[OAUTH-WG] self-issued access tokens

toshio9.ito@toshiba.co.jp Wed, 29 September 2021 01:54 UTC

From: toshio9.ito@toshiba.co.jp
To: oauth@ietf.org
Thread-Topic: self-issued access tokens
Thread-Index: Ade01Nk+d5eF4L5tTXCgjU67TgIDjw==
Date: Wed, 29 Sep 2021 01:54:15 +0000
Message-ID: <TYCPR01MB567859999FB3350D6A1C63E5E5A99@TYCPR01MB5678.jpnprd01.prod.outlook.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: aaDTAdTOL592E/xll/5MulLnkCxCeLrhHFmbQWSCnZZIYe9ZtyAJzTlsSC1r2cBjU6IQo6z20wnFUEgN/WznrdujDaP8tCGi4Y6pKqBR65GIw0OaneXlub5ayQupypW7vcX3dBr48lHfuf+6khIllTB+7ExLKp6IbrOLSo7v1D4lLH3LMxOcBmpCaAT3SNmn69KVs5b2t0aDZLyM6VywIrZbgPy6KMDDfpuXAsWVN/Lc8NkpaOKlf35aiNziOm3xL0aoTwLxAG+B6Rm2AD/q+2yDY6Mpz82OOo3FpRZJGA5YCePcvQXOx2shzpGoohp7yL0rgUCu8QM5WBsA7UfaTaRTsfz7iCAx9Cd+67fhZpe7zg+Cx/LViB244DOQkvRjz2IU4vBiQ5uucRm1+yoTqqZXCX9y1MxjTPEz/ZF1R0ecSgteRlcltD5kaq0MxKpjBm6NoXQie+wFcf1CfQLwBHyXUDNC0FPrZZYciNMNjC1b6M8uVDOjZys5ChTjGjVUoE4ivlNXqDSvd7/t2gXg0407LpO61eoUrsGcpt110EtxbNrUhu57RLMnwxMJtpmMSguPb6L7nsHk9mNPpsdjdhDHTVt1jkk7500PREcP9++0wWpU/Fe50nAbLDj6O+UfiyvglaphncJZ4m1KPoAYiwc98pl2IQyJIiZ4T7GBaPuXgMPbOY0A/Xd/V4+jctCvWP3vlm4B7tEbfpu2mgs66USSm2bJYVTpLlHp0wkKEiW3vsCZWsaEARj0B6jtC5KM8u7O7o58cOIh1ei9Nr64Dh61AEz2NlcoioKCiI6O6VmTCwfVrrl91edG0Lb0CXHzlYFr4ziENqW06x3CP3Va+HKpwwwdeUfmMw55qMf2k3Lvf6Drm7QdAika2kaT/G3jrkpUwKVqE1CEjwhH8PmcEQQotdQQ0kYL2jYzbvfgwxO3rSdCnvt8iz8JEATOnW3O0wXJovefIri1xBioYAogchA2aD2U04Qy63qjyd6512E2U0uZ4c7vo+RnM+hRj8wja1RsHIY5DAEz+20T2Ei3sSZynt86zmmBCn63T6pnliHcZ8JxqZltybB5k27/Ut5tB18dx2OUrVh64m9b1oEngpZCFVGW4tC/zE2BGEJA+XsBpFb9aszaIqWSekwtR+xz20zwTO96pVjoFKZv11Rvw1HSWpALF77AHCb7Cnlr4nNmVtYyzFHWqSVSXvxP349abNeU0Oxk0SjHCZx/4riJNKxqqdW0H5x8KpGpFyYrep4aabjrqb9CeHpoFmzrfosPL9k0i45gR4hdHqOdSXUGi2JEEifRzodPw/RbKx8zsz4=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-2022-jp"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: TYCPR01MB5678.jpnprd01.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2b783175-cbbc-4af0-f0ea-08d982ec0ae4
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Sep 2021 01:54:15.5518 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f109924e-fb71-4ba0-b2cc-65dcdf6fbe4f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mdFX0qVoG6aGaJgN1PGvXcbefwRshwtcTwmVXhB33x5tn2/7eB0saKHf0BbFE5S+grgNz5AmJD3mL/Qv5H7P5a/hu4yotwu6bAfm88EIVg8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TYYPR01MB6794
MSSCP.TransferMailToMossAgent: 103
X-OriginatorOrg: toshiba.co.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pi8rkr8zdugLArFpxEWvJO4Q-RY>
Subject: [OAUTH-WG] self-issued access tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Sep 2021 01:54:29 -0000

Hi OAuth folks,

I have a question. Is there (or was there) any standardizing effort for
"self-issued access tokens"?

Self-issued access tokens are mentioned in a blog post by P. Siriwardena in 2014
[*1]. It's an Access Token issued by the Client and sent to the Resource Server.
The token is basically a signed document (e.g. JWT) by the private key of the
Client. The Resource Server verifies the token with the public key, which is
provisioned in the RS in advance.

I think self-issued access tokens are handy replacement for Client Credentials
Grant flow in simple deployments, where it's not so necessary to separate AS and
RS. In fact, Google supports this type of authentication for some services
[*2][*3]. I'm wondering if there are any other services supporting self-signed
access tokens.

Any comments are welcome.

[*1]: https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
[*2]: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
[*3]: https://google.aip.dev/auth/4111

-------------
Toshio Ito
Research and Development Center
Toshiba Corporation

[OAUTH-WG] self-issued access tokens toshio9.ito
Re: [OAUTH-WG] self-issued access tokens Dick Hardt
Re: [OAUTH-WG] self-issued access tokens Vittorio Bertocci
Re: [OAUTH-WG] self-issued access tokens Sascha Preibisch
Re: [OAUTH-WG] self-issued access tokens Daniel Fett
Re: [OAUTH-WG] self-issued access tokens Sascha Preibisch
Re: [OAUTH-WG] self-issued access tokens Nikos Fotiou
Re: [OAUTH-WG] self-issued access tokens David Waite
Re: [OAUTH-WG] self-issued access tokens Nikos Fotiou
Re: [OAUTH-WG] self-issued access tokens toshio9.ito
Re: [OAUTH-WG] self-issued access tokens toshio9.ito
Re: [OAUTH-WG] self-issued access tokens toshio9.ito
Re: [OAUTH-WG] self-issued access tokens Dick Hardt
Re: [OAUTH-WG] self-issued access tokens toshio9.ito
Re: [OAUTH-WG] self-issued access tokens Dick Hardt
Re: [OAUTH-WG] self-issued access tokens David Waite
Re: [OAUTH-WG] self-issued access tokens toshio9.ito
Re: [OAUTH-WG] self-issued access tokens Warren Parad
Re: [OAUTH-WG] self-issued access tokens David Chadwick
Re: [OAUTH-WG] self-issued access tokens Dick Hardt
Re: [OAUTH-WG] self-issued access tokens toshio9.ito