Re: [OAUTH-WG] DPoP and client registration metadata
George Fletcher <gffletch@aol.com> Thu, 17 February 2022 19:28 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A1713A101A for <oauth@ietfa.amsl.com>; Thu, 17 Feb 2022 11:28:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.714, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8LsVlXKCCIHU for <oauth@ietfa.amsl.com>; Thu, 17 Feb 2022 11:28:09 -0800 (PST)
Received: from sonic316-20.consmr.mail.ne1.yahoo.com (sonic316-20.consmr.mail.ne1.yahoo.com [66.163.187.146]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 349903A102B for <oauth@ietf.org>; Thu, 17 Feb 2022 11:28:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1645126087; bh=Nbb4epPd1mhiFOE79ZQWhVl9BJmYSvk8E3sNWYydInM=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From:Subject:Reply-To; b=Qh4QLJL0/6mZTre8Jo2LX3g4rlTFMdQkuQO/wgG+sZVtHrQft1JPybPCJX0WYzFbyK90Qyktpy+Z5DP+Hi3UNO3L3hWWeliNdg3tMXgHEYEFKRu/WPQj5Ob/yoTZPUXxylg62zYO5/izH7MA/YUP57ttt/J9UQUleArYOcEYO5ENjk1VfAOB0uF/KjgqVBwZ9hWbgYqM7kpU1PRNIDplSNNa0rrFqmcNWhBtDGVNyXzYhzlXMbgTlg9u2+P5k9F0Gl2Q2D0r8RoaQogWSMind+KyLB1l8ljMY9PQUIFNJoWcgHAK5/IPPdQTO7kF39Q0XTJ/T9MrJqztw+r7d3XjJA==
X-SONIC-DKIM-SIGN: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1645126087; bh=0H0ceXXb1cOZFrAcJesClAcI35abrmF8WWMbgr0zUVn=; h=X-Sonic-MF:Date:Subject:To:From:From:Subject; b=oiGSIfY2/FOdowrG8/1fhtHb3m91kQwUfn4LTo7buxuiY/zmxC1ZkDj5AKUTfvjMBSfH4vNBK+n/bhld1GdnrEkMKKPIgEGLTMSqgR2XJjObPySF0UnnncXmF8UMLLG0Yq8nsoZh+RkL4oxEO78PnvK9woGi5FS1o51FwXlpJeVo0Bvp3lP4Kkxu8YdJSvY/5nb3psOD7uGqwzFxMEZeOBPm89x4v47+rEOA7Dyos3k7QXP8OpuE5guXZ9HGycKwLWomPx+qSzBSN2qlS1HvUCnAKQDi84srav2NoiSp2nsJ2yRjP2gMemSMBaTfVjvZhYUkpZmfLmetVzmyxxsvHQ==
X-YMail-OSG: Gi1DvAQVM1kwlRc6.nd2x02ut4JkxJJkZH_OKxogiT.jfv_71840FzIKiRJ4gKB aPFLccWihFugQkq7iPCRVO9dGtHuu3ENtyAL80vQxwwOdKcO2plgEDhKpKNVt0C668eVHggwOS8_ vhZAmVbwa29xBe9eudR4AKuJRlO5TXZvZsZhBxt6zVxaNFe3Gb6bgsNltprPye.FAKtVXqCnzBZo TLKivv4PFd8tH4u4tO7wygec.u6VVRwdMFlAg9tlrhCAajadG9PueIF5WQ_U_eHD4Bhi2P82ZUBE cHFchWeilJ6kv4tczeJvfEWvldi8c9qu87KSocgT3xqyhX1V7rY_VWkZPB.EQI1rUM3v3RJ6o57Z 351sDeZSZXtH04aeiO_SwmPHpmZcgphF.udjQuYimOx3w9VisBTvxajwzMHpo6Q5.JqOxGnPs_qy LlYAnvzkMpt.WlzxDP0nwJGcxRxe.aMFCdJFZRUbX9CP_WdL2mNL3V_WFLkZDJAziWSjNOqja6Er cm2YlDbMsph8DD6MawBsvNlr7VXAMIHZ0FQFxA.qoX7Z10KYbNnNeZOXdAajM5zzg833DEpdwTLA SQ2ycObo5a_Aq7p_wmkRmOhLtagM_i8cL_59rrNggV9TK1E1OAQcNxTF_lTsgfF.13tUnb1gwcNN EpwgHO0wJEn0PR0KZbOv1an.lkJApe60YpmUOsoMrHvO8vOvZ4C3hnksRqWBz9VCA4krm7A2Mti5 vd2yuB_XMZ2MtP4DvEPxIvX41LL047WU5LCaxoewfOY_AG1wINkzaRbZ6cRrbqfKLR1KSN.Bt3Qw gQDSdbGQe3vyL9x6qOZgYRW.atztw4Hdy7O.bJbZfKH9TBP4hr5VqwK5eFVHjp5PHGHVX5rlu1xa .0d3lqVBToF4H6OK.KOm_Ln7_KX9wssbCs6IcmB.8ON6gZME6RgnAowTb4JNuDtHzezqnjhNcIJ7 4R9_f8Fa21JbnKGW62K3n_G9RkmT0IsApGahg1ePKGz7ZxLFJa1MpgFD7.WLJSR6vTr7LphksztA 1IqAyupiK5oKJBxwSJ_nRrezOZrJevbMhrXmWK0n0KeBCRSF9dnLsNolOXdmWQ65GGZe7NU1EtR7 1nRAFSNr76BSdJBUSStYU8J3W87Z8ZE.cmkHzGFYobTk1cE0LAIwcs6W38MIqpALADlXE9UP0RRz gdg38Gwerb1xUqsqrgFc6a50FJuc98cECxMDK0IRIsMTBxUcEUEwUksZoXGIJWZTaMzlm2.HEK9B qfgoFuR1HhKuwomHl2FJoEEsU9PxyvObRQbBZFuBYItJagvrNmudWePaoWGzJDGw7vcZBDGzVrU0 .zgLSYFPVxUC70rNe4nSE.lVuPyEH9cC2HQ02NS8RY6zWGTY2YIZM31_JRUu7MVlWV9mdL.jKAhq D5FxUUwBSaey62l.G7CAbWPgEu9Btp9JdKv9mYIAxsrZo.VGrPm7ucFJUgMleWCB7tLx7oIEJ3vy VCarBy2jFd4sVxVq3kxcn2S6p230FrWL2cAq7mjFYDN1qZPzRJEhMz7KNwd2.jUtu8Ti2eps4AvU uniaKHvUHvftY5yRcBFrKuHg5mU7f7jVgyRda.BpyUEM58EsD2RhjW1RRMd6jI08wQAq61bBzN_x aFLtI2NmCjlR9.Rxlu77rVNygNeCAXhwsoelpGnU_ISvs6iEwuj5qyzYF_9Dq2yoIWFxgjFhJfZl mQV1WKUS2VURU6pB.GFR7V9kp0ad7hUZLpeUjgVBNFTdanf7axCZ9mReaj0igtKjP4DnYUL53HpH lSgNsJAligXuPfjKisrBUlj2CBgCSMLYFO_jb85AWPwONGUKznxtw7u3XciiEQQucHQUmenOtBC6 OPRR7dQvaa7rziSd0wBfbEW_Oh.1vaBteuGMSPiuzggBjR.hH7Rddozs701LGfMSDPYD0V0zDTOj 1ODRkV9jw2sJsNrj0L8z7ppL59yZ8RLmfKy_K6.gGJ6KkzFHzEA6Ra7h_rEUBgyl3R3q557TWMP0 1IVxEE6lwY2QV7jyML.s4SZ1dZ__i_fYzakecojq3YbLWt0vaQxLKrnWiqBppb13Bxx4Rm0Izb9p nzd_K8ypJXzVTGikzcYdHBeViuR5tpZegKSaEqiy5XzACJhZ4JKZjJOjTzvoCGnKkJDK45Evum1h EWkwDQK0youz9AG8yFbdhXGsERUHBKOwrk7XA.ajYa7gx2Tp4pXph2zSF4I18m17sF5Mf5u_lF77 uPMYvRgFpoLanHVYYbw--
X-Sonic-MF: <gffletch@aol.com>
Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Thu, 17 Feb 2022 19:28:07 +0000
Received: by kubenode550.mail-prod1.omega.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID dc77fddb040562e60882e22a29459ac2; Thu, 17 Feb 2022 19:28:02 +0000 (UTC)
Content-Type: multipart/alternative; boundary="------------LrAuidSoIjU760CZ9cyxFxln"
Message-ID: <9b66ac72-19af-974a-d85d-c7ab88f31183@aol.com>
Date: Thu, 17 Feb 2022 14:27:59 -0500
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.6.0
Content-Language: en-US
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
References: <CAOtx8DkFrDBk==_4Yr8JFiNmPSQkhMnVDk09RGhz_Kb52gMMtA@mail.gmail.com> <CA+k3eCSG0-bjJRsVrgAtVocvRBpwY+7fBxr=WPAYdUBd25g=pQ@mail.gmail.com> <CA+k3eCTCjawQx7g8Q+tUwtC7oRCkpev0r-kCuo3n3Xy18XvgVA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
In-Reply-To: <CA+k3eCTCjawQx7g8Q+tUwtC7oRCkpev0r-kCuo3n3Xy18XvgVA@mail.gmail.com>
X-Mailer: WebService/1.1.19724 mail.backend.jedi.jws.acl:role.jedi.acl.token.atz.jws.hermes.aol
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0mvgeWGxIMu8h2s1tIEvD0KUK4Y>
Subject: Re: [OAUTH-WG] DPoP and client registration metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2022 19:28:14 -0000
From an authorization server perspective, I think it makes sense to be able to flag certain clients as only supporting DPoP bound tokens and hence rejecting any request without the appropriate proof. Given that the FAPI 2 baseline is requiring either DPoP or MTLS as the sender-constraining methods, I think we need to provide more guidance about how DPoP is used in cases outside of SPAs. Can a mobile app using dynamic client registration via pub/priv key pair generated on the device using the same public key for the DPoP required portions of the flows? Thanks, George On 2/14/22 5:51 PM, Brian Campbell wrote: > This (more or less) has come up again in the from of a github issue: > https://github.com/danielfett/draft-dpop/issues/105 and it has me sort > of maybe reconsidering the idea of introducing some kind of client > metadata that indicates that the client will always do DPoP. So I > wanted to bring it up again here on the list to try and see what folks > had opinions on it. > > On Tue, Oct 26, 2021 at 4:08 PM Brian Campbell > <bcampbell@pingidentity.com> wrote: > > There are no plans to introduce client registration metadata for > DPoP - the requirement to use DPoP is more of a property of a > resource so I don't think registration metadata for a client fits > very well. > > > On Tue, Oct 26, 2021 at 8:53 AM Dmitry Telegin > <dmitryt=40backbase.com@dmarc.ietf.org> wrote: > > For dynamically registered clients, there is currently no way > to indicate the intention to use DPoP. Hence, it's completely > up to the AS whether to enforce DPoP or not on such clients > (for example, using client registration policies). > > Seems like there is no common approach here; for example, RFC > 8705 (OAuth 2.0 Mutual-TLS Client Authentication and > Certificate-Bound Access Tokens) does define client > registration metadata (see section 9.5), whilst RFC 7636 > (PKCE) does not. I guess this is due to PKCE being initially > conceived as a feature that would become mandatory in OAuth 2.1. > > Are there any plans to introduce client registration metadata > for DPoP? > > Regards, > Dmitry > Backbase > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > /CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any > file attachments from your computer. Thank you./ > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] DPoP and client registration metadata Dmitry Telegin
- Re: [OAUTH-WG] DPoP and client registration metad… Brian Campbell
- Re: [OAUTH-WG] DPoP and client registration metad… Brian Campbell
- Re: [OAUTH-WG] DPoP and client registration metad… George Fletcher
- Re: [OAUTH-WG] DPoP and client registration metad… Brian Campbell
- Re: [OAUTH-WG] DPoP and client registration metad… George Fletcher