Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Rifaat Shekh-Yusef
On Thu, Mar 18, 2021 at 8:07 AM Neil Madden wrote:
> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef wrote:
>> On Thu, Mar 18, 2021 at 3:45 AM Neil Madden wrote:
>>> On 18 Mar 2021, at 05:33, Andrii Deinega wrote:
>>>> The Cache-Control header, even with its strongest

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Warren Parad
Warren Parad, Founder, CTO. Secure your user data with IAM authorization as a service. Implement Authress.
On Thu, Mar 18, 2021 at 1:07 PM Neil Madden wrote:
> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef wrote:
>> On Thu, Mar 18, 2021 at 3:45 AM Neil Madden

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Neil Madden
> On 18 Mar 2021, at 11:33, Rifaat Shekh-Yusef wrote:
>> On Thu, Mar 18, 2021 at 3:45 AM Neil Madden wrote:
>>> On 18 Mar 2021, at 05:33, Andrii Deinega wrote:
>>>> The Cache-Control header, even with its

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Rifaat Shekh-Yusef
On Thu, Mar 18, 2021 at 3:45 AM Neil Madden wrote:
> On 18 Mar 2021, at 05:33, Andrii Deinega wrote:
>> The Cache-Control header, even with its strongest directive "no-store", is pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext Transfer Protocol: Caching).

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-18 Thread Neil Madden
> On 18 Mar 2021, at 05:33, Andrii Deinega wrote:
>> The Cache-Control header, even with its strongest directive "no-store", is pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext Transfer Protocol: Caching).
>>> This directive is NOT a reliable or sufficient

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-03-17 Thread Andrii Deinega
The Cache-Control header, even with its strongest directive "no-store", is pretty naive protection... Below is an excerpt from RFC 7234 (Hypertext Transfer Protocol: Caching).
> This directive is NOT a reliable or sufficient mechanism for ensuring privacy. In particular, malicious or compromised

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-12 Thread Neil Madden
> On 11 Feb 2021, at 21:43, Andrii Deinega wrote:
>> Thank you for the response! Unfortunately, I'm still not convinced that there is no need for nonce.
>> Based on the draft, I don't know how it's possible to achieve a “stronger assurance that the authorization server issued the

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-11 Thread Andrii Deinega
Thank you for the response! Unfortunately, I'm still not convinced that there is no need for nonce. Based on the draft, I don't know how it's possible to achieve a “stronger assurance that the authorization server issued the token introspection response for an access token, including cases where

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-10 Thread Neil Madden
> On 9 Feb 2021, at 22:04, Andrii Deinega wrote:
>> I still don't see how your #1 and #3 points mitigate the replay attack when an attacker somehow eavesdrops a successful response from an AS (yes, it's signed by a public key) and then starts to replay it for other requests from

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Andrii Deinega
I still don't see how your #1 and #3 points mitigate the replay attack when an attacker somehow eavesdrops a successful response from an AS (yes, it's signed by a public key) and then starts to replay it for other requests from the same client. The main problem here is that the client doesn't

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Neil Madden
Three points:
1. In many cases the JWT will be verified using a public key fetched over the same TLS channel.
2. Many proxies can now also produce and consume JWTs for downstream services, so end-to-end JWT is no more guaranteed than end-to-end TLS.
3. The JWT response already contains an

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Andrii Deinega
How can you guarantee that there are always direct TLS connections between a client and an AS hosted say some cloud provider where you have a little control on their infrastructure? Even without all those cloud providers, how can you guarantee the same when there are a bunch of different

Re: [OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-09 Thread Neil Madden
On 9 Feb 2021, at 06:55, Andrii Deinega wrote:
> Hi WG,
> I wonder if there are any particular reasons to not make nonce a mandatory parameter for the current JWT Response for OAuth Token Introspection draft. Or, at least, force an AS to include the nonce claim in a JWT response

[OAUTH-WG] JWT Response for OAuth Token Introspection and nonce

2021-02-08 Thread Andrii Deinega
Hi WG, I wonder if there are any particular reasons to not make nonce a mandatory parameter for the current JWT Response for OAuth Token Introspection draft. Or, at least, force an AS to include the nonce claim in a JWT response when nonce is presented in the introspection request similar to what