Re: [OAUTH-WG] Question regarding draft-ietf-oauth-jwt-introspection-response-05

"Schaar, R.M. (Remco) - Logius" <> Mon, 26 August 2019 07:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id C98D4120111 for <>; Mon, 26 Aug 2019 00:42:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7nKDhtdDqPal for <>; Mon, 26 Aug 2019 00:42:55 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7765312010F for <>; Mon, 26 Aug 2019 00:42:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;;; q=dns/txt; s=Selector2; t=1566805375; x=1598341375; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version:content-transfer-encoding; bh=8otYwTngUSOmZD4hilkJjAR66GBWRACLy2b/V2RMQ9M=; b=DKhdIqiDcm0pBdSTybhDi72ls0VPPrzDs0XKt8Pb86pqYh53pDFtdV2p 9+D7aYNTmovHS1nEhdfmC2q02voFo2GBOzS2GEV2zVUCWHX5PsSuGZCha dtf/YbHFOz0ziNaxS98cCKZSSmdbZFqp+at74KrvYwzJtLtyOmhA7zwWT phl7LL4+p0GykGHJZVDf0DBq7vSNquHuIUNh3kW/3xY2Goy6DPRwvQ3q1 g2uWTyX+IzQFTQqOwerdiAeZ7nqYkq1GzQ3GcYQ4J132CVIkEhtXeLx7U o3M+7oxnwdff2F8druQSjmLMoPH88sbZhEUaCk2+5WL8pc4uLKp27SxxT w==;
IronPort-SDR: Xol7tYQj8l87HhhW8HMqCM8M7+NJ/ClCrSscPVkq2G6295QgdKkZG9LIWQAHJO3j8mrjk6r0X1 1969LqhVjI3Q==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=McAfee;i="6000,8403,9360"; a="14195008"
X-IronPort-AV: E=Sophos;i="5.64,431,1559512800"; d="scan'208";a="14195008"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
From: "Schaar, R.M. (Remco) - Logius" <>
To: 'Torsten Lodderstedt' <>
CC: "''" <>
Thread-Topic: [OAUTH-WG] Question regarding draft-ietf-oauth-jwt-introspection-response-05
Thread-Index: AQHVVPNIj99CrYifUEuqB+4o77upAKcHR81A
Date: Mon, 26 Aug 2019 07:42:51 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: nl-NL, en-US
Content-Language: nl-NL
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Archived-At: <>
X-Mailman-Approved-At: Mon, 26 Aug 2019 03:48:43 -0700
Subject: Re: [OAUTH-WG] Question regarding draft-ietf-oauth-jwt-introspection-response-05
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Aug 2019 07:42:59 -0000

Hello Thorsten,

Thank you for your response. I have a few more questions/comments as

You state that RFC7519 and RFC7662 "just" define different representations
for token data. If the draft RFC would refer to RFC 7515 (JWS), I would
agree. However, RFC7519 (JWT) explicitly adds semantics to some specific
parameters (e.g. aud, jti and iat). RFC7662 has different semantics for
the several of the same parameters.
For instance the 'iat', is the moment of issuance of the JWT in RFC7519. In
RFC7662 that is the "when this token was originally issued". This time will
vary in use cases without immediate introspection of an access token.

For the use case of the resource server relying on verifiable data, as
described in the introduction of the draft RFC, the time of the introspection
is critical. In particular when combined with revocation, the time of
introspection and the 'active' status can differ between two subsequent calls
for introspection.

If the draft RFC just produces a JWT representation of the access token,
including 'active' would not make sense as the JWT will expire without
updating it to false. Leaving 'active' out would make it incompatible with
RFC7662 introspection responses.
Similar, not including a unique 'jti' per introspection response would make
the resource server vulnerable to replay attacks. Or the resource server
would mistakenly refer to non-unique tokens, making the responses unsuitable
for accountability and audit purposes.

As to why someone would want to distinguish a JWT access token from an
introspection response: several use cases come to mind.

First of all, even if one is using standalone interpretable JWT access tokens,
one may want to combine that with revocation checking using introspection. The
interpretation and meaning of the JWT and the introspection response than do
differ and matter.

Another use case would be a mixed ecosystem with resource servers relying on
introspection while others do parse JWT access tokens. A single, uniform
implementation for the AS would than mix both as well.

A last use case could be exchanging access tokens with a subset of the full
set of applicable parameters, to reduce the size of access tokens. Additional
information can be exchanged via introspection, resulting in mixed JWT access
tokens and introspection as well.

Kind regards,
Remco Schaar

-----Oorspronkelijk bericht-----
Van: Torsten Lodderstedt <> 
Verzonden: zaterdag 17 augustus 2019 14:00
Aan: Schaar, R.M. (Remco) - Logius <>
Onderwerp: Re: [OAUTH-WG] Question regarding draft-ietf-oauth-jwt-introspection-response-05

Hi Remco,

> On 6. Aug 2019, at 16:01, Schaar, R.M. (Remco) - Logius <> wrote:
> Hello,

RFC 7519 and RFC 7662 “just” define different representations for token data. In RFC 7519 the data is carried in the token itself (which also means the format of the token is well-defined and know to the RS) whereas RFC 7662 defines a way to inspect tokens via an API provided by the AS. The latter is typically used in conjunction with opaque tokens, i.e. the RS does not have a clue how to parse and interpret the token. The token might just be a handle to a database entry at the AS in this case. 

This also means a JWT (RFC 7662) and the Introspection Response are conceptually the same from a RSs perspective.


> The ‘jti’ parameter however will always be ambiguous. As it is an identifier, it should differ for the introspected token and the introspection response by definition. Hence the semantics of ‘jti’ in a JWT introspection response is unclear. The same can apply to the ‘iat’, ‘nbf’ and ‘exp’ claims in a JWT introspection response.

I don’t understand the difference you are making. All before mentioned claims are related to the (abstract) access token. You may think of the Introspection Response as _the_ JWT representation of the access token produced by the AS for the RS.

> Can someone clarify the semantics of claims in an introspection response JWT that are defined in both RFC7662 and RFC7519?
> Furthermore, the introspection response should use the ‘iss’ and ‘aud’ claims to avoid cross-JWT confusion (section 6.1). The ‘iss’ and ‘aud’ of an introspected token will typically be the same as those of the introspection response. Hence a JWT access token cannot be distinguished from an introspection response using ‘iss’ and ‘aud’ as suggested in the draft..
> Introspection refers to JWT best-current-practice. The draft BCP recommends using explicit typing of JWTs, however the draft JWT response for introspection does not apply this recommendation and uses the generic ‘application/jwt’ instead... The BCP has other recommendations in section 3.12, but these may be insufficient to distinguish a JWT access token from a JWT introspection response.

Good point. The reason why the BCP recommends explicit typing is to prevent replay in other contexts. In the end typing is a compelling concept unfortunately not broadly used in the wild.

So the JWT Introspection Response draft copes with that attack angle by making iss and aud mandatory. 

> How would people suggest to best distinguish a JWT (access) token from a JWT introspection response?

Why should you? One reason why we extended the Introspection Response was to eliminate the difference between JWTs directly used as access tokens and Introspection Responses.

best regards,

Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.