Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt
George Fletcher <gffletch@aol.com> Fri, 01 June 2018 15:41 UTC
To: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
References: <152752608213.4961.1659822390005305046.idtracker@ietfa.amsl.com> <4D24E05B-EDC1-458C-A106-662345090399@lodderstedt.net>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <37aa8ce8-c999-57bd-e4d5-387c6e365adc@aol.com>
Date: Fri, 01 Jun 2018 11:41:01 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kwbX7xiaLU4wuabO6ZAskQy78PI>
What is the expectation if the RS requests a signed JWT response but the AS doesn't support it? Should getting a signed response require both (meaning the Accept header and an AS config that the RP wants it)? That may be the safest from a backward compatibility perspective.

I have some concerns around relying on 'iss' and 'aud' to prevent abuse and wonder if a JWT header claim describing the context of the JWT might be better.

Thanks,
George

On 5/28/18 12:58 PM, Torsten Lodderstedt wrote:
> Hi all,
>
> I just published a new revision of the JWT Introspection response draft. Based on the feedback in London, the draft entirely focuses on use cases where the RS requires stronger assurance that the respective AS issued the token, including cases where the AS assumes liability for the token’s content.
>
> We incorporated the following changes:
> • fixed typos in client meta data field names (thanks Petteri!)
> • added OAuth Server Metadata parameters to publish algorithms supported for signing and encrypting the introspection response
> • added registration of new parameters for OAuth Server Metadata and Client Registration
> • added explicit request for JWT introspection response
> • made iss and aud claims mandatory in introspection response (thanks Neil!)
> • Stylistic and clarifying edits, updates references
>
> Thanks to all reviewers!
>
> Vladimir and I are on the fence whether the Introspection Response format should be determined by the AS based on its policy and/or RS-related registration metadata or whether the RS should explicitly request a JWT response by including an Accept header "application/jwt" in the respective request.
>
> What do you think?
>
> kind regards,
> Torsten.
>
>> Begin forwarded message:
>>
>> From: internet-drafts@ietf.org
>> Subject: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt
>> Date: 28 May 2018 at 18:48:02 CEST
>> To: "Vladimir Dzhuvinov" <vladimir@connect2id.com>, "Torsten Lodderstedt" <torsten@lodderstedt.net>
>>
>> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-01.txt has been successfully submitted by Torsten Lodderstedt and posted to the IETF repository.
>>
>> Name: draft-lodderstedt-oauth-jwt-introspection-response
>> Revision: 01
>> Title: JWT Response for OAuth Token Introspection
>> Document date: 2018-05-28
>> Group: Individual Submission
>> Pages: 10
>> URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-01.txt
>> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>> Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>> Diff: https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-jwt-introspection-response-01
>>
>> Abstract:
>> This draft proposes an additional JSON Web Token (JWT) based response for OAuth 2.0 Token Introspection.
>>
>> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
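As an added illustration of the two questions in this thread (example code, not from the draft or its authors): a simulated AS that returns a signed JWT only when the RS sent Accept: application/jwt and the AS supports it, and an RS that applies its own policy to the JSON fallback and binds the response to the expected AS and to itself via iss and aud. The HS256 shared key, the issuer and RS identifiers, and the generic typ header are assumptions; George's idea of a context-describing header claim is not modelled.

```python
import base64, hashlib, hmac, json

# Constructed demo values (not from the draft): HS256 shared key standing in for
# the AS signing key, plus the AS issuer and RS identifiers used for iss/aud.
AS_KEY = b"constructed-demo-key"
AS_ISSUER = "https://as.example"
RS_ID = "https://rs.example"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def as_introspect(accept: str, claims: dict, as_supports_jwt: bool):
    """Simulated AS introspection endpoint: returns (content_type, body).
    Emits a signed JWT only when the RS asked for it via Accept AND the AS
    supports it; otherwise falls back to the plain RFC 7662 JSON object."""
    if accept == "application/jwt" and as_supports_jwt:
        head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(claims).encode())
        sig = hmac.new(AS_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return "application/jwt", f"{head}.{body}.{b64url(sig)}"
    return "application/json", json.dumps(claims)

def rs_validate(content_type: str, body: str, require_jwt: bool) -> dict:
    """RS-side handling: enforce RS policy on the response format, verify the
    signature, and bind the response to this AS (iss) and this RS (aud)."""
    if content_type != "application/jwt":
        if require_jwt:
            raise ValueError("RS requires a signed JWT but the AS returned JSON")
        return json.loads(body)             # legacy unsigned response accepted
    head, payload, sig = body.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept alg=none or a swapped alg
    expected = hmac.new(AS_KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("iss does not name the expected AS")
    aud = claims.get("aud")
    if RS_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not include this RS")
    return claims

def rs_accepts(content_type: str, body: str, require_jwt: bool) -> bool:
    try:
        rs_validate(content_type, body, require_jwt)
        return True
    except ValueError:
        return False
```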