[OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Takahiko Kawasaki <taka@authlete.com> Sun, 01 March 2020 07:10 UTC

From: Takahiko Kawasaki <taka@authlete.com>
Date: Sun, 01 Mar 2020 16:10:38 +0900
Message-ID: <CAHdPCmPCMJqH-aOC2SjFhGd9sjd01xw=VEj5y1jA5nRNRhu4EA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/x8nj7bmfFFS1zcLx1q_API4TFJM>
Subject: [OAUTH-WG] Conflicting definitions in JWT Response for OAuth Token Introspection

Hello,

I'm wondering if the following conflicts in "JWT Response for OAuth Token
Introspection" (draft 8
<https://tools.ietf.org/html/draft-ietf-oauth-jwt-introspection-response-08>)
have already been pointed out.

RFC 8707 <https://tools.ietf.org/html/rfc8707> (Resource Indicators for
OAuth 2.0) requires that 'aud' in an introspection response hold the values
of the 'resource' request parameters, whereas "JWT Response for OAuth Token
Introspection" says that 'aud' MUST identify the resource server receiving
the token introspection response. The definitions conflict.

RFC 7662 <https://tools.ietf.org/html/rfc7662> (OAuth 2.0 Token
Introspection) requires that 'iat' in an introspection response indicate
when the access/refresh token was issued, whereas "JWT Response for OAuth
Token Introspection" says that 'iat' indicates when the introspection
response in JWT format was issued. The definitions conflict.

Best Regards,
Takahiko Kawasaki
Authlete, Inc.
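The two readings the mail contrasts, as an added example that is not part of the message or of the specifications it cites: constructed introspection-response payloads for the same access token, one written to the draft-08 semantics and one to the RFC 7662/RFC 8707 semantics, checked by a resource server that applies the draft-08 reading (aud names the recipient, iat dates the response). The RS identifier, timestamps and URIs are assumptions; JWT signing and framing are left out.

```python
# Constructed sample claim sets (not taken from the draft or the RFCs).
RS_ID = "https://rs.example.com"   # assumed identifier of the receiving resource server
NOW = 1_583_046_625                # fixed "current time" for reproducible checks

# Reading A: draft-ietf-oauth-jwt-introspection-response-08 as quoted in the mail.
#   aud = the resource server receiving the response, iat = when the response was issued.
response_draft_semantics = {
    "iss": "https://as.example.com",
    "aud": RS_ID,
    "iat": NOW - 5,            # response minted moments ago
    "active": True,
    "scope": "read",
    "exp": NOW + 3600,
}

# Reading B: RFC 7662 / RFC 8707 semantics carried into the JWT.
#   aud = the 'resource' request parameter values, iat = when the access token was issued.
response_rfc_semantics = {
    "iss": "https://as.example.com",
    "aud": ["https://api.example.com/v1/photos"],   # resource indicator, not the RS itself
    "iat": NOW - 7 * 24 * 3600,                      # token issued a week ago
    "active": True,
    "scope": "read",
    "exp": NOW + 3600,
}


def validate_as_draft_rs(claims, rs_id=RS_ID, now=NOW, max_age=300):
    """Check a JWT introspection response the way a resource server following the
    draft-08 reading would: it must be the named recipient, and the response must be
    fresh enough to rule out a stale or replayed answer. Returns a list of problems."""
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    problems = []
    if rs_id not in aud:
        problems.append("aud does not name this resource server")
    if now - claims.get("iat", 0) > max_age:
        problems.append("response older than max_age (stale or replayed)")
    return problems


if __name__ == "__main__":
    # A draft-08 response passes; the same token described under RFC 7662/8707
    # semantics fails both checks, even though the token itself is valid.
    print(validate_as_draft_rs(response_draft_semantics))
    print(validate_as_draft_rs(response_rfc_semantics))
```

The reverse misreading is the more dangerous one: a resource server that interprets aud and iat under the RFC semantics has no recipient check and no freshness check on the response at all.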