Re: [OAUTH-WG] JWS Access Token concerns
Antonio Sanso <asanso@adobe.com> Tue, 23 February 2016 19:32 UTC
From: Antonio Sanso <asanso@adobe.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Date: Tue, 23 Feb 2016 19:31:41 +0000
Message-ID: <767F14EC-812F-4ACB-95AB-A70651FF0FB3@adobe.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
hi Sergey,

just my 2 cents: let's start from a simple fact, that encryption is not authentication. :)

Now, if the claim set of a JWS contains only non-confidential information, JWS is enough.

See also inline

On Feb 23, 2016, at 6:15 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi
>
> Some OAuth2 providers may return self-contained access tokens which are JWS Compact-encoded.
> I wonder is it really a good idea and would it not be better to only JWE-encrypt the tokens. I'm not sure JWS signing the claims is necessarily faster than only encrypting the claims, assuming the symmetric algorithms are used in both cases.

JWE algorithms are all AEAD AFAIK, so it is not only symmetric encryption; plus there is the content key "wrap algorithm".

regards

antonio

> For example, my colleague and myself, while dealing with the issue related to parsing an access token response from a 3rd party provider, were able to easily check the content of the JWS-signed access_token by simply submitting an easily recognized JWS Compact-formatted value (3 dots) into our JWS reader - we did not have to worry about decrypting it, nor did the fact that we did not validate the signature matter.
>
> But access tokens are opaque values as far as the clients are concerned and if the introspection is needed then the introspection endpoint does exist for that purpose...
>
> Thanks, Sergey
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth