Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
Petteri Stenius <Petteri.Stenius@ubisecure.com> Mon, 26 March 2018 09:03 UTC
From: Petteri Stenius <Petteri.Stenius@ubisecure.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
CC: oauth <oauth@ietf.org>
Date: Mon, 26 Mar 2018 09:02:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gpJ_RClBfmfz2wv7ox-3Fl6FmAI>
Hi all,

I want to show my support for this proposal. I believe the two use cases presented at the IETF meeting [1] are important:

1. implementing application level end-to-end integrity protection of the introspection response
2. simple conversion of by-reference access tokens into by-value JWT encoded tokens

This proposal adds three fields to the client metadata. I think there are two issues that should be addressed:

1. Remove double "response" from field names. Replace "introspection_response_signed_response_alg" with "introspection_signed_response_alg". Also address the two other fields.
2. Add corresponding fields to provider metadata. For the client metadata field "introspection_signed_response_alg" there should exist "introspection_signing_alg_values_supported" in provider metadata. The two other fields need corresponding fields as well.

Relationship with OpenID Connect

In OpenID Connect the userinfo endpoint is very similar to the introspection endpoint of OAuth. Userinfo supports JWT signing and encryption. Adding JWT signing and encryption to the introspection endpoint fills the gap between the two specifications.

Best regards,
Petteri Stenius

[1] https://datatracker.ietf.org/meeting/101/materials/slides-101-oauth-sessb-jwt-introspection-response-01

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Torsten Lodderstedt
Sent: Sunday, 18 March 2018 21:33
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt

Hi all,

I just submitted a new draft that Vladimir Dzhuvinov and I have written. It proposes a JWT-based response type for Token Introspection. The objective is to provide resource servers with signed tokens in case they need cryptographic evidence that the AS created the token (e.g. for liability).

I will present the new draft in the session on Wednesday.

kind regards,
Torsten.
Begin forwarded message:

From: internet-drafts@ietf.org
Subject: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-00.txt
Date: 18 March 2018 at 20:19:37 CET
To: "Vladimir Dzhuvinov" <vladimir@connect2id.com>, "Torsten Lodderstedt" <torsten@lodderstedt.net>

A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt has been successfully submitted by Torsten Lodderstedt and posted to the IETF repository.

Name: draft-lodderstedt-oauth-jwt-introspection-response
Revision: 00
Title: JWT Response for OAuth Token Introspection
Document date: 2018-03-15
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response

Abstract:
This draft proposes an additional JSON Web Token (JWT) based response for OAuth 2.0 Token Introspection.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat
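The two points raised in the reply above, the end-to-end integrity check on a JWT introspection response and the correspondence between the client metadata field and a provider metadata field, as an added Python sketch that is not code from the draft or from either poster. The provider metadata field name is the one the reply proposes (draft-00 defines only the client field), and the HS256 shared-secret signing, the claim layout and all values are constructed for the demo rather than taken from the draft.

```python
import base64, hashlib, hmac, json, time

# Constructed metadata. The client field name is the draft-00 name quoted in the
# reply; the provider field name is the reply's proposal (an assumption here).
PROVIDER_METADATA = {"introspection_signing_alg_values_supported": ["HS256"]}
CLIENT_METADATA = {"introspection_response_signed_response_alg": "HS256"}
SHARED_SECRET = b"constructed-demo-secret"  # HS256 key shared by AS and RS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def negotiate_alg(client_md: dict, provider_md: dict) -> str:
    # Registration-time check: the alg the RS asks for must be one the AS advertises.
    alg = client_md["introspection_response_signed_response_alg"]
    if alg not in provider_md["introspection_signing_alg_values_supported"]:
        raise ValueError(f"alg {alg} not supported by the AS")
    return alg

def sign_introspection_response(claims: dict, alg: str, key: bytes) -> str:
    # AS side: wrap the introspection result in a compact HS256 JWS.
    if alg != "HS256":
        raise ValueError("demo supports HS256 only")
    signing_input = ".".join(b64url(json.dumps(x, separators=(",", ":")).encode())
                             for x in ({"alg": alg, "typ": "JWT"}, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_introspection_response(token: str, key: bytes, issuer: str,
                                  audience: str, now: int = None):
    # RS side: return the claims only if signature, iss, aud and exp all check out.
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # reject alg=none etc.
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```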