forked from jricher/oauth-spec
-
Notifications
You must be signed in to change notification settings - Fork 0
/
draft-richer-oauth-introspection.xml
273 lines (222 loc) · 11 KB
/
draft-richer-oauth-introspection.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-richer-oauth-introspection-04"
ipr="trust200902">
<front>
<title abbrev="oauth-introspection">OAuth Token Introspection</title>
<author fullname="Justin Richer" initials="J." role="editor"
surname="Richer">
<organization>The MITRE Corporation</organization>
<address>
<email>[email protected]</email>
</address>
</author>
<date day="1" month="May" year="2013"/>
<area>Security</area>
<workgroup>OAuth Working Group</workgroup>
<abstract>
<t>This specification defines a method for a client or protected
resource to query an OAuth authorization server to determine
meta-information about an OAuth token.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>In OAuth, the contents of tokens are opaque to clients. This means
that the client does not need to know anything about the content or
structure of the token itself, if there is any. However, there is still
a large amount of metadata that may be attached to a token, such as its
current validity, approved scopes, and extra information about the
authentication context in which the token was issued. These pieces of
information are often vital to Protected Resources making authorization
decisions based on the tokens being presented. Since OAuth2 defines no
direct relationship between the Authorization Server and the Protected
Resource, only that they must have an agreement on the tokens
themselves, there have been many different approaches to bridging this
gap.</t>
<t>This specification defines an Introspection Endpoint that allows the
holder of a token to query the Authorization Server to discover the set
of metadata for a token. A Protected Resource may use the mechanism
described in this draft to query the Introspection Endpoint in a
particular authorization decision context and ascertain the relevant
metadata about the token in order to make this authorization decision
appropriately.</t>
</section>
<section title="Introspection Endpoint">
<t hangText="instance_name">The Introspection Endpoint is an OAuth 2
Endpoint that responds to HTTP POST requests (and optionally HTTP GET
requests) from token holders, particularly including Resource Servers
and Clients. The endpoint takes a single parameter representing the
token (and optionally further authentication) and returns a JSON
document representing the meta information surrounding the token.</t>
<t hangText="instance_name">The endpoint MUST be protected by TLS or
equivalent.</t>
<section title="Introspection Request">
<t hangText="instance_name"><list style="hanging">
<t hangText="token">REQUIRED. The string value of the token.</t>
<t hangText="resource_id">OPTIONAL. A service-specific string
identifying the resource that the client doing the introspection
is asking about.</t>
<t hangText="token_type_hint">OPTIONAL. A hint about the type of
the token submitted for revocation. Clients MAY pass this
parameter in order to help the authorization server to optimize
the token lookup. If the server is unable to locate the token
using the given hint, it MUST extend its search accross all of its
supported token types. An authorization server MAY ignore this
parameter, particularly if it is able to detect the token type
automatically. Values for this field are defined in <xref
target="Revocation">OAuth Token Revocation</xref>.</t>
</list></t>
<t hangText="instance_name">The endpoint MAY allow other parameters to
provide context to the query. For instance, an authorization service
may need to know the IP address of the Client in order to determine
the appropriateness of the token being presented.</t>
<t hangText="instance_name">The endpoint SHOULD also require some form
of authentication to access this endpoint, such as the Client
Authentication as described in <xref target="RFC6749">OAuth 2 Core
Specification</xref> or a separate OAuth 2.0 Access Token. The methods
of managing and validating these authentication credentials are out of
scope of this specification.</t>
</section>
<section title="Introspection Response">
<t>The server responds with a <xref target="RFC4627">JSON
object</xref> in <spanx style="verb">application/json</spanx> format
with the following top-level members. Specific implementations MAY
extend this structure with their own service-specific pieces of
information.</t>
<t><list style="hanging">
<t hangText="active">REQUIRED. Boolean indicator of whether or not
the presented token is currently active.</t>
<t hangText="exp">OPTIONAL. Integer timestamp, measured in the
number of seconds since January 1 1970 UTC, indicating when this
token will expire.</t>
<t hangText="iat">OPTIONAL. Integer timestamp, measured in the
number of seconds since January 1 1970 UTC, indicating when this
token was originally issued.</t>
<t hangText="scope">OPTIONAL. A space-separated list of strings
representing the scopes associated with this token, in the format
described in Section 3.3 of <xref target="RFC6749">OAuth
2.0</xref>.</t>
<t hangText="client_id">OPTIONAL. Client Identifier for the OAuth
Client that requested this token.</t>
<t hangText="sub">OPTIONAL. Local identifier of the Resource Owner
who authorized this token.</t>
<t hangText="aud">OPTIONAL. Service-specific string identifier or
list of string identifiers representing the intended audience for
this token.</t>
<t hangText="token_type">OPTIONAL. Type of the token as defined in
OAuth 2.0 section 5.1.</t>
</list></t>
</section>
<section title="Non-normative Example">
<t hangText="instance_name">For example, a Protected Resource accepts
a request from a Client carrying an OAuth2 Bearer Token. In order to
know how and whether to serve the request, the Protected Resource then
makes the following request to the Introspection Endpoint of the
Authorization Server. The Protected Resource is here authenticating
with its own Client ID and Client Secret as per <xref
target="RFC6749">OAuth2</xref> Section 2.3.1.</t>
<figure>
<preamble>Following is a non-normative example request (with line
wraps for display purposes only):</preamble>
<artwork><![CDATA[POST /register HTTP/1.1
Accept: application/x-www-form-urlencoded
Host: server.example.com
Authorization: Basic czZCaGRSa3F0Mzo3RmpmcDBaQnIxS3REUmJuZlZkbUl3
token=X3241Affw.4233-99JXJ
]]></artwork>
</figure>
<t>The Authorization Server validates the client credentials and looks
up the information in the token. If the token is currently active, it
returns the following JSON document.</t>
<figure>
<preamble>Following is a non-normative example active token response
(with line wraps for display purposes only):</preamble>
<artwork><![CDATA[HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"active": true,
"client_id":"s6BhdRkqt3",
"scope": "read write dolphin",
"sub": "2309fj32kl",
"aud": "http://example.org/protected-resource/*"
}]]></artwork>
</figure>
<t/>
<t>If the token presented is not currently active (but the
authentication presented is valid), it returns the following JSON
document.</t>
<figure>
<preamble>Following is a non-normative example response to an
inactive or invalid token (with line wraps for display purposes
only):</preamble>
<artwork><![CDATA[HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"active": false
}]]></artwork>
</figure>
<t/>
<t>If the client credentials are invalid or there is another error,
the Authorization Server responds with an HTTP 400 (Bad Request) as
described in <xref target="RFC6749">OAuth 2.0 section 5.2</xref>.</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This document makes no request of IANA.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>If left unprotected and un-throttled, the Introspection Endpoint
could present a means for an attacker to poll a series of possible token
values, fishing for a valid token. Therefore, the Authorization Server
SHOULD issue special client credentials to any protected resources or
clients that need to access the introspection endpoint. These
credentials may be used directly at the endpoint, or they may be
exchanged for an OAuth2 Access token scoped specifically for the
Introspection Endpoint.</t>
<t>Since the introspection endpoint takes in OAuth 2 tokens as
parameters, it MUST be protected by TLS or equivalent. A server MAY
require an HTTP POST method only to the endpoint.</t>
</section>
<section title="Acknowledgements">
<t>Thanks to the OAuth Working Group and the UMA Working Group for
feedback.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml'?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.6749.xml'?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.6750.xml'?>
<?rfc include='http://xml.resource.org/public/rfc/bibxml/reference.RFC.4627.xml'?>
<reference anchor="Revocation">
<front>
<title>OAuth Token Revocation</title>
<author fullname="Torsten Lodderstedt" initials="T."
surname="Lodderstedt">
<organization>Deutsche Telekom AG</organization>
</author>
<date day="15" month="April" year="2013"/>
</front>
</reference>
</references>
</back>
</rfc>