IETF Logo Mail Archive

Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Takahiko Kawasaki <taka@authlete.com> Mon, 02 March 2020 16:31 UTC

Return-Path: <taka@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 416043A0A1C for <oauth@ietfa.amsl.com>; Mon, 2 Mar 2020 08:31:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S52F7-6kMKhH for <oauth@ietfa.amsl.com>; Mon, 2 Mar 2020 08:31:32 -0800 (PST)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEFD23A0AA0 for <oauth@ietf.org>; Mon, 2 Mar 2020 08:31:31 -0800 (PST)
Received: by mail-wr1-x42b.google.com with SMTP id r17so484721wrj.7 for <oauth@ietf.org>; Mon, 02 Mar 2020 08:31:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=68GWtKuSGqSzBYVyPchcrCmhhwkE0Qt6Ke/QUzVC0M4=; b=kUoQ8sdPqsMQDeZgPeZPInK7nBrurWLkk8Y7XZH4hVYASkZKLauMBCmAeP5HlE7aqz OTEwUcgXF7jyuBDOlixO1o5l7/ZYetRQgQXhfhWG8Anp65kB00n1fQs+aM4g0zlJlIWh Wv/IgfL3StLqCfbGGZhOdgWJ3eaabKmNBTb/ALNopXPtdWzg7DzKhqryf8udx+wm0e+E KgX/YLGI7X2AAvY04WdqSDKQkt2nMO6eX3OIaa4NlfY0NStlj13c6GTMRpDRvHy0eyvo Zhnp2UiFc1zmSWV5He8DPYsqLtjWtfxHnbaw61rHKGV1ocHZXND7sIK7gvzDqTwHycQi e5Ag==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=68GWtKuSGqSzBYVyPchcrCmhhwkE0Qt6Ke/QUzVC0M4=; b=edX6FRTxoiCQDQR1/dbXHEAMveaiTwz/8TtLm1Gltnb1JH7EhGsztni52dmiAUS+CQ 1GjwH/btkaJCyaU7HzrXEa1jCqW9yMzJic8CQMftwq5d1apTnvRv7xOVPkSYmPFSjzuh exHDNAKeci5xMAq6BhoqfWn1KLWLuetRlyonwdnX8+K6y8BMoW3lbBILLOtQPEz/rOkM gmjXRRn08foAp0e0omyymYNzf0f8p2YGctlIu1oX4DfQ+lgU3qlZvKnqghibXtKOPFy8 N7+9lMbOAG8DK3vVmFdeB4bD35gthVMotE2RctlL39/ZoMEKQXiwo1HGAnbOdur+fiDt kvCQ==
X-Gm-Message-State: ANhLgQ0yapvLuqCaR3/v2LWUfiZJN++O03XpJyPH+mZUiSgm/3kpxWL2 mRRe2srSxnMebJRejawuOtSMpJQasaYsF1EnZn9UPkOdV+qzAQ==
X-Google-Smtp-Source: ADFU+vu32dFXQfgivXiDYSKxOusRa8MkGuQD4ABODF+lKBF3znX2ruwnCW1ObvrLiXBVOwXFDDB7ChKafjQMUba3Qwc=
X-Received: by 2002:adf:b601:: with SMTP id f1mr425314wre.103.1583166690254; Mon, 02 Mar 2020 08:31:30 -0800 (PST)
MIME-Version: 1.0
References: <CAHdPCmPCMJqH-aOC2SjFhGd9sjd01xw=VEj5y1jA5nRNRhu4EA@mail.gmail.com> <5514F7A5-D87D-42D8-9DA0-9ADCDD75D989@lodderstedt.net>
In-Reply-To: <5514F7A5-D87D-42D8-9DA0-9ADCDD75D989@lodderstedt.net>
From: Takahiko Kawasaki <taka@authlete.com>
Date: Tue, 03 Mar 2020 01:31:45 +0900
Message-ID: <CAHdPCmO7nfG6jXgo56HdUmmz8iu0O-Dd-sPO3pc_-6MWCheOMQ@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003173ee059fe1b8e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vqgjiABRSWSJH4tzWnT8wUBmUYg>
Subject: Re: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2020 16:31:34 -0000

Hi Torsten,

For example, if an authorization request includes two "resource" request
parameters like below,

resource=https://host1.example.com/resource1
resource=https://host2.example.com/resource2

RFC 8707 expects that the value of "aud" in an introspection response look
like the following.

"aud" : [
  "https://host1.example.com/resource1",
  "https://host2.example.com/resource2",
]

How does the implementation of the introspection endpoint insert the
identifier of the resource server (the API caller?) into the "aud" array
above? In other words, what is the expected resultant value of the "aud"
array in this case?

Taka


On Mon, Mar 2, 2020 at 10:54 PM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> Hi Taka,
>
> > On 1. Mar 2020, at 08:10, Takahiko Kawasaki <taka@authlete.com> wrote:
> >
> > Hello,
> >
> > I'm wondering if the following conflicts in "JWT Response for OAuth
> Token Introspection" (draft 8) have already been pointed out.
> >
> > RFC 8707 (Resource Indicators for OAuth 2.0) requires that 'aud' in an
> introspection response hold the values of the 'resource' request
> parameters, whereas "JWT Response for OAuth Token Introspection" says that
> 'aud' MUST identify the resource server receiving the token introspection
> response. The definitions conflict.
>
> RFC 8707 states
>
> The authorization server may use
>    the exact "resource" value as the audience or it may map from that
>    value to a more general URI or abstract identifier for the given
>    resource.
>
> draft-ietf-oauth-jwt-introspection-response-08 states
>
> The value of the "aud" claims MUST identify the resource server
>    receiving the token introspection response.
>
> So RFC 8707 gives choices of how the resource server might be identified
> and draft-ietf-oauth-jwt-introspection-response-08 says the AS must
> identify the RS without prescribing any particular way. So basically you
> can use the advice given by  RFC 8707 to implement the requirement stated
> by draft-ietf-oauth-jwt-introspection-response-08.
>
> I don’t see a conflict.
>
> >
> > RFC 7662 (OAuth 2.0 Token Introspection) requires that 'iat' in an
> introspection response indicate when the access/refresh token was issued,
> whereas "JWT Response for OAuth Token Introspection" says that 'iat'
> indicates when the introspection response in JWT format was issued. The
> definitions conflict.
>
> I will come back to this issue in an answer to Filip’s post.
>
> best regards,
> Torsten.
>
> >
> > Best Regards,
> > Takahiko Kawasaki
> > Authlete, Inc.
> >
> >
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email