
Sal, thanks for the valuable note from experience. One of the best things with the new JOSE-based approach that PoP is working towards is that the tokens can be self-contained and long-lived like in PKI or they can be short lived and referential, like is more common in OAuth. There's nothing stopping an OAuth token from acting like a certificate in many ways, you could even use OAuth to ship certificates around if you really wanted to, but the key is that OAuth is flexible for different deployments. There will always be a tradeoff between liveness and network efficiency, which we covered in the introspection RFC: https://tools.ietf.org/html/rfc7662#section-4 Some systems are hard-coded to one side of that tradeoff, but OAuth has been found to be able to live all over the spectrum.

-- Justin

On 12/1/2015 7:36 AM, Salvatore D'Agostino wrote:
There are benefits to this approach in enabling a number of use cases.
Justin, for what it is worth we designed and delivered systems to do access control that used signed tokens in the possession of clients that were able to access protected resources some years ago that map to most of the flows you show. We used PKI but JWTs are providing pretty much the same crypto capabilities.
The difference is that we allowed the signed key and the relationship they established between the protected resource and the authorization server to be long lived (e.g. not one time) and to cover more than a single resource (we actually established claims based on what you might consider a class or role; it does require the protected resource to have some understanding of this claim). By doing so we eliminated the need for the client authorization and introspection in times 2-(end of token life) in the cases where the protected resource was accessed on multiple occasions by a client.
Regards, Sal
-----Original Message-----
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Justin Richer
Sent: Monday, November 30, 2015 11:31 PM
To: Michael Schwartz
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
To be clear: That draft does not define proof of possession. That draft defines embedding a key inside of a JWT such that the protected resource can unpack the key at the far end. It’s one of several options, as shown in the diagram.
The rest of the PoP system is far from done and I would not tie any other recommendations to it. There is not a single implementation that I am aware of that goes end to end (yet).
— Justin
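As an added illustration of the point above (example code written for this thread, not code from the draft's authors, from Gluu, or from any UMA implementation): the Go program below has an authorization server embed the client's public key in the token as a cnf.jwk claim, and has the protected resource unpack that key from the token and check that the caller holds the matching private key. It assumes Ed25519 keys serialized as OKP JWKs and EdDSA-signed JWS, and it assumes a proof format (the client signs a nonce chosen by the resource server), which the draft deliberately leaves open; the issuer and audience URLs and the timestamp are constructed sample values. Because the resource server validates the token with the AS public key it already holds, no introspection round trip is needed, which is the self-contained end of the liveness/efficiency tradeoff mentioned earlier in the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url alphabet JOSE uses.
var b64 = base64.RawURLEncoding

// jwk is the subset of a JSON Web Key needed for an Ed25519 public key (RFC 8037).
type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
}

// claims is the access token body; cnf.jwk carries the client's public key.
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Cnf struct {
		Jwk jwk `json:"jwk"`
	} `json:"cnf"`
}

// signJWS builds a compact JWS (header.payload.signature) with alg "EdDSA".
func signJWS(payload []byte, priv ed25519.PrivateKey) string {
	header := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + b64.EncodeToString(sig)
}

// verifyJWS checks the header alg and the signature, then returns the payload.
func verifyJWS(token string, pub ed25519.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdr, &h); err != nil || h.Alg != "EdDSA" {
		return nil, errors.New("unexpected or missing alg") // never trust alg=none etc.
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad token signature")
	}
	return b64.DecodeString(parts[1])
}

// IssueToken is the authorization server side: bind the client's public key into
// the token as cnf.jwk and sign the whole token with the AS key.
func IssueToken(asPriv ed25519.PrivateKey, clientPub ed25519.PublicKey, now int64) string {
	var c claims
	c.Iss = "https://as.example" // constructed sample issuer
	c.Aud = "https://rs.example" // constructed sample resource server
	c.Exp = now + 3600
	c.Cnf.Jwk = jwk{Kty: "OKP", Crv: "Ed25519", X: b64.EncodeToString(clientPub)}
	body, _ := json.Marshal(c)
	return signJWS(body, asPriv)
}

// ProveToken is the client side. Signing an RS-chosen nonce is an assumed proof
// format for this example; the draft does not define the proof exchange.
func ProveToken(clientPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(clientPriv, nonce)
}

// AcceptRequest is the resource server side: validate the token locally with the
// AS public key (no introspection call), unpack cnf.jwk, and check the proof.
// The nonce must be fresh per request so a captured proof cannot be replayed.
func AcceptRequest(token string, proof, nonce []byte, asPub ed25519.PublicKey, now int64) error {
	payload, err := verifyJWS(token, asPub)
	if err != nil {
		return err
	}
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if c.Exp <= now {
		return errors.New("token expired")
	}
	if c.Aud != "https://rs.example" {
		return errors.New("wrong audience")
	}
	if c.Cnf.Jwk.Kty != "OKP" || c.Cnf.Jwk.Crv != "Ed25519" {
		return errors.New("unsupported cnf key type")
	}
	x, err := b64.DecodeString(c.Cnf.Jwk.X)
	if err != nil || len(x) != ed25519.PublicKeySize {
		return errors.New("malformed cnf key")
	}
	if !ed25519.Verify(ed25519.PublicKey(x), nonce, proof) {
		return errors.New("proof of possession failed")
	}
	return nil
}

func main() {
	asPub, asPriv, _ := ed25519.GenerateKey(rand.Reader)
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := int64(1448930000) // constructed timestamp
	tok := IssueToken(asPriv, clientPub, now)
	nonce := []byte("rs-challenge-1") // constructed; must be fresh per request
	fmt.Println("holder of bound key:", AcceptRequest(tok, ProveToken(clientPriv, nonce), nonce, asPub, now))
	fmt.Println("token without key:  ", AcceptRequest(tok, ProveToken(otherPriv, nonce), nonce, asPub, now))
}
```

The second call in main shows the property the cnf claim buys: a bearer who has copied the token but not the bound private key is rejected by the resource server, whereas a plain bearer token would have been accepted. The same structure works with a referential (short-lived, introspected) token; only the signature check in verifyJWS would be replaced by an introspection call that returns the cnf claim.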
On Nov 30, 2015, at 11:11 PM, Mike Schwartz <mike@gluu.org> wrote:
UMA WG,
This draft for proof of possession is getting pretty far along: https://datatracker.ietf.org/doc/draft-ietf-oauth-proof-of-possession/
Justin did this nice web sequence diagram: http://gluu.co/oauth-pop-websequence
My question is... do you think we should recommend proof of possession tokens for the RPT?
- Mike
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike@gluu.org
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma