IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Neil Madden <neil.madden@forgerock.com> Fri, 11 January 2019 10:32 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE02912D7EA for <oauth@ietfa.amsl.com>; Fri, 11 Jan 2019 02:32:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U5Bvy6J4PLFz for <oauth@ietfa.amsl.com>; Fri, 11 Jan 2019 02:32:21 -0800 (PST)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DC1712872C for <oauth@ietf.org>; Fri, 11 Jan 2019 02:32:20 -0800 (PST)
Received: by mail-wr1-x429.google.com with SMTP id q18so14581240wrx.9 for <oauth@ietf.org>; Fri, 11 Jan 2019 02:32:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dWGViHmS6wUil2O0SDDB75wsk0ic4zhhIwdBT5INvBk=; b=R6zRWlWvlIrHD3PhUi+RiYkBaQ6OoM0T/Xq2FMpfc6WtiovbXCimDkCDGQTyc9cDB3 ZnQQf0Lxtz+NXlP46NgFQbg5gBNORhrg0x3tC9EtRD6ZXFhwsv+ZjVSWMED3lwPJZM1f s2cT9FBjHxu136odGDXXKOA8XmG5PcUX38AEY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=dWGViHmS6wUil2O0SDDB75wsk0ic4zhhIwdBT5INvBk=; b=LrMy156BqBWNGqd+pkuR5uNVsSJuqIJrUR2OZ9XmHCRpblZpNeOQrOxlShIDsxe+Gz ZdgRIfsWuEjmSwi/PbJieQABgyJazI1nRw26TGTJ25zFQzqUkGlxsbIbMuX1RMUDUn/K D5s4G6u9tIglpLEENTVW08T8m7VHQM1Mx+BmtLHR9BgaJyrOU/eV+uOp99VGNu40uhMe 3mrq1Wa5/Mb5r29l8nUqoLFpxRbhbfdWApQS9IpmR4zRRH3YjwedtsSw58uJ1fUxyp5I PxuIoILjcv2azhVMG77E3/VhOkA2zll5hLhEZs2VhibS991AopGbZB+IzwB0h1spBIW1 DC+Q==
X-Gm-Message-State: AJcUukf3TE+kK6pghjsDrhmgxVoTE4+DZ4IxpLgPyMVPuJT+wnwOztjP btS24sHuH/AvT4tqUkHJHOm47w==
X-Google-Smtp-Source: ALg8bN7dKHeOvLVQ+ji9kOx2USV1TRFNzDb6kXJiuGF8v/pJpOsnqupkFztOCX1Q8L6j6BylI5f8NA==
X-Received: by 2002:adf:81b6:: with SMTP id 51mr13578420wra.240.1547202739115; Fri, 11 Jan 2019 02:32:19 -0800 (PST)
Received: from guest2s-mbp.lan (92.150.32.217.dyn.plus.net. [217.32.150.92]) by smtp.gmail.com with ESMTPSA id b7sm55372931wrs.47.2019.01.11.02.32.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 11 Jan 2019 02:32:17 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <548FF68E-7775-4FE0-829F-1E9CC6EA8E3F@alkaline-solutions.com>
Date: Fri, 11 Jan 2019 10:32:16 +0000
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1119DDAE-8044-43C9-A6D4-6032B3BB62B8@forgerock.com>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <548FF68E-7775-4FE0-829F-1E9CC6EA8E3F@alkaline-solutions.com>
To: David Waite <david@alkaline-solutions.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0B6eOnvJpihgE2xbvB7GTokpiLg>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jan 2019 10:32:24 -0000

On 9 Jan 2019, at 05:54, David Waite <david@alkaline-solutions.com> wrote:
> 
>> On Dec 28, 2018, at 3:55 PM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>> 
> <snip>
> 
>> All of that is meant as an explanation of sorts to say that I think that things are actually okay enough as is and that I'd like to retract the proposal I'd previously made about the MTLS draft introducing a new AS metadata parameter. It is admittedly interesting (ironic?) that Neil sent a message in support of the proposal as I was writing this. It did give me pause but ultimately didn't change my opinion that it's not worth it to add this new AS metadata parameter.
> 
> Note that the AS could make a decision based on the token endpoint request - such as a policy associated with the “client_id”, or via a parameter in the ilk of “client_assertion_type” indicating MTLS was desired by this public client installation. The AS could then to TLS 1.2 renegotiation, 1.3 post-handshake client authentication, or even use 307 temporary redirects to another token endpoint to perform mutual authentication.

Renegotiation is an intriguing option, but it has some practical difficulties. Our AS product runs in a Java servlet container, where it is pretty much impossible to dynamically trigger renegotiation without accessing private internal APIs of the container. I also don’t know how you could coordinate this in the common scenario where TLS is terminated at a load balancer/reverse proxy?

A 307 redirect could work though as the server will know if the client either uses mTLS for client authentication or has indicated that it wants certificate-bound access tokens, so it can redirect to a mTLS-specific endpoint in those cases.

> Both the separate metadata url and a “client_assertion_type”-like indicator imply that the client has multiple forms of authentication and is choosing to use MTLS. The URL in particular I’m reluctant to add support for, because I see it more likely a client would use MTLS without knowing it (via a device-level policy being applied to a public web or native app) than the reverse, where a single client (represented by a single client_id) is dynamically picking between forms of authentication.

That’s an interesting observation. Can you elaborate on the sorts of device policy you are talking about? I am aware of e.g. mobile device management being used to push client certificates to iOS devices, but I think these are only available in Safari.

— Neil

v2.23.0 | Report a Bug | By Email