Hi Torsten,
Sorry for the delayed response; it seems this got buried beneath some other
things. Thanks to everyone else for contributing, and I think there's just
one point left that needs a response (inline)...
On Mon, Mar 02, 2020 at 03:19:11PM +0100, Torsten Lodderstedt wrote:
> Hi Ben,
>
> >>
> >>>
> >>> I don't think the new semantics for "jti" in the introspection response
> >>> are compatible with the RFC 7519 definition. Specifically, we say that
> >>> "jti" will be tied to the input access token, but 7519 says that "jti"
> >>> has to change when the contents of the JWT change ("MUST be assigned in
> >>> a manner that ensures that there is a negligible probability that the
> >>> same value will be accidentally assigned to a different data object"),
> >>> and we admit at least the possibility of "active" and "iat" changing.
> >>
> >> I think the key word is “accidentally”. This spec causes the AS to
> >> purposefully issue JWTs with the same “jti” in order to allow replay
> >> detection with respect to the introspected access token. “iat” is changed
> >> in order to give the RS an indication and proof when the introspection
> >> response was minted by the AS.
> >
> > I think "accidentally" is just there to emphasize that there's a risk of
> > accidental collision when using a random string as an identifier, since "of
> > course you wouldn't deliberately reuse a token identifier". This stance
> > seems to supported by "[t]he 'jti' (JWT ID) claim provides a unique
> > identifier for the JWT". It's really hard for me to read that sentence as
> > allowing the use of a single identifier for two different JWT values, since
> > it then ceases to be a *unique* identifier.
> >
> > I seem to have forgotten how this replay detection is supposed to work;
> > would you mind giving me a pointer and/or refresher?
>
> Sure.
>
> 1) Let’s assume a client obtains access token “123456789”, which obviously is
> a handle the RS needs to resolve using Introspection.
> 2) The RS calls the introspection endpoint, the AS looks up the access token
> data and responds with a JWT formatted introspection response (including a
> fresh jti “abc234567”).
> 3) The RS stores the jti in its replay cache (long with the tokens max
> lifetime)
>
> 4) The client calls the RS again using the same token “123456789”
> 5) The RS calls the introspection endpoint again, the AS looks up the access
> token data and responds with a JWT formatted introspection response
> (including a fresh jti “abc8912345”).
> 6) The RS compares the jti with its replay cache, no hit - it thinks all is
> good and performs the requested transaction.
>
> But it just accepted the same token for the 2nd time.
>
> If the AS would have created JWT formatted introspection responses with the
> same jti, the RS would had a cache hit in step (6) and refused the request.
>
> >
> >>
> >> “Active" does not really change, since the introspection response of an
> >> inactive token is empty except the “active” element.
> >
> > I mean, the token artifact still changes. What am I supposed to interpret
> > "the JWT" as meaning if not the actual encoded artifact?
>
> Sorry I don't understand. Can you please elaborate?
I was trying to combine two thoughts here but didn't provide a good
connection. Consider the test from RFC 7519, "The "jti" (JWT ID) claim
provides a unique identifier for the JWT." If we are to claim that the JWT
introspection response is a JWT, then the "jti" value contained therein is
supposed to pose a "unique identifier for the JWT [introspection
response]". But if it is clearly specified that the contents of the
introspection response (a JWT) are to change from having [a bunch of stuff]
to [mostly just "active":false], I can't come up with an interpretation
in which both [a bunch of stuff] and [mostly just "active":false] can be
considered "the same JWT". In a more general sense, I would treat "the
JWT" as the actual encoded artifact with header, claim set, and signature,
and under that assumption it's clear that any change in the encoded
artifact would be a different "JWT".
IIUC this point is now moot based on the direction we seem to be going in,
but hopefully that helps clarify my thinking.
-Ben
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth