[OAUTH-WG] oauth-jwt-introspection-response and RFC 7797

Andrii Deinega <andrii.deinega@gmail.com> Sun, 07 February 2021 09:56 UTC

From: Andrii Deinega <andrii.deinega@gmail.com>
Date: Sun, 7 Feb 2021 01:56:06 -0800
Message-ID: <CALkShcs5iY9WRYzC2Zub7LZQ5=YMHPuovYZkWOhXOiJUaTgN0g@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/s-qKpOYuMReZiyc8ajm97iHAIKk>

Hi WG.

draft-ietf-oauth-jwt-introspection-response-10 proposes to return signed
JWTs as a response from the introspection endpoint, which makes me
wonder if there are any particular reasons not to avail of the JSON Web
Signature (JWS) Unencoded Payload Option (RFC 7797) and the X-JWS-SIGNATURE
HTTP header in order to achieve the same goals.

Pros would be

   1. a token introspection response remains exactly the same as it
   was before, with the exception of a JWT in the X-JWS-SIGNATURE HTTP header
   (where the detached payload is the actual token introspection response)
   2. the AS can safely enable it for all responses from the introspection
   endpoint, so clients who don't require or just aren't aware of this header
   will continue to work as before; accordingly, the clients who require
   some stronger assurance will require and check a JWT in the X-JWS-SIGNATURE
   HTTP header
   3. the same approach could also work for other endpoints such as the
   revocation and OIDC UserInfo endpoints

What do you think?

Regards,
Andrii
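The scheme proposed above, worked through as an added example that is not part of the original message or of any OAuth implementation: the AS signs the unmodified introspection body as a detached RFC 7797 JWS (`b64: false`, `crit: ["b64"]`, empty payload segment) and carries it in `X-JWS-SIGNATURE`; a legacy client ignores the header, while a strict client verifies the signature over the raw body bytes before parsing them. The header name follows the mail; the HS256 shared key, the `kid`, and the sample claims are constructed for the example (a production AS would sign with an asymmetric key published in its JWKS, which changes only the signing and verification primitive).

```python
import base64
import hashlib
import hmac
import json

# Constructed demo material; not real keys or identifiers.
SHARED_KEY = b"constructed-demo-hs256-key-not-for-production"
KEY_ID = "introspection-demo-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_detached(body: bytes, key: bytes, kid: str) -> str:
    """Build the compact detached JWS ('header..signature') over the raw body.

    With b64=false (RFC 7797) the signing input is
    ASCII(BASE64URL(header)) || '.' || body, i.e. the body bytes are signed
    as-is instead of being base64url-encoded. The payload segment is left
    empty because the body travels in the HTTP response itself.
    """
    header = {"alg": "HS256", "kid": kid, "b64": False, "crit": ["b64"]}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    signing_input = protected.encode("ascii") + b"." + body
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{protected}..{b64url(sig)}"


def verify_detached(body: bytes, jws: str, key: bytes) -> dict:
    """Verify X-JWS-SIGNATURE against the exact body bytes; return the parsed claims."""
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        raise ValueError("expected a detached compact JWS of the form header..signature")
    protected, _, sig_b64 = parts
    header = json.loads(b64url_decode(protected))
    # Pin the algorithm; never let the header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # RFC 7797: b64=false is only valid when the header lists it in crit.
    crit = header.get("crit", [])
    if header.get("b64") is not False or "b64" not in crit:
        raise ValueError("b64 must be false and listed in crit")
    if set(crit) - {"b64"}:
        raise ValueError("unsupported critical header parameters")
    signing_input = protected.encode("ascii") + b"." + body
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: body altered or wrong key")
    return json.loads(body)


def introspection_response_with_signature(claims: dict) -> tuple[dict, bytes]:
    """AS side: the JSON body is unchanged; the signature rides in a header."""
    body = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "X-JWS-SIGNATURE": sign_detached(body, SHARED_KEY, KEY_ID),
    }
    return headers, body


def consume_response(headers: dict, body: bytes, key: bytes, require_signature: bool) -> dict:
    """Client side: legacy clients parse the body as before; strict clients
    refuse a response whose signature is missing or does not verify."""
    if not require_signature:
        return json.loads(body)
    jws = headers.get("X-JWS-SIGNATURE")
    if jws is None:
        raise ValueError("X-JWS-SIGNATURE required by this client but absent")
    return verify_detached(body, jws, key)


if __name__ == "__main__":
    claims = {"active": True, "client_id": "app-1", "scope": "read", "exp": 1612695000}
    h, b = introspection_response_with_signature(claims)
    print(h["X-JWS-SIGNATURE"])
    print(consume_response(h, b, SHARED_KEY, require_signature=True))
```

Because the body bytes themselves are the signing input, the strict client must verify before any JSON re-serialization and on the decoded transfer encoding; an intermediary that pretty-prints or re-encodes the body will break the signature, which is the intended failure mode rather than a bug. The `crit` check is what stops a verifier that does not understand `b64` from silently treating the empty payload segment as a valid signed payload.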