
Validate `/introspect` with RS key instead of client key

Open njlie opened this issue 3 years ago • 3 comments

Bind the RS to the AS in some way, then use that binding to determine if the key submitted in the request belongs to said RS and then validate the signature that was also provided.

njlie avatar Aug 25 '22 15:08 njlie

https://datatracker.ietf.org/doc/html/draft-ietf-gnap-resource-servers#section-3.2

The AS MAY require an RS to pre-register its keys or could allow calls from arbitrary keys in a trust-on-first-use model.

wilsonianb avatar Aug 29 '22 13:08 wilsonianb

It sounds like the RS registering resource sets with the AS can serve as a method of pre-registration? https://datatracker.ietf.org/doc/html/draft-ietf-gnap-resource-servers#section-3.4

The request includes:

resource_server (string or object): REQUIRED. The identification used to authenticate the resource server making this call, either by value or by reference as described in Section 3.2.

and the response includes:

instance_id (string): OPTIONAL. An instance identifier that the RS can use to refer to itself in future calls to the AS, in lieu of sending its key by value.

wilsonianb avatar Aug 29 '22 13:08 wilsonianb

This will now only be necessary for auth servers configured to perform httpsig validation on token introspection requests:

  • https://github.com/interledger/rafiki/pull/579

wilsonianb avatar Aug 31 '22 15:08 wilsonianb
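The AS-side check this thread converges on, written out as an added example that is not rafiki's code: resolve the verification key from the RS registration (an `instance_id` reference, or a key by value only when the AS allows trust-on-first-use), then verify the `/introspect` request signature with that key instead of the client's. Assumptions: Ed25519 keys, the signature covers the raw request body rather than a full HTTP Message Signatures base, and the `validateHttpSig` / `allowTrustOnFirstUse` flags are stand-ins for the per-AS configuration the pull request above describes.

```typescript
import * as crypto from "node:crypto";

// resource_server by reference (instance_id) or by value (key); simplified from the GNAP RS draft
type ResourceServerRef = string | { key: { jwk: crypto.JsonWebKey } };
interface IntrospectRequest { access_token: string; resource_server: ResourceServerRef; }
interface AsConfig { validateHttpSig: boolean; allowTrustOnFirstUse: boolean; } // assumed flags

// Keys pre-registered when the RS registered its resource sets, keyed by instance_id (constructed)
const rsRegistry = new Map<string, crypto.KeyObject>();

function registerResourceServer(instanceId: string, publicJwk: crypto.JsonWebKey): void {
  rsRegistry.set(instanceId, crypto.createPublicKey({ key: publicJwk, format: "jwk" }));
}

// The binding: the verification key comes from the RS registration, never from the token's client
function resolveRsKey(ref: ResourceServerRef, cfg: AsConfig): crypto.KeyObject | undefined {
  if (typeof ref === "string") return rsRegistry.get(ref); // by reference: must be pre-registered
  if (!cfg.allowTrustOnFirstUse) return undefined;         // by value: only in the TOFU model
  return crypto.createPublicKey({ key: ref.key.jwk, format: "jwk" });
}

// Simplified: the signature covers the raw body; real httpsig covers a signature base of components
function verifyIntrospectRequest(body: string, signature: Buffer, cfg: AsConfig): boolean {
  if (!cfg.validateHttpSig) return true; // AS not configured for httpsig on /introspect
  const req = JSON.parse(body) as IntrospectRequest;
  const key = resolveRsKey(req.resource_server, cfg);
  if (!key) return false;
  return crypto.verify(null, Buffer.from(body), key, signature);
}

// Constructed demo: one registered RS, one unrelated client whose key must not be accepted
const rs = crypto.generateKeyPairSync("ed25519");
const client = crypto.generateKeyPairSync("ed25519");
const rsJwk = rs.publicKey.export({ format: "jwk" });
registerResourceServer("rs-1", rsJwk);
const strict: AsConfig = { validateHttpSig: true, allowTrustOnFirstUse: false };
const tofu: AsConfig = { validateHttpSig: true, allowTrustOnFirstUse: true };
const byRef = JSON.stringify({ access_token: "tok", resource_server: "rs-1" });
const byValue = JSON.stringify({ access_token: "tok", resource_server: { key: { jwk: rsJwk } } });
const signWith = (body: string, k: crypto.KeyObject) => crypto.sign(null, Buffer.from(body), k);

function demo() {
  return {
    rsSigned: verifyIntrospectRequest(byRef, signWith(byRef, rs.privateKey), strict),          // true
    clientSigned: verifyIntrospectRequest(byRef, signWith(byRef, client.privateKey), strict),  // false
    byValueStrict: verifyIntrospectRequest(byValue, signWith(byValue, rs.privateKey), strict), // false
    byValueTofu: verifyIntrospectRequest(byValue, signWith(byValue, rs.privateKey), tofu),     // true
  };
}
console.log(demo());
```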

Closing as a consequence of the reasoning in https://github.com/interledger/rafiki/issues/576.

Closing for now due to AS-RS being in a trusted zone

njlie avatar Sep 26 '22 17:09 njlie