Re: [OAUTH-WG] JWS Access Token concerns

Antonio Sanso <asanso@adobe.com> Tue, 23 February 2016 19:32 UTC

From: Antonio Sanso <asanso@adobe.com>
To: Sergey Beryozkin <sberyozkin@gmail.com>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 23 Feb 2016 19:31:41 +0000
Subject: Re: [OAUTH-WG] JWS Access Token concerns
Message-ID: <767F14EC-812F-4ACB-95AB-A70651FF0FB3@adobe.com>
In-Reply-To: <56CC93AF.1060105@gmail.com>

hi Sergey,
just my 2 cents
let’s start from a simple fact that encryption is not authentication. :)

Now, if the claim set of a JWS contains only non-confidential information, JWS is enough.

See also inline


On Feb 23, 2016, at 6:15 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi
> 
> Some OAuth2 providers may return self-contained access tokens which are JWS Compact-encoded.
> I wonder whether it is really a good idea and whether it would not be better to only JWE-encrypt the tokens. I'm not sure JWS signing the claims is necessarily faster than only encrypting the claims, assuming symmetric algorithms are used in both cases.

JWE algorithms are all AEAD AFAIK, so it is not only symmetric encryption; plus there is the content key "wrap algorithm".

regards

antonio

> 
> For example, my colleague and I, while dealing with an issue related to parsing an access token response from a 3rd party provider, were able to easily check the content of the JWS-signed access_token by simply submitting the easily recognized JWS Compact-formatted value (3 dots) to our JWS reader. We did not have to worry about decrypting it, nor did the fact that we did not validate the signature matter.
> 
> But access tokens are opaque values as far as the clients are concerned and if the introspection is needed then the introspection endpoint does exist for that purpose...
> 
> Thanks, Sergey
> 
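To make the point of this exchange concrete (a JWS Compact-serialized token's claims are readable by anyone holding the string, with no key, and are trustworthy only after the signature is verified), here is an added example using only the Python standard library. It is not code from the thread or from any OAuth provider; the HS256 key and the claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; not from the thread and not for production use.
SECRET = b"example-shared-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a JWS Compact Serialization (header.payload.signature) with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def read_claims_unverified(token: str) -> dict:
    """What a plain 'JWS reader' does: the payload is base64url, so no key is needed.
    Signing gives integrity, not confidentiality."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))

def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the MAC checks out; None otherwise."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # the verifier picks the algorithm, never the token
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # constant-time compare; tampered or wrong-key tokens land here
        return json.loads(b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None

def with_replaced_payload(token: str, new_claims: dict) -> str:
    """Test helper: same header and signature, different claims (constructed for the demo)."""
    header, _, sig = token.split(".")
    body = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{header}.{body}.{sig}"
```

A resource server that calls `read_claims_unverified` is exactly the failure the thread describes; a token whose payload was changed still decodes cleanly, and only `verify_hs256` rejects it.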