One problem we've discovered when returning the client_id value as "sub" is client impersonation. That is, in a system where a user can self-register, it's possible that the user could register an id/sub value that is the same as the client_id value, and thus be granted the same privileges as the application principal based on the introspection response.
We're leaning towards returning the grant_type in the introspection response to disambiguate this case, i.e. if grant_type == "client_credentials" then you know that the bearer represents the app principal.

http://tools.ietf.org/html/draft-richer-oauth-introspection-04 expired last Nov. Were you thinking of picking it up? I'm recalling that Nat Sakimura expressed an interest a while back.

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
[email protected]

From: Justin Richer <[email protected]>
To: Todd W Lainhart/Lexington/IBM@IBMUS, IETF oauth WG <[email protected]>
Date: 05/22/2014 10:45 AM
Subject: Re: [OAUTH-WG] For a client credentials grant, what are you returning as the value of the "sub" element in an introspection response?

We return the client_id of the client that the token was issued to.

-- Justin

On 5/22/2014 10:08 AM, Todd W Lainhart wrote:

For folks who have implemented the client credentials grant and introspection, I'm interested to know what you're returning for the value of "sub" in the token introspection response ( http://tools.ietf.org/html/draft-richer-oauth-introspection-04#section-2.2 ). The "client_id" value requesting the grant, or some other client registration metadata value?

Todd Lainhart
Rational software
IBM Corporation
550 King Street, Littleton, MA 01460-1250
1-978-899-4705
2-276-4705 (T/L)
[email protected]

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
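The impersonation problem and the proposed grant_type disambiguation, as an added example that is not part of the thread and not any participant's code. It shows a resource server deciding whether an introspected bearer token belongs to the application principal: first the check that trusts "sub" alone (which a self-registered user whose id collides with the client_id can pass), then the check that additionally requires the grant_type claim the thread proposes. The "grant_type" claim name, the client id "billing-svc", and all introspection responses below are assumptions or constructed samples; the introspection draft itself does not define grant_type, so a response lacking it is treated as not disambiguated and fails closed.

```python
"""Resource-server side handling of a token introspection response.

Added example, not from the mailing-list thread. Assumes a hypothetical
"grant_type" claim in the introspection response, as proposed in the thread.
"""

# Constructed: the client_ids this resource server knows as application principals.
REGISTERED_CLIENTS = {"billing-svc"}

# Constructed introspection responses (draft-richer-oauth-introspection style).
# The authorization server returns the client_id as "sub" for client credentials tokens.
APP_TOKEN = {
    "active": True,
    "sub": "billing-svc",
    "scope": "billing:write",
    "grant_type": "client_credentials",  # hypothetical claim
}

# A self-registered user chose the id "billing-svc"; same "sub", different grant.
IMPERSONATOR_TOKEN = {
    "active": True,
    "sub": "billing-svc",
    "scope": "billing:write",
    "grant_type": "authorization_code",  # hypothetical claim
}

# An ordinary user token.
USER_TOKEN = {
    "active": True,
    "sub": "alice",
    "scope": "billing:read",
    "grant_type": "authorization_code",  # hypothetical claim
}

# A response from an authorization server that does not emit grant_type at all.
LEGACY_TOKEN = {"active": True, "sub": "billing-svc", "scope": "billing:write"}


def is_app_principal_naive(introspection: dict) -> bool:
    """Vulnerable check: any active token whose "sub" equals a registered
    client_id is treated as the application itself. The impersonator's
    user token passes this check."""
    if not introspection.get("active"):
        return False
    return introspection.get("sub") in REGISTERED_CLIENTS


def is_app_principal(introspection: dict) -> bool:
    """Hardened check: the token must be active, must have been issued via the
    client credentials grant, and its "sub" must name a registered client.
    A missing grant_type cannot be disambiguated, so it is rejected."""
    if not introspection.get("active"):
        return False
    if introspection.get("grant_type") != "client_credentials":
        return False
    return introspection.get("sub") in REGISTERED_CLIENTS


def principal_kind(introspection: dict) -> str:
    """Label the bearer for authorization decisions: "app", "user" or "inactive"."""
    if not introspection.get("active"):
        return "inactive"
    return "app" if is_app_principal(introspection) else "user"


if __name__ == "__main__":
    for name, tok in [
        ("app", APP_TOKEN),
        ("impersonator", IMPERSONATOR_TOKEN),
        ("user", USER_TOKEN),
        ("legacy", LEGACY_TOKEN),
    ]:
        print(
            f"{name:12s} naive={is_app_principal_naive(tok)!s:5s} "
            f"hardened={is_app_principal(tok)!s:5s} kind={principal_kind(tok)}"
        )
```

The naive check accepts both the real client credentials token and the impersonator's user token, because the two are indistinguishable on "sub" alone. The hardened check only grants application-principal status when the authorization server also asserts the grant was client_credentials, and it refuses the legacy response that carries no grant_type rather than guessing.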
