Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens
Vladimir Dzhuvinov <vladimir@connect2id.com> Mon, 15 February 2021 11:46 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00F023A11B2 for <oauth@ietfa.amsl.com>; Mon, 15 Feb 2021 03:46:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.012
X-Spam-Level:
X-Spam-Status: No, score=0.012 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TKEnDved8huU for <oauth@ietfa.amsl.com>; Mon, 15 Feb 2021 03:46:55 -0800 (PST)
Received: from p3plsmtpa11-04.prod.phx3.secureserver.net (p3plsmtpa11-04.prod.phx3.secureserver.net [68.178.252.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 429983A11AF for <oauth@ietf.org>; Mon, 15 Feb 2021 03:46:55 -0800 (PST)
Received: from [192.168.88.211] ([94.155.17.31]) by :SMTPAUTH: with ESMTPSA id BcL6l0fAamLOfBcL7lbXKQ; Mon, 15 Feb 2021 04:46:54 -0700
x-spam-cmae: v=2.4 cv=L9fY/8f8 c=1 sm=1 tr=0 ts=602a5f2e p=_Y5QVBCcAAAA:8 a=+I3yL00+yDwT8KNLgfs+4A==:117 a=+I3yL00+yDwT8KNLgfs+4A==:17 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=__SxRlIrAAAA:8 a=48vgC7mUAAAA:8 a=PzzBoh6yAAAA:8 a=1XWaLZrsAAAA:8 a=pGLkceISAAAA:8 a=qP_WgVGEIEcTGspHoc8A:9 a=QEXdDO2ut3YA:10 a=lvNDOE9i95YA:10 a=k5j4i2vlAAAA:20 a=ENpFjlsUdC_nJagxT18A:9 a=lxLXS0ixPy8Fkpkr:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10 a=H5r4HjhRfVyZ-DhAOYba:22 a=w1C3t2QeGrPiZgrLijVG:22 a=L62bugPwxnpkHHKveAwe:22 a=IdGyktwZ2tr74praB_5u:22
x-spam-account: vladimir@connect2id.com
x-spam-domain: connect2id.com
X-CMAE-Analysis: v=2.4 cv=L9fY/8f8 c=1 sm=1 tr=0 ts=602a5f2e p=_Y5QVBCcAAAA:8 a=+I3yL00+yDwT8KNLgfs+4A==:117 a=+I3yL00+yDwT8KNLgfs+4A==:17 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=__SxRlIrAAAA:8 a=48vgC7mUAAAA:8 a=PzzBoh6yAAAA:8 a=1XWaLZrsAAAA:8 a=pGLkceISAAAA:8 a=qP_WgVGEIEcTGspHoc8A:9 a=QEXdDO2ut3YA:10 a=lvNDOE9i95YA:10 a=k5j4i2vlAAAA:20 a=ENpFjlsUdC_nJagxT18A:9 a=lxLXS0ixPy8Fkpkr:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10 a=H5r4HjhRfVyZ-DhAOYba:22 a=w1C3t2QeGrPiZgrLijVG:22 a=L62bugPwxnpkHHKveAwe:22 a=IdGyktwZ2tr74praB_5u:22
X-SECURESERVER-ACCT: vladimir@connect2id.com
To: Andrii Deinega <andrii.deinega@gmail.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
References: <CAJot-L05Nb5FQQ_OOgW_s4Mswo0GW3-j7HTTxtbR2OgqESijWg@mail.gmail.com> <579E1C30-107C-43E6-A521-01A674DAB0F3@lodderstedt.net> <CAJot-L1tMjM=JHtn3sHROLtzoxAkOGr33m66mcRH9-Vvss6QRg@mail.gmail.com> <78c83541-0b77-1c16-a302-3e88b2842947@connect2id.com> <CAJot-L0q1MZvW_h=puyu6_htk_y5gx0VhdC4RyaJn_eucO_36Q@mail.gmail.com> <d58fac58-1125-1c0b-d674-b54d122c5939@connect2id.com> <CALkShcvqX6Y59TK95UsKDKMuuA5GX+RmRLBPri13eeaMpwBTCw@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Autocrypt: addr=vladimir@connect2id.com; prefer-encrypt=mutual; keydata= mQENBFQZaoEBCACnP2YMDex9fnf+niLglTHGKuoypUSVKPQeKDHHeFQVzhRke+HBEZBwmA9T kZ+kEhyrNqibDPkPYVPmo23tM8mbNcTVQqpmN7NwgMpqkqcAqNsIyBtt09DjWOQVm57A3K+y uXI7SdNErdt79p2xQseOhqSC9+LgWuyh+mZsl2oFD4glFFfKSCMp2jATXrAMeGzigTnW+Xe0 tRzrwFN9zqykKxhUq9oHg1cNvoDtfxgsc9ysVHbxM/PM8o9lgj3YTQwKMBcCFclTqohji7ML fQ08eQo+acKTwC1WRzeLt9PknGt3C4TmvdCl0c1BQTTTNiF96Hu4kbaiBIbsfxJOR8+VABEB AAG0LFZsYWRpbWlyIER6aHV2aW5vdiA8dmxhZGltaXJAY29ubmVjdDJpZC5jb20+iQE+BBMB AgAoBQJUGWqBAhsjBQkJZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAZ0vUyOqri Ql62B/wOO0s2JC/QvO6w9iSsRhCOa/JZi+wO+l01V7eGCQ1cYf1W26Y7iKiUlY4/Kz+cr69D pMtkv3UpDTGejKEfspLUxz5Vo3T4oAKbTtNtVIZL/XxH3/JhJ719Jj4eLoe9/djKkGYTX2O5 bMk8TpO1DDjbIw4r9XKI9ZIk96zlKnZvrg7Ho7oOl0ZIf8AzcvdqZEUogDwyr8uwOU+jIyux mOTthepBzXCNjjBjnc8I1//9YppAIaGJ5nnXelVVD1/dyOszogervzFNANEIOvNvCd9G5u4e s7qkDKWKY7/Lj1tF+tMrDTrOh6JqUKbGNeTUB8DlPvIoNyqHUYfBELdpw1Nd
Organization: Connect2id Ltd.
Message-ID: <de5cc45a-2814-a6fa-65a4-4dff9e2610d3@connect2id.com>
Date: Mon, 15 Feb 2021 13:46:52 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <CALkShcvqX6Y59TK95UsKDKMuuA5GX+RmRLBPri13eeaMpwBTCw@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060204020405050605080107"
X-CMAE-Envelope: MS4xfPBnTJA+kXoG3z15HvALstGUSRXKCp0JM3LxgGAhIdBOtmRzgjvLBwjn+mFJmKHATeSKR95nKm+o0THb89QiAZJgOecwGJBSZUsrCHaEFG75lxmFGGhJ T7MKVv6KLNHTQUFbOnH68TCTWSqRptyq0f9+bOUxSt0fp/bxkRKqVWEwQfG3guZj+uUhtBxs0PP5C4obfFuR0FLebjDhrj0a3Z2p++j7Cy0VTLG9MkV4pscX I6jOL9Hf79ykVN+rLCEZcQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/taZ2Lfjjl5zZIB-_SNHesD9DStQ>
Subject: Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2021 11:46:58 -0000
RFC 7662 is not explicit on the refresh token "aud". Omitting the "aud" value or setting it to the AS, the ultimate consumer, appears valid here. Vladimir On 11/02/2021 23:47, Andrii Deinega wrote: > Hi Vladimir, > > What would be a value in the aud claim for refresh tokens? > > Regards, > Andrii > > > On Tue, Feb 9, 2021 at 3:06 AM Vladimir Dzhuvinov > <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote: > > Hi Warren, > > On 08/02/2021 17:59, Warren Parad wrote: >> None of that justified explicitly stating that refresh token >> introspection shouldn't be done. At best it suggests that we >> should explicitly add language in the draft to directly encourage >> it. > > Did you mean discourage? > >> But if an AS wants to support it, we shouldn't stop them, or >> suggest that they can't do it. > > The current draft doesn't mention refresh tokens at all. Its > subject is the introspection of access tokens by authenticated > resource servers and returning the response as a signed JWT. The > use of refresh tokens at the introspection endpoint, per RFC 7662, > is not forbidden by the draft. > > >> >> Allowing refresh tokens to be introspected can also create a >> conflict with the sec recommendation to rotate them >> >> >> Not following, can you explain this further? > > I just double checked the rotation spec. Use that triggers > rotation is clearly specified as "access token response", so there > should actually be no issues with confusing introspection as use. > > https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.13.2 > > RFC 7662 also seems to imply that a public client with a refresh > token should not normally be able to introspect it, because it > can't authenticate to the AS. > >> https://tools.ietf.org/html/rfc7662#section-2.2 >> To prevent token scanning attacks, the endpoint MUST also require >> some form of authorization to access this endpoint, such as client >> authentication as described in OAuth 2.0 [RFC6749 <https://tools.ietf.org/html/rfc6749>] or a separate >> OAuth 2.0 access token such as the bearer token described in OAuth >> 2.0 Bearer Token Usage [RFC6750 <https://tools.ietf.org/html/rfc6750>]. The methods of managing and >> validating these authentication credentials are out of scope of this >> specification. > > Vladimir > > >> >> >> >> Warren Parad >> >> Founder, CTO >> >> Secure your user data and complete your authorization >> architecture. Implement Authress <https://authress.io>. >> >> >> On Mon, Feb 8, 2021 at 4:13 PM Vladimir Dzhuvinov >> <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote: >> >> At first it may appear that allowing refresh tokens at the >> introspection endpoint may be a logical thing to do, but in >> practice there are issues with that and from an OAuth 2.x >> perspective it's not easy to justify. >> >> If the point is to let clients check what authorization they >> have been given OAuth 2.0 already provides a std way to do >> that - in the access token response - the "scope" parameter: >> >> https://tools.ietf.org/html/rfc6749#section-5.1 >> >> RAR has a similar parameter: >> >> https://tools.ietf.org/html/draft-ietf-oauth-rar-03#section-3.4.1 >> >> If the point is to find if a refresh token is still valid - >> this can be found out by simply using it. Allowing refresh >> tokens to be introspected can also create a conflict with the >> sec recommendation to rotate them. So thus it may be a better >> idea to not let clients assume too much about them. >> >> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.2.2 >> >> If the AS is going to expose refresh token data to a client >> it will also have to make a careful judgement what data it >> exposes. >> >> https://tools.ietf.org/html/rfc7662#section-2.2 >> >> For instance "sub". OAuth 2.x in the relation between AS and >> client actually has no concept or definition of subject / >> end-user identifier. And this is done for a good reason, >> because it's not a user authentication protocol. OIDC was >> designed for that. And to prevent tracking of users and other >> privacy issues OIDC also specifies pairwise subject IDs. The >> plain OAuth 2.x world doesn't have this. >> >> Vladimir >> >> On 08/02/2021 11:07, Warren Parad wrote: >>> It doesn't work that way. You suggested to add language to >>> the draft, that means the burden of proof is on you to >>> justify adding it. >>> >>> Otherwise I could just say why not? >>> >>> And I can go stronger, what's the purpose of nho >>> introspection endpoint at all, and why encourage sending >>> access tokens to the AS? >>> >>> Even if you can justify access tokens, there currently isn't >>> evidence provided why we should explicity discourage. >>> >>> >>> On Mon, Feb 8, 2021, 03:18 Torsten Lodderstedt >>> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> >>> wrote: >>> >>> >>> >>>> Am 08.02.2021 um 00:56 schrieb Warren Parad >>>> <wparad@rhosys.ch <mailto:wparad@rhosys.ch>>: >>>> >>>> >>>> >>>> I‘m therefore leaning towards explicitly stating in >>>> our draft that it is not intended to be used with >>>> refresh tokens. >>>> >>>> I'm not following, why explicitly state that it isn't >>>> intended. If an AS wants to provide a similar JSON >>>> response to a query with the refresh token, why not >>>> encourage that? >>> >>> Why should we encourage it? >>> >>>> >>>> >>>> >>>> Warren Parad >>>> >>>> Founder, CTO >>>> >>>> Secure your user data and complete your authorization >>>> architecture. Implement Authress >>>> <https://www.google.com/url?q=https://authress.io&source=gmail-imap&ust=1613346997000000&usg=AOvVaw267Z448csTGn3F6REIQ9pT>. >>>> >>>> >>>> On Sun, Feb 7, 2021 at 10:58 PM Torsten Lodderstedt >>>> <torsten=40lodderstedt.net@dmarc.ietf.org >>>> <mailto:40lodderstedt.net@dmarc.ietf.org>> wrote: >>>> >>>> Hi Andrii, >>>> >>>>> Am 07.02.2021 um 21:30 schrieb Andrii Deinega >>>>> <andrii.deinega@gmail.com >>>>> <mailto:andrii.deinega@gmail.com>>: >>>>> >>>>> >>>>> Hi Torsten, >>>>> >>>>> thank you for your response. >>>>> >>>>> My use case is pretty straight forward >>>>> >>>>> An OAuth client queries the AS to determine the >>>>> active state of an access token and gets the >>>>> introspection response which indicates that this >>>>> access token is active (using RFC7662). >>>>> >>>>> An OAuth client queries the AS to determine the >>>>> active state of a refresh token and gets the >>>>> introspection response which indicates that this >>>>> refresh token is active (using RFC7662). >>>>> >>>>> An OAuth client queries the AS to determine the >>>>> active state of an access token and gets the >>>>> introspection response (JWT) which indicates that >>>>> this access token is active (using this draft). >>>>> >>>>> Now, an OAuth client queries the AS to determine >>>>> the active state of a refresh token (using this >>>>> draft)... How will the introspection response look >>>>> like assuming that the client provides the valid >>>>> refresh token and technically, nothing stops it >>>>> from doing so. >>>> >>>> why should the state be provided as JWT?I think the >>>> plain JSON response is sufficient in that case. I >>>> also think using token introspection for checking >>>> the state of a token from the client side has >>>> limited utility. The definitive decision is always >>>> made when the client tries to access a resource. >>>> >>>> I‘m therefore leaning towards explicitly stating in >>>> our draft that it is not intended to be used with >>>> refresh tokens. >>>> >>>> best regards, >>>> Torsten. >>>> >>>>> >>>>> Regards, >>>>> Andrii >>>>> >>>>> >>>>> On Sun, Feb 7, 2021 at 4:14 AM Torsten Lodderstedt >>>>> <torsten@lodderstedt.net >>>>> <mailto:torsten@lodderstedt.net>> wrote: >>>>> >>>>> Hi Andrii, >>>>> >>>>> thanks for your post. >>>>> >>>>> The draft is intended to provide AS and RS >>>>> with a solution to exchange signed (and >>>>> optionally encrypted) token introspection >>>>> responses in order to provide stronger >>>>> assurance among those parties. This is >>>>> important in use cases where the RS acts upon >>>>> the introspection response data and wants the >>>>> AS to take liability re the data quality. >>>>> >>>>> I’m not sure whether there are similar use >>>>> cases if a client introspects a refresh token. >>>>> What is your use case? >>>>> >>>>> best regards, >>>>> Torsten. >>>>> >>>>> > Am 07.02.2021 um 08:41 schrieb Andrii >>>>> Deinega <andrii.deinega@gmail.com >>>>> <mailto:andrii.deinega@gmail.com>>: >>>>> > >>>>> > Hi WG, >>>>> > >>>>> > >>>>> draft-ietf-oauth-jwt-introspection-response-10 >>>>> states that "OAuth 2.0 Token Introspection >>>>> [RFC7662] specifies a method for a protected >>>>> resource to query an OAuth 2.0 authorization >>>>> server to determine the state of an access >>>>> token and obtain data associated with the >>>>> access token." which is true. Although, >>>>> according to RFC7662, the introspection >>>>> endpoint allows to introspect a refresh token >>>>> as well. Hence, the question I have is how >>>>> will a token introspection response look like >>>>> when the caller provides a refresh token and >>>>> sets the "Accept" HTTP header to >>>>> "application/token-introspection+jwt"? >>>>> > >>>>> > I expect there will be no differences, right? >>>>> > >>>>> > If so, I suggest to >>>>> > • replace "a resource server" by "the >>>>> caller" in section 4 (Requesting a JWT Response) >>>>> > • change "If the access token is >>>>> invalid, expired, revoked" by "If a given >>>>> token is invalid, expired, revoked" in section >>>>> 5 (JWT Response) >>>>> > If not, my suggestion would be to clarify >>>>> what the AS should do when it asked to >>>>> introspect the refresh token in general and >>>>> additionally, what should happen in the same >>>>> case based on the type of the caller from the >>>>> AS's point of view. >>>>> > >>>>> > Regards, >>>>> > Andrii >>>>> > >>>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> <https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/oauth&source=gmail-imap&ust=1613346997000000&usg=AOvVaw3ZHWt08dlcHAgxyfj2hrsX> >>>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >> >> -- >> Vladimir Dzhuvinov >> > -- > Vladimir Dzhuvinov > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > -- Vladimir Dzhuvinov
- [OAUTH-WG] JWT Response for OAuth Token Introspec… Andrii Deinega
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Andrii Deinega
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Warren Parad
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Torsten Lodderstedt
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Warren Parad
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Warren Parad
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Andrii Deinega
- Re: [OAUTH-WG] JWT Response for OAuth Token Intro… Vladimir Dzhuvinov