IETF Logo Mail Archive

Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01

Justin Richer <jricher@mit.edu> Wed, 03 December 2014 01:05 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1103C1A1AF1 for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 17:05:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.71
X-Spam-Level:
X-Spam-Status: No, score=-3.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URI_NOVOWEL=0.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GY13joTjQjvw for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 17:04:55 -0800 (PST)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D73B31A1A69 for <oauth@ietf.org>; Tue, 2 Dec 2014 17:04:53 -0800 (PST)
X-AuditID: 1209190f-f79716d000000d1a-fa-547e61b3e070
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-4.mit.edu (Symantec Messaging Gateway) with SMTP id 0D.6E.03354.3B16E745; Tue, 2 Dec 2014 20:04:51 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id sB314pGi020744; Tue, 2 Dec 2014 20:04:51 -0500
Received: from [192.168.128.57] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id sB314n74029090 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 2 Dec 2014 20:04:50 -0500
Message-ID: <547E61AC.4040100@mit.edu>
Date: Tue, 02 Dec 2014 20:04:44 -0500
From: Justin Richer <jricher@mit.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: Phil Hunt <phil.hunt@oracle.com>
References: <46D29E35-5A69-4687-BC44-45462DEA8D47@mitre.org> <580238515.3962316.1417548302668.JavaMail.yahoo@jws10646.mail.bf1.yahoo.com> <EA29FCAC-B690-40D3-A6EF-345F4483856E@mitre.org> <BA5E5445-7B45-4798-A462-154A76152A4A@ve7jtb.com> <E82E18D9-9A3F-4810-A05B-C90F9FD7D0B6@xmlgrrl.com> <AEDCFD5D-9006-4C65-A42F-8AF4254C235C@ve7jtb.com> <C62B7206-4F9F-4FB2-A7AE-6C2EB55C09D1@mitre.org> <D02648C5-63D3-47B5-899A-AEF421229FC1@oracle.com>
In-Reply-To: <D02648C5-63D3-47B5-899A-AEF421229FC1@oracle.com>
Content-Type: multipart/alternative; boundary="------------030109050803020601030007"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprMKsWRmVeSWpSXmKPExsUixCmqrLs5sS7EYNEhc4uTb1+xWSyY38ju wOSxZMlPJo+PT2+xBDBFcdmkpOZklqUW6dslcGVM+LCateD4HOaKLRNOszYw/l/I2MXIySEh YCIxYf4kVghbTOLCvfVsXYxcHEICi5kkNq5rYIRwNjBKTJ/YxArh3GKS+LO5lwWkhVdATeLx unYwm0VAVeLkn7fsIDYbkD19TQsTiC0qECVx51I/K0S9oMTJmU/A6kUEVCS+Xb0OdgYzUP36 1RfB6oUFnCVuzDzDArFsC7NE8+PnYEM5BewkVtw5yQrRECZxZ+VKxgmMArOQzJ2FJDWLkQPI tpb4trsIIiwvsf3tHGYIW1tiVe9ZJmTxBYxsqxhlU3KrdHMTM3OKU5N1i5MT8/JSi3RN9HIz S/RSU0o3MYLDXpJ/B+O3g0qHGAU4GJV4eB9E14UIsSaWFVfmHmKU5GBSEuVdnQAU4kvKT6nM SCzOiC8qzUktPsQowcGsJMKbZweU401JrKxKLcqHSUlzsCiJ8276wRciJJCeWJKanZpakFoE k5Xh4FCS4J0IMlSwKDU9tSItM6cEIc3EwQkynAdo+HqQGt7igsTc4sx0iPwpRkUpcd5wkIQA SCKjNA+uF5aWXjGKA70izPsPpIoHmNLgul8BDWYCGny2oRZkcEkiQkqqgVGUYUV/ksH2Kz82 ZG9w/y59lI/3lFiINHfHN7UzAcbVAvcKVoiqvnGwcIhb/9Ru9vq/T3bNvOXffXZixfnUVod6 t/Itbrcfpz6Rf5KiIHu0hLXuY9rx95JBuXoOgfFpv3tOMbz6utT++r5VtTcdgs44P1ML5OEz rj3P/u35rxZpqcsmtk8WvFFiKc5INNRiLipOBADu/Fs7JgMAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/q3aQ-ViHmGTF_CqjviPWsApc3KY
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Dec 2014 01:05:01 -0000

Nothing says you need to pack the same information inside the JWT that 
you return from introspection. In our specific case, we don't put scopes 
or client IDs inside the JWT, just basic signature/identifier type 
stuff, so you need to call introspection to get back this other 
information. But the information inside the JWT includes an "iss" claim 
which the client can use to figure out *which* introspection endpoint to 
call.

This is just one of many different ways you could handle multiple AS at 
a single resource, and so it's definitely orthogonal to the basic 
introspection concept.

  -- Justin

On 12/2/2014 6:38 PM, Phil Hunt wrote:
> I am confused. Why would you call the introspection endpoint if you 
> were not expecting new information to be disclosed?
>
> Phil
>
> On Dec 2, 2014, at 14:26, Richer, Justin P. <jricher@mitre.org 
> <mailto:jricher@mitre.org>> wrote:
>
>> I agree that there's some use in this (and in fact I've deployed a 
>> version that uses a signed JWT to indicate its authorization server), 
>> but it should remain outside the scope of this spec. It's a service 
>> discovery problem, it's orthogonal.
>>
>>  -- Justin
>>
>>
>> On Dec 2, 2014, at 5:13 PM, John Bradley <ve7jtb@ve7jtb.com 
>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>> Yes,  but unless there is something new the introspection endpoint 
>>> in UMA is tied to the resource.
>>>
>>> In some cases having the token indicate the introspection endpoint 
>>> may be useful.
>>>
>>> John B.
>>>
>>> Sent from my iPhone
>>>
>>> On Dec 2, 2014, at 10:02 PM, Eve Maler <eve@xmlgrrl.com 
>>> <mailto:eve@xmlgrrl.com>> wrote:
>>>
>>>> FWIW, UMA goes ahead and standardizes a good deal about the trust 
>>>> establishment between the RS and the AS, and (of course) profiles 
>>>> and wraps the token introspection spec as part of the resulting 
>>>> "authorization API" that the AS presents to the RS. A big part of 
>>>> the motivation for this is to support an n:n relationship between 
>>>> AS and RS entities.
>>>>
>>>> EVe
>>>>
>>>>> On 2 Dec 2014, at 12:14 PM, John Bradley <ve7jtb@ve7jtb.com 
>>>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>>>
>>>>> Many of the proprietary introspection protocols in use return 
>>>>> scope, role or other meta data for the RS to make its access 
>>>>> policy decision on.
>>>>> One of the reasons for using opaque tokens rather than JWT is to 
>>>>> prevent leakage of that info.
>>>>>
>>>>> Making authentication to the introspection endpoint a MUST if 
>>>>> additional attributes are present is OK,  I might even be inclined 
>>>>> to say that authentication of some sort is always required, but 
>>>>> that might be going a bit far for some use cases.
>>>>>
>>>>> We have a lot of proprietary ways to do this from IBM, Layer 7, 
>>>>> Ping etc.  It would be nice if we could standardize it.   
>>>>> Precluding other attributes would not be helpful for adoption.
>>>>>
>>>>>
>>>>> One issue that we haven't addressed in this spec is what happens 
>>>>> if there are multiple AS for the RS and how it would decide what 
>>>>> introspection endpoint to use.
>>>>> Perhaps that needs to be a extension, leaving this for the simple 
>>>>> case.
>>>>>
>>>>> However having more than on e AS per RS is not as unusual as it 
>>>>> once was in larger environments.
>>>>>
>>>>> John B.
>>>>>
>>>>>
>>>>>> On Dec 2, 2014, at 4:56 PM, Richer, Justin P. <jricher@mitre.org 
>>>>>> <mailto:jricher@mitre.org>> wrote:
>>>>>>
>>>>>> Agreed, which is why we've got space for the "sub" and "user_id" 
>>>>>> fields but not anything else about the user, and we've got a 
>>>>>> privacy considerations section for dealing with that. If you can 
>>>>>> help make the wording on that section stronger, I'd appreciate it.
>>>>>>
>>>>>>  -- Justin
>>>>>>
>>>>>> On Dec 2, 2014, at 2:25 PM, Bill Mills <wmills_92105@yahoo.com 
>>>>>> <mailto:wmills_92105@yahoo.com>> wrote:
>>>>>>
>>>>>>> If introspection returns any other user data beyond what is 
>>>>>>> strictly required to validate the token based solely on 
>>>>>>> possession of the public part it would be a mistake.
>>>>>>>
>>>>>>>
>>>>>>> On Tuesday, December 2, 2014 11:13 AM, "Richer, Justin P." 
>>>>>>> <jricher@mitre.org <mailto:jricher@mitre.org>> wrote:
>>>>>>>
>>>>>>>
>>>>>>> That's all fine -- it's all going over TLS anyway (RS->AS) just 
>>>>>>> like the original token fetch by the client (C->AS). Doesn't 
>>>>>>> mean you need TLS *into* the RS (C->RS) with a good PoP token.
>>>>>>>
>>>>>>> Can you explain how this is related to "act on behalf of"? I 
>>>>>>> don't see any connection.
>>>>>>>
>>>>>>>  -- Justin
>>>>>>>
>>>>>>> On Dec 2, 2014, at 2:09 PM, Bill Mills <wmills_92105@yahoo.com 
>>>>>>> <mailto:wmills_92105@yahoo.com>> wrote:
>>>>>>>
>>>>>>>> Fetching the public key for a token might be fine, but what if 
>>>>>>>> the introspection endpoint returns the symmetric key?  Data 
>>>>>>>> about the user?  Where does this blur the line between this and 
>>>>>>>> "act on behalf of"?
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tuesday, December 2, 2014 11:05 AM, "Richer, Justin P." 
>>>>>>>> <jricher@mitre.org <mailto:jricher@mitre.org>> wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> The call to introspection has a TLS requirement, but the call 
>>>>>>>> to the RS wouldn't necessarily have that requirement. The 
>>>>>>>> signature and the token identifier are two different things. 
>>>>>>>> The identifier doesn't do an attacker any good on its own 
>>>>>>>> without the verifiable signature that's associated with it and 
>>>>>>>> the request. What I'm saying is that you introspect the 
>>>>>>>> identifier and get back something that lets you, the RS, check 
>>>>>>>> the signature.
>>>>>>>>
>>>>>>>>  -- Justin
>>>>>>>>
>>>>>>>> On Dec 2, 2014, at 1:40 PM, Bill Mills <wmills_92105@yahoo.com 
>>>>>>>> <mailto:wmills_92105@yahoo.com>> wrote:
>>>>>>>>
>>>>>>>>> "However, I think it's very clear how PoP tokens would work. ..."
>>>>>>>>>
>>>>>>>>> I don't know if that's true.  POP tokens (as yet to be fully 
>>>>>>>>> defined) would then also have a TLS or transport security 
>>>>>>>>> requirement unless there is token introspection client auth in 
>>>>>>>>> play I think.  Otherwise I can as an attacker take that toklen 
>>>>>>>>> and get info about it that might be useful, and I don't think 
>>>>>>>>> that's what we want.
>>>>>>>>>
>>>>>>>>> -bill
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> Eve Maler http://www.xmlgrrl.com/blog
>>>> +1 425 345 6756 http://www.twitter.com/xmlgrrl
>>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.35.0 | Report a Bug | By Email | System Status