Re: [OAUTH-WG] self-issued access tokens

Vittorio Bertocci <Vittorio@auth0.com> Wed, 29 September 2021 06:13 UTC

From: Vittorio Bertocci <Vittorio@auth0.com>
Date: Tue, 28 Sep 2021 23:13:10 -0700
To: toshio9.ito@toshiba.co.jp
Cc: IETF oauth WG <oauth@ietf.org>
Message-ID: <CAO_FVe59G=OJ8=51ogVDMe+WWQ8a0xwb_Q6V0vFtH7cLsQNU2w@mail.gmail.com>
In-Reply-To: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k-zcOyiI5c8QgOVajrTtfandD0c>
List-Id: OAUTH WG <oauth.ietf.org>

Hi Toshio,
The scenario you describe is comparable to
https://openid.net/specs/openid-connect-self-issued-v2-1_0.html, at least
in terms of validation logic. Please note that most of the validation
software in common use today expects to work with just a handful of keys,
typically one provider and allowance for rotation, hence it might not be
trivial to repurpose it to perform large table scans in scenarios where you
have many clients and corresponding keys.
Also, Prabath's blog makes a statement that, I believe, overstates what can
be achieved with this approach: he says that this can be a replacement for
TLS mutual authentication, but it isn't really the case, as you are still
dealing with a bearer token, which can be replayed after issuance, hence
offering fewer guarantees than mutual TLS.


On Tue, Sep 28, 2021 at 6:54 PM <toshio9.ito@toshiba.co.jp> wrote:

> Hi OAuth folks,
>
> I have a question. Is there (or was there) any standardizing effort for
> "self-issued access tokens"?
>
> Self-issued access tokens are mentioned in a blog post by P. Siriwardena
> in 2014 [*1]. It's an Access Token issued by the Client and sent to the
> Resource Server. The token is basically a signed document (e.g. JWT) by the
> private key of the Client. The Resource Server verifies the token with the
> public key, which is provisioned in the RS in advance.
>
> I think self-issued access tokens are a handy replacement for Client
> Credentials Grant flow in simple deployments, where it's not so necessary
> to separate AS and RS. In fact, Google supports this type of authentication
> for some services [*2][*3]. I'm wondering if there are any other services
> supporting self-signed access tokens.
>
> Any comments are welcome.
>
> [*1]:
> https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
> [*2]:
> https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
> [*3]: https://google.aip.dev/auth/4111
>
> -------------
> Toshio Ito
> Research and Development Center
> Toshiba Corporation
>