Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Andrii Deinega
I still don't see how your #1 and #3 points mitigate the replay attack when an attacker somehow eavesdrops a successful response from an AS (yes, it's signed by a public key) and then starts to replay it for other requests from the same client. The main problem here is that the client doesn't have

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Neil Madden
Three points: 1. In many cases the JWT will be verified using a public key fetched over the same TLS channel. 2. Many proxies can now also produce and consume JWTs for downstream services, so end-to-end JWT is no more guaranteed than end-to-end TLS. 3. The JWT response already contains an iat

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Andrii Deinega
How can you guarantee that there are always direct TLS connections between a client and an AS hosted, say, by some cloud provider where you have little control over their infrastructure? Even without all those cloud providers, how can you guarantee the same when there are a bunch of different (software

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-rar-04.txt

2021-02-09 Thread Francis Pouatcha
Find below my review of the draft: 1. Redactional changes: 2.2. Authorization Data Types Interpretation of the value of the "type" parameter, and the object elements that the "type" parameter allows => allowed 9. Metadata which is an JSON array. => which is a JSON array 1

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and types of tokens

2021-02-09 Thread Vladimir Dzhuvinov
Hi Warren, On 08/02/2021 17:59, Warren Parad wrote: > None of that justified explicitly stating that refresh token > introspection shouldn't be done. At best it suggests that we should > explicitly add language in the draft to directly encourage it. Did you mean discourage? > But if an AS wants

Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-10: (with DISCUSS and COMMENT)

2021-02-09 Thread Vladimir Dzhuvinov
Hi Benjamin, Thanks a lot for your comments. We discussed them and applied several changes to the draft to address them. Those changes can be previewed here: https://github.com/oauthstuff/draft-ietf-oauth-jwt-introspection-response/compare/address-comments-benjamin-kaduk-2021-01-26 Further com

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Neil Madden
On 9 Feb 2021, at 06:55, Andrii Deinega wrote: > Hi WG, > I wonder if there are any particular reasons to not make nonce a mandatory > parameter for the current JWT Response for OAuth Token Introspection draft. > Or, at least, force an AS to include the nonce claim in a JWT response wh