Re: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"
Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 20 July 2018 14:20 UTC
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <DM5PR00MB03898165B0E24AA4A41610E9A6510@DM5PR00MB0389.namprd00.prod.outlook.com>
Date: Fri, 20 Jul 2018 16:20:09 +0200
Cc: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, oauth <oauth@ietf.org>
Message-Id: <DF03AC66-3A2F-4B9A-B58E-A5B89E8A611A@lodderstedt.net>
References: <CAGL6epJQ7qrdTv+RrNhuJ_GqKHzFRV=YDA1aswtTiE9NmK6LjQ@mail.gmail.com> <DM5PR00MB03898165B0E24AA4A41610E9A6510@DM5PR00MB0389.namprd00.prod.outlook.com>
To: Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vnYUphMVJs9QjenMTGFInRIn8_4>
> On 20.07.2018 at 16:06, Anthony Nadalin <tonynad=40microsoft.com@dmarc.ietf.org> wrote:
>
> I'm concerned over the security implications of a client being able to introspect a token; for bearer tokens this can be very problematic, so unless the issues with possible token theft can be addressed I don't support this as a WG draft.

Hi Tony,

I think this is an issue for introspection in general and not specific to our extension. If the token content needs to be kept confidential, then the AS MUST authenticate the caller of the Introspection endpoint and apply a suitable authz policy. This is possible with Token Introspection and with our draft as well. Additionally, our draft allows encrypting the token response, adding an extra layer of defense.

kind regards,
Torsten.

> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
> Sent: Thursday, July 19, 2018 10:44 AM
> To: oauth <oauth@ietf.org>
> Subject: [OAUTH-WG] Call for adoption of "JWT Response for OAuth Token Introspection"
>
> Hi all,
>
> This is the call for adoption of the 'JWT Response for OAuth Token Introspection' document following the presentation by Torsten at the Montreal IETF meeting, where we didn't have a chance to do a call for adoption in the meeting itself.
>
> Here is the presentation by Torsten:
> https://datatracker.ietf.org/meeting/102/materials/slides-102-oauth-sessa-jwt-response-for-oauth-token-introspection-00
>
> Here is the document:
> https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-01
>
> Please let us know by August 2nd whether you accept / object to the adoption of this document as a starting point for work in the OAuth working group.
>
> Regards,
> Hannes & Rifaat
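The mitigation Torsten describes (the AS authenticates the caller of the introspection endpoint, applies an authorization policy, and returns the result as a signed JWT) sketched as an added example; this is not code from the draft or from any AS implementation. HS256 stands in for the AS's JWS key so the block runs with the standard library only, the registry of resource servers, the token store and the claim layout (response members as top-level claims, `aud` naming the caller) are assumptions, and JWE encryption of the response is left out.

```python
import base64, hashlib, hmac, json, time

AS_ISSUER = "https://as.example.com"            # assumed issuer identifier
SIGNING_KEY = b"constructed-hs256-signing-key"  # assumption: HS256 stands in for the AS's JWS key
# Constructed registry of resource servers allowed to call introspection: credential plus
# the audiences (APIs) each one is responsible for.
RESOURCE_SERVERS = {
    "rs-payments": {"secret": "rs-payments-secret", "audiences": {"https://api.example.com/payments"}},
    "rs-profile": {"secret": "rs-profile-secret", "audiences": {"https://api.example.com/profile"}},
}
# Constructed store of opaque access tokens the AS has issued (exp is a fixed far-future time).
TOKENS = {
    "tok-pay-1": {"active": True, "scope": "payments:read", "client_id": "app1", "sub": "user42",
                  "aud": "https://api.example.com/payments", "exp": 4102444800},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """Compact JWS (HS256) carrying the introspection response as its claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_jwt(jwt: str) -> dict:
    """Verify the HS256 signature and return the claims; raises if tampered."""
    header, payload, sig = jwt.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def introspect(caller_id: str, caller_secret: str, token: str):
    """Introspection endpoint: authenticate the caller, apply policy, return a signed JWT response."""
    rs = RESOURCE_SERVERS.get(caller_id)
    # Unauthenticated callers learn nothing, not even whether the token exists.
    if rs is None or not hmac.compare_digest(rs["secret"], caller_secret):
        return None
    info = TOKENS.get(token)
    # Authz policy: a resource server only sees details of tokens addressed to its own audiences;
    # unknown, expired or foreign-audience tokens are reported as inactive without detail.
    if info is None or info["aud"] not in rs["audiences"] or info["exp"] <= time.time():
        claims = {"active": False}
    else:
        claims = {k: v for k, v in info.items() if k != "aud"}  # audience already enforced above
    # Bind the response to this AS and this caller (aud = caller) so it cannot be replayed to another RS.
    claims.update({"iss": AS_ISSUER, "aud": caller_id, "iat": int(time.time())})
    return sign_jwt(claims)
```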