Re: [OAUTH-WG] OAuth 2.0 Introspection RFC Issues

Michael Ciarlillo <> Tue, 03 November 2015 00:24 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 14B601A92F4 for <>; Mon, 2 Nov 2015 16:24:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RfHfZXxwPm9B for <>; Mon, 2 Nov 2015 16:24:22 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400e:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B69831A92F1 for <>; Mon, 2 Nov 2015 16:24:22 -0800 (PST)
Received: by pabfh17 with SMTP id fh17so1067812pab.0 for <>; Mon, 02 Nov 2015 16:24:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:mime-version:to:cc:from:subject:date:in-reply-to :references:content-type; bh=MCe7IsAxfu9r1vVbxWXjB/HyK5ElBHzJX5fOTo3nsns=; b=bE5Kst7AftjQ9vV6pPklRYVfrOzkEfZ6mWhk6D8VFC8B4YyExqMj1Tb02z8y/V5bQ+ xOQRxqjNV55x5NDZ9kIjw9pUMf4WhK1Zc2Tkme+hC1MvBOnxEmdfkxXIXXcXN6dju15E d8DODwiatSRLJ0gKA18L5apCTc35ba+v9pFN4Er7RrIXHy0hoqUIQExRKsJAuFgYtRuu 5NMdDYFqkeQn2df65dpGd72N8zDO65/DgQzP+cpq2c2938sTsYTFHkGf9wdKhR5Ohzw4 Y3LrmCtNMJ6BByOTlVRErXRHtiMkscGLsdcS0BHEPynm9NA1RS5JOxFGZfE5C+WAx+cV EVPg==
X-Received: by with SMTP id hf10mr30547375pac.16.1446510262375; Mon, 02 Nov 2015 16:24:22 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id ix1sm26127599pbd.40.2015. (version=SSLv3 cipher=RC4-SHA bits=128/128); Mon, 02 Nov 2015 16:24:21 -0800 (PST)
Message-ID: <>
MIME-Version: 1.0
To: William Denniss <>, Justin Richer <>
From: Michael Ciarlillo <>
Date: Mon, 02 Nov 2015 19:24:17 -0500
In-Reply-To: <>
References: <> <> <>
Content-Type: multipart/alternative; boundary="_284A694B-C6FA-4D04-86A4-A214D635F9A4_"
Archived-At: <>
X-Mailman-Approved-At: Tue, 03 Nov 2015 06:15:44 -0800
Cc: "<>" <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Introspection RFC Issues
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Nov 2015 00:24:26 -0000

Thanks for the feedback.

I agree that the spec is not badly designed over all. I just think that the MUST is a bit too restrictive, especially with how none of the OAuth grants requires authentication to begin with except when a client is Confidential or when using Client Credential flow (for obvious reasons).

I don't believe that simply using a token to determine its validity is a good course of action. There may very well be unintended side-effects (like the issuance of a new refresh/access token when using a refresh token at the Token endpoint, or one-time use access tokens). One use case presented by Kévin Chalet is when a client might need to determine and what users it has been authorized access on behalf of and possibly remove those that are no longer valid. Another might be something like determining if an initial one-time use access token for registration requests is still active and available to use for client registration.

Not having available resources or libraries to validate JWTs or other tokens on the client was another use case mentioned in discussions we had. I'm glad others have had similar discussions for this scenario.

That being said, the idea of using the token itself for authentication intrigues me, though doesn't that inherently break the entire point of having the authentication be a MUST in the spec to begin with? How might an Authorization Server mitigate inherent security risks with this approach for any type of tokens?

-----Original Message-----
From: "William Denniss" <>
Sent: ‎11/‎2/‎2015 6:58 PM
To: "Justin Richer" <>; "Michael Ciarlillo" <>
Cc: "<>" <>
Subject: Re: [OAUTH-WG] OAuth 2.0 Introspection RFC Issues

We had a debate on that MUST at the last IETF, but the spec was too far along to change. The workaround is to treat the token you are introspecting as the authentication. With that workaround, the spec is quite usable for non-confidential clients, even if resource servers were the primary target.

Google currently runs an introspection endpoint of sorts for clients, named "tokeninfo", and the latest version (v3) is close to the spec (coincidence - it's a good design pattern). Aimed mostly at debugging use-cases or if you don't have a JWT decoding library handy. 

On Tue, Nov 3, 2015 at 1:43 AM Justin Richer <> wrote:

Hi Michael,

Thanks for the comments. First off, the text of an RFC is fixed and cannot be changed. The spec can only be altered with a new document that obsoletes RFC7662, which would have to go through the working group process again from the very beginning.

Authentication is required but we’re open to how it happens. The introspection spec is targeted at resource servers, not clients, since a client can always just *use* the token in order to see if it’s valid or not. Why bother with the extra round trip to check if the token is good before trying it, since trying it will also tell you if the token’s good? The recovery process for a failed token is the same in either state. We initially had this written for either clients or protected resources, but that’s not how people were using it and restricting its focus helped clarify the spec immensely.

ID tokens are a slightly different case as they’re an assertion targeted at the client itself, but in those cases an ID token is really meant to be self-contained as a JWT, and generally has a short validity period. If you’re looking to introspect an old ID token to check an OIDC session status, then you might be better served implementing one of the OIDC session spec components for that purpose.

Also, we didn’t mandate a specific authentication technology. Most people are going to use either client authentication or a specific OAuth token designed for this purpose. The latter of these is technically available for public clients, but then you have the question of if you want to check the status of *that* token too. Still, I think that for any clients (including public ones) the right thing to do is just use the token and see if it works. 

To the other comment, HTTP POST is the only defined verb and we’re silent on the use of other verbs. That said, many HTTP implementation frameworks don’t differentiate between verbs for requests and so a POST with body form parameters and a GET with query parameters would come out the same. We don’t outright prohibit this behavior, but it’s off-label and there are security considerations for its use.

Hope this helps,
 — Justin

On Nov 2, 2015, at 3:17 AM, Michael Ciarlillo <> wrote:

Hello all,

I have a couple of comments/issues with the RFC at

According to Section 2.1 (Introspection Request) says that "To prevent token scanning attacks, the endpoint MUST also require some form of authorization to access this endpoint..." This might make sense for token introspection requests only coming from Resource Servers, but to many implementers it makes sense to allow Clients access to the introspection endpoint since it would serve the same purpose (token validity checking, particularly for refresh tokens, but also for access tokens, or identity tokens in OpenID Connect, or possibly other token types in UMA and other specs). Unfortunately, this means that public clients should be accounted for in some way, as refresh tokens don't have an explicit requirement in the OAuth 2.0 spec that they be issued only to Confidential Clients. As such, many implementers don't feel like the Introspection spec fits well for Client consumption because of the "MUST" requirement on authentication, when public clients won't have a Client Secret to authenticate with. Further, token scanning attacks would not be mitigated for authenticated callers (be they Resource Servers or Clients).

An example of a real-world implementer discussion talking about this topic is one I had with Kévin Chalet:

We are not the only ones who see this as a problem with the spec, and there do not seem to be many concrete reasons for this endpoint ONLY being for Resource Servers themselves. Can some insight into why this is the case? Can the MUST be changed to a SHOULD with the Security Considerations section expanded to talk about the issue? If not, is there another spec or draft out there somewhere for OAuth token validity for which the intent is explicitly client consumption? Any and all feedback on this would be greatly appreciated as we develop the ASOS middleware project.

Another (small) comment on the spec: Section 2.1 (Introspection Request) currently says that requests be HTTP POST method requests, however Section 4 (Security Considerations) mentions Authorization Servers explicitly disallowing the GET method due to server logs. What is the requirement here? POST with optional GET or explicitly only allowing POST requests?

Michael Ciarlillo
OAuth mailing list

OAuth mailing list