Hi Toshio,

The scenario you describe is comparable to https://openid.net/specs/openid-connect-self-issued-v2-1_0.html, at least in terms of validation logic. Please note that most of the validation software in common use today expects to work with just a handful of keys, typically one provider and allowance for rotation, hence it might not be trivial to repurpose it to perform large table scans in scenarios where you have many clients and corresponding keys. Also, Prabath's blog makes a statement that, I believe, overstates what can be achieved with this approach: he says that this can be a replacement for TLS mutual authentication, but it isn't really the case, as you are still dealing with a bearer token, which can be replayed after issuance, hence offering fewer guarantees than mutual TLS.
On Tue, Sep 28, 2021 at 6:54 PM <toshio9....@toshiba.co.jp> wrote:
> Hi OAuth folks,
>
> I have a question. Is there (or was there) any standardizing effort for
> "self-issued access tokens"?
>
> Self-issued access tokens are mentioned in a blog post by P. Siriwardena in 2014
> [*1]. It's an Access Token issued by the Client and sent to the Resource Server.
> The token is basically a signed document (e.g. JWT) by the private key of the
> Client. The Resource Server verifies the token with the public key, which is
> provisioned in the RS in advance.
>
> I think self-issued access tokens are a handy replacement for Client Credentials
> Grant flow in simple deployments, where it's not so necessary to separate AS and
> RS. In fact, Google supports this type of authentication for some services
> [*2][*3]. I'm wondering if there are any other services supporting self-signed
> access tokens.
>
> Any comments are welcome.
>
> [*1]: https://wso2.com/library/blog-post/2014/10/blog-post-self-issued-access-tokens/
> [*2]: https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth
> [*3]: https://google.aip.dev/auth/4111
>
> -------------
> Toshio Ito
> Research and Development Center
> Toshiba Corporation
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
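The flow discussed in this thread, as an added, self-contained Go example that is not code from either poster, from the WSO2 blog post, or from Google's service-account implementation: the client signs its own JWT access token with its private key, and the resource server verifies it against a table of pre-provisioned client public keys. Two points from the thread are built in. First, the RS indexes the key table by the JWS `kid` header so a deployment with many clients does a map lookup rather than the table scan the reply warns most validators are not built for. Second, because the result is still a bearer token, the RS keeps a short-lived cache of accepted `jti` values so a captured token cannot be replayed within its lifetime (this narrows, but does not close, the gap to mutual TLS the reply points out). Assumptions not in the thread: EdDSA over Ed25519 as the signature algorithm (Google's JWT auth uses RS256; the check is the same), the convention that `kid` equals the client's `client_id`, and the constructed claim set, audience and key names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims the resource server checks (constructed for
// this example; the thread does not fix a claim set).
type Claims struct {
	Iss string `json:"iss"` // client_id of the client that issued its own token
	Aud string `json:"aud"` // identifier of the resource server
	Exp int64  `json:"exp"` // seconds since epoch; keep this short for bearer tokens
	Jti string `json:"jti"` // unique per token; used for replay detection
}

type jwsHeader struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

var b64 = base64.RawURLEncoding

// SignSelfIssued is the client side: a compact JWS over the claims, signed with
// the client's own Ed25519 private key. No authorization server is involved.
func SignSelfIssued(priv ed25519.PrivateKey, kid string, c Claims) (string, error) {
	h, err := json.Marshal(jwsHeader{Alg: "EdDSA", Kid: kid})
	if err != nil {
		return "", err
	}
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(h) + "." + b64.EncodeToString(p)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput))), nil
}

// Verifier is the resource server side. Keys holds the pre-provisioned client
// public keys indexed by kid (assumed equal to client_id). seen holds accepted
// "iss|jti" pairs until their exp, the replay mitigation for a bearer token.
type Verifier struct {
	Keys     map[string]ed25519.PublicKey
	Audience string
	seen     map[string]int64
}

func NewVerifier(aud string) *Verifier {
	return &Verifier{Keys: map[string]ed25519.PublicKey{}, Audience: aud, seen: map[string]int64{}}
}

// Verify checks structure, alg, kid, signature, issuer/kid binding, audience,
// expiry and replay in that order: no claim is trusted before the signature is.
func (v *Verifier) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h jwsHeader
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, err
	}
	if h.Alg != "EdDSA" { // pin the algorithm; the token must not choose it
		return nil, errors.New("unsupported alg")
	}
	pub, ok := v.Keys[h.Kid] // O(1) lookup even with thousands of clients
	if !ok {
		return nil, errors.New("unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != h.Kid: // the key that signed must belong to the claimed issuer
		return nil, errors.New("iss does not match kid")
	case c.Aud != v.Audience:
		return nil, errors.New("wrong audience")
	case c.Exp <= now.Unix():
		return nil, errors.New("expired")
	case c.Jti == "":
		return nil, errors.New("missing jti")
	}
	for k, exp := range v.seen { // prune expired entries so the cache stays bounded
		if exp <= now.Unix() {
			delete(v.seen, k)
		}
	}
	key := c.Iss + "|" + c.Jti
	if _, dup := v.seen[key]; dup {
		return nil, errors.New("replayed token")
	}
	v.seen[key] = c.Exp
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rs := NewVerifier("https://rs.example")
	rs.Keys["client-42"] = pub // provisioned out of band, as in the thread
	now := time.Now()
	tok, _ := SignSelfIssued(priv, "client-42", Claims{Iss: "client-42",
		Aud: "https://rs.example", Exp: now.Add(time.Minute).Unix(), Jti: "n-1"})
	_, err := rs.Verify(tok, now)
	fmt.Println("first presentation:", err)
	_, err = rs.Verify(tok, now)
	fmt.Println("second presentation:", err)
}
```

The replay cache only has to remember a `jti` until its `exp`, which is why a short token lifetime matters: it bounds both the replay window and the cache size. A `jti` cache on a single RS instance does not help across several unsynchronized instances, so in a horizontally scaled RS the cache has to be shared, or the RS has to accept that replay within the lifetime is possible, which is exactly the residual difference from mutual TLS the reply describes.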