Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Takahiko Kawasaki <taka@authlete.com> Mon, 02 March 2020 06:52 UTC

References: <CAHdPCmPCMJqH-aOC2SjFhGd9sjd01xw=VEj5y1jA5nRNRhu4EA@mail.gmail.com>
In-Reply-To: <CAHdPCmPCMJqH-aOC2SjFhGd9sjd01xw=VEj5y1jA5nRNRhu4EA@mail.gmail.com>
From: Takahiko Kawasaki <taka@authlete.com>
Date: Mon, 02 Mar 2020 15:52:41 +0900
Message-ID: <CAHdPCmMP5=wQSq_YW3+honto==s_bZpCas+=bxJqfqJh24gTzQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000523f50059fd9a11b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vbl2c1CaJJlVB94-K8txnkEheg8>

Thank you, Tatsuo Kudo, for showing me that Justin Richer expressed the
same concerns in this mailing list about 6 months ago (on Sep. 4, 2019).
RFC 8707 didn't exist then, though.

*Re: [OAUTH-WG] Question regarding
draft-ietf-oauth-jwt-introspection-response-05*
https://mailarchive.ietf.org/arch/msg/oauth/LmMAxd35gW5Yox0j4MmU2rI_eUA/

A JWT puts both (a) information about itself and (b) other data in its
payload part. When the "other data" have the same claim names as are used
to express information about the JWT itself, conflicts happen.

Also, it should be noted that Ben pointed out in another thread that the
requirement for "jti" in draft-ietf-oauth-jwt-introspection-response, which
says "jti" is a unique identifier for the access token that MUST be stable
for all introspection calls, contradicts the definition of "jti", which
should be unique for each JWT.

*Re: [OAUTH-WG] Benjamin Kaduk's Discuss on
draft-ietf-oauth-jwt-introspection-response-08: (with DISCUSS and COMMENT)*
https://mailarchive.ietf.org/arch/msg/oauth/S4q7cF0TMZMzFO61I5M4QXCUWCM/

draft-ietf-oauth-jwt-introspection-response needs to be modified to solve
the conflicts.

Taka

On Sun, Mar 1, 2020 at 4:10 PM Takahiko Kawasaki <taka@authlete.com> wrote:

> Hello,
>
> I'm wondering if the following conflicts in "JWT Response for OAuth Token
> Introspection" (draft 8
> <https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08>)
> have already been pointed out.
>
> RFC 8707 <https://tools.ietf.org/html/rfc8707> (Resource Indicators for
> OAuth 2.0) requires that 'aud' in an introspection response hold the values
> of the 'resource' request parameters, whereas "JWT Response for OAuth Token
> Introspection" says that 'aud' MUST identify the resource server receiving
> the token introspection response. The definitions conflict.
>
> RFC 7662 <https://tools.ietf.org/html/rfc7662> (OAuth 2.0 Token
> Introspection) requires that 'iat' in an introspection response indicate
> when the access/refresh token was issued, whereas "JWT Response for OAuth
> Token Introspection" says that 'iat' indicates when the introspection
> response in JWT format was issued. The definitions conflict.
>
> Best Regards,
> Takahiko Kawasaki
> Authlete, Inc.
>
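The claim-name collision discussed in this thread, as an added example that is not code from the thread, from Authlete or from any draft: a minimal HS256 JWT builder and verifier shows, first, a flat layout in which the response's own "aud", "iat" and "jti" (about the JWT) land in the same namespace as the introspected token's RFC 7662 / RFC 8707 metadata and silently overwrite it, and second, an assumed nested layout that keeps the two sets of claims apart so a resource server can check the envelope and still read the token's own audience and issue time. The issuer URL, resource server identifier, signing key, the container name `token_introspection` and every token value are constructed for this example; the nested layout is an assumption of the example, not something the thread proposes.

```python
"""Envelope claims vs. token metadata in a JWT-formatted introspection response.

Constructed example: every URL, key and token value below is made up.
"""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"example-shared-secret-for-hs256"   # constructed; real deployments use asymmetric keys
AS_ISSUER = "https://as.example.com"               # constructed authorization server id
RESOURCE_SERVER_ID = "https://rs.example.com"      # constructed id of the RS calling introspection

# RFC 7662 metadata about the *access token*, with 'aud' populated from the
# 'resource' request parameters as RFC 8707 requires. All values constructed.
TOKEN_METADATA = {
    "active": True,
    "client_id": "client-123",
    "scope": "photos.read",
    "aud": ["https://api.example.com/photos"],   # resource indicators of the token
    "iat": 1583100000,                           # when the access token was issued
    "exp": 1583103600,
    "jti": "access-token-id-1",                  # identifier of the token, stable per token
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(payload: dict) -> str:
    """JWS compact serialization with HS256; enough to make the claims concrete."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")), json.dumps(payload, separators=(",", ":"))]
    signing_input = ".".join(_b64url(p.encode()) for p in parts)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str) -> dict:
    """Check the HS256 signature (constant-time compare) and return the payload."""
    signing_input, sig_b64 = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(signing_input.split(".")[1]))


def envelope_claims(rs_id: str, now: int) -> dict:
    """Claims about the response JWT itself: addressed to the RS, issued now, unique id."""
    return {"iss": AS_ISSUER, "aud": rs_id, "iat": now, "jti": f"response-{now}"}


def build_flat_response(token_meta: dict, rs_id: str, now: int):
    """Flat layout: one namespace for envelope and token metadata.

    Returns (jwt, names_that_collided). The envelope values win, so the token's
    resource-indicator 'aud', its 'iat' and its 'jti' are no longer in the JWT.
    """
    envelope = envelope_claims(rs_id, now)
    collided = sorted(set(envelope) & set(token_meta))
    return sign_jwt({**token_meta, **envelope}), collided


def read_flat_response(token: str) -> dict:
    """A consumer of the flat layout cannot tell which definition each claim follows."""
    claims = verify_jwt(token)
    return {"aud": claims["aud"], "iat": claims["iat"], "jti": claims["jti"]}


def build_nested_response(token_meta: dict, rs_id: str, now: int) -> str:
    """Assumed nested layout: envelope at top level, RFC 7662 members in a container."""
    return sign_jwt({**envelope_claims(rs_id, now), "token_introspection": dict(token_meta)})


def read_nested_response(token: str, expected_rs: str, now: int, max_age: int = 60) -> dict:
    """Validate the envelope against the RS's own identity and clock, then hand
    back the token metadata with its own 'aud', 'iat' and 'jti' intact."""
    claims = verify_jwt(token)
    if claims.get("iss") != AS_ISSUER:
        raise ValueError("response not from the expected authorization server")
    if claims.get("aud") != expected_rs:
        raise ValueError("response not addressed to this resource server")
    if now - claims.get("iat", 0) > max_age:
        raise ValueError("stale introspection response")
    return claims["token_introspection"]


if __name__ == "__main__":
    now = 1583131946
    flat_jwt, collided = build_flat_response(TOKEN_METADATA, RESOURCE_SERVER_ID, now)
    print("flat layout overwrote:", collided, "->", read_flat_response(flat_jwt))
    nested_jwt = build_nested_response(TOKEN_METADATA, RESOURCE_SERVER_ID, now)
    print("nested layout token metadata:", read_nested_response(nested_jwt, RESOURCE_SERVER_ID, now + 5))
```

Run as a script: the flat layout reports that "aud", "iat" and "jti" collided and the consumer reads back the resource server's identifier and the response time where it may have expected the token's audience and issue time; the nested layout verifies the envelope and returns the token metadata unchanged.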