IETF Logo Mail Archive

Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery

Brian Campbell <bcampbell@pingidentity.com> Fri, 11 March 2016 23:16 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC8B12DDCC for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2016 15:16:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.711
X-Spam-Level:
X-Spam-Status: No, score=-0.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rUrdp_RJKQwB for <oauth@ietfa.amsl.com>; Fri, 11 Mar 2016 15:15:55 -0800 (PST)
Received: from mail-ig0-x233.google.com (mail-ig0-x233.google.com [IPv6:2607:f8b0:4001:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD4CC12DDC2 for <oauth@ietf.org>; Fri, 11 Mar 2016 15:11:49 -0800 (PST)
Received: by mail-ig0-x233.google.com with SMTP id ig19so23922092igb.0 for <oauth@ietf.org>; Fri, 11 Mar 2016 15:11:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=PJ75ZyBZg0K0C+xIEwN/UNAus6hlBywM42ecaM0Vdd4=; b=UlqiUr//XrCfF8ejfqB917peO3wxCsGvI2DOgMCS4eFOQrKY2/bGpi6CMJD7syQLKw 6Umm3oLqVPIoVA4nh1xX+FgBUA6+solK4/C9rx/NPvDIJ7bM6AgRLExy0250NeJtWso3 4bUJ3DOOn5hlxecU+7LUqKBwT+kKwUg3rOYfw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=PJ75ZyBZg0K0C+xIEwN/UNAus6hlBywM42ecaM0Vdd4=; b=Ya3jJgD289pbIDFMqrxaZAxlUjZj+2JQKXgKKEjL6cEjPgEBJMEcf32GLz/bWp8aLj Wfu4ic5v34G64sY6ZEdKzRKlLYtPt0Yu2yQy19/lJUqH6UKeG1b6Ysiu1SgdBeHq0rSZ PBUaFhuGmAPcaWnrRn5cWHD7GrWzDlxJ8+Aoc9APaLF6PQqQ8bNtNAGD6zpWfqpIke5b 0rR6sEH8tQzyhCot1RhaMjD/LyeCt3m9kFhhl99gVb4CIK0O0VAJTkoFS1VXgJDeOnti ip3AVGKDwjrgimMDsNFQF29v22nRfNA7VhqtP7TPqDFLI57WTcbcofSzHlkcLXUp1jXG aduQ==
X-Gm-Message-State: AD7BkJI5cxELw+iOIR7BrRPbxBtrNCQrafHGKdRA3vjgsviceyjckh9HH41tDrgxNOUrbinnAw+yNMnV7eiY171/
X-Received: by 10.50.85.14 with SMTP id d14mr6820179igz.49.1457737909040; Fri, 11 Mar 2016 15:11:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.28.196 with HTTP; Fri, 11 Mar 2016 15:11:19 -0800 (PST)
In-Reply-To: <1CD23C2D-98EC-4FF9-AE43-F3D2453B3EB3@ve7jtb.com>
References: <56C5C9D5.6040703@gmx.net> <D5D8B85B-68E6-4E88-89F7-88E6851381E4@adm.umu.se> <CA+k3eCQOX6DgiJFp4b0A8R0boVQxVwGJP2-dY8_TbrCpJowOtw@mail.gmail.com> <56E19B6D.6060509@connect2id.com> <64D743EA-3F8D-403B-B05E-74539124A847@oracle.com> <CABzCy2D0P0NZW573g6NG3yYtbdVBifio=4hZi4QkYc3EKxOV5Q@mail.gmail.com> <BN3PR0301MB1234BFC8070FAC8CD5B3135FA6B50@BN3PR0301MB1234.namprd03.prod.outlook.com> <A3114947-499A-4B79-924E-D65E466B3466@ve7jtb.com> <091CB09C-1552-4777-ABF1-5E50DBC45437@oracle.com> <1CD23C2D-98EC-4FF9-AE43-F3D2453B3EB3@ve7jtb.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 11 Mar 2016 16:11:19 -0700
Message-ID: <CA+k3eCRnNP3MWCfCmSvE825aGLipk9VwoLaVn62jL2Mw-Q9pMQ@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: multipart/alternative; boundary="089e013c71003ec3b2052dce0e57"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/4kswMJ8qgDMA0UqKgGihabpFQEM>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2016 23:16:00 -0000

I tend to agree with John that addressing the concerns Phil raises should
be part of (extension to) the core protocol.  And that those kinds of
concerns don't manifest in the way OAuth is typically deployed now.

The hopefully soon to be named "OAuth 2.0 Authorization Server Metadata"
should keep it's scope to the publishing of authorization server metadata.
The act of doing discovery is beyond its scope and so is trying to prevent
a client from presenting a token to someplace it shouldn't.



On Fri, Mar 11, 2016 at 9:08 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> Inline
>
> On Mar 11, 2016, at 12:13 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
> wrote:
>
> John
>
> In many case all the AS has to check is the domain name component to check
> for mitm.
>
> POP and the other solns are dramatically more complex than a simple check.
>
>
> I was proposing ding that check at the authorization endpoint or token
> endpoint as part of AT issuance.
>
> It is up to the AS how much of the path to validate and or put in the aud
> or dst.
>
>
>
> I see it as part of the discovery(bad name aside) problem because we
> discussed that if a client finds app.example.com how do we ensure it gets
> a complete set of oauth endpoints as a valid set of endpoints--that a
> hacker has not inserted one of their own endpoints. The most important
> endpoint to get right is ensuring the resource server (and optionally the
> path) is the correct one. We can't really define resource discovery but we
> can validate it to some degree.
>
> I think it is part of core protocol security and should/must not require
> discovery.
>
> What is app.example.com ?
>
> If it is the resource then the client would be preconfigured for it’s AS
> out of band or optionally would do discovery on the issuer uri that you
> admit needs to be configured out of band some way (note discovery is
> optional)
>
> In the AS meta-data draft it would do a get on a well known file that
> would have configuration for the AS, but not the RS, though some API may
> optionally list a API endpoint like connect has.
>
> The client then makes a authorization request (after registering out of
> band or dynamically).
> As part of the authorization request for implicit it could provide the
> aud/dst that it wants the token for.
> If that is not sent then the aud/dst are implicit in the scopes.
>
> The client gets back a AT with a list of scopes granted, aud/dst allowed
> and time to live for the token (one extra thing returned)
>
> This doesn’t require any discovery (yes there is a optional AS meta-data
> discovery but not required)
>
> I prefer to fix the RS man in the middle issue as part of the protocol and
> not part of discovery that should remain optional.
>
> I honestly don’t quite know how the client learns about this bad RS and
> starts talking to it, so this may be a solution to a problem that doesn’t
> yet exist.   The one place this is posable is if the registration for the
> client is compromised.  However we are discussing other mitigations for
> that that also explicitly do not require discovery.
>
> John B.
>
>
> I am not stuck on webfinger or well-known. Because this is config maybe it
> should be an oauth endpoint.
>
> Phil
>
> On Mar 11, 2016, at 06:51, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I think Phil is proposing something different.   Should the client send a
> token from this AS to that RS.
>
> His goal is to prevent man in the middle attacks where a bad RS gets a AT
> that is audianced to/accepted by another RS.
>
> That is separate from the question of if a RS accepts tokens from a good
> AS.   A bad AS would always say yes.
>
> We need to be careful of what if anything the RS provides to the client as
> meta-data without validation.
>
> Currently the client can provide a list of scopes required to get access.
>   I personally feel it would be useful to also include in the
> unauthenticated error response an indication of what API the resource
> supports.  Say “scim2” as an example.   I don’t think adding that is
> however a high priority as most if all clients know what API they expect.
> It might be useful if at some point in the future if a client were to be
> given a RS URI it could check to see if it is a protocol that it supports
> before bothering with OAuth.    I expect that a lot of people will want
> that left to the API definition.   I think we can talk about it but rate
> this low priority.
>
> I agree that the RS giving out a list of AS that it trusts is a generally
> bad idea.  I hope that is not on the table.
>
> I don’t think that preventing a client from sending a token to the wrong
> RS is part of a AS meta-data discovery problem.
>
> I do however think that it is important.
>
> We have been discussing this as a separate problem to AS meta-data
> discovery where the endpoints of the AS and it’s configuration are
> discovery.   Sorry for perhaps stating the obvious, but the RS is
> explicitly not part of the AS in OAuth 2.   Starting in WAP that was a core
> principal.
>
> So we have a number of options to address the RS token leakage via MiTM
> attacks.
>
> 1) PoP bound tokens.  If they are bound to the TLS channel by mutual TLS
> or Token binding they cannot be replayed.  Signed messages where the
> signing covers the RS Host and path components,  also would work.
>
> 2) Have the AS audience restrict the resources the AT is good at. (AT
> should be doing that now)
> In the token response include the list of audience/s the token is
> presentable at.  The client would throw an error if the RS it intends to
> send the token to is not on the list.   The RS the token is good at might
> change based on scopes, client_id and resource owner.   This is the place
> where all of that comes together.   In some cases the RS and AS might not
> have a pre-established relationship.   The client should send the RS base
> URI to the AS as part of the request.  The AS can use that to audience
> restrict the AT and issue the AT or refuse to issue the AT based on policy.
> It can also use the audience in the request to down audience the AT if the
> default is to have multiple audiences.    We may want to use a term other
> than audience for this like resource or destination.  It is a audience but
> that term might confuse people with AT.
>
> We did talk about breaking audience out of POP key distribution, and Brian
> Campbell did a draft
> https://tools.ietf.org/html/draft-campbell-oauth-dst4jwt.
>
> To do this we could take dst4jwt and add another spec that adds a new dst
> parameter to the token and authorization endpoints requests That would be a
> space separated list of dst values.  and in the response from the token
> endpoint would be a JSON array of dst values.
>
> 3) Have the AS always return all the list of all RS the token can be used
> at (basically Nat's link relationship proposal).  It needs a way to handle
> down destinationing of AT and to allow for un-configured RS that it might
> issue a token for.  So could be combined with dst from 2.  Basically
> returning the acceptable destinations as link headers vs JS in the response
> is mostly a style issue that other people can bike shed.
>
>
> 4) Trying to add all the RS to the AS discovery document.  This seems
> impractical as there would be multiple protocols and doesn’t address
> un-configured RS.
>
> 5) Some new AS endpoint that the client could introspect the RS URI and
> get back metadata about if the client should send tokens there.
>     A couple of problems with this.  The first is that it would not
> support un-configured RS unless you add dst to the token and authorization
> endpoints.   The other is that the introspection endpoint doesn’t have the
> context of the RO and client_id unless you also pass the code/RT and
> client_id, and probably client credentials.    Basically this is trying to
> introspect the AT to determine the audiance/dst.   By the time you build a
> new introspection endpoint securely it is going to look like the token
> endpoint with a bit more meta data about the token beyond expiry and scopes.
>
>
> I think we should go a head with the renamed "OAuth 2.0 Authorization
> Server Discovery Metadata”
> I am also fine with making the default document 'openid-configuration’  as
> long as we allow for protocol specific variation so that SCIM2 could define
> a file name.    If people want we could do a API  to file name registry so
> that protocol specific ones can be defined.
>
> We are all-ready working on option 1 to secure AT, we need a spec like I
> propose in 2 for bearer tokens.  We can add one request parameter and a bit
> more token meta-data to the token response and that takes care of the
> problem.   Honestly we probably should have separated scope and destination
> in the first place and returned both dst and scope in the response all
> along, so this is update that is consistent with the eisting architecture
> of OAuth 2.
>
> Lets keep the two issues separate.
>
> John B.
>
>
>
>
> On Mar 11, 2016, at 12:07 AM, Anthony Nadalin <tonynad@microsoft.com>
> wrote:
>
> The relationship between AS and RS need to be scoped to “does this RS
> accept tokens from this AS” as a list is too much information that could be
> used in the wrong way
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org <oauth-bounces@ietf.org>] *On
> Behalf Of *Nat Sakimura
> *Sent:* Thursday, March 10, 2016 6:25 PM
> *To:* Phil Hunt (IDM) <phil.hunt@oracle.com>
> *Cc:* oauth <oauth@ietf.org>
> *Subject:* Re: [OAUTH-WG] Working Group Last Call on OAuth 2.0 Discovery
>
> Phil,
>
> Right. So what my conditional approvals (11 conditions in total) said was
> to drop the word "discovery" from everywhere. This is not a discovery spec.
> This is a configuration lookup spec as you correctly points out. So, I am
> with you here.
>
> Also, my 2nd conditiion is essentially saying to drop section 3.
>
> One thing that I overlooked and am with you is that we need to be able to
> express the AS-RS relationships. I have been preaching this in the other
> thread for so many times as you know so I thought I pointed it out, but
> missed apparently in my previous comment. So, I would add my 12th
> condition:
>
> 12. A way to express a list of valid RSs for this AS needs to be added to
> section 2.
>
> Best,
>
> Nat
>
> 2016-03-11 2:09 GMT+09:00 Phil Hunt (IDM) <phil.hunt@oracle.com>:
>
> I strongly oppose. 2 major issues.
>
> This is not service discovery this is configuration lookup. The client
> must have already discovered the oauth issuer uri and the resource uri.
>
> The objective was to provide a method to ensure the client has a valid set
> of endpoints to prevent mitm of endpoints like the token endpoint to the
> resource server.
>
> The draft does not address the issue of a client being given a bad
> endpoint for an rs. What we end up with is a promiscuous authz service
> giving out tokens to an unwitting client.
>
> Phil
>
>
> On Mar 10, 2016, at 08:06, Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
>
> +1 to move forward with these
> On 10/03/16 17:35, Brian Campbell wrote:
>
> +1
>
>
>
> On Thu, Mar 10, 2016 at 6:04 AM, Roland Hedberg <roland.hedberg@umu.se> <roland.hedberg@umu.se>
>
> wrote:
>
>
>
> I support this document being moved forward with these two changes:
>
>
>
> - change name to “OAuth 2.0 Authorization Server Discovery Metadata” as
>
> proposed by Brian and
>
> - use the URI path suffix ’oauth-authorization-server’ instead of
>
> ’openid-configuration’ as proposed by Justin.
>
>
>
> 18 feb 2016 kl. 14:40 skrev Hannes Tschofenig <hannes.tschofenig@gmx.net
>
> :
>
>
>
> Hi all,
>
>
>
> This is a Last Call for comments on the  OAuth 2.0 Discovery
>
> specification:
>
> https://tools.ietf.org/html/draft-ietf-oauth-discovery-01 <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-ietf-oauth-discovery-01&data=01%7c01%7ctonynad%40microsoft.com%7c116eae6bd1b2492d56a508d349545c72%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=w3%2biiaWon81LJCU%2b2mCPRmA%2brECBHgqyRr0OgqiWSHU%3d>
>
>
>
> Since this document was only adopted recently we are running this last
>
> call for **3 weeks**.
>
>
>
> Please have your comments in no later than March 10th.
>
>
>
> Ciao
>
> Hannes & Derek
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7c116eae6bd1b2492d56a508d349545c72%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=tNCikmXDBF7ubk%2b%2bzJiXwPB0LIzQXA%2fk%2bqR9m5WgA2k%3d>
>
> — Roland
>
>
>
> ”Everybody should be quiet near a little stream and listen."
>
> >From ’Open House for Butterflies’ by Ruth Krauss
>
>
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7c116eae6bd1b2492d56a508d349545c72%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=tNCikmXDBF7ubk%2b%2bzJiXwPB0LIzQXA%2fk%2bqR9m5WgA2k%3d>
>
>
>
>
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7c116eae6bd1b2492d56a508d349545c72%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=tNCikmXDBF7ubk%2b%2bzJiXwPB0LIzQXA%2fk%2bqR9m5WgA2k%3d>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7c116eae6bd1b2492d56a508d349545c72%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=tNCikmXDBF7ubk%2b%2bzJiXwPB0LIzQXA%2fk%2bqR9m5WgA2k%3d>
>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fnat.sakimura.org%2f&data=01%7c01%7ctonynad%40microsoft.com%7c116eae6bd1b2492d56a508d349545c72%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=6FVmdN7ad0YzoYKSNF%2fDO%2ffG2EF1haj5aOHiMid6UMI%3d>
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email