Support introspection of ID tokens #410
Comments
|
Is there an open standard to this? I don't quite remember but I think some OpenID Connect spec was covering this. Maybe it would make sense to go down that road? The okta solution seems to be "proprietary" to their API. |
|
So rfc7662 just covers access and refresh tokens, others are out of the scope. But it is dealing only with OAuth anyway. I could not find anything about ID token introspection in OpenID Connect specs. But that is a bit strange, given that OIDC adds a new token type. So not sure what to do about this. |
|
The rationale is that there is no need to do introspection if the token is not opaque and you have access to the keys. This seems to be really dependent on the provider, Google has the tokeninfo endpoint for that which doesn't follow any IETF or OID convention. |
|
For my use case, it is more about validation than introspection. One can always decode it, but to check if token was not revoked, you have to call introspection endpoint, no? So it is about trusting the authorization server to do the validation instead of you doing it locally. For some use cases where you do not care so much about extra round trip time, this might be OK. See also this spec. This is not exactly the same thing as we are discussing here, but has some of similar rationale for it:
This is similar to what I am thinking. I want the server to tell me that everything is OK. That it is not the client making this decision, which might have the clock wrong (on purpose or by mistake) to have token expiration badly checked. And client cannot check that the token was revoked. Is there any other endpoint to check if an ID token has been revoked? |
ID Tokens can not be revoked. They are proof that someone logged in and is who they say they are with a timestamp of when that happened. ID Tokens do not establish a shared "login" session between the RP and OP. |
|
You are right. There is whole set of other specs about session management and ways to logout. In fact, checking with |
|
Yup - so I take it this can be closed then? |
|
I mean, I would still like to have this in, like Okta does, so that one can call it to verify the token, like I wrote above:
It is true that this does not check for revocation, as you cannot revoke ID tokens, as you explained to me. But the rest, that you can offload token validation to server, I find it still useful. (For example, I use Kong and have a Kong plugin, so if I can just call my server to validate the token it seems much easier than encoding token validation in the plugin.) |
|
The core problem I see is that the OAuth2 Token Introspection spec is targeted at Resource Servers. So when a Resource Server receives a token, it checks against the Authorization Server if the token is (still) valid and what its payload is. The payload is typical internal session state and might contain things like roles, permissions, and so on. Because this stuff is "internal" and confidential in 99% of use cases, Introspection is typically not exposed to the outside world. For me at least I don't know any big OAuth2 Providers (not talking about IDaaS like Auth0) where this is implemented according to spec. Some providers do have a check token endpoint though. That's why Hydra exposes this endpoint at the Admin API only! However, ID Tokens are external readable state (per definition because JWT). It therefore - for me - contradicts what OAuth2 Token Introspection solves and may confuse people into exposing the OAuth2 Token Introspection to the outside world. Keep in mind that the Access Token is something that's only useful on the Resource Server side. The client doesn't really care what it's content is as long as it gives access to something. This is different from what an ID Token represents. I think Google has an endpoint to decode/verify ID Tokens - maybe they follow some spec? |
|
You are right, they have tokeninfo endpoint. It is mentioned here as well. That looks to me like introspect endpoint in fact, like what I am requesting here, if I just open https://oauth2.googleapis.com/tokeninfo I get: But I do not see any standard being referenced anywhere. It just returns parsed ID token it seems (if validated). Thanks for explaining more here though. I completely agree with everything you wrote. I see this really just as a debug tool and something one can quickly use to make sure things work. Calling this endpoint on regular basis is unnecessary load anyway. |
Sorry, after rereading your comment I realized that I forgot about my initial motivation behind this issue and focused on my current motivation (frontend development). I have currently addressed this need by in meantime implementing my own handler which does something similar, so I forgot about that. So the reason why I opened this issue in the first place was in fact for this "internal" use. Our frontend obtains ID token for the user, when user signs-in, and then we pass that ID token in In addition to this use case, I think it is useful for debugging by clients/frontend, as I described above. |
|
I am aware that we could also obtain access token, but ID token has some useful information (like subject) in JWT which then allows us to just map the token without additional database query. |
|
I thought about this more and I think this is very dangerous. An ID Token is fundamentally different from an access token. The former can not be revoked while the latter can (in real time). The former is proof of authentication, the latter proof of authorization. The introspection spec does not return the concrete token type (only This is already problematic for |
Unless the latter is JWT as well and use use stateless introspection. Which we do support. (With a big warning.)
I think this just shows that if you are using introspection endpoint to validate tokens (to check if they should be accepted) then you should also pass So my proposal would be:
|
This is problematic because |
|
Same holds for current |
|
(For everyone reading this, see also this thread for initial discussion before it was moved here.) |
|
I am marking this issue as stale as it has not received any engagement from the community or maintainers in over half a year. That does not imply that the issue has no merit! If you feel strongly about this issue
We are cleaning up issues every now and then, primarily to keep the 4000+ issues in our backlog in check and to prevent maintainer burnout. Burnout in open source maintainership is a widespread and serious issue. It can lead to severe personal and health issues as well as enabling catastrophic attack vectors. Thank you for your understanding and to anyone who participated in the issue! 🙏✌️ If you feel strongly about this issues and have ideas on resolving it, please comment. Otherwise it will be closed in 30 days! |
github-actions
bot
added
the
stale
|
So I am still interested in this, but there was no conclusion if this should be implemented. See my proposal above. |
|
I re-read the points and still stand by my initial comment. Introspection is very clearly defined as:
That, by definition, excludes ID Tokens for the already mentioned issues. I think the userinfo endpoint might be able to handle this iirc. |
|
So are you then planing to remove Also, I would like to point out that it says:
Not OpenID Connect token, but any OAuth 2.0 token, ID tokens are OAuth 2.0 tokens, no? So to determine if it is active and determine meta-information about the token, you should be able to use introspection endpoint? |
|
There is a difference between doing something dangerous (using proof of authentication in the context of protected resources which need proof of authorization) and adding convenience features (token is only valid if it also has this scope).
OpenID Connect ID Tokens are for sure no OAuth2 tokens and they have a totally different intent and meaning.
|
|
Thank you for replying here. I will try my last time to explain why I think my proposal is a good change and what exactly is my proposal, because it has evolved since the initial description of the issue. My current proposal is: Introspection endpoint gets an optional This addresses few issues:
To me it follows (and we might disagree here) that:
So the original topic of this issue would be in my view opt-in, if you pass In my view, |
|
Thank you for the explanation, I understand your proposal better now. I do agree with your idea that it improves the approach as you need to provide the audience, which makes the check explicit. But I disagree that the ID token‘s purpose is aligning with the definition of introspection:
So this proposal contradicts several pieces of the specification in my understanding, regardless of how we work around it. And true, for JWT strategies this is an issue and also why we discourage use of JWTs for access tokens! We should anyhow add something like |
|
Should I open another issue for adding And I hear you what you say about a strict interpretation of the spec. But I think what I am asking for is a logical extrapolation, because the spec you are citing is OAuth spec and not OpenID Connect spec. Which is also one many other implementations do:
Anyway, I said I will not drill here more so I am stopping. :-) |
or even a PR! :)
I think Google's approach makes sense as that endpoint is there solely for ID Token introspection! I looked through the specs because It hought |
|
BTW, OpenID Connect working group aligns with your perspective: https://bitbucket.org/openid/connect/issues/1350/support-for-id-tokens-in-introspection |
|
Thank you for following up! |
Is your feature request related to a problem? Please describe.
It looks like introspection of ID tokens does not work through the introspect handler?
Describe the solution you'd like
That it does.
Describe alternatives you've considered
I could validate ID tokens locally by myself, but it is also useful to have an API endpoint to do so.
Additional context
Okta does so: https://developer.okta.com/docs/reference/api/oidc/
The text was updated successfully, but these errors were encountered: