IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)

Thomas Broyer <t.broyer@gmail.com> Wed, 01 September 2021 13:58 UTC

Return-Path: <t.broyer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D6ED3A12D5 for <oauth@ietfa.amsl.com>; Wed, 1 Sep 2021 06:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A7VZLzi2XRXE for <oauth@ietfa.amsl.com>; Wed, 1 Sep 2021 06:58:23 -0700 (PDT)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CB333A12C4 for <oauth@ietf.org>; Wed, 1 Sep 2021 06:58:23 -0700 (PDT)
Received: by mail-yb1-xb36.google.com with SMTP id z18so5252800ybg.8 for <oauth@ietf.org>; Wed, 01 Sep 2021 06:58:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LHoVjMzS6Bg+C9cuBEiv2+0lnHqnYlNkPgcL2+Npq24=; b=iQxB1N/LZikQ03PYAvBkTQOd9uQWqhrqgeHxNieMb7pSd6wrNwOJzQBig4/ioYxICo 53Vk6ABV2F/CSxiIWyzXoo3ih8chsxv5KUDx7u+pAVhZ9r1fV6K6M/rzSqtgcFYs66mw qvUCUfpqIOfYW26vG5L2SwW/1hnRy5MnbfvsZVHMab1XD3IGlYKvTawdQlX73FnL1pdW pNiV0VQ5nvcVDaFC1nue2nGgLnopdWIKGA5c1cI6ZJdCvutbge8Nu1eHDYDYtd7Vlndq Os+FqvoVl3JCn1DUUB/+z3Iuz/cR5dnGXO4Yx4EKQPFQiHgt6SI38GHdJIW7D6RhlQAW iFSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LHoVjMzS6Bg+C9cuBEiv2+0lnHqnYlNkPgcL2+Npq24=; b=CU92onQsjG13bLPATAwNAoxoaOw9dkAhQecBExUiCy2XZL99/5z6Mzul667KMlhIKz NWT7vm6eIZTB6imkZM6OVB+oh/enNoHDslJRrA1cNNoJwhfWdLI9GJoXnbQahud6dEjB B0I9g1FLZnCHyv8ECjeR0mH9zvrKnHIPxCzT1PVxpV4U4W2ppyGZ1Ys0WajFRm47yRJm nrF+r/bj/dl0LAOrwaHhJXAmlhW+Iai0i1nlzVjIGFQt9f+7AE0EcA35xXyh5BnJB27i jh2iY9a90gjOGpGla/PKJQmlgM7ExxWA5xtlqtIT5WpaI976HSHH9FmJwUxyrHCkzHsn RfiQ==
X-Gm-Message-State: AOAM531YNObD8yKA01eau8tUfJsdxlU8CJ1NsHpY3beW83eZ8kzMaK1Y 4WYE0VhrzHYvtbppwQjp+cqGv/dMbugi+53/xFsfDQitOxQ=
X-Google-Smtp-Source: ABdhPJzo2qa3fo5o+tcgOLhuXiJIRqU4nveiZxv5JxwXRdvi1dPNgKZAbCFnLmm4afbb59jlBQBbyfjBnXJRQP9UEiM=
X-Received: by 2002:a25:5b06:: with SMTP id p6mr37381393ybb.217.1630504702311; Wed, 01 Sep 2021 06:58:22 -0700 (PDT)
MIME-Version: 1.0
References: <20210822091434.93EFCF40723@rfc-editor.org> <80CE09CD-E462-4CB6-B4CC-EF4A7BE9F854@mit.edu>
In-Reply-To: <80CE09CD-E462-4CB6-B4CC-EF4A7BE9F854@mit.edu>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Wed, 01 Sep 2021 15:58:11 +0200
Message-ID: <CAEayHEP1Jg-WPo-4B5k5JVA_zDOL7m1tWq9q2yWSS_deRcP6Fw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: IETF oauth WG <oauth@ietf.org>, mscurtescu@google.com, sdronia@gmx.de, ashvinnarayanan@gmail.com
Content-Type: multipart/alternative; boundary="00000000000096031f05caef7500"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3I821NPRoIavn0n9DdrhaHxQAWQ>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Sep 2021 13:58:44 -0000

I agree with you Justin.

While there probably is a need for an errata to this RFC wrt public
clients, it wouldn't be the one proposed here.

Wrt public clients, section 5 states:

   According to this specification, a client's request must contain a
   valid client_id, in the case of a public client, or valid client
   credentials, in the case of a confidential client.

but actually nowhere in the specification is defined how a public client
would pass its client_id in the request.

As an errata, this section should probably be reworded to remove any
mention of public clients.
And then the RFC should possibly be obsoleted with a new one properly
supporting the public clients' use case (and then I would argue just adding
a client_id parameter alongside token and token_type_hint)

As far as the currently proposed change is concerned, there's no point in
accepting as authorization the same access token that would be revoked, as
this would be exactly the same, security-wise, as not having authentication
at all.

On Mon, Aug 23, 2021 at 9:42 PM Justin Richer <jricher@mit.edu> wrote:

> I personally don’t agree with this errata. Token Revocation was never
> meant to act as a protected resource, but rather as a function of the AS.
> The client is known to the AS and so authentication is expected here.
>
>  — Justin
>
> > On Aug 22, 2021, at 5:14 AM, RFC Errata System <
> rfc-editor@rfc-editor.org> wrote:
> >
> > The following errata report has been submitted for RFC7009,
> > "OAuth 2.0 Token Revocation".
> >
> > --------------------------------------
> > You may review the report below and at:
> > https://www.rfc-editor.org/errata/eid6663
> >
> > --------------------------------------
> > Type: Technical
> > Reported by: Ashvin Narayanan <ashvinnarayanan@gmail.com>
> >
> > Section: 2.1
> >
> > Original Text
> > -------------
> > The client constructs the request by including the following
> >   parameters using the "application/x-www-form-urlencoded" format in
> >   the HTTP request entity-body:
> >
> >   token   REQUIRED.  The token that the client wants to get revoked.
> >
> >   token_type_hint  OPTIONAL.  A hint about the type of the token
> >           submitted for revocation.  Clients MAY pass this parameter in
> >           order to help the authorization server to optimize the token
> >           lookup.  If the server is unable to locate the token using
> >           the given hint, it MUST extend its search across all of its
> >           supported token types.  An authorization server MAY ignore
> >           this parameter, particularly if it is able to detect the
> >           token type automatically.  This specification defines two
> >           such values:
> >
> >           * access_token: An access token as defined in [RFC6749],
> >             Section 1.4
> >
> >           * refresh_token: A refresh token as defined in [RFC6749],
> >             Section 1.5
> >
> >           Specific implementations, profiles, and extensions of this
> >           specification MAY define other values for this parameter
> >           using the registry defined in Section 4.1.2.
> >
> >   The client also includes its authentication credentials as described
> >   in Section 2.3. of [RFC6749].
> >
> >   For example, a client may request the revocation of a refresh token
> >   with the following request:
> >
> >     POST /revoke HTTP/1.1
> >     Host: server.example.com
> >     Content-Type: application/x-www-form-urlencoded
> >     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
> >
> >     token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
> >
> >   The authorization server first validates the client credentials (in
> >   case of a confidential client) and then verifies whether the token
> >   was issued to the client making the revocation request.  If this
> >   validation fails, the request is refused and the client is informed
> >   of the error by the authorization server as described below.
> >
> > Corrected Text
> > --------------
> > The client calls the revocation endpoint using an HTTP
> >   POST [RFC7231] request with the following parameters sent as
> >   "application/x-www-form-urlencoded" data in the request body:
> >
> >   token   REQUIRED.  The token that the client wants to get revoked.
> >
> >   token_type_hint  OPTIONAL.  A hint about the type of the token
> >           submitted for revocation.  Clients MAY pass this parameter in
> >           order to help the authorization server to optimize the token
> >           lookup.  If the server is unable to locate the token using
> >           the given hint, it MUST extend its search across all of its
> >           supported token types.  An authorization server MAY ignore
> >           this parameter, particularly if it is able to detect the
> >           token type automatically.  This specification defines two
> >           such values:
> >
> >           * access_token: An access token as defined in [RFC6749],
> >             Section 1.4
> >
> >           * refresh_token: A refresh token as defined in [RFC6749],
> >             Section 1.5
> >
> >           Specific implementations, profiles, and extensions of this
> >           specification MAY define other values for this parameter
> >           using the registry defined in Section 4.1.2.
> >
> >   The client MUST also include in the request, the access token it
> received
> >   from the authorization server. It must do so in the same way as it
> would
> >   when accessing a protected resource, as describe in [RFC6749], Section
> 7.
> >
> >   The following is a non-normative example request in which the client
> uses
> >   its access token to revoke the associated refresh token:
> >
> >     POST /revoke HTTP/1.1
> >     Host: server.example.com
> >     Content-Type: application/x-www-form-urlencoded
> >     Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
> >
> >     token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
> >
> >   The following is a non-normative example request in which the client
> uses
> >   its access token to revoke the same access token:
> >
> >     POST /revoke HTTP/1.1
> >     Host: server.example.com
> >     Content-Type: application/x-www-form-urlencoded
> >     Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
> >
> >     token=czZCaGRSa3F0MzpnWDFmQmF0M2JW&token_type_hint=access_token
> >
> >   The authorization server MUST validate the access token used by the
>
> >   client to authorize its call to the revocation endpoint, including
> >   ensuring that it is not expired or revoked.
> >   Additionally, the authorization server MUST also validate whether the
> >   access token used for authorization is part of the same grant  as the
> >   token being revoked. If validation fails, the request is  refused and
> >   the client is informed of the error by the authorization server.
> >   In the case of a bearer token, the authorization server SHOULD
> respond
> >   with an HTTP 401 code as described in OAuth 2.0 Bearer Token Usage
> >   [RFC6750], Section 3.
> >   Errors based on other types of tokens are beyond the scope of this
> >   specification.
> >
> >
> > Notes
> > -----
> > It appears as though the authors of RFC7009 have failed to consider that
> requests to revoke are likely to come from non-confidential clients and
> such, would lack authentication credentials. Regardless of the type of
> client however, authentication should not be required. The OAuth 2.0
> specification (RFC6749) does not specify verifying that the access token
> belongs to the client accessing protected resources, of which revocation is
> one. It is the role of the access token alone to signify authorization
> required to make requests to protected resources. If this is an issue for
> revocation, then it is an issue for all protected resources and counter
> measures may be proposed in a separate RFC rather than broadening the scope
> of this particular RFC. As per the original text itself, "This
> specification in general does not intend to provide countermeasures against
> token theft and abuse." Additionally, "If an attacker is able to
> successfully guess a public client's client_id and one of their tok
> > ens, or a private client's credentials and one of their tokens, they
> could do much worse damage by using the token elsewhere than by revoking
> it.  If they chose to revoke the token, the legitimate client will lose its
> authorization grant and will need to prompt the user again.  No further
> damage is done and the guessed token is now worthless."
> > Note that the client_id is not meant to be private information to begin
> with, so relying on an attacker "guessing" it should not be seen as a
> security countermeasure. This section of RFC7009 will be referenced in a
> subsequent errata.
> >
> > Instructions:
> > -------------
> > This erratum is currently posted as "Reported". If necessary, please
> > use "Reply All" to discuss whether it should be verified or
> > rejected. When a decision is reached, the verifying party
> > can log in to change the status and edit the report, if necessary.
> >
> > --------------------------------------
> > RFC7009 (draft-ietf-oauth-revocation-11)
> > --------------------------------------
> > Title               : OAuth 2.0 Token Revocation
> > Publication Date    : August 2013
> > Author(s)           : T. Lodderstedt, Ed., S. Dronia, M. Scurtescu
> > Category            : PROPOSED STANDARD
> > Source              : Web Authorization Protocol
> > Area                : Security
> > Stream              : IETF
> > Verifying Party     : IESG
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>


-- 
Thomas Broyer
/tɔ.ma.bʁwa.je/ <http://xn--nna.ma.xn--bwa-xxb.je/>

v2.23.0 | Report a Bug | By Email