[OAUTH-WG] OAuth Working Group Meeting at IETF 99 21-Jul-17

Mike Jones <Michael.Jones@microsoft.com> Fri, 21 July 2017 12:59 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id DAB6E131CFD for <oauth@ietfa.amsl.com>; Fri, 21 Jul 2017 05:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id DyWcrZYDWooK for <oauth@ietfa.amsl.com>; Fri, 21 Jul 2017 05:59:16 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0093.outbound.protection.outlook.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8147131D1C for <oauth@ietf.org>; Fri, 21 Jul 2017 05:59:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=EfvOoOZRicyfpvDjDyTxebPLkBaagYRSUNE2rnZQH7o=; b=S5FKh1uEPmeLDgmdzTOIEgnyjrJMQG/fMMGf52Aw0840J7LJ4i/JyQIvOx6TRvd0s5Jojz90MQ9eX7+qSDfiyMJl7iMznLooeKF+a4+8yngZE9u75hC5p4+uK4NWDn31n6KBTfydmggyrUpXNLaGC2meXZaLKnS99XZAi2AfjMo=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ( by CY4PR21MB0134.namprd21.prod.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.2; Fri, 21 Jul 2017 12:59:12 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([]) by CY4PR21MB0504.namprd21.prod.outlook.com ([]) with mapi id 15.01.1304.009; Fri, 21 Jul 2017 12:59:12 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: OAuth Working Group Meeting at IETF 99 21-Jul-17
Thread-Index: AdMCIQS/uo4eihLgSNaU9zJwyl9/HA==
Date: Fri, 21 Jul 2017 12:59:12 +0000
Message-ID: <CY4PR21MB0504BECECAE0BFB0E13D906FF5A40@CY4PR21MB0504.namprd21.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [2001:67c:1232:144:4422:9589:299f:2232]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0134; 7:S9gGoqe1YTgEizoY/yNU/rxmJEIdLu1B9FzsyImEgtPxOdeLCJrnUurQfVAZ93Uh9cFwufar0r2EdmyFP+v03hAVuMZ9dO/KYvEWBm53zM17LiQcToF1Hdo0sCjhQw38gYRkOu2S+quIRITcM+6pa8aggchilY4uMg+9zJXFt0GXq03pPJXH9y9thyULeYStyNOnU7Ssdi8qUgQeyPVLJ9dds5p+y75z4DPz68H1TeIXxttOqOeSSpkSgSoiW11iTqdzPAAPau4QuZx0Yd5v77uFQyhLBeeB3Ygzowr5m1BTI+Y2x2WM61MliDU6dBlid091BKRlH95Yp9ZExg8rE/dy0YXNFRvJPN7zq7jQL8fcfWgjWuSGK+EhINy8ChuOTJjhTPFaGFcLUZSzE/N0VfgNLon5BHsEcnVY4VCXAIA7KJlVkoO1hG65fINATOHt/HatU5o9XNg+S+KDeJnZYhYi/pbair6vEe0tgGBq/vqqxGyIb9mwyq49xzXF6MB2Oc339pm9MKfYkO6DK5QhWwzu/ekqGJ/9ZtT4kfuZQD77V6Eq5r5dEOz/Mv8k7mKP6PMMTW6ibqoIITVoE7hn3ZcCVDAjZE++LDY5P5fS9B1wbqdRcsCjFjEmqsoJMemHOlBYndn5LWAD1zuHwF+MSDAzkcCyp75SbkS10M0MF23kdSo3hUnLe8Qgt3ayDBlImqJfOXhCqnxH+tTSo2nQDaoYpURoMc7jHp06pF6VHeM+UHJgtoAnsgDDJbVVoC58UYYSyS3IvIrQ9uLZlx0/xy+IrWXG7RMDrIKQmEWUOm8zFYGWX8u8NNR/hlRKAwkk
x-ms-office365-filtering-correlation-id: 38558e5a-c707-41cd-edd0-08d4d038490e
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(48565401081)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY4PR21MB0134;
x-ms-traffictypediagnostic: CY4PR21MB0134:
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(26388249023172)(192374486261705)(21748063052155)(151999592597050);
x-microsoft-antispam-prvs: <CY4PR21MB0134963DB6F7891C1BE42064F5A40@CY4PR21MB0134.namprd21.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(61425038)(6040450)(601004)(2401047)(8121501046)(5005006)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123558100)(20161123560025)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123562025)(20161123564025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY4PR21MB0134; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY4PR21MB0134;
x-forefront-prvs: 0375972289
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39400400002)(39860400002)(39450400003)(39410400002)(39840400002)(39850400002)(47760400005)(199003)(189002)(51444003)(2351001)(7696004)(106356001)(3280700002)(3660700001)(54356999)(101416001)(86362001)(86612001)(50986999)(105586002)(2906002)(33656002)(189998001)(230783001)(97736004)(10090500001)(102836003)(790700001)(6116002)(5660300001)(2900100001)(74316002)(6436002)(25786009)(14454004)(99286003)(9686003)(2501003)(6306002)(8936002)(5640700003)(54896002)(5630700001)(1730700003)(8676002)(72206003)(81156014)(81166006)(6916009)(53936002)(68736007)(7736002)(10290500003)(77096006)(6506006)(38730400002)(55016002)(110136004)(478600001)(8990500004)(5005710100001); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0134; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504BECECAE0BFB0E13D906FF5A40CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2017 12:59:12.6043 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0134
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2IMc4QlJK56nCWiOhjiqkt9oNA0>
Subject: [OAUTH-WG] OAuth Working Group Meeting at IETF 99 21-Jul-17
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jul 2017 12:59:21 -0000

OAuth Working Group Meeting at IETF 99 21-Jul-17

William Denniss presented on the Device Flow

Justin Richer discussed a suggestion to add another parameter that he'd made on the list
William Denniss clarified that the client constructs the URL - not the server
Justin withdrew his suggestion
Justin will review the text and suggest clarifications to help people from misunderstanding it in the way that he did

Annabelle Backman suggested that there be a separate parameter that contains the clickable URL
Annabelle suggested that there be a separate parameter for that URL
              Then we don't have to standardize the URL for the user_code
              It would allow the server to use a different URL for that
Dick Hardt suggested that the user code be URL safe
Annabelle:  People implementing clients may not always be reading the specs
David Robin: There's an opportunity to send people straight to the final URL
Nat Sakimura: Our implementation sends both the URL and the user_code

Nat: It's easier to enter Japanese characters than ASCII in Japan
              We should allow the code to be Unicode
Dick Hardt:  Amazon recently looked at what can be entered world wide
              He said that numbers work really well
William:  Maybe we can suggest that numbers be used as a best practice
              I do not want to prevent the use of letters because it would bring our implementation out of compliance
Mike Jones:  Microsoft also uses letters in the codes

Nat:  If we are targeting QR codes, send the QR code directly
              QR codes are used on ATM machines in Singapore and Australia
              If it's going to be an image, it should be a separate parameter

Annabelle:  Trying to tailor the spec to particular delivery mechanisms would take us down a huge rathole
Dick:  It's not clear we're really trying to achieve interop
William:  Justin and I did interop testing with both of our implementations
Dick:  Amazon is using independently written implementations
              In the Alexa world, there are many third parties producing devices that we want to be able to make calls into Alexa

John:  I am influenced by the arguments that having a different endpoint for the pre-composed URL than the user typeable one is a good idea
              I don't know that we should add the QR code directly
              Apps could use introspection to get a QR code or sound files but that doesn't have to be in the standard
              Third party clients operate with YouTube and other services

William:  There are two changes we're discussing
              1.  Having a second endpoint for the pre-composed URL
              2.  Saying that the user code should be URL safe, with numbers recommended

William:  If we make it Unicode, we should use a different URL

Mike Jones:  Adding a separate endpoint is a big change
John:  The change is to have a separate parameter for the composed URL - not a separate endpoint
              Anything internationalized immediately leads us to sending a composed URL
              Using a different endpoint is an implementation choice - not something for the spec
              The client needs to know the script that it's going to display
              A Korean printer might use Korean script in Korea but a different script in South America
Nat:  Numbers are the best choice internationally
Annabelle:  The more complicated we make the display requirements, the more use cases we'll exclude
John:  UTF-8 may not be displayable on all devices and the right fonts might not even be installed
Annabelle:  We are suggesting a new parameter with a URL value - not a new endpoint

Leif Johansson:  Has anyone done a security analysis on this?
              We shouldn't do these changes without another last call

David Robin: Are we deprecating what's shown on the screen or is that option still on the table?
              (On the screen, the client was shown merging the different pieces of information)
              Maybe client composition should never be done
              It's either opaque with the third parameter or you need to do composition the way the draft is now

Annabelle:  The current draft does describe Security Considerations about remote phishing
William:  We try to prevent phishing by asking the user if they have the device in their possession

Lucy Lynch:  These are big enough changes to require another working group last call

William:  There's no requirement that you poll at any particular rate

Mike Jones:  From an engineering perspective, why do people want to do things differently than what's currently specified?
Dick:  We looked at this and saw some of the issues

William:  The other major change being considered is defining new authorization parameters
              device_id, device_model, device_name
              This is to support device revocation
              They are all optional

Annabelle:  This does not seem unique to the device flow
William:  I agree but it's worth solving for the device flow
Annabelle:  If we're overly prescriptive with what information is being sent, we could end up ruling out use cases we haven't thought of
Hannes Tschofenig:  This came up in Chicago
              We might want to do some form of authentication
              These parameters are intended for revocation, but they could be used for authorization as well
William:  I'm not trying to capture every possible parameter for every use case
              Google does have use cases for these parameters
Dick:  The device ID is problematic
              The other two new parameters are useful
William:  The device ID lets the authorization server group requests
Annabelle:  If this is happening at the AS, it could assign an ID on its own
Annabelle:  Model and name present a potential phishing risk
Hannes:  The AS can't infer the device name
Annabelle:  The AS should match the client ID to the device type

William:  If we add these parameters we need to add Security Considerations
William:  We shouldn't enable display of random hacker-generated text

Dick:  The model allows multiple different things on a device
              For instance, enabling Netflix on your Roku - not just enabling the device

John:  Device ID is a correlatable identifier
              Some manufacturers go out of their way to prevent multiple applications from knowing that they're on the same device
              This is its own thing and should be in its own spec
              Let's finish the device spec and consider this a separate add-on
Lucy:  I think that John summarized this correctly
              I could drive a truck through this
Hannes:  The context of this spec made discussing these possible parameters reasonable

Justin Richer:  This loops back to Mike's question about why people are bringing this up now
              People have been implementing something like this for years
              Now people are reviewing the spec and asking if it fits the use cases they've had for years
              We are seeing more and more devices where this functionality makes sense
              I think this should be a separate spec
              I wrote such as spec in 2010 draft-richer-oauth-instance-00
              This has applicability in other places and it's a big ball of wax
              It's too much to try to slip this in at the last minute

Brian Campbell:  Maybe we could accomplish this without device ID
              We would lose grouping but that would alleviate a lot of the privacy concerns
Dick:  You only need a locally scoped identifier
              The global one is the one that's a problem

William:  There is running code
              Google's implementation complies with -06
              MitreID implements it
              Justin and William did some interop
Hannes:  There are other open source implementations


Brian Campbell presented on OAuth Token Exchange

It is a framework enabling token exchange
The participants need to know what kinds of tokens are suitable for their use cases
Draft -09 included small changes to address actionable WGLC feedback
Hannes will review feedback that didn't appear to be actionable
Brian believes it's ready for Hannes' write-up
John:  Write it up


Brian Campbell presented on OAuth Token Binding

Provides proof of possession for OAuth tokens
The 3 core Token Binding specs are very close to the request for publication
The last OAuth Token Binding spec version added introspection language and IANA registrations
Brian added an open issue about the need to allow distributed Web Server clients to opt out of token binding for refresh tokens
              Shared access to a public key may be difficult or impossible problem
              Sharing on demand generated client-side keys is very hard
Dick Hardt:  It's not going to happen
Brian:  The real value is Token Binding the access token
              There are other means of securing the refresh token
There are two ways we could do this
              Toggle the behavior based on client registration metadata
              Or provide a run-time toggle with a parameter
The metadata parameters already largely exist
Mike Jones:  I think the metadata approach is reasonable
              I don't want to think about the security implications of providing a parameter to disable a security feature at runtime
Brian:  I think the metadata approach is reasonable
John Bradley:  I agree with using metadata

John Bradley:  As a separate issue, we may eventually decide we need a parameter to explicitly communicate the referred token binding separately from the Sec-Token-Binding header
              There are more discussions needed on the parties using the bound tokens
William Denniss:  Is this only for confidential clients?
              Brian:  Yes
William:  We don't want to encourage people to opt out very often
John:  We do have a mutual TLS option so there are more than one ways to achieve proof of possession
William:  Authorization servers could say that access token binding is mandatory

Brian:  Should the scope include standardization of Token Binding for JWT Client Authentication for RFC 7523
John:  We should write this down because it's only self-evident how to do this to a very small set of people
Brian:  We would write down how to use the cnf/tbh claim in the context of RFC 7523
Hannes:  Please write this down

Brian:  We need to remove the reference to the expiring resource metadata draft
Brian:  I have ideas how to keep the intent but simplify
              We would still describe how to detect and respond to attacks

Brian:  This is still early
              Client library support is still sparse
              We have things to learn from deployments

Dick:  Is pushing Token Binding through to the end-application after TLS termination in scope?
Brian:  No, but the Token Binding WG just accepted a document about this
Dick:  This doesn't provide the same guarantees as other application-layer PoP mechanisms
Brian:  This relies upon trust between the TLS terminator and the application
Brian:  I don't know a way to tightly bind this end-to-end
Dick:  The verification is happening at the application
Dick:  I believe that Microsoft is encrypting the token
Dick:  The problem is that the TLS terminator is in a different trust domain than the application
              It's trusted to terminate TLS but not to manage the token or do authentication or authorization
Dick:  What's being done in the Token Binding working group doesn't solve this problem

John:  I asked Tony Nadalin to provide information about this
              Including the possible use of additional Token Bindings
Andrei Popov:  I'm not familiar the higher-level functionality being referenced
              If you're terminating TLS, that's where end-to-end ends for TLS functions, such as Token Binding
              You're trusting that the TLS terminator is passing correct information to you
Hannes:  We need to update our OAuth PoP documents
              End-to-end PoP is definitely in scope for the OAuth WG
Dick:  You didn't solve anything
Dirk Balfanz:  It sounds like you already have a proof-of-possession implementation
Dick:  We have a non-standard way in which Amazon API calls are made
              There is a secret, you sign the request, and it's verified at the application level
Hannes:  Is it HTTP signing?
Dick:  Yes
              It prevents a compromised TLS proxy from changing the request
Justin Richer:  I did look at the Amazon spec when writing the OAuth HTTP signing spec
              There were lots of problems with parameters being reordered, etc. in OAuth 1 implementations
Hannes:  I would like Dick to look at the current OAuth HTTP signing spec
              Maybe that will solve the issue that Dick is describing
Dick:  That doesn't build on Token Binding
Justin:  They are orthogonal
              You could do both Token Binding and application-level PoP
Dick:  What I like about Token Binding is that you don't have to do client-side management of a key
              Token Binding lets you get many of the characteristics of PoP without client-side key management
Hannes:  What are the right next steps for this issue?
Dick:  I want Token Binding with end-to-end guarantees
Dick:  Most of our deployments have TLS proxies
Brian:  This isn't in scope for this document because the problem isn't specific to OAuth
Brian:  This is also applicable to Token Bound cookies
              The same issues occur for cookies