[GNAP] RS validation of access tokens

Justin Richer <jricher@mit.edu> Sat, 29 July 2023 04:42 UTC

From: Justin Richer <jricher@mit.edu>
To: GNAP Mailing List <txauth@ietf.org>
Date: Sat, 29 Jul 2023 04:42:27 +0000
Message-ID: <9963D12E-D52D-424B-82A4-854BCABE6CF9@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Uwf7xosjnNLYJ1i_2s2-P1nHUNE>

As discussed at the meeting today, the following issue raises the possibility of an RS signaling to an AS whether an access token should be revoked:

https://github.com/ietf-wg-gnap/gnap-resource-servers/issues/52

The discussion in the room was that while this feature is potentially useful, there is not a strongly compelling demand from implementors or use cases to add it to the draft. Furthermore, it could be handled by an extension to the RS/AS relationship, probably something alongside token introspection.

Therefore, the proposal is to close the issue without action. Please comment here or on the list if you’d like to add to the conversation.

 — Justin