Re: [OAUTH-WG] Fwd: New Version Notification for draft-lodderstedt-oauth-jwt-introspection-response-01.txt

George Fletcher <gffletch@aol.com> Fri, 01 June 2018 15:41 UTC

To: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Date: Fri, 01 Jun 2018 11:41:01 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kwbX7xiaLU4wuabO6ZAskQy78PI>

What is the expectation if the RS requests a signed JWT response but the 
AS doesn't support it? Should getting a signed response require both? 
(meaning the Accept header and an AS config that that RP wants it)? That 
may be the safest from a backward compatibility perspective.

I have some concerns around relying on 'iss' and 'aud' to prevent abuse 
and wonder if a JWT Header claim describing the context of the JWT might 
be better.

Thanks,
George

On 5/28/18 12:58 PM, Torsten Lodderstedt wrote:
> Hi all,
>
> I just published a new revision of the JWT Introspection response 
> draft. Based on the feedback in London, the draft entirely focuses on 
> use cases where the RS requires stronger assurance that the respective 
> AS issued the token, including cases where the AS assumes liability 
> for the token’s content.
>
> We incorporated the following changes:
> • fixed typos in client meta data field names (thanks Petteri!)
> • added OAuth Server Metadata parameters to publish algorithms 
> supported for signing and encrypting the introspection response
> • added registration of new parameters for OAuth Server Metadata and 
> Client Registration
> • added explicit request for JWT introspection response
> • made iss and aud claims mandatory in introspection response (thanks 
> Neil!)
> • Stylistic and clarifying edits, updates references
>
> Thanks to all reviewers!
>
> Vladimir and I are on the fence whether the Introspection Response 
> format should be determined by the AS based on its policy and/or 
> RS-related registration metadata or whether the RS should explicitly 
> request a JWT response by including an Accept header „application/jwt“ 
> in the respective request.
>
> What do you think?
>
> kind regards,
> Torsten.
>
>> Begin forwarded message:
>>
>> *From: *internet-drafts@ietf.org
>> *Subject: **New Version Notification for 
>> draft-lodderstedt-oauth-jwt-introspection-response-01.txt*
>> *Date: *28 May 2018 at 18:48:02 CEST
>> *To: *"Vladimir Dzhuvinov" <vladimir@connect2id.com>, "Torsten Lodderstedt" 
>> <torsten@lodderstedt.net>
>>
>>
>> A new version of I-D, 
>> draft-lodderstedt-oauth-jwt-introspection-response-01.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>>
>> Name: draft-lodderstedt-oauth-jwt-introspection-response
>> Revision: 01
>> Title: JWT Response for OAuth Token Introspection
>> Document date: 2018-05-28
>> Group: Individual Submission
>> Pages: 10
>> URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-01.txt
>> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>> Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>> Diff: https://www.ietf.org/rfcdiff?url2=draft-lodderstedt-oauth-jwt-introspection-response-01
>>
>> Abstract:
>>   This draft proposes an additional JSON Web Token (JWT) based response
>>   for OAuth 2.0 Token Introspection.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
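
An added illustration of the two points raised in this thread, written for this page and not taken from the messages or from the draft: an RS-side check that refuses an unsigned fallback when the AS ignores `Accept: application/jwt`, and that shows why `iss` and `aud` alone do not tell an introspection response apart from another JWT issued by the same AS for the same audience. Assumptions: HS256 with a shared key, constructed `example` names, and a hypothetical `typ` header value standing in for the "context" header George suggests.

```python
import base64, hashlib, hmac, json

# Hypothetical "typ" value (an assumption; the thread does not name one).
EXPECTED_TYP = "introspection-response+jwt"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(header: dict, claims: dict, key: bytes) -> str:
    """Build a constructed sample token (stands in for the AS)."""
    signing_input = (b64url(json.dumps(header).encode()) + "." +
                     b64url(json.dumps(claims).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def check_introspection_response(content_type, body, key, issuer, audience):
    """RS-side check; returns the claims or raises ValueError."""
    # An AS that does not support JWT responses answers with plain JSON.
    # An RS that needs a signed response must not silently accept that.
    if content_type.split(";")[0].strip().lower() != "application/jwt":
        raise ValueError("unsigned response")
    try:
        h64, c64, s64 = body.split(".")
        header = json.loads(b64url_decode(h64))
        sig = b64url_decode(s64)
    except ValueError:
        raise ValueError("malformed JWT")
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    # Context check: a validly signed JWT of another kind can carry the same
    # iss and aud, so the header must say what this JWT is.
    if header.get("typ") != EXPECTED_TYP:
        raise ValueError("wrong JWT context")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud:
        raise ValueError("iss/aud mismatch")
    return claims
```
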