[OCM] Re: Token exchange is missing third party token validation
Giuseppe Lo Presti <Giuseppe.LoPresti@cern.ch> Mon, 18 May 2026 07:44 UTC
Return-Path: <giuseppe.lopresti@cern.ch>
X-Original-To: ocm@mail2.ietf.org
Delivered-To: ocm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 39CECEFE736F for <ocm@mail2.ietf.org>; Mon, 18 May 2026 00:44:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1779090254; bh=HWpvi6d+R2fZIm80WWA2bonPlLWRvqnVTArJjVCQS6Q=; h=Date:Subject:To:References:From:In-Reply-To; b=ygl42LtldtPC/vr7LBMBuKATPsWu/dnqBxYuu4nHy33j9dejMVzrYL15jf4kqk+U5 L4yVjWew7yuuXk/wE371wLVdCwJuG774wGGPR1h8CnNBy8pHjolIw+IU/wceDFhbSh e67CP9SmVy7RxYtnop9aFQKEWT4SPQuPSEUD1pH8=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=cern.ch header.b="asAi4BDq"; dkim=pass (1024-bit key) header.d=cern.ch header.b="asAi4BDq"
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70NXca2uQTeD for <ocm@mail2.ietf.org>; Mon, 18 May 2026 00:44:13 -0700 (PDT)
Received: from ZRZP278CU001.outbound.protection.outlook.com (mail-switzerlandnorthazon11011052.outbound.protection.outlook.com [40.107.167.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id E7EF2EFE736A for <ocm@ietf.org>; Mon, 18 May 2026 00:44:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=M+FwBVo6l40Q9+sP9yZ3DjQDDbJVJjL7vGlHr1NwCHokUTdqPIo2xq0kYHy1AetkbjKRf2ouxrA1GZCLJj9Z8i9mx/K+/ChNNnwt9INgARgOm9E7wuIKTcEEcDkcVhq0ssgNfsOodrjEVZeFLSYhV66iXTKgmgIdPi+jReQrg7/tKw4YiyTqR0m513TmlO7CMCm9DMVKVDnRbXYGbCXKdsi0DSN/NtY/RsxtOIn8vKQ0Ruy8Kj4Mrz2uzxF86waCHyL4S8cYc5sD+tkW7xQ83C0rxfCVxOXU4VFJdPDDwoDCc4BISx74Xu4HT3yqXPIphfm6NnR+6P+F/qZq5bXTaA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8JKOLYq4Adnyx5HpQOs1wOTOQANR+NiI2HSz9XhiYjk=; b=We4IR4HXOC3EYfMPc5/4Ua4Y1rWHoU8NbyyJC2X0orKt2fMkuAIQt9E41aEfknFGoyUKE3jzNM2qAPHTmR/n/YL1jzzpSd3p494Boo5BGjNv7is15NRoxSpZqwhXoll0bIAOVE+Rpa8MWLLeCVY0MZG+yj5JzrqKZgWnqZRq7gB/IMO4d2KsbwBncGZwSnMN3d2Bm15j4Rx54lfIzpK1fq+tkvdIUA6H1a2HNsWQbXeJWaJaB7MYmZBez8uLl7f4v6Swh6mgqrrw4Ri5PBKXE/3biNwwFqM8tKsHZd8jFDQianfY4eUXx+8BJiuy5Aj5enfBtvAo39ej9zh4lluvXA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 51.107.2.244) smtp.rcpttodomain=ietf.org smtp.mailfrom=cern.ch; dmarc=pass (p=quarantine sp=none pct=100) action=none header.from=cern.ch; dkim=pass (signature was verified) header.d=cern.ch; arc=none (0)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cern.ch; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8JKOLYq4Adnyx5HpQOs1wOTOQANR+NiI2HSz9XhiYjk=; b=asAi4BDq2D+yuKlhelzlfuqKAjH6pE3/2agnn5aWaxNysKvJd6jJJE9/FxmAUCL6YnXYV2dgq52sSXBCxiwj1f9XJdrYQbx7bxTxKmcSoX71e7bjexGZjZr1rKyBdh8BSQ9q82bReY+Ng3y45nIZLQsZSNgoxX68sgfPL3Aw+Uw=
Received: from DU7P190CA0018.EURP190.PROD.OUTLOOK.COM (2603:10a6:10:550::21) by ZR0P278MB0124.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:17::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.25.23; Mon, 18 May 2026 07:44:00 +0000
Received: from DU2PEPF00028D13.eurprd03.prod.outlook.com (2603:10a6:10:550:cafe::c6) by DU7P190CA0018.outlook.office365.com (2603:10a6:10:550::21) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.25.23 via Frontend Transport; Mon, 18 May 2026 07:43:59 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 51.107.2.244) smtp.mailfrom=cern.ch; dkim=pass (signature was verified) header.d=cern.ch;dmarc=pass action=none header.from=cern.ch;
Received-SPF: Pass (protection.outlook.com: domain of cern.ch designates 51.107.2.244 as permitted sender) receiver=protection.outlook.com; client-ip=51.107.2.244; helo=mx2.crn.activeguard.cloud; pr=C
Received: from mx2.crn.activeguard.cloud (51.107.2.244) by DU2PEPF00028D13.mail.protection.outlook.com (10.167.242.27) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.21.25.13 via Frontend Transport; Mon, 18 May 2026 07:43:59 +0000
Authentication-Results-Original: auth.opendkim.xorlab.com; dkim=pass (1024-bit key; unprotected) header.d=cern.ch header.i=@cern.ch header.a=rsa-sha256 header.s=selector1 header.b=asAi4BDq
Received: from ZR1P278CU001.outbound.protection.outlook.com (mail-switzerlandnorthazlp17012050.outbound.protection.outlook.com [40.93.85.50]) by mx2.crn.activeguard.cloud (Postfix) with ESMTPS id EA3467E42A for <ocm@ietf.org>; Mon, 18 May 2026 09:43:57 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cern.ch; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8JKOLYq4Adnyx5HpQOs1wOTOQANR+NiI2HSz9XhiYjk=; b=asAi4BDq2D+yuKlhelzlfuqKAjH6pE3/2agnn5aWaxNysKvJd6jJJE9/FxmAUCL6YnXYV2dgq52sSXBCxiwj1f9XJdrYQbx7bxTxKmcSoX71e7bjexGZjZr1rKyBdh8BSQ9q82bReY+Ng3y45nIZLQsZSNgoxX68sgfPL3Aw+Uw=
Authentication-Results-Original: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cern.ch;
Received: from ZR0P278MB0537.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:26::5) by ZRAP278MB0143.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:12::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.21.25.23; Mon, 18 May 2026 07:43:56 +0000
Received: from ZR0P278MB0537.CHEP278.PROD.OUTLOOK.COM ([fe80::5da5:e637:49c9:ba9a]) by ZR0P278MB0537.CHEP278.PROD.OUTLOOK.COM ([fe80::5da5:e637:49c9:ba9a%4]) with mapi id 15.21.0025.022; Mon, 18 May 2026 07:43:55 +0000
Message-ID: <27b9b979-34fe-418f-abb2-eabe87c33ce8@cern.ch>
Date: Mon, 18 May 2026 09:43:54 +0200
User-Agent: Mozilla Thunderbird
To: ocm@ietf.org
References: <023bb8ec-923a-4b1d-b977-352cf25d331e@sunet.se> <015444f3-2df5-4681-9f85-d80af414480c@sunet.se> <da633dc1-95b1-45d3-bbcb-07e0f7f6f1f3@cern.ch> <88665528-B471-404F-89F9-1B01B669E2DF@sunet.se>
Content-Language: en-US
From: Giuseppe Lo Presti <Giuseppe.LoPresti@cern.ch>
In-Reply-To: <88665528-B471-404F-89F9-1B01B669E2DF@sunet.se>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ClientProxiedBy: GV0P278CA0018.CHEP278.PROD.OUTLOOK.COM (2603:10a6:710:26::28) To ZR0P278MB0537.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:26::5)
MIME-Version: 1.0
X-MS-TrafficTypeDiagnostic: ZR0P278MB0537:EE_|ZRAP278MB0143:EE_|DU2PEPF00028D13:EE_|ZR0P278MB0124:EE_
X-MS-Office365-Filtering-Correlation-Id: 38307919-61e1-42a6-b36c-08deb4b13968
X-LD-Processed: c80d3499-4a40-4a8c-986e-abce017d6b19,ExtAddr,ExtAddr
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|786006|376014|366016|1800799024|4022899009|19092799006|11063799003|3023799003|4143699003|22082099003|56012099003|18002099003;
X-Microsoft-Antispam-Message-Info-Original: AdpMkmkAm8zUXm89SYQyIOOWRO1LCpk3E8K4igdGyQF6fa6kgHZS5UIoXFLrxxZCHL6I4GOXsmRDRCJefipZhgeRAxbM9Y1pidAYvnYHqzkBG+ZiUOvI/KttBXjPcvBteWC2I2hGntdPfwham3ug0fLeeXa57uO/g3QOsbEk7h0BPwpRnrxmDXV7hGydvAGJvcqObGIhb0E04nSfD+1webo44uYwQj9MgLicjRuIzwSXgVvZDDn6Wn7rgrozBhLlbdyb53KMGpWIR3IFZGPFAZuXX4/JL08w+d4ylFU9fPabo5hl42qRP3rerjhlQSklWh5iVxKS/bZ7lgAAYjf0k5TMA8WTrwsSTcOP5yhh6a68qZAUdcbQVNxKmnsJzZwfcMqlLAq8SQ65vzFYdTyxZyrD8ebW3kb4Ly182QnZ3lE7YPdnmRBBmRmcvMxmPYhp5L+1f4uw8w9Lctm5KZwCzcDvpWh/RGnFpl/HcvFYiRdukik2uXzZypPktiKgWxXR378NXeXWDTSx8tdqaDpvuus1Z8obzZSRCI9F8Lb3x3hfK0xNyBTQDbzHf2G9yF0PhAHhEBuZUp6nNeD5U9ZIqRZSF54Y9/5Qpvo8i34kLQc45Tgre3s0KrvQIw2CaytGkYEdyCkj/MHHeN2PIbMvbZmNXJUcz0cx7eZ2PckeVihpVgatmRdqjBt2Fszp8Flymquli9wS/I7Fpl4NhBf3ug==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:ZR0P278MB0537.CHEP278.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(786006)(376014)(366016)(1800799024)(4022899009)(19092799006)(11063799003)(3023799003)(4143699003)(22082099003)(56012099003)(18002099003);DIR:OUT;SFP:1101;
X-Exchange-RoutingPolicyChecked: YWxTuTqXkumoR3t2LArGpDM32P7uEwZn2lncTILr3nbOkF2JSd+JP5fMXLlELDKxOEv/AJ8z1asPEwNSj0lXeSds9wn3G1S6esxvtDCplUFu0Ile6AXhsMqOx1GbGgTnBa7mmC7hWrTEPBNYKBU4PevRpTewVykjB4OHKxIC6axGnE1aqbQCqUhiBXdzyzmB/NQuP+nYYPPfy9Pqk4Y2Lyo2coLsgn4p7XPcYileWo72glkvhI0Ac6ZC+xqw+TBl6BQOI6/WbUseY4FYhC/mrd0oND8nwM704fJwnkIKNFDz/1SoiOXloHqaBmb9cu89xfC3KOim6+/CsgeQhhEIdg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ZRAP278MB0143
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DU2PEPF00028D13.eurprd03.prod.outlook.com
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id-Prvs: 20a108c5-786d-4bd4-b0f2-08deb4b136ae
X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|19092799006|14060799003|82310400026|4022899009|35042699022|786006|376014|36860700016|13003099007|22082099003|18002099003|56012099003|4143699003|3023799003|11063799003;
X-Microsoft-Antispam-Message-Info: 8B22ng82RSKeqSQTitm1QyxNIL6PGm/U1MmfFmb3cnLrSkJtbWoHtnU3FjUGHnpvG7kBFhC9WBa30l2gVmBdee+80c4oZSzYZj7mch7XcbNI+IikmjRGRNIFR+jDEyRAqvFbXajzm09ev1LlXy6slWrrXrC9gbtWNy5GU+vTlqVJ5HvhS0sz1OqnwO1VlNLLnlfXhk7cl+vVqCpMdHEl4uiK+ikHL0YwuMLRyaZrjY0m258YPzsxmKtVm7mWc/z+/qqoIXIFnVETDaJytLVA+jk8ynX8pUZBDcJMm9sSpmvIruwnMrKOBxUe2UB+SUQrvZZfbfaXEzEKDwVIs49NPtCZXRws28jMs7FINi+HPCogbVeUG7JSxub4HZk9Eo9dzDcb0px9Ec3ityELcyHTCmFYx3F5wG0eGGloHSBdddlLnqQNjbk5p8nX+dDbbbQNoGN5Unfxi8Y0Bo3h+1GWUWUMtJdPCL4S14SBLqH2PssMBeTeFp5YHzS54awXjoIqd2UefKgQGt6Csc2b7/Bpkbh7Z3/Z+I5bIkcUUTATX4eFHeLWf0oGo1NaDQavgpjK/+poK36Gg2JRH11dj1PCPYUFtjrjbycNqDxfAqCz2RHtlu1Khkq9RA9Y4RadZI36VFTmL915h9oa0+LqhOVzPdX21Hj1DKzjTCuMtA9IUcmm5hsA9+iOuo2/MekZ7ps4/YKqasaE7qCCXwTFf9qG6mo7o+cAr9g3q4Nam+0CsUA=
X-Forefront-Antispam-Report: CIP:51.107.2.244;CTRY:CH;LANG:en;SCL:1;SRV:;IPV:CAL;SFV:NSPM;H:mx2.crn.activeguard.cloud;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(1800799024)(19092799006)(14060799003)(82310400026)(4022899009)(35042699022)(786006)(376014)(36860700016)(13003099007)(22082099003)(18002099003)(56012099003)(4143699003)(3023799003)(11063799003);DIR:OUT;SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: khqGwcUEdPv537k7Yg5v6ypubgBPLHyYhQpy7SwlSRHD8ZjptqiasagVZgb94hdO6MywPi/5oBqLbZMs9sKCAsozMnWvpAh2zZDDVY0zO1pGhenlNzc5OEH30aAOyIVFM91BT28OzkfMrIaa47aaLAixJqCSRj7UAuSALCS+WeQB0oXmcAtBCQK8Ph1ZKmiwK5c+ZUXhMwCLnC5EGcR4fc1BCieEetFQMLW17GDrVXi7dMW8OwbkDxxSu5bV5nhlv0ZQ5soKXAJVfHylivC81RQyZ6ZOqx74iJnuKVRT/aB0C7P4F3UDn83kg48Pb+sGO9myM+7jwIeafe/CTt3Y1pjBTDH7Drg5ocMLosPC8Di9LHHWfQdsz0crVOnRhsBxyJda+1Yquyem9ZRfcQU067v17GY1u7H0caYfcnToVvNuKpRbpOlT7+zylqwKD6MM
X-OriginatorOrg: cern.ch
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 May 2026 07:43:59.7519 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 38307919-61e1-42a6-b36c-08deb4b13968
X-MS-Exchange-CrossTenant-Id: c80d3499-4a40-4a8c-986e-abce017d6b19
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=c80d3499-4a40-4a8c-986e-abce017d6b19;Ip=[51.107.2.244];Helo=[mx2.crn.activeguard.cloud]
X-MS-Exchange-CrossTenant-AuthSource: DU2PEPF00028D13.eurprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ZR0P278MB0124
Message-ID-Hash: CILGPQIP7I3ZQU3EEC3YEUJ2YQPLFOYX
X-Message-ID-Hash: CILGPQIP7I3ZQU3EEC3YEUJ2YQPLFOYX
X-MailFrom: giuseppe.lopresti@cern.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OCM] Re: Token exchange is missing third party token validation
List-Id: "The Open Cloud Mesh (OCM) protocol enables sharing of resources such as files and applications across different cloud storage systems.," <ocm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ocm/KyLGIaNa_LKVWUQfBDAYbF4rqXc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ocm>
List-Help: <mailto:ocm-request@ietf.org?subject=help>
List-Owner: <mailto:ocm-owner@ietf.org>
List-Post: <mailto:ocm@ietf.org>
List-Subscribe: <mailto:ocm-join@ietf.org>
List-Unsubscribe: <mailto:ocm-leave@ietf.org>
I fully agree this is a 'noble' intent, and at least it would grant an appendix. Your idea of writing separate I-D documents may make sense here. At the same time, the main I-D could still include a recommendation when a given kind of integration is to be achieved, with reference to the separate document (or the appendix), but again not a prescription IMHO. I must say that I didn't like too much our model of a server-side shared secret, but it has its value now that you explain that a JWT would need to become quite large (with potential side effects) to be effective. Do you want to start with an appendix for now, or go with a new document right away? Cheers, Giuseppe On 18.05.2026 09:11, Micke Nordin wrote: > I have started implementation on the Jupyterhub side now, and I can > tell you that the integration will need more information than what is > currently in the JWT, no matter what. Essentially the webapp server > needs to know the entire payload of the share (minus possibly the > sharedSecret). > > So it doesn't matter as much as I thought whether the token is a JWT > or an opaque string. I still need to establish a back channel between > the sending server and the webapp server anyway, unless we stuff a lot > more information into the JWT. > > My point with this PR is to make it easy to write integrations that > will work for any OCM server, so you only need to support the generic > webapp protocol on the OCM server, and add all of the specifics of the > integration on the webapp server side. > > This proposal does not achieve that goal, but I still think it is a > noble goal that we should try to achieve, just because I see alot of > potential in the webapp protocol, and it would be a shame to have alot > of bespoke integrations out there, that needs custom integration code > on the OCM side. > > Essentially we have three options: > > 1. we put a lot of data into the JWT, more or less the entire share > payload, or > 2. we have an introspection endpoint on the OCM server. > 3. we establish an api endpoint on the webapp server that gets a > separate POST with information at the share time, that can be related > to the JWT via the client_id. > > I can see use cases for each of these, and maybe the best thing we > could do is write a separate specification for OCM integrations, and > keep the opaque string as the wording in the core spec. > > That way, you would know what to do if you want to write an > interoperable integration, and if you only want to recieve webapp > shares, you donyhave to care what the token looks like or anything else. > > All the best, > Micke > > > Den 18 maj 2026 08:18:02 CEST, Giuseppe Lo Presti > <Giuseppe.LoPresti=40cern.ch@dmarc.ietf.org> skrev: > > Hi Micke, all, Coming back to this thread a bit late. I have an > "academic" question here, prior to approving/changing the proposed > PR [1]: with all good intentions and the added interoperability, > do we want that the OCM spec prescribes something that is the > internal business of a provider and has no direct impact on the > protocol between providers? Or shall we just recommend it? Maybe > the chairs may suggest what the typical approach within IETF is - > is it preferred to specify more, or should we target the minimal > level to ensure interoperability? My case for why I'd leave it as > a recommendation would be as follows, starting from the example: > > The proposal is meant to increase interoperability by not > requiring extra machinery, that is implementation specific. > When doing a webapp share, the sending server sends a share > notification to the receiving server. Now the user that > received the share wants to access the webapp. The receiving > server then exchanges the sharedSecret for a short lived > access token and posts the access token into an iframe served > by a third party, in this case a JupyterHub server operated by > the same folks that operate the sending OCM server. This > access token is ment to grant access to the webapp resource, > and so the webapp server needs to verify the token. > > Because it's a "server operated by the same folks", one could > imagine that the app server uses an internal trust relationship > with the OCM server (that is the EFSS server), in such a way that > the token shipped into the iframe does not need additional > verification. Our Collabora integration works pretty much like > that, in the sense that it only allows connections from our WOPI > servers, which in turn are in a trust relationship via shared key > with our EFSS servers. Moreover, as you suggested the token > exchange is performed by the EFSS server anyway, not by the webapp > server, and this makes perfect sense in terms of separation of > concerns. But precisely that allows more freedom for such a case. > Cheers, Giuseppe [1] https://github.com/cs3org/OCM-API/pull/365 On > 07.05.2026 16:51, Micke Nordin wrote: > > Sorry! I accendently replied only to Mathias, here is my reply > to all! > ------------------------------------------------------------------------ > Hello! On 5/7/26 2:47 PM, Matthias Kraus wrote: > > Hi, I would make sure the token is opaque to Receiving > Servers. What it contains is up to the SendingServer > Implementation, so the SendingServer is free to use > anything, e.g. a JWT, to allow its Services to > authenticate it. > > The point of the proposal is that anyone with access to the > token, including third parties, should be able to verify that > the token was issued by the sending server by checking the > signature against the sending servers public key. > > Then it's a implementation detail when the webapp service > is configured to send tokens it gets to some (oidc?) > authentication service or to validate the JWT. That way we > minimize complexity across Implementations which would > harm compatibility. > > The proposal is meant to increase interoperability by not > requiring extra machinery, that is implementation specific. > When doing a webapp share, the sending server sends a share > notification to the receiving server. Now the user that > received the share wants to access the webapp. The receiving > server then exchanges the sharedSecret for a short lived > access token and posts the access token into an iframe served > by a third party, in this case a JupyterHub server operated by > the same folks that operate the sending OCM server. This > access token is ment to grant access to the webapp resource, > and so the webapp server needs to verify the token. If we > don't want to specify the format of the token, then it will be > hard to implement the integration with the webapp server. You > would need a token introspection endpoint or you could use a > JWT, with out specifying how it is supposed to be done, > leading to alot of similar, but slightly different > implementations. Siince this is a flow that will need to be > implemented in every single webapp server, I think it makes > sense to specify it. > > I haven't implemented the token flow so far, so tell me if > I've missed something. > > When implementing this in Nextcloud and what Mahdi did in > reva, we both ended up with almost the exact same solution > (but not exactly the same), which tells me that this is the > way to go, and in the interest of interoperability, we should > be explicity on how to do it. It is not complex to do, and > making everyone figure it out on their own, without the > possibility to re use integrations across different vendors is > not good (i.e. Nextcloud would need a different Jupyterhub > integration on the Jupyter side, than what Opencloud what > need, and that would be different from what ownCloud would > need). We can write OCM integration could for many different > webapps, that could then be reused by all OCM servers, which I > think is powerful, at the cost of making everyone write twenty > lines of JWT code. > > Best, Matthias > > All the best, Micke > > Am 6. Mai 2026 01:20:34 GMT-06:00 schrieb Micke Nordin > <kano=40sunet.se@dmarc.ietf.org>: In the so called "code > flow" we specify a /token endpoint where you can exchange > a sharedSecret for an opaque access token in the vain of > OAUTH 2. Now that we are starting to work on webapp > sharing, I notice that we are missing the ability for > third parties to validate an issued access token. User X > on Server A shares a webapp with User Y on Server B. > Server B exchanges the sharedSecret for an access_token at > Server A's token endpoint and posts this access_token into > the webapp servers iframe. The webapp server of Server A > is in this case not the OCM server itself, but rather a > third party such as Jupyterhub or a wopi server. Now the > webapp server needs to validate the access_token with > Server A, but now with the current spec, we are stuck. > There are two ways to solve this: 1. We introduce a token > introspection endpoint: > https://www.oauth.com/oauth2-servers/token-introspection-endpoint/ > 2. We use JWT profile for OAUTH access tokens > https://datatracker.ietf.org/doc/html/rfc9068 Both of > these have some drawbacks: 1. The introspection endpoint > needs either be autheticated with basic auth, or hidden > behind access lists. 2. If we go the JWT route, the token > is no longer opaque. To me it seems like using JWTs with > content we can examine and verify signatures on are the > simplest to implement and makes most sense to me. We > already require servers that use the code flow to sign > requests using http-sig so the key material we need is > already there, so we only need to change the spec to > specify the structure of the JWT access_token. Whats do > you think? All the best, Micke > ------------------------------------------------------------------------ > OCM mailing list --ocm@ietf.org To unsubscribe send an > email toocm-leave@ietf.org > > ------------------------------------------------------------------------ > OCM mailing list -- ocm@ietf.org To unsubscribe send an email > to ocm-leave@ietf.org > > ------------------------------------------------------------------------ > OCM mailing list -- ocm@ietf.org To unsubscribe send an email to > ocm-leave@ietf.org > > > _______________________________________________ > OCM mailing list -- ocm@ietf.org > To unsubscribe send an email to ocm-leave@ietf.org
- [OCM] Token exchange is missing third party token… Micke Nordin
- [OCM] Re: Token exchange is missing third party t… Micke Nordin
- [OCM] Re: Token exchange is missing third party t… Micke Nordin
- [OCM] Re: Token exchange is missing third party t… Matthias Kraus
- [OCM] Re: Token exchange is missing third party t… Micke Nordin
- [OCM] Re: Token exchange is missing third party t… Matthias Kraus
- [OCM] Re: Token exchange is missing third party t… Giuseppe Lo Presti
- [OCM] Re: Token exchange is missing third party t… Giuseppe Lo Presti
- [OCM] Re: Token exchange is missing third party t… Micke Nordin
- [OCM] Re: Token exchange is missing third party t… Micke Nordin
- [OCM] Re: Token exchange is missing third party t… Giuseppe Lo Presti
- [OCM] Re: Token exchange is missing third party t… Micke Nordin
- [OCM] Re: Token exchange is missing third party t… Giuseppe Lo Presti
- [OCM] Re: Token exchange is missing third party t… Micke Nordin