Re: [OAUTH-WG] self-issued access tokens

Dick Hardt <dick.hardt@gmail.com> Wed, 29 September 2021 06:06 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 28 Sep 2021 23:05:48 -0700
Message-ID: <CAD9ie-sgjUv3fppvTZvPpOyUKXo1H1i9LtkOk2yxzZ1+A+wt6w@mail.gmail.com>
To: toshio9.ito@toshiba.co.jp
Cc: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kyRdTBEsGq5pfdYZzlfoJy9S_6M>

If the client is sending a self-signed JWT to the RS, you essentially are
just authenticating directly to the RS. Not really OAuth as the RS has not
delegated authorization authority to the AS.

If the client sends a self-signed JWT (a PAR) to the AS, and gets back an
access token to present to the RS, you get centralized authorization
decisions, a key feature of OAuth.


On Tue, Sep 28, 2021 at 6:55 PM <toshio9.ito@toshiba.co.jp> wrote:

> Hi OAuth folks,
>
> I have a question. Is there (or was there) any standardizing effort for "self-issued access tokens"?
>
> Self-issued access tokens are mentioned in a blog post by P. Siriwardena in 2014 [*1]. It's an Access Token issued by the Client and sent to the Resource Server. The token is basically a document (e.g. JWT) signed by the private key of the Client. The Resource Server verifies the token with the public key, which is provisioned in the RS in advance.
>
> I think self-issued access tokens are a handy replacement for the Client Credentials Grant flow in simple deployments, where it's not so necessary to separate AS and RS. In fact, Google supports this type of authentication for some services [*2][*3]. I'm wondering if there are any other services supporting self-signed access tokens.
>
> Any comments are welcome.
>
> [*1]: https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
> [*2]: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
> [*3]: https://google.aip.dev/auth/4111
>
> -------------
> Toshio Ito
> Research and Development Center
> Toshiba Corporation
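As an added illustration of the pattern Toshio describes and the trade-off Dick points out (example code written for this page, not from the thread, WSO2 or Google): the client signs its own token with its private key, and the RS verifies it against a key provisioned in advance, so the RS has to hold one trusted key per client rather than a single AS key. Client name, audience URL and the EdDSA choice are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Claims: iss is whoever signed (the client itself here), aud is the RS the token is meant for.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// SelfIssue is the client side: it signs its own access token (alg EdDSA, RFC 8037), no AS involved.
func SelfIssue(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// VerifyAtRS is the resource server side. trusted maps issuer -> pre-provisioned public key;
// with self-issued tokens it needs one entry per client, with an AS in the loop only the AS key.
func VerifyAtRS(token string, trusted map[string]ed25519.PublicKey, rsAud string, now time.Time) (c Claims, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return c, errors.New("malformed token") }
	var hdr struct{ Alg string `json:"alg"` }
	if raw, e := b64.DecodeString(parts[0]); e != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "EdDSA" {
		return c, errors.New("header rejected") // pin the algorithm: never let the token pick it
	}
	if raw, e := b64.DecodeString(parts[1]); e != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("payload rejected")
	}
	pub, ok := trusted[c.Iss]
	if !ok { return c, errors.New("unknown issuer " + c.Iss) } // key was never provisioned at this RS
	if sig, e := b64.DecodeString(parts[2]); e != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return c, errors.New("signature does not verify")
	}
	if c.Aud != rsAud { return c, errors.New("audience mismatch") } // token minted for another RS
	if now.Unix() >= c.Exp { return c, errors.New("token expired") }
	return c, nil
}
```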