Re: [OAUTH-WG] Listing OAuth Access Token Metadata
Warren Parad <wparad@rhosys.ch> Wed, 06 April 2022 08:23 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A2323A173E for <oauth@ietfa.amsl.com>; Wed, 6 Apr 2022 01:23:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hTkR6hYxF4W for <oauth@ietfa.amsl.com>; Wed, 6 Apr 2022 01:23:54 -0700 (PDT)
Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 742DB3A1748 for <OAuth@ietf.org>; Wed, 6 Apr 2022 01:23:54 -0700 (PDT)
Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-2eb680211d9so17773977b3.9 for <OAuth@ietf.org>; Wed, 06 Apr 2022 01:23:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=z/ooYEa5UJgZ4sahLYP1dC8enbldjZy22Azo59PUyE4=; b=HJD8mC2Iws2K0QlycRlysfHZ3oDFQyK8uyt0MLsxVf/ioVQ8xxULmh8JY8z3PXouXw RlkJ3qQRbBy0u30TWMkubHVBSP6IeY7U2k4MFI/x/Zc4i5eUGbEU0yZ3YUo2PpNxTJDZ tzr/wrQDeSzcxWhVzKEBV4wbZw5ERwO3zswPesIeeJk9t7HfjV88j8aK9XHLE/qYgmth qaQ8SYkyyeV515tPkOXgbpZVaLyo0KpMHSSvMlcCXn1NkYodOis/1cdeK0/AAvh5EQKc aEzOpXa+lLo0t6Pz9wZARtWmuWiRdi82WPebC+bYPyG1fp1ZYGcdUxdP+zeP9fsPJiLM CAHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=z/ooYEa5UJgZ4sahLYP1dC8enbldjZy22Azo59PUyE4=; b=WskUsR+VPC/Gq2PM2r/+7W3Lo5Vmr0j3jJKffY2/T3GvPPlTeQysfATzpXNJalHzKR K9MWq7eMX/aegr+gPPcB/cQbCxfiXjiEbqtzVRLs2FgPUgx+BJlocWCnhqAR2/Rxyndo 6qEcypBlxQk0Fl08D4lG1lwGtsz823gQ2gE7eoXIbhJkEDaTGnmgLDfm0nUqvJVEk9Eu GeKYsOJltEjPOzCY3AiPTt0VpEL7xGDru7A1FZwdj24pgQ8rdvMqTPyte5xNS1UEPNeA YHGepihdf06s2+bcM5XSZDDVBi0bmiVxzUMV7xr1K7dSnUkjWptH1uJj9vqBz+fPcGu3 8U/g==
X-Gm-Message-State: AOAM530mQa7MhGGRu09734L300ROucsLeNULvZSCh67KIy48DLjdZNvC DYfzjVoez5AtvxQEqi/eEL0vLr7rWPvF9Cb8E0Fw
X-Google-Smtp-Source: ABdhPJyijedktHUDOEwjGDdIqNpvLj247rqAliAKnotbw7jLdKPp4QR5ioD9Zkad9cgP75et4FXgJUxsZi9BCDwPnj4=
X-Received: by 2002:a81:c703:0:b0:2d0:cc6b:3092 with SMTP id m3-20020a81c703000000b002d0cc6b3092mr5911754ywi.449.1649233432841; Wed, 06 Apr 2022 01:23:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAL4nJSZSAEQQOy0dEwwD88Ne+vsQfTmj_RM7MPAFHnd18D7wMA@mail.gmail.com> <CF00B22F-0F92-4578-82DA-7EBF0208F4C6@alkaline-solutions.com> <CAHdPCmNx28rHgBaLtvRKWg9NyVbtJvA2DAs0aNHOoK5h8NvXdQ@mail.gmail.com> <CAJot-L0Q-aA_9CcCDaeLieoqfFPn7S0vKDAXdO5jnwfUDu72FA@mail.gmail.com> <CAL4nJSbnhSpnaJ+wuO6kteUngqa3Wjt45wuq0fY6Ga-+NB1N5w@mail.gmail.com>
In-Reply-To: <CAL4nJSbnhSpnaJ+wuO6kteUngqa3Wjt45wuq0fY6Ga-+NB1N5w@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Wed, 06 Apr 2022 10:23:40 +0200
Message-ID: <CAJot-L3ORfYbKmAcbsqXmup-Sk1R3BBSfwAv0yvkd-gysG+D4w@mail.gmail.com>
To: Dhaura Pathirana <dhaurapathirana@gmail.com>
Cc: oauth <OAuth@ietf.org>, Takahiko Kawasaki <taka@authlete.com>, David Waite <david@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="000000000000eaaa5605dbf814c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qrnNTloIe7I-5LUtxP_aye9tg2c>
Subject: Re: [OAUTH-WG] Listing OAuth Access Token Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2022 08:24:00 -0000
For the listing of all the user's toke, there isn't a standard for that. Additionally these should still be OAuth flow generated tokens via that third party. OAuth tokens are for clients on behalf of users, your use case directly matches with the expectation of OAuth. Lastly, if you want to add an alias or anything else to these, you can definitely add some additional methods no your AS, but I would recommend instead labeling these tokens as what they will be used for, i.e. the name and Id of the relevant third party client, and not a custom alias. I think if the best way to get advice in this area would be to stipulate why your business use cases are the way they are. There's pretty straight forward ways to solve what you seem to want using OAuth without anything off spec, if there's a real use case missing that should be improved by rev-ing the spec, it's best to talk about the core problems rather than trying to introduce a new flow which con be rife with issues. - Warren On Wed, Apr 6, 2022, 05:49 Dhaura Pathirana <dhaurapathirana@gmail.com> wrote: > Thank you all for the quick replies and I really appreciate the > suggestions. > > One thing that I want to clarify is that, in this use case, the > requirement is to list all the access tokens (metadata) (that belong to a > single owner) issued for the custom grant but in the introspection > specification only metadata can be listed for a given access token. > > Here, we need PATs rather than a standard OAuth grant type because the > token should be issued to a user (not a client) and the user will use this > token to access certain APIs through another third-party application (which > could be a simple automation script). And also, there are some attributes > like alias and description that should be stored with the PAT as they are > required for token identification purposes (Those attributes are not common > with other standard OAuth grant types). Furthermore, the user should be > able to revoke any of his PATs at any time. > > In the ID token suggestion, it is mentioned to look into OIDC ID token > specification. Does it imply that an ID token should be used as a Personal > Access Token, instead of an OAuth2 access token, or is it proposed to > extract user information? > > Thank You. > Kind Regards, > > Dhaura Pathirana > > On Mon, 4 Apr 2022 at 00:13, Warren Parad <wparad@rhosys.ch> wrote: > >> I'm tempted to say user created PATs are incompatible with OAuth, and >> OAuth already has a solution which avoids the user having to manually >> create these sorts of tokens. Is there a reason OAuth wouldn't be able to >> handle the specific use case. >> >> Warren Parad >> >> Founder, CTO >> Secure your user data with IAM authorization as a service. Implement >> Authress <https://authress.io/>. >> >> >> On Sun, Apr 3, 2022 at 7:56 PM Takahiko Kawasaki <taka@authlete.com> >> wrote: >> >>> Dear Dhaura, >>> >>> My recommendation to you (undergraduate? LinkedIn says so) is to >>> investigate the following as the first step. >>> >>> >>> - ID Token (OpenID Connect Core 1.0, Section 2) >>> - UserInfo Endpoint (OpenID Connect Core 1.0, Section 5.3) >>> >>> >>> In general, inventing a new grant type should be the last resort. >>> >>> Best Regards, >>> Takahiko Kawasaki >>> >>> >>> On Sun, Apr 3, 2022 at 3:35 PM David Waite <david= >>> 40alkaline-solutions.com@dmarc.ietf.org> wrote: >>> >>>> >>>> On Apr 1, 2022, at 3:24 AM, Dhaura Pathirana <dhaurapathirana@gmail.com> >>>> wrote: >>>> >>>> I would like to know if anyone has seen this (listing token metadata) >>>> as a common use case in OAuth2 and a standard way of doing it had been >>>> proposed before? >>>> >>>> >>>> OAuth Token Introspection (RFC 7662) defines a way to query for active >>>> state and meta-info. >>>> >>>> However, its use is defined only for protected resources, and not the >>>> resource owner or the client the token was issued to. >>>> >>>> -DW >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>
- [OAUTH-WG] Listing OAuth Access Token Metadata Dhaura Pathirana
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata David Waite
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Takahiko Kawasaki
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Warren Parad
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Dhaura Pathirana
- Re: [OAUTH-WG] Listing OAuth Access Token Metadata Warren Parad