oauth-wg / oauth-identity-chaining

Draft specification for Identity Chaining
https://drafts.oauth.net/oauth-identity-chaining/draft-ietf-oauth-identity-chaining.html

authorization grant type can't be the same as the issued token type #61

Closed aaronpk closed 10 months ago

aaronpk commented 1 year ago

Section 2.4.3 says this:

The issued_token_type parameter in the response indicates the type and SHOULD be passed into the assertion request.

However, if the authorization grant is a JWT (which it always should be, but see #45 for details), then RFC7523 defines the grant type of the request to be:

urn:ietf:params:oauth:grant-type:jwt-bearer

The other implication of this is that the only way to distinguish the type of JWT assertion is in the JWT itself, which can be done using the typ field in the JWT header.

bc-pi commented 1 year ago

Per RFC8693 issued_token_type is an "identifier [...] for the representation of the issued security token" and I think it's admittedly a bit odd but perfectly reasonable to use the URN of the grant type that the token is intended for as the value conveying the representation of that token.

bc-pi commented 1 year ago

With that said however, I do kinda think that it'd be better to limit to JWT authz grant only (a la #45) and not tie the issued_token_type to the grant type.

aaronpk commented 10 months ago

My point was more about the grant type of the request as described by RFC7523.

To use a Bearer JWT as an authorization grant, the client uses an access token request as defined in Section 4 of the OAuth Assertion Framework [RFC7521] with the following specific parameter values and encodings.

The value of the "grant_type" is "urn:ietf:params:oauth:grant-type:jwt-bearer".

So if the request contains a JWT, then the grant type value has to be urn:ietf:params:oauth:grant-type:jwt-bearer. Which means according to Section 2.4.3 of this spec the issued_token_type "SHOULD" be urn:ietf:params:oauth:grant-type:jwt-bearer, which is silly.

So my proposal is to remove the "and SHOULD be passed into the assertion request" part, so that issued_token_type can be a value that makes sense, and use urn:ietf:params:oauth:grant-type:jwt-bearer as the grant type. As I said in the original comment, the implication is then that the JWT header itself would need to include something that indicates the type of JWT it is, otherwise all token exchange requests look the same.

bc-pi commented 10 months ago

I might argue that it's not actually silly but I won't b/c it'll be moot as PR #72 addresses this with the removal of the "issued_token_type parameter in the response indicates the type and SHOULD be passed into the assertion request" https://github.com/oauth-wg/oauth-identity-chaining/pull/72/files#diff-e5caa2dbf96b2e1e809b4a7c4197220c2a302ecd0b0d9c4a5c47968d6e8c94b7L171
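The mismatch this thread describes, as an added example that is not code from the issue, the draft, or the RFCs: an RFC 8693 token exchange response carrying issued_token_type, the follow-on assertion request whose grant_type RFC 7523 pins to the jwt-bearer URN regardless of that value, and an authorization-server-side check that verifies the assertion and reads the JWT header typ, since that header is the only thing that tells grant JWTs apart. The HS256 key, the claims, and the typ value example-authz-grant+jwt are constructed placeholders (the typ value is not taken from the draft).

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"   # RFC 7523 grant type
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"      # RFC 8693 issued_token_type
KEY = b"constructed-demo-key"  # placeholder HS256 key, not a real secret

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(header: dict, claims: dict) -> str:
    """Mint a compact HS256 JWT; 'typ' in the header is what marks the JWT's purpose."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def token_exchange_response(grant_jwt: str) -> dict:
    """RFC 8693 response: issued_token_type describes the token's representation (a JWT)."""
    return {"access_token": grant_jwt, "issued_token_type": TOKEN_TYPE_JWT, "token_type": "N_A"}

def assertion_request(exchange_resp: dict) -> str:
    """RFC 7523 sec. 2.1: grant_type is fixed, whatever issued_token_type said."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": exchange_resp["access_token"]})

def parse_form(body: str) -> dict:
    return {k: v[0] for k, v in parse_qs(body).items()}

def verify_jwt(jwt: str) -> bool:
    head, payload, sig = jwt.split(".")
    expected = hmac.new(KEY, f"{head}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def classify_assertion(body: str) -> str:
    """Without a header 'typ', every jwt-bearer request looks identical to the AS."""
    params = parse_form(body)
    if params.get("grant_type") != JWT_BEARER:
        return "not-jwt-bearer"
    assertion = params.get("assertion", "")
    if assertion.count(".") != 2 or not verify_jwt(assertion):
        return "invalid"
    return json.loads(b64url_decode(assertion.split(".")[0])).get("typ", "JWT")
```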