Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bradley-stateless-oauth-client
Brian Campbell <bcampbell@pingidentity.com> Sun, 03 November 2013 18:26 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE3BB21E809F for <oauth@ietfa.amsl.com>; Sun, 3 Nov 2013 10:26:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.879
X-Spam-Level:
X-Spam-Status: No, score=-5.879 tagged_above=-999 required=5 tests=[AWL=0.098, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id We6pO69R0nZ4 for <oauth@ietfa.amsl.com>; Sun, 3 Nov 2013 10:26:37 -0800 (PST)
Received: from na3sys009aog114.obsmtp.com (na3sys009aog114.obsmtp.com [74.125.149.211]) by ietfa.amsl.com (Postfix) with ESMTP id 13E0E11E82CD for <oauth@ietf.org>; Sun, 3 Nov 2013 10:26:36 -0800 (PST)
Received: from mail-ie0-f173.google.com ([209.85.223.173]) (using TLSv1) by na3sys009aob114.postini.com ([74.125.148.12]) with SMTP ID DSNKUnaVXNwyAqfxDPSMDAcsyuF1ZYvbAe7i@postini.com; Sun, 03 Nov 2013 10:26:37 PST
Received: by mail-ie0-f173.google.com with SMTP id u16so11133141iet.32 for <oauth@ietf.org>; Sun, 03 Nov 2013 10:26:36 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=GwnPB0oIIzrZSqKo5FBZjYAmPpIyFrGlRZmNnPKEjzw=; b=bzOXnULts8DDp+pfVrq9R4zuy5Y4jgWZ4nUiGWq0pKMPBsUeRYy7WSNabKOcqUSpxu RK9PHCq2cd5gw/HSNsJ76Gy0u1WP9ElDj58Ve77/HuS/59wmeydYLLZ+pIRrP9z5zwNG x6nwsy2NShWXdNh4G6xX+bI1KnGtH6qe9Alr0eF6kieMdpOxdYNLvoGOWsupeEsub84Q dkK2qEwIMWmBqR+1qEfoKvcL/kl5u+gB6iB6uvLgiJpl1CoDTxoHseeVh9bsueoYqXq7 mRgcmT310msIb0BWhq3CqF7X/Dy/yUVK1ekEAl4r5YNGLmQkjOB9kWH4dRMFnrafX2Zs A3WQ==
X-Gm-Message-State: ALoCoQk7D6dVMivnBJakpCKIrAkkvvegpU1dPNpU3kRaKDCWG6RQGG29tLLrGkYGvCqwLsdqJPFyHbdY5hOzlU9bn78DYPQ0I1VuMk/mPjHIz20Jee436wazylrg7VYArD/EV90qlLeCqV/iu9FOBIw12HTSVipspQ==
X-Received: by 10.50.126.74 with SMTP id mw10mr9575366igb.24.1383503196413; Sun, 03 Nov 2013 10:26:36 -0800 (PST)
X-Received: by 10.50.126.74 with SMTP id mw10mr9575357igb.24.1383503196267; Sun, 03 Nov 2013 10:26:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.245.233 with HTTP; Sun, 3 Nov 2013 10:26:06 -0800 (PST)
In-Reply-To: <E4A70B26-1CD7-409F-8A17-AC2A28E3F884@ve7jtb.com>
References: <CA+k3eCSR+hVFsYnbOzvmxc771kHpe8k1V_Lfo+LFVOy34J=7ow@mail.gmail.com> <E4A70B26-1CD7-409F-8A17-AC2A28E3F884@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 03 Nov 2013 10:26:06 -0800
Message-ID: <CA+k3eCQkGE+kvN+D_NsbPZ=HxMkd3gh4w+n9ROkD8eVD66BYQA@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "<openid-specs-ab@lists.openid.net>" <openid-specs-ab@lists.openid.net>, oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bradley-stateless-oauth-client
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Nov 2013 18:26:41 -0000
inline below... On Sun, Nov 3, 2013 at 9:04 AM, John Bradley <ve7jtb@ve7jtb.com> wrote: > YEs in my other response to Hannes I noted that in the simple case of a one > to one relationship between a AS and a registration server AES_CBC_HMAC_SHA2 > is probably the best way to do integrity(must not say signing or the crypto > wonks go nuts) and confidentiality if a symetric secret is included in the > JWT. I think we agree on this. But the text in -00 of the document doesn't reflect that situation very well. > The need for confidentiality goes away if the client is using a asymmetric > key to authenticate. > > Separately I have been dealing with several OAuth clients (Websites) that > have been compromised and lost all of there OAuth 1 tokens and secrets as > well as all of there Oauth 2 tokens. > We can put it down to bad security, but having long lived access tokens and > there secrets hanging around in databases is a tempting target. > It is also challenging for a client to protect there symmetric client secret > in these cases as it is typically in some file on the disk. > > There may at some point be a push to use asymmetric keys from a HSM to > secure access to the token endpoint and keep the lifetime of the access > tokens short. That's all potential true but symmetric secretes aren't going to just go away so they need to be considered accordingly. > One thing that is a limitation of encoding information in the client_id is > that we don't currently allow the client_id to change during updated in > client registration. > If we did then the JWT could contain some fixed id for the client that the > AS would use as the key for authorizations. Yes, that's pretty much what I was thinking. True, it's a change to registration but registration is still in progress so now is a good time. And the main implication is that clients would need to be able to handle the client_id changing along with other parameters. > I was trying to stay inside the scope of the current drafts. Understood. But I think some kind of life-cycle support for update etc. is needed for this to work beyond just simple set up and test scenarios. So I'd like to consider potential changes to other drafts in order to accommodate. > Our options are to allow client_id to change this requires only a change in > dynamic registration, and not the rest of the client logic, or to crate a > separate parameter for client_assertion that would contain the signed > information including the client_id sending the client_id twice. In a vacuum I think that a separate parameter is a cleaner solution. But with RFC 6749 already out there, I don't think it's particularly viable at this point. > I think allowing the client_id to be reference or assertion as determined > by the AS is more in keeping with what we are doing with access tokens. > I don't think that should require any change to clients, though it would > require change to server logic to treat the incoming client_id as a > reference or assertion to the actual client identifier rather than always > being a literal. Yes but the wire protocol of RFC 6749 is unchanged and I think it's perfectly reasonable to expect an AS that wants stateless clients to make those kinds of changes. > I think it is worth discussing. Thanks, I'll see you in a few hours... > > On Nov 3, 2013, at 8:36 AM, Brian Campbell <bcampbell@pingidentity.com> > wrote: > > Some musings on > http://tools.ietf.org/html/draft-bradley-stateless-oauth-client-00 > > Abstract: "... allowing for fully stateless operation." --> saying that the > statelessness is on the AS side might avoid some confusion. The client is > still going to have to maintain state. > > The kid is header rather than a claim. > > "The issuer SHOULD sign the JWT with JWS ... issuer MAY encrypt the JWT > with JWE." --> this text seems a little off given that the most common case, > I'd think, would be an AS who issues these client id JWTs only for its own > consumption using JWE's AES_CBC_HMAC_SHA2 which gives encryption and > integrity protection. > > Does the relationship between the "iat" and "exp" claims here and the > "client_secret_expires_at" and "client_id_issued_at" parameters of dyn reg > need to be explained or explored more? Strikes me as potentially > problematic. > > And what happens when one of these JWT client ids expires or needs to be > updated? Or the keys used to create or verify them expire? I know the answer > thus far has been that the client will just have to get a new one. But I > feel like that might be too limiting in practice. I'd like to further pursue > understanding/defining how these kinds of client ids might be used in > conjunction with a longer lived way to identify the client that allows the > client id (i.e. the metadata) to change but can allow correlation across > such changes (the sub claim in this doc even suggests that a client might > have such an identifier). > > As was pointed out in another review, there's a difference between > documenting how it's possible for an AS to issue "stateless" client ids for > its own use and defining something that allows for some other party to issue > such ids. It may make sense to discuss them in the same document but I > believe it'd be valuable to have the doc acknowledge and address the > difference more. > > > > > > _______________________________________________ > Openid-specs-ab mailing list > Openid-specs-ab@lists.openid.net > http://lists.openid.net/mailman/listinfo/openid-specs-ab > >
- [OAUTH-WG] -00 of draft-bradley-stateless-oauth-c… Brian Campbell
- Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bra… John Bradley
- Re: [OAUTH-WG] [Openid-specs-ab] -00 of draft-bra… Brian Campbell