Hi

On 23/02/16 19:31, Antonio Sanso wrote:
> hi Sergey,
> just my 2 cents
> let's start from a simple fact that encryption is not authentication. :)

And since then the access tokens are supposed to provide the source
guarantee to the client? Can you point to any text somewhere suggesting
the clients must expect the access tokens to be a set of JWT JWS signed
claims? (let's put the whole PoP aside for now...)

> Now, if the claim set of a JWS contains only non-confidential information, JWS
> is enough.

You are right - this is close to what I was asking about. My point is
that given that a JWS-signed JWT content can be processed as easily as
Base64 encoded data, the problems will start happening if a given OAuth2
server inadvertently puts more into this JWT container than it should...

Thanks, Sergey

> See also inline
>
> On Feb 23, 2016, at 6:15 PM, Sergey Beryozkin <sberyoz...@gmail.com> wrote:
>
>> Hi
>> Some OAuth2 providers may return self-contained access tokens which are JWS
>> Compact-encoded.
>> I wonder if it is really a good idea and whether it would not be better to only
>> JWE-encrypt the tokens. I'm not sure JWS signing the claims is necessarily
>> faster than only encrypting the claims, assuming the symmetric algorithms are
>> used in both cases.
>
> JWE algorithms are all AEAD AFAIK, so it is not only symmetric encryption; plus there is
> the content key "wrap algorithm".
>
> regards
> antonio
>
>> For example, my colleague and I, while dealing with the issue related to
>> parsing an access token response from a 3rd party provider, were able to easily
>> check the content of the JWS-signed access_token by simply submitting an easily
>> recognized JWS Compact-formatted value (3 dots) into our JWS reader - we did
>> not have to worry about decrypting it, nor did the fact that we did not validate the
>> signature matter.
>> But access tokens are opaque values as far as the clients are concerned and if
>> the introspection is needed then the introspection endpoint does exist for that
>> purpose...
>> Thanks, Sergey
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
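An added illustration of the point raised in this thread (not code from either poster): a JWS Compact access token's claim set is readable by anyone holding the token without any key, whereas a JWE Compact token exposes only its protected header. The HMAC key, claim names and the "sensitive" claim list below are constructed for the example; an issuer can run a check like `exposed_sensitive_claims` over the tokens it mints to catch confidential claims ending up in a signed-only container.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key and claim policy (not from the thread).
SECRET = b"demo-hmac-key-not-a-real-secret"
SENSITIVE = {"email", "ssn", "password", "phone"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_jws(claims: dict, key: bytes) -> str:
    """Mint a JWS Compact token (HS256) the way a self-contained issuer might."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> bool:
    """Signature check is a separate step; reading the claims never needs it."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def visible_without_key(token: str) -> dict:
    """What a token holder can read with no key at all.
    JWS (3 parts): header and the full claim set are plaintext.
    JWE (5 parts): only the protected header; claims are inside the ciphertext."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        return {"kind": "JWS", "header": header, "claims": json.loads(b64url_decode(parts[1]))}
    if len(parts) == 5:
        return {"kind": "JWE", "header": header, "claims": None}
    raise ValueError("not a JWS/JWE compact serialization")

def exposed_sensitive_claims(token: str) -> set:
    """Issuer-side lint: sensitive claim names this token leaks to its holder."""
    view = visible_without_key(token)
    return set(view["claims"] or {}) & SENSITIVE

# Constructed placeholder JWE: real header, opaque (fake) encrypted-key/IV/ciphertext/tag segments.
SAMPLE_JWE = b64url(b'{"alg":"dir","enc":"A256GCM"}') + "..iv.ciphertext.tag"
SAMPLE_CLAIMS = {"sub": "alice", "scope": "read", "email": "alice@example.com"}
```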