We explicitly want the token (JSON object) to be signed, not the HTTP response. I think using JWS is the most generic way to achieve that goal.
> On 19.03.2018 at 09:57, Phil Hunt <phil.h...@oracle.com> wrote:
>
> This draft has similar issues to
> https://tools.ietf.org/html/draft-richer-oauth-signed-http-request-01
>
> Rather than *try* to sign HTTP, a signed JWT object is more reliably returned.
>
> Phil
>
>> On Mar 19, 2018, at 8:25 AM, LARMIGNAT Louis <louis.larmig...@wavestone.com> wrote:
>>
>> Hi,
>>
>> Could the draft Signing HTTP Messages
>> (https://tools.ietf.org/html/draft-cavage-http-signatures-09) not
>> meet this requirement in a more generic way?
>>
>> Regards,
>> Louis
>>
>> From: OAuth <oauth-boun...@ietf.org> On behalf of Brock Allen
>> Sent: Sunday, 18 March 2018 20:40
>> To: Torsten Lodderstedt <tors...@lodderstedt.net>; oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Fwd: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>>
>> Why is TLS to the introspection endpoint not sufficient? Are you thinking
>> there needs to be some multi-tenancy support of some kind?
>>
>> -Brock
>>
>> On 3/18/2018 3:33:16 PM, Torsten Lodderstedt <tors...@lodderstedt.net> wrote:
>>
>> Hi all,
>>
>> I just submitted a new draft that Vladimir Dzhuvinov and I have written. It
>> proposes a JWT-based response type for Token Introspection. The objective is
>> to provide resource servers with signed tokens in case they need
>> cryptographic evidence that the AS created the token (e.g. for liability).
>>
>> I will present the new draft in the session on Wednesday.
>>
>> kind regards,
>> Torsten.
>>
>> Begin forwarded message:
>>
>> From: internet-dra...@ietf.org
>> Subject: New Version Notification for
>> draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> Date: 18 March 2018 at 20:19:37 CET
>> To: "Vladimir Dzhuvinov" <vladi...@connect2id.com>, "Torsten Lodderstedt" <tors...@lodderstedt.net>
>>
>> A new version of I-D, draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> has been successfully submitted by Torsten Lodderstedt and posted to the
>> IETF repository.
>>
>> Name: draft-lodderstedt-oauth-jwt-introspection-response
>> Revision: 00
>> Title: JWT Response for OAuth Token Introspection
>> Document date: 2018-03-15
>> Group: Individual Submission
>> Pages: 5
>> URL: https://www.ietf.org/internet-drafts/draft-lodderstedt-oauth-jwt-introspection-response-00.txt
>> Status: https://datatracker.ietf.org/doc/draft-lodderstedt-oauth-jwt-introspection-response/
>> Htmlized: https://tools.ietf.org/html/draft-lodderstedt-oauth-jwt-introspection-response-00
>> Htmlized: https://datatracker.ietf.org/doc/html/draft-lodderstedt-oauth-jwt-introspection-response
>>
>> Abstract:
>> This draft proposes an additional JSON Web Token (JWT) based response
>> for OAuth 2.0 Token Introspection.
>>
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at tools.ietf.org.
>>
>> The IETF Secretariat
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
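The design point argued in the thread (sign the introspection JSON object with JWS, not the HTTP response) as an added example, not code from the draft or from any participant: a hypothetical AS-side helper signs an RFC 7662 introspection response as an ES256 compact JWS, and a hypothetical RS-side helper verifies it with the AS public key, so the evidence that the AS produced the claims holds regardless of the TLS connection that delivered them. The claim set, key and the header containing only `alg` are constructed here; the draft's exact header conventions are not assumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses base64url without padding (RFC 7515)

// signIntrospection (hypothetical AS-side helper) wraps an RFC 7662 introspection response
// object in a compact JWS with alg ES256: the signature covers the JSON object, not the HTTP response.
func signIntrospection(key *ecdsa.PrivateKey, claims map[string]interface{}) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil { return "", err }
	// Only alg is asserted in the header here (constructed; the draft's header conventions are not assumed).
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(payload)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil { return "", err }
	sig := make([]byte, 64) // ES256 signature is R || S, each fixed at 32 bytes (RFC 7518)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyIntrospection (hypothetical RS-side helper) returns the claims only after the signature
// checks out under the AS key; a wrong alg, curve or key, or a tampered payload, is rejected first.
func verifyIntrospection(pub *ecdsa.PublicKey, jws string) (map[string]interface{}, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 || pub.Curve != elliptic.P256() { return nil, errors.New("not a compact JWS, or AS key is not P-256") }
	hdrJSON, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "ES256" { return nil, errors.New("header rejected: alg is pinned to ES256, never taken from the token") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("bad signature encoding") }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is the two encoded parts as received
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) { return nil, errors.New("signature invalid") }
	payload, err := b64.DecodeString(parts[1])
	var claims map[string]interface{}
	if err != nil || json.Unmarshal(payload, &claims) != nil { return nil, errors.New("payload is not a JSON object") }
	return claims, nil
}
```

The RS must obtain the AS public key out of band (for example from the AS metadata) and pin the expected algorithm, as the verifier here does, rather than accept whatever `alg` the token announces.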