Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Hi Taka,

I see, the audience is multi value. In my impression both specs assume a single value audience. 

But I think we can handle this as follows: Since the caller of the introspection respect is a single RS, the AS first needs to map & check the resources associated with the underlying access token against that caller. The RS is authenticated at the introspection endpoint using a client_id (and some credential), so the AS needs to map the client_id to resource identifier. If the result is in the set of the resources associated with the underlying access token, the AS can create an Introspection Response, which only contains this particular resource. 

What do you think?

best regards,
Torsten. 

> On 2. Mar 2020, at 17:31, Takahiko Kawasaki <taka@authlete.com> wrote:
> 
> Hi Torsten,
> 
> For example, if an authorization request includes two "resource" request parameters like below,
> 
> resource=https://host1.example.com/resource1
> resource=https://host2.example.com/resource2
> 
> RFC 8707 expects that the value of "aud" in an introspection response look like the following.
> 
> "aud" : [
>   "https://host1.example.com/resource1",
>   "https://host2.example.com/resource2",
> ]
> 
> How does the implementation of the introspection endpoint insert the identifier of the resource server (the API caller?) into the "aud" array above? In other words, what is the expected resultant value of the "aud" array in this case?
> 
> Taka
> 
> 
> On Mon, Mar 2, 2020 at 10:54 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi Taka, 
> 
> > On 1. Mar 2020, at 08:10, Takahiko Kawasaki <taka@authlete.com> wrote:
> > 
> > Hello,
> > 
> > I'm wondering if the following conflicts in "JWT Response for OAuth Token Introspection" (draft 8) have already been pointed out.
> > 
> > RFC 8707 (Resource Indicators for OAuth 2.0) requires that 'aud' in an introspection response hold the values of the 'resource' request parameters, whereas "JWT Response for OAuth Token Introspection" says that 'aud' MUST identify the resource server receiving the token introspection response. The definitions conflict.
> 
> RFC 8707 states 
> 
> The authorization server may use
>    the exact "resource" value as the audience or it may map from that
>    value to a more general URI or abstract identifier for the given
>    resource.
> 
> draft-ietf-oauth-jwt-introspection-response-08 states
> 
> The value of the "aud" claims MUST identify the resource server
>    receiving the token introspection response.
> 
> So RFC 8707 gives choices of how the resource server might be identified and draft-ietf-oauth-jwt-introspection-response-08 says the AS must identify the RS without prescribing any particular way. So basically you can use the advice given by  RFC 8707 to implement the requirement stated by draft-ietf-oauth-jwt-introspection-response-08.
> 
> I don’t see a conflict. 
> 
> > 
> > RFC 7662 (OAuth 2.0 Token Introspection) requires that 'iat' in an introspection response indicate when the access/refresh token was issued, whereas "JWT Response for OAuth Token Introspection" says that 'iat' indicates when the introspection response in JWT format was issued. The definitions conflict.
> 
> I will come back to this issue in an answer to Filip’s post.
> 
> best regards,
> Torsten. 
> 
> > 
> > Best Regards,
> > Takahiko Kawasaki
> > Authlete, Inc.
> > 
> > 
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 

Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Attachment: smime.p7s