Complexity of Access Token Privileges Introduced by Grant Management

Introduction

RFC 8707 Resource Indicators for OAuth 2.0 (published in February 2021) introduced the resource parameter in order to tie “resources” to an access token as its audience.

Combinedly or Independently?

An access token generated by an authorization request that includes scope=read and resource=https://rs.example.com/r1 will hold information as shown below.

"scope": "read",
"aud": [ "https://rs.example.com/r1" ],

Introspection Response Format

The following is an example of a series of authorization requests with grant management.

  1. Input (authorization request): grant_management_action=update & scope=s2 & resource=https://rs.example.com/r2 & grant_id=g1 / Output (token response): grant_id=g1 & access_token=a2
{
  "scopes": [
    { "scope":"s1", "resource":["https://rs.example.com/r1"] },
    { "scope":"s2", "resource":["https://rs.example.com/r2"] }
  ]
}

"scope": "s1 s2",
"aud": [
  "https://rs.example.com/r1",
  "https://rs.example.com/r2"
]

"scope": "s2",
"aud": [ "https://rs.example.com/r2" ],
"grant": [
  { "scope":"s1", "resource":["https://rs.example.com/r1"] }
]
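As an added illustration that is not part of the original post, the Python below models grant g1 (scope s1 bound to r1, then s2 bound to r2 via an update) and compares what a resource server can conclude from the flattened "scope"/"aud" shape with what it can conclude from the paired "scopes" shape. The helper names and the constructed grant are assumptions made for the example.

```python
from itertools import product

# Constructed grant g1 as the page describes it: s1 was bound to r1 by the
# initial request, then grant_management_action=update added s2 bound to r2.
GRANT_G1 = [
    {"scope": "s1", "resource": ["https://rs.example.com/r1"]},
    {"scope": "s2", "resource": ["https://rs.example.com/r2"]},
]

def apply_update(grant, scope, resource):
    """Model grant_management_action=update: the new (scope, resource) pair is
    appended to the existing grant rather than replacing it."""
    return grant + [{"scope": scope, "resource": [resource]}]

def flatten(grant):
    """Flattened introspection shape ("scope" + "aud"): the pairing is lost."""
    scopes = sorted({e["scope"] for e in grant})
    auds = sorted({r for e in grant for r in e["resource"]})
    return {"scope": " ".join(scopes), "aud": auds}

def paired(grant):
    """Paired introspection shape ("scopes" array): each scope keeps its resources."""
    return {"scopes": [{"scope": e["scope"], "resource": list(e["resource"])}
                       for e in grant]}

def allowed_flat(info, scope, resource):
    """All a resource server can check with the flattened shape."""
    return scope in info["scope"].split() and resource in info["aud"]

def allowed_paired(info, scope, resource):
    """What a resource server can check with the paired shape."""
    return any(e["scope"] == scope and resource in e["resource"]
               for e in info["scopes"])

def over_granted_pairs(grant):
    """(scope, resource) combinations the flattened shape implies although
    the grant never contained them; non-empty means least privilege is lost."""
    flat, pair = flatten(grant), paired(grant)
    return sorted((s, r) for s, r in product(flat["scope"].split(), flat["aud"])
                  if allowed_flat(flat, s, r) and not allowed_paired(pair, s, r))

if __name__ == "__main__":
    g1 = apply_update([GRANT_G1[0]], "s2", "https://rs.example.com/r2")
    print(flatten(g1))
    print(over_granted_pairs(g1))
```

For g1 the flattened shape lets a resource server accept s2 on r1 and s1 on r2, neither of which the user ever granted.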

Token Response Format

The token response format will encounter a similar problem because privileges accumulated by grant_management_action=update cannot be expressed by the scope response parameter.

  1. Give up embedding information about the inherited privileges in a token response and recommend use of the grant management API.

JWT Access Token Format

The JWT access token format (draft-ietf-oauth-access-token-jwt) will also have to deal with the same issue in order to support Grant Management.

Discussion

This topic is discussed in the Financial-grade API Working Group of the OpenID Foundation as an issue of Grant Management. Visit “FAPI Issue 455: Impact of grant_management_action=update on AT implementation and introspection” if you are interested.

Co-founder and representative director of Authlete, Inc., working as a software engineer since 1997. https://www.authlete.com/