Re: [OAUTH-WG] Comments on draft-richer-oauth-introspection-04

Torsten Lodderstedt <> Thu, 24 October 2013 05:50 UTC

From: Torsten Lodderstedt <>
Date: Thu, 24 Oct 2013 07:50:07 +0200
To: Thomas Broyer <>, "Richer, Justin P." <>

Hi Thomas,

We generate access tokens per resource server in order to mitigate this and other risks. You must issue those tokens to different audiences (resource server id), and the resource servers must validate whether the token was issued for their particular audience. Otherwise a compromised resource server can still abuse the tokens.

Talking about burden: You need to compare the effort needed to obtain different access tokens to the effort needed to implement proof of possession.

I recommend you take a look at the OAuth threat model for a discussion of this threat (


Thomas Broyer <> schrieb:
>On Wed, Oct 23, 2013 at 9:22 PM, Richer, Justin P.
>>  Hi Thomas,
>>  You're right in that the introspection process is about getting meta
>> data about a particular token by making an authenticated call. It
>> reveal a lot of information about the token -- because that's exactly
>> point of the protocol. :)
>>  If the PR is compromised, then the attacker would be able to do
>> the PR can do, including reusing any tokens handed to the PR
>> they're bearer tokens).
>Yes, this is the problem with bearer tokens. Is there any spec for
>tokens' besides http-mac?
>As a mean of mitigating the issue, I was thinking about delivering a
>refresh_token and asking Clients to generate (ask the AS) different
>tokens for each PR (or "resource set"). That would of course solve the
>issue with introspection giving too much information (to my taste), but
>puts burden on Client implementors, with no guarantee that they'll
>do it. AFAICT, only a 'proof token' would really solve the issue; it's
>our backlog.
>> This is true without doing introspection at all, since you can just
>> and start broadcasting the token.
>But then the AS could revoke the access token when it detects a high
>of validation/introspection requests from many different PRs,
>many such requests in error!
>Giving the compromised victim the list of scopes for the token would
>severely limits the number of errors and it would be much harder to
>such compromised entities.
>> Also, if the PR is compromised, all the data protected at that PR is
>> compromised, so you've got other problems too.
>That's a problem between the PR and the ROs then, unrelated to the AS
>even Clients.
>It becomes a problem with the whole system when compromising one entity
>(other than the AS) gives access to personal data in others.
>>  The "resource_id" parameter is meant to be a service-specific hint
>> the PR can hand to the AS to give context to the transaction. You
>> easily use this field to pass along the list of scopes that you
>> below.
>I had just skimmed through resource-reg and didn't remember the
>set" concept. Now that I re-read it, I better understand what that
>resource_id can be.
>> You can have your AS return no information other than the "valid"
>> field in
>> the response and leave out the scopes, subject, client id, and
>> else. All those fields are optional. However, in practice we've found
>> very helpful to reveal to the PR which scopes and audiences that a
>> was issued for so that the PR can use that information to make
>> authorization decisions.
>But aren't authorization decisions the responsibility of the AS?
>If the PR sent the scopes (or resource_id, but that would closely
>the protocol with resource-reg, which I don't think is desirable) to
>AS, then the PR could authorize access based only on a yes/no response
>the "no" response would give information about the "why", to be sent
>directly to the Client)
>> But if all you're after is answering the question "is this token
>> and you don't want any other information, your AS is fully allowed to
>> answer just that question.
>As I said, I do need "more information", or rather, a more "contextual"
>I think I'll just go with my custom protocol for now. Thanks for your
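The audience check Torsten describes, as an added example that is not code from the thread or from the introspection draft: a toy in-memory authorization server issues each access token for a named audience (the resource server id) and answers introspection with the fields discussed above (`active`, `scope`, `sub`, `client_id`, `aud`), and each protected resource accepts a token only if introspection reports it active and lists that resource's own id in `aud`. The class names, the `photos`/`calendar` resource ids and the scope strings are constructed for illustration. A token stolen from one resource server and replayed at another is rejected with `audience_mismatch`, which is the property that per-resource-server tokens buy you even though they remain bearer tokens.

```python
import secrets
import time
from dataclasses import dataclass, field

# Constructed example: a minimal authorization server (AS) and two protected
# resources (PRs). No network; introspection is a direct call on the AS object.


@dataclass
class AuthorizationServer:
    # token value -> metadata returned by introspection
    tokens: dict = field(default_factory=dict)

    def issue_token(self, client_id, subject, audience, scope, lifetime=3600):
        """Issue an opaque bearer token bound to one or more audiences."""
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {
            "client_id": client_id,
            "sub": subject,
            "aud": list(audience),      # resource server ids this token is for
            "scope": scope,             # space-separated scope string
            "exp": time.time() + lifetime,
        }
        return token

    def introspect(self, token, now=None):
        """Introspection response: only 'active' is mandatory; the rest is optional."""
        now = time.time() if now is None else now
        meta = self.tokens.get(token)
        if meta is None or meta["exp"] <= now:
            return {"active": False}
        return {"active": True, **meta}


@dataclass
class ProtectedResource:
    resource_id: str
    auth_server: AuthorizationServer

    def authorize(self, token, required_scope):
        """Return (allowed, reason). A PR must check both 'active' and 'aud'."""
        resp = self.auth_server.introspect(token)
        if not resp.get("active"):
            return False, "inactive"
        aud = resp.get("aud", [])
        if isinstance(aud, str):        # 'aud' may be a single string or a list
            aud = [aud]
        if self.resource_id not in aud:
            # Token was issued for a different resource server: treat a replay
            # from a compromised PR exactly like an invalid token.
            return False, "audience_mismatch"
        if required_scope not in resp.get("scope", "").split():
            return False, "insufficient_scope"
        return True, "ok"


def demo():
    """Issue a token for 'photos' and show how each PR treats it."""
    auth = AuthorizationServer()
    photos = ProtectedResource("photos", auth)
    calendar = ProtectedResource("calendar", auth)
    token = auth.issue_token("app-1", "alice", ["photos"], "photos:read")
    return {
        "at_photos": photos.authorize(token, "photos:read"),
        "replayed_at_calendar": calendar.authorize(token, "calendar:read"),
        "wrong_scope": photos.authorize(token, "photos:write"),
        "unknown_token": photos.authorize("not-a-token", "photos:read"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the introspection response here deliberately carries more than `active`; the point of the audience check is that the resource server does not trust a token merely because the AS says it is valid, but also confirms the token was issued for it.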