Re: [OAUTH-WG] Token Introspection and JWTs
Mark Dobrinic <mdobrinic@cozmanova.com> Wed, 28 February 2018 17:51 UTC
Return-Path: <mdobrinic@cozmanova.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27289126BF7 for <oauth@ietfa.amsl.com>; Wed, 28 Feb 2018 09:51:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z-zphsGQVsDv for <oauth@ietfa.amsl.com>; Wed, 28 Feb 2018 09:51:01 -0800 (PST)
Received: from lb1-smtp-cloud9.xs4all.net (lb1-smtp-cloud9.xs4all.net [194.109.24.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFD88124319 for <oauth@ietf.org>; Wed, 28 Feb 2018 09:51:00 -0800 (PST)
Received: from speedym.d444x ([IPv6:2a02:a446:bd2c:1:f5c0:66aa:9cd6:954]) by smtp-cloud9.xs4all.net with ESMTPA id r5sXe5EpjleHLr5sYezKSO; Wed, 28 Feb 2018 18:50:58 +0100
To: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth@ietf.org
References: <74F11CBE-5ED8-4B2C-B219-F9036E07B3B9@lodderstedt.net> <1a80c619-51dd-b6cf-8125-057da778ecf0@connect2id.com> <b76ea6de-7392-2845-f106-f2cba1da0eb1@cozmanova.com> <a5ff099e-5f64-fcda-3a9d-950c11141134@connect2id.com>
From: Mark Dobrinic <mdobrinic@cozmanova.com>
Message-ID: <11cb31a3-20aa-7790-7d2b-40a0c2069dc6@cozmanova.com>
Date: Wed, 28 Feb 2018 18:50:57 +0100
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <a5ff099e-5f64-fcda-3a9d-950c11141134@connect2id.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfPJ8R2sMh71cUqfUeLKCH6XY9/QbB/XSCACcjEiFomUap6Ow1V/P3h1gYSctaY7tkRbzyh/GPgcXSmaQKIdlCmhHP9+EaYQop8dNhuSKgPDd8kyOXXP2 BTymNr4BqeGI2FrCBf5j6nk1Dokz789eeXaSFITkDnixfmXNEYlG7kkYagl8KJxoO9fhCFVh7t1HpmCygTKmTJEOyK82N7rkzhwKBfl2PSg8r5S0c+MGBJ6C VtKiAEfvzv219HXCMryB0L3kv8LVJ2hhdciM913JtY8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jJxeKDysN5ZCr7gXWeOV4-G_v4E>
Subject: Re: [OAUTH-WG] Token Introspection and JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Feb 2018 17:51:03 -0000
Hi Vladimir, Yes, the settings that the AS uses to create that JWT are established out-of-band. Being the issuer of the token in the first place, I'd like to see it being authoritative in choosing a secure way of doing so. Thinking of it, the suggestion to advertise those cryptographic properties of signed or encrypted tokens could be a good follow up for this, so a client can inform itself of what to expect. Negotiating which cryptographic properties to use on a per-client basis for a client-authenticated request to the introspection endpoint could also be something to consider (maybe as a property for dynamically registered clients?) but we haven't felt the urge to take that plunge just yet. If we are be missing out on some insights there, I'd love to hear more on that. And thanks for those compliments, I'll pass them on my colleague who wrote that! Cheers, Mark On 28/02/18 17:16, Vladimir Dzhuvinov wrote: > Hi Mark, > > The Nginx module is superbly documented, well done! > > I suppose there's a set JWS alg for the issued tokens, which is agreed > in advance? > > Vladimir > > On 28/02/18 12:49, Mark Dobrinic wrote: >> Having the introspect endpoint support a response Content-Type of >> `application/jwt` is exactly what we're doing in Curity. We actually >> gave it a cool name in the process, a Phantom Token ;) >> >> Doing things this way has proven highly useful in usecases where >> customers have high throughput requirements, and is a perfect fit in the >> HTTP model. As such, it wouldn't need any more discoverable endpoints, >> but piggybacks a AS-specific JWT token issuance setup. >> >> It's actually super simple to achieve, and as such we're planning to >> write it down as an extension to the RFC and submit that to the >> workgroup. Reason for that would be to have a standardized way of >> switching from reference- to self-contained token format, something we >> see valuable enough time to justify that. >> >> Here's what we already did with that: >> https://github.com/curityio/nginx_phantom_token_module >> https://curity.io/product/token-service/#phantom_tokens >> >> >> On 28/02/18 10:53, Vladimir Dzhuvinov wrote: >>> On 28/02/18 09:48, Torsten Lodderstedt wrote: >>>> Hi all, >>>> >>>> I have an use case where I would like to return signed JWTs from the authorization server’s introspection endpoint. In this case, I would like to give the resource server evidence about the fact the AS minted the access token and is liable for its contents (verified person data used to create a qualified electronic signature). >>>> >>>> Although token introspection more or less provides the RS with the content of a JWT, RFC 7662 only supports plain JSON. I talked to Justin and his recommendation was to use use a header “accept: application/jwt” to ask the AS for a signed JWT as response instead of "application/json“. We could do this but clearly it would be a proprietary solution. >>> Justin's suggestion would be relatively easy to implement. The only >>> small downside I see is that it doesn't allow resource servers to choose >>> a crypto algorithm for the issued JWT, which has become the norm for >>> this kind of things in OAuth and OIDC. >>> >>>> I would like to know whether anyone else has the same or similar requirements and whether it would make sense to specify an extension to RFC 7662 for JWT responses. >>> Because of the requirement for resource servers to authenticate (or >>> submit a token authz) when they make an introspection request, we let >>> them register as a client, using std client registration. In that case >>> to let an RS register preferred JWT algs for the introspection response >>> we could have parameters >>> >>> introspection_response_signed_response_alg >>> introspection_response_encrypted_response_alg >>> introspection_response_encrypted_response_enc >>> >>> (naming follows pattern for ID token and UserInfo algs) >>> >>> Vladimir >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> > >
- [OAUTH-WG] Token Introspection and JWTs Torsten Lodderstedt
- Re: [OAUTH-WG] Token Introspection and JWTs Vladimir Dzhuvinov
- Re: [OAUTH-WG] Token Introspection and JWTs Mark Dobrinic
- Re: [OAUTH-WG] Token Introspection and JWTs Vladimir Dzhuvinov
- Re: [OAUTH-WG] Token Introspection and JWTs Mark Dobrinic