr5ebvRKa8>
Subject: Re: [OAUTH-WG] self-issued access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2021 15:27:14 -0000

Vittorio,

I wrote an approach where a client would receive a grant by the
authorization server but issues the token itself. The post can be found
here:
https://oauth.blog/oauthblog.jsp (fancy name: Serverless Token Issuance) I
presented the idea at IIW right before I wrote the post.

I believe that it would work nicely and would avoid the need for an
authorization servers to manage access_token.

Regards,
Sascha


On Tue, 28 Sept 2021 at 23:13, Vittorio Bertocci <Vittorio=
40auth0.com@dmarc.ietf.org> wrote:

> Hi Toshio,
> The scenario you describe is comparable to
> https://openid.net/specs/openid-connect-self-issued-v2-1_0.html, at least
> in terms of validation logic. Please note that most of the validation
> software in common use today expects to work with just a handful of keys,
> typically one provider and allowance for rotation, hence it might not be
> trivial to repurpose it to perform large table scans in scenarios where you
> have many clients and corresponding keys.
> Also, Prabath's blog makes a statement that, I believe, overstates what
> can be achieved with this approach: he says that this can be a replacement
> for TLS mutual authentication, but it isn't really the case as you are
> still dealing with a bearer token, which can be replayed after issuance
> hence offering less guarantees than mutual TLS.
>
>
> On Tue, Sep 28, 2021 at 6:54 PM <toshio9.ito@toshiba.co.jp> wrote:
>
>> Hi OAuth folks,
>>
>> I have a question. Is there (or was there) any standardizing effort for
>> "self-issued access tokens"?
>>
>> Self-issued access tokens are mentioned in a blog post by P. Siriwardena
>> in 2014
>> [*1]. It's an Access Token issued by the Client and sent to the Resource
>> Server.
>> The token is basically a signed document (e.g. JWT) by the private key of
>> the
>> Client. The Resource Server verifies the token with the public key, which
>> is
>> provisioned in the RS in advance.
>>
>> I think self-issued access tokens are handy replacement for Client
>> Credentials
>> Grant flow in simple deployments, where it's not so necessary to separate
>> AS and
>> RS. In fact, Google supports this type of authentication for some services
>> [*2][*3]. I'm wondering if there are any other services supporting
>> self-signed
>> access tokens.
>>
>> Any comments are welcome.
>>
>> [*1]:
>> https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
>> [*2]:
>> https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
>> [*3]: https://google.aip.dev/auth/4111
>>
>> -------------
>> Toshio Ito
>> Research and Development Center
>> Toshiba Corporation
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.35.0 | Report a Bug | By Email | System Status