Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

Dominick Baier <dbaier@leastprivilege.com> Thu, 23 July 2020 05:38 UTC

From: Dominick Baier <dbaier@leastprivilege.com>
In-Reply-To: <CAO7Ng+vgaPsAo7aQ7uXbcf-M9p2uqQDaxtxoJe1_Av=khbdULg@mail.gmail.com>
References: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com> <CAO7Ng+u16x7G0JTZg=oZnOWj6n3H39w_jk2fKXh2jc70n71KLw@mail.gmail.com> <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com> <CAO7Ng+vgaPsAo7aQ7uXbcf-M9p2uqQDaxtxoJe1_Av=khbdULg@mail.gmail.com>
MIME-Version: 1.0
Date: Thu, 23 Jul 2020 01:38:46 -0400
Message-ID: <CAO7Ng+vUAHtCwnPOh6LMjk4hdmt0T0nhW7b8SywdBttTNatNCA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3JRozU2JPGgHB09a9ElNyeR4kJY>

Even more. Jwsreq should have it. But the authors decided against it.

———
Dominick Baier

On 23. July 2020 at 07:38:04, Dominick Baier (dbaier@leastprivilege.com)
wrote:

Good point. Thanks, Brian.

We should retrofit typs everywhere... in hindsight.

———
Dominick Baier

On 22. July 2020 at 23:55:20, Brian Campbell (bcampbell@pingidentity.com)
wrote:

Because it wouldn't actually prevent it in this case due to JWT assertion
client authentication (a.k.a. private_key_jwt) having come about well
before the JWT BCP and the established concept of using the 'typ' header to
prevent cross-JWT confusion. Thus there's no validation rule regarding the
'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
typing the request object JWT doesn't do anything to prevent it from being
used in the context of previously existing JWT applications like client
auth.

On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> Why not use a typ header as suggested by the JWT BCP?
>
> ———
> Dominick Baier
>
> On 22. July 2020 at 17:37:41, Brian Campbell (
> bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>
> The TL;DR here is a somewhat tentative suggestion that a brief security
> consideration be added to
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that
> prohibits the inclusion of a 'sub' claim containing the client id value in
> the request object JWT so as to prevent the request object JWT (which is
> exposed to the user agent) from being erroneously accepted as a valid JWT
> for client authentication.
>
> Some more details and the discussion that led to this here email can be
> found at https://github.com/oauthstuff/draft-oauth-par/issues/41
>
*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited.  If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you.*
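The confusion Brian describes, reconstructed as an added example (this is not code from the thread, from Brian, from Dominick or from any IETF draft): a JAR request object is signed with the client's key and is exposed to the user agent; if it also carries `sub` equal to the client_id, it satisfies every claim check RFC 7523 defines for a private_key_jwt client assertion, and RFC 7523 has no 'typ' rule that would stop it. The block shows the 2020-era validator accepting a leaked request object, that an explicit `typ` on the request object alone changes nothing, that it does help once client-assertion validation is retrofitted to check `typ`, and the two `sub`-based fixes (the client omitting `sub`, the AS refusing request objects that carry `sub=client_id`). Assumptions, all constructed for the example: the AS identifier `https://as.example`, client_id `s6BhdRkqt3`, the redirect_uri, that the AS accepts either its issuer identifier or its token endpoint as `aud` (RFC 7523 allows the token endpoint URL as an `aud` value), HS256 with a shared key standing in for the client's registered asymmetric key (the issue is about claims and headers, not the algorithm), and the `client-authn+jwt` typ value, which is hypothetical since no typ was defined for RFC 7523 assertions at the time. The `oauth-authz-req+jwt` typ is the one later registered for request objects in RFC 9101.

```python
"""Added example: cross-JWT confusion between a JAR request object and an
RFC 7523 private_key_jwt client assertion.  Not code from the mailing-list
thread; names, keys and endpoints below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

AS_ISSUER = "https://as.example"          # assumed AS identifier
CLIENT_ID = "s6BhdRkqt3"                  # assumed client_id
CLIENT_KEY = b"constructed-client-key"    # constructed; stands in for the client's registered key
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_KEY}
JAR_TYP = "oauth-authz-req+jwt"           # typ later registered for request objects (RFC 9101)
CLIENT_AUTHN_TYP = "client-authn+jwt"     # hypothetical: no typ was defined for RFC 7523 assertions


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes, typ: Optional[str] = None) -> str:
    """Minimal HS256 JWS (stdlib only); 'typ' is set only when the caller asks."""
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes) -> Tuple[dict, dict]:
    h, p, s = token.split(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def _unverified_claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def validate_client_assertion(token: str, expected_typ: Optional[str] = None,
                              now: Optional[float] = None) -> str:
    """Token-endpoint check of a private_key_jwt assertion.  iss/sub/aud/exp are
    the rules RFC 7523 section 3 defines; 'expected_typ' is the JWT-BCP-style
    retrofit that RFC 7523 itself does not have."""
    now = time.time() if now is None else now
    key = REGISTERED_CLIENTS.get(_unverified_claims(token).get("iss"))
    if key is None:
        raise ValueError("unknown client")
    header, claims = verify_jwt(token, key)
    if expected_typ is not None and header.get("typ") != expected_typ:
        raise ValueError("unexpected typ %r" % header.get("typ"))
    client_id = claims["iss"]
    if claims.get("sub") != client_id:
        raise ValueError("sub must equal client_id")
    if claims.get("aud") not in (AS_ISSUER, AS_ISSUER + "/token"):  # assumed: AS accepts either
        raise ValueError("bad aud")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    return client_id


def make_request_object(include_sub: bool, typ: Optional[str] = None,
                        now: Optional[float] = None) -> str:
    """Signed JAR request object.  iss=client_id and aud=AS are what JAR uses;
    'sub' is the extra claim the thread proposes to prohibit."""
    now = time.time() if now is None else now
    claims = {"iss": CLIENT_ID, "aud": AS_ISSUER, "exp": int(now) + 300,
              "client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": "https://client.example/cb",  # assumed
              "scope": "openid", "state": "af0ifjsldkj"}
    if include_sub:
        claims["sub"] = CLIENT_ID
    return sign_jwt(claims, CLIENT_KEY, typ=typ)


def accept_request_object(token: str) -> dict:
    """AS-side rule proposed in the thread: refuse a request object whose
    'sub' is the client_id, so it can never pass RFC 7523 validation."""
    key = REGISTERED_CLIENTS[_unverified_claims(token)["client_id"]]
    _, claims = verify_jwt(token, key)
    if claims.get("sub") == claims.get("client_id"):
        raise ValueError("request object must not carry sub=client_id")
    return claims


def _rejected(fn, *args, **kwargs) -> bool:
    try:
        fn(*args, **kwargs)
        return False
    except (ValueError, KeyError):
        return True


def demo(now: int = 1_595_482_727) -> dict:
    """Runs each scenario; every value is True when the behaviour matches the thread."""
    untyped = make_request_object(include_sub=True, typ=None, now=now)
    typed = make_request_object(include_sub=True, typ=JAR_TYP, now=now)
    clean = make_request_object(include_sub=False, typ=JAR_TYP, now=now)
    return {
        # A request object that leaked via the user agent authenticates the client.
        "legacy_accepts_leaked_jar": validate_client_assertion(untyped, now=now) == CLIENT_ID,
        # Typing the request object changes nothing for an RFC 7523 validator.
        "typ_alone_does_not_help": validate_client_assertion(typed, now=now) == CLIENT_ID,
        # It helps once client authentication also checks typ (retrofit; value assumed).
        "typ_checked_rejects_jar": _rejected(validate_client_assertion, typed,
                                             expected_typ=CLIENT_AUTHN_TYP, now=now),
        # Without sub the request object fails RFC 7523's sub rule on its own.
        "no_sub_rejects_jar": _rejected(validate_client_assertion, clean, now=now),
        # And the AS can refuse request objects that carry sub=client_id.
        "as_rejects_sub_in_jar": _rejected(accept_request_object, typed),
        "as_accepts_clean_jar": accept_request_object(clean)["client_id"] == CLIENT_ID,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The key lookup peeks at the unverified `iss` (or `client_id`) only to select the registered key; nothing else is trusted before the signature check. Note that `validate_client_assertion` without `expected_typ` is exactly the set of checks an AS implementing RFC 7523 as written would perform, which is why Brian's proposal targets the `sub` claim rather than relying on `typ`.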