You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-oauth-identity-assertion-authz-grant.md
+150Lines changed: 150 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -47,6 +47,8 @@ normative:
47
47
RFC8693:
48
48
RFC8707:
49
49
RFC8725:
50
+
RFC7800:
51
+
RFC9449:
50
52
I-D.ietf-oauth-identity-chaining:
51
53
IANA.media-types:
52
54
IANA.oauth-parameters:
@@ -79,6 +81,7 @@ informative:
79
81
RFC9470:
80
82
RFC9728:
81
83
I-D.ietf-oauth-client-id-metadata-document:
84
+
I-D.parecki-oauth-jwt-dpop-grant:
82
85
83
86
--- abstract
84
87
@@ -543,6 +546,153 @@ TBD: It may make more sense to request the Identity Assertion JWT Authorization
543
546
544
547
This specification is intended for cross-domain uses where the Client, Resource App, and Identity Provider are all in different trust domains. In particular, the Identity Provider MUST NOT issue access tokens in response to an ID-JAG it issued itself. Doing so could lead to unintentional broadening of the scope of authorization.
545
548
549
+
## Sender Constraining Tokens
550
+
551
+
### Proof-of-Possession
552
+
553
+
Identity Assertion JWT Authorization Grant may support key binding to enable sender-constrained tokens as described in {{Section 4 of I-D.ietf-oauth-identity-chaining}} and {{I-D.parecki-oauth-jwt-dpop-grant}}. This provides additional security by binding tokens to a specific cryptographic key, preventing reuse by parties that do not have access to the private key.
554
+
555
+
Proof-of-possession is demonstrated by the client presenting a DPoP proof JWT (as defined in {{RFC9449}}) in a `DPoP` HTTP header. The DPoP proof demonstrates that the client possesses the private key corresponding to a public key. This public key can be bound to tokens, ensuring that only the holder of the private key can use those tokens.
556
+
557
+
The `cnf` (confirmation) claim, as defined in {{RFC7800}}, is used to bind a public key to a JWT. When an ID-JAG contains a `cnf` claim with a `jwk` property, it indicates that the ID-JAG is bound to that specific public key, and proof of possession of the corresponding private key MUST be demonstrated when using the ID-JAG.
558
+
559
+
The following sections describe the processing rules for proof-of-possession at two stages: during the Token Exchange (when requesting an ID-JAG from the IdP) and during the ID-JAG exchange (when exchanging the ID-JAG for an access token at the Resource Authorization Server).
560
+
561
+
#### Proof-of-Possession During Token Exchange
562
+
563
+
When a client requests an ID-JAG from the IdP Authorization Server via Token Exchange, the client MAY include a DPoP proof in the request. This demonstrates possession of a key that can be bound to the ID-JAG.
564
+
565
+
The client generates a key pair and includes a DPoP proof JWT in the `DPoP` header of the Token Exchange request:
The IdP Authorization Server processes the request as follows:
581
+
582
+
1. If a DPoP proof is present, the IdP MUST validate it according to {{Section 4 of RFC9449}}. The `htm` claim MUST be `POST`, and the `htu` claim MUST match the token endpoint URL.
583
+
584
+
2. If the DPoP proof is valid, the IdP MAY include a `cnf` claim in the issued ID-JAG containing the public key from the DPoP proof's `jwk` header parameter. The `cnf` claim format follows {{RFC7800}}:
3. The token exchange response does not indicate whether key binding was performed (since `token_type` is fixed to `N_A`). The client must inspect the ID-JAG to determine if a `cnf` claim is present.
607
+
608
+
4. If no DPoP proof is presented, the IdP issues an ID-JAG without a `cnf` claim.
609
+
610
+
#### Proof-of-Possession During ID-JAG Exchange
611
+
612
+
When a client exchanges an ID-JAG for an access token at the Resource Authorization Server, the processing rules depend on whether the ID-JAG contains a `cnf` claim and whether the client presents a DPoP proof.
613
+
614
+
##### ID-JAG Contains `cnf` Claim and DPoP Proof is Presented
615
+
616
+
If the ID-JAG contains a `cnf` claim and the client presents a DPoP proof, the Resource Authorization Server MUST:
617
+
618
+
1. Validate the DPoP proof according to {{Section 4 of RFC9449}}.
619
+
620
+
2. Extract the public key from the `jwk` header parameter of the DPoP proof.
621
+
622
+
3. Extract the public key from the `jwk` property of the `cnf` claim in the ID-JAG.
623
+
624
+
4. Compare the two public keys. They MUST match exactly. If they do not match, the request MUST fail with an `invalid_grant` error.
625
+
626
+
5. If the keys match, the Resource Authorization Server MAY issue a sender-constrained access token (e.g., a DPoP-bound token) per the Resource Server configuration. The issued access token SHOULD be bound to the same key.
Example successful response with DPoP-bound token:
639
+
640
+
HTTP/1.1 200 OK
641
+
Content-Type: application/json;charset=UTF-8
642
+
Cache-Control: no-store
643
+
Pragma: no-cache
644
+
645
+
{
646
+
"token_type": "DPoP",
647
+
"access_token": "2YotnFZFEjr1zCsicMWpAA",
648
+
"expires_in": 86400,
649
+
"scope": "chat.read chat.history"
650
+
}
651
+
652
+
##### ID-JAG Contains `cnf` Claim but DPoP Proof is Not Presented
653
+
654
+
If the ID-JAG contains a `cnf` claim but the client does not present a DPoP proof, the Resource Authorization Server MUST reject the request with an `invalid_grant` error, as the ID-JAG requires proof of possession.
655
+
656
+
Example error response:
657
+
658
+
HTTP/1.1 400 Bad Request
659
+
Content-Type: application/json
660
+
Cache-Control: no-store
661
+
662
+
{
663
+
"error": "invalid_grant",
664
+
"error_description": "Proof of possession required for this authorization grant"
665
+
}
666
+
667
+
##### ID-JAG Does Not Contain `cnf` Claim and DPoP Proof is Presented
668
+
669
+
If the ID-JAG does not contain a `cnf` claim but the client presents a DPoP proof, the Resource Authorization Server:
670
+
671
+
1. MUST validate the DPoP proof according to {{Section 4 of RFC9449}}.
672
+
673
+
2. MAY issue a sender-constrained access token (e.g., a DPoP-bound token) per the Resource Server configuration at the Authorization Server, binding the access token to the key demonstrated in the DPoP proof.
674
+
675
+
3. The access token response will indicate the token type (e.g., `DPoP` for DPoP-bound tokens, or `Bearer` for unconstrained tokens).
676
+
677
+
##### ID-JAG Does Not Contain `cnf` Claim and DPoP Proof is Not Presented
678
+
679
+
If the ID-JAG does not contain a `cnf` claim and the client does not present a DPoP proof:
680
+
681
+
1. The Resource Authorization Server MAY issue an unconstrained Bearer token.
682
+
683
+
2. However, if the Resource Server configuration at the Authorization Server requires constrained tokens for that Resource Server, the request MUST fail with an `invalid_grant` error.
684
+
685
+
Example error response when constrained tokens are required:
686
+
687
+
HTTP/1.1 400 Bad Request
688
+
Content-Type: application/json
689
+
Cache-Control: no-store
690
+
691
+
{
692
+
"error": "invalid_grant",
693
+
"error_description": "Sender-constrained tokens required for this resource server"
0 commit comments