IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and in-browser clients using the token endpoint

"Richard Backman, Annabelle" <richanna@amazon.com> Sat, 02 February 2019 00:03 UTC

Return-Path: <prvs=929907b47=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E90213102E for <oauth@ietfa.amsl.com>; Fri, 1 Feb 2019 16:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -19.052
X-Spam-Level:
X-Spam-Status: No, score=-19.052 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s7WL-SW7PyyU for <oauth@ietfa.amsl.com>; Fri, 1 Feb 2019 16:03:26 -0800 (PST)
Received: from smtp-fw-9101.amazon.com (smtp-fw-9101.amazon.com [207.171.184.25]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC6C6130EC2 for <oauth@ietf.org>; Fri, 1 Feb 2019 16:03:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1549065805; x=1580601805; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=8L7ZXL2ftUfa/lYo5owwniACLBeuQxoWGuOIIsDsVEE=; b=AeIaBkuwPPRlTo1zAYyJ6gwk7DDmNAWXfDlYhOrj3LoG2QlhKBC0Q1YJ wfN+08DlIms8mNkOl42pRS/JJecGTnIg/n8yxUL0vkTqXTU7jqTSvWzF1 ov5FG9FVdtqmps4tFRxd4jyGnD9VQ3gBiB8aUviWa4bmmtDH5vTiWpsxX U=;
X-IronPort-AV: E=Sophos;i="5.56,550,1539648000"; d="scan'208,217";a="785123023"
Received: from sea3-co-svc-lb6-vlan3.sea.amazon.com (HELO email-inbound-relay-1a-821c648d.us-east-1.amazon.com) ([10.47.22.38]) by smtp-border-fw-out-9101.sea19.amazon.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 02 Feb 2019 00:03:23 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162]) by email-inbound-relay-1a-821c648d.us-east-1.amazon.com (8.14.7/8.14.7) with ESMTP id x1203IPF098381 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 2 Feb 2019 00:03:21 GMT
Received: from EX13D11UWC002.ant.amazon.com (10.43.162.174) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Sat, 2 Feb 2019 00:03:20 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC002.ant.amazon.com (10.43.162.174) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Sat, 2 Feb 2019 00:03:20 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Sat, 2 Feb 2019 00:03:20 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: George Fletcher <gffletch@aol.com>, oauth <oauth@ietf.org>
Thread-Topic: [UNVERIFIED SENDER] Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
Thread-Index: AQHUlkcL/yDmEBVqa0adnr6fSi/LlqWUfw6AgABVLoCAEb7YgIADcjUAgACW8wCABNeIgIAAwlgAgABPYwCAGzgkgIAAAIsA//+HHICAAJZugP//hwYA
Date: Sat, 02 Feb 2019 00:03:20 +0000
Message-ID: <CC05C965-3308-4449-A1E2-EDA0119BE5D2@amazon.com>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <548FF68E-7775-4FE0-829F-1E9CC6EA8E3F@alkaline-solutions.com> <1119DDAE-8044-43C9-A6D4-6032B3BB62B8@forgerock.com> <9D007408-3BCC-4165-BCA4-083BD7602E7D@alkaline-solutions.com> <CA+k3eCQi1sz2bDOMEATpN9ZvXd+VJydQXG03WKuLczG5kz2z+Q@mail.gmail.com> <CAP-T6TTD-nLGoPHqJ042SzotLorb2mzoWgLxsausWHhRPZr8xA@mail.gmail.com> <CA+k3eCQtgku68usoCFsTeHVnNOLqWs6NweOgpQKsa7_9=wK7Vw@mail.gmail.com> <99d38517-0e25-789f-83ae-9f33e5620475@aol.com> <CA+k3eCQVL4DeRqHWYu6=xXjBK2RnukQ5RxFzRjGZYr4au8bBkQ@mail.gmail.com> <F5841CEA-BA74-4F17-977A-A78922CDC68C@amazon.com> <CA+k3eCT+mPu0=9TDKtuVqXy=zStEWTS5aVOsc2TuJcYQ2cvE6A@mail.gmail.com>
In-Reply-To: <CA+k3eCT+mPu0=9TDKtuVqXy=zStEWTS5aVOsc2TuJcYQ2cvE6A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.0.180812
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.162.169]
Content-Type: multipart/alternative; boundary="_000_CC05C96533084449A1E2EDA0119BE5D2amazoncom_"
MIME-Version: 1.0
Precedence: Bulk
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1V-Ye7zJfXzjlV46uJkrkCkQ-xM>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Feb 2019 00:03:29 -0000

Confusion from the AS’s perspective:

  1.  If I only support mTLS, do I need to include both token_endpoint_uri and mtls_endpoints? Should I omit token_endpoint_uri? Or set it to the empty string?
  2.  What if I only support mTLS for the token endpoint, but not revocation or user info?
  3.  How do I specify authentication methods for the mTLS token endpoint? Does token_endpoint_auth_methods apply to both the mTLS and non-mTLS endpoints?
  4.  I’m using the OAuth 2.0 Device Flow. Do I include a mTLS-enabled device_authorization_endpoint under mtls_endpoints?

Confusion from the client’s perspective:

  1.  As far as I know, I’m a public client, and don’t know anything about mTLS, but the IT admins installed client certs in their users’ browsers and the AS expects to use that to authenticate me.
  2.  My AS metadata parser crashed because the mTLS-only AS omitted token_endpoint_uri.
  3.  My AS metadata parser crashed because it didn’t expect to encounter a JSON object as a parameter value.
  4.  The mTLS-only AS didn’t provide a value for mtls_endpoints, what do I do?
  5.  I don’t know what that “m” means, but they told me to use HTTPS, so I should use the one with “tls” in its name, right?

Yes, you can write normative text that answers most of these. But you’ll have to clearly cover a lot of similar-but-slightly-different scenarios and be very explicit. And implementers will still get it wrong. The metadata change introduces opportunities for confusion and failure that do not exist now, and forces them on everyone who supports mTLS. In contrast, the 307 redirect is only required when an AS wants to support both, and is unambiguous in its behavior and meaning.

--
Annabelle Richard Backman
AWS Identity


From: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Date: Friday, February 1, 2019 at 3:17 PM
To: "Richard Backman, Annabelle" <richanna@amazon.com>
Cc: George Fletcher <gffletch@aol.com>, oauth <oauth@ietf.org>
Subject: [UNVERIFIED SENDER] Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

It doesn't seem like that confusing or large of a change to me - if the client is doing MTLS and the given endpoint is present in `mtls_endpoints`, then it uses that one.  Otherwise it uses the regular endpoint. It gives an AS a lot of flexibility in deployment options. I personally think getting a 307 approach deployed and working would be more complicated and error prone.

It is a minority use case at the moment but there are forces in play, like the push for increased security in general and to have javascript clients use the code flow, that suggest it won't be terribly unusual to see an AS that wants to support MTLS clients and javascript/spa clients at the same time.

I've personally wavered back and forth in this thread on whether or not to add the new metadata (or something like it). With my reasoning each way kinda explained somewhere back in the 40 or so messages that make up this thread.  But it seems like the rough consensus of the group here is in favor of it.




On Fri, Feb 1, 2019 at 3:18 PM Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org<mailto:40amazon.com@dmarc.ietf.org>> wrote:
This strikes me as a very prominent and confusing change to support what seems to be a minority use case. I’m getting a headache just thinking about the text needed to clarify when the AS should provide `mtls_endpoints` and when the client should use that versus using `token_endpoint.` Why is the 307 status code insufficient to cover the case where a single AS supports both mTLS and non-mTLS?

--
Annabelle Richard Backman
AWS Identity


From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> on behalf of Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org<mailto:40pingidentity.com@dmarc.ietf.org>>
Date: Friday, February 1, 2019 at 1:31 PM
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org<mailto:40aol.com@dmarc..ietf.org>>
Cc: oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Yes, that would work.

On Fri, Feb 1, 2019 at 2:28 PM George Fletcher <gffletch=40aol.com@dmarc.ietf.org<mailto:40aol.com@dmarc.ietf.org>> wrote:
What if the AS wants to ONLY support MTLS connections. Does it not specify the optional "mtls_endpoints" and just use the normal metadata values?
On 1/15/19 8:48 AM, Brian Campbell wrote:
It would definitely be optional, apologies if that wasn't made clear. It'd be something to the effect of optional for the AS to include and clients doing MTLS would use it when present in AS metadata.

On Tue, Jan 15, 2019 at 2:04 AM Dave Tonge <dave.tonge@momentumft.co.uk<mailto:dave.tonge@momentumft.co.uk>> wrote:
I'm in favour of the `mtls_endpoints` metadata parameter - although it should be optional.

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf..org/mailman/listinfo/oauth<https://www.ietf.org/mailman/listinfo/oauth>


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email