IETF Logo Mail Archive

Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00

George Fletcher <gffletch@aol.com> Thu, 04 April 2019 19:17 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61E6A120151 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 12:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CEoYgaFvYojC for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2019 12:17:31 -0700 (PDT)
Received: from sonic315-14.consmr.mail.bf2.yahoo.com (sonic315-14.consmr.mail.bf2.yahoo.com [74.6.134.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27DA3120126 for <oauth@ietf.org>; Thu, 4 Apr 2019 12:17:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1554405449; bh=6MtPVj8LLfX3ghkMUMUhfftrBA8EjyMKrib7C7UXAFg=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=IiATmqwXN/EHfp/nc7qPqt8KixE/mBBhqZmHtSgdqLXKiwtn16gcRxpPMFtCR3h/KPS83LjLEshl1q3xA04rhocFR5SbakHPCJuUlyMbQSR4l5XveWAQ5ipn5eoBgCrn8Zt4+fD7K0OsjCIVSm9Cwxm5QwoZpqgCQO6CTChS+d+WLH2I+kXP+FDKFvi9zk+LP35csdNUeID+n4Yi+LM8uOvQPbbyTY60R5jf65d0KMcMMb/5Ky1J3mcvZBC+yYOlcAjSC6BTDVAhiI8ojyLskhDk4UUKq1TROwbvnc6PEx01PjmbyoVbOrnZWrSXvRvzfa+DhDNh2DBi1DrdZ+X8qQ==
X-YMail-OSG: 0n9hQn0VM1lMrZflrBrzw7UNEzJe.5mdAUO627jxZ645dMi_U4Bx7TtMI5Mv5DN 5S6iTqIo6ZL5_Tq6yCFH.ZVzjKBq4SWe0t.6BoRfxo.E9DnCMdsX1XWcPH1.MylqlfFdun5kzINa HSMjdeeh_d2aZDxjK3_2Ra.hiGSchrPi3wlnqN1NCrhoLKPyLJB69DOjAl3cXmDgnPSivzsO1SaK 6DLIX40tO8sX9fCgEmijTPjCuYrmiYEj3kh2jkj.TRUTxB..lqKvYHBCcANA8mhfQ5WSWLDCwwNI PBg7SAXfVyHLXDCwcfL8.PUQWuX4eFgwcHkJJ26i2_4g68ZwhkEcV7Bd5ma0yVYLYhHTptJRXmcn Fbt6uMfwYckkgKwfwHmUiq_JnC5D_kBcxlpzr7ujm_868uySdYdQwer1GUHY1navPozNnWvv6aqE J8zgSIbo.bCxEYSkTS5pj4O9n3wblToAa11247MUBFYXzKufjDRUrp6j52Mpr8m3K3DAcQlC_YZC GbHwaMi20ecY_j4OTkBeZ8nBL31PksrF2oemxPLR.kN4RMc1y0gRdf6I6C3QDOC6M4tc1vA7QjfH rKlEda8pbAz14b84QSv6sT_NuZOBQ.fo0jXbL2od7NCTKVJAiLkc5dhrEmjXN97wVuB4VkTiZlJ_ TT01He8XRLDwonfUR57PpocmAdpbaMqJYhWIcGqZO5arUAZxDKlFLuGVV8EFPycd4L558hubjtzh LAf42c4OJD1OST42ApdIZLUMpiylXg7gZ8v5pye6_IhkjQaFwPiHLeuHfLJmSZyZ.aRVKSYllfVo vpGRPiG.pfFKetG.q1O6iRVO.OSNgERyTyQ77D3HcrgGpIs5wZXywe6SbFr.2t3YKNconyENYdk2 vu6nuL2a3x6DPf.uVQWoqswST2lT_gEK73fw6DXjp70kETmW4yi2u9ex6HSsXK3ZVxWEPdfO1ja2 sziPWWIpKY9iAinl8FrmbjrTFiIsV1Q1lWv5Ha9QNuFP_fn6y5x9cw1Owej9I52prBJ9lXnaLhqj GQLOxn.klWWrtbroJVebeZFyZ2qrbtmkft2tOucrjot.c0N.Ci.awcAhKnTBmcF9OGfuqdAw-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.bf2.yahoo.com with HTTP; Thu, 4 Apr 2019 19:17:29 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp412.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID ddf554ab16ab89152fe76dc55583239f; Thu, 04 Apr 2019 19:17:27 +0000 (UTC)
To: Vittorio Bertocci <Vittorio@auth0.com>
Cc: IETF oauth WG <oauth@ietf.org>
References: <CAO_FVe6eWy3zppQAij7qxD+ycYL8ebqGJKG0y-A7GhN+0=kb4g@mail.gmail.com> <62e62afb-891d-f7d8-8b39-793254dadf7b@aol.com> <CAO_FVe7jnEiYLmX71B2mFD9srJAxD8XGG875JF4bOLsvVMEw4A@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <b00729c9-95e8-92e9-d1cb-354ab4289d78@aol.com>
Date: Thu, 04 Apr 2019 15:17:26 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <CAO_FVe7jnEiYLmX71B2mFD9srJAxD8XGG875JF4bOLsvVMEw4A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------7E1BA5F47718B01A0AA3000D"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/obCGwh0Iucv5SWG4MVmdR3ordE0>
Subject: Re: [OAUTH-WG] draft-bertocci-oauth-access-token-jwt-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2019 19:17:34 -0000

I get your 1st party use case and if you think about a company that 
might have multiple endpoints on different domains that provide API 
services all invoked by a mobile app... requiring the mobile app to 
effectively downscope (or resource indicator bind) tokens means a lot of 
chatter between the mobile app to the AS to obtain appropriate tokens. 
And all this over a connection that does have latency issues.

That said, having a single token that is authorized to access all those 
services has it's own risks.

I'm not sure about a structure like...
    https://user.example.com
       scope: profile
    https://mail.example.com
       scope: mail-write
    https://cal.example.com
       scope: calendar-write

User Managed Access (UMA) [1] explicitly defines this structure but it's 
not embedded in the UMA access token.

[1] 
https://docs.kantarainitiative.org/uma/wg/oauth-uma-federated-authz-2.0-05.html#permission-endpoint

I suppose a need to support multiple audiences within a given access 
token kind of necessitates the need to bind the scopes with the 
audience/resource.

On 4/4/19 1:34 PM, Vittorio Bertocci wrote:
>
>     I think for most implementations this would amount to... define an
>     audience that covers all the resource services where the access
>     token can be returned and set that as the audience (e.g.
>     urn:x-mydomain:apis). Which is perfectly legal but maybe not in
>     the spirit of the spec:) I am receiving feedback from developers
>     that binding access tokens narrowly to the resource where they
>     will be presented is concerning from a chattiness perspective
>     (latency issues) and general load on the deployed AS infrastructure.
>
> This is an interesting point. In my experience, the main boundary used 
> to define a resource is either reflecting an underlying, *actual* 
> resource that exists independently of the API facade slapped on top of 
> it (say a VM) or it is the context within a certains et of scopes 
> makes sense (say an API facading access to a bunch of documents).
> Some of that criterion is reflected in the rationale for sigle value 
> audiences. Do you think it should be made more explicit? Perhaps in a 
> dedicated section?
[rest of thread snipped]

v2.23.0 | Report a Bug | By Email