Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)

Ash Narayanan <ashvinnarayanan@gmail.com> Thu, 02 September 2021 06:52 UTC

References: <20210822091434.93EFCF40723@rfc-editor.org> <80CE09CD-E462-4CB6-B4CC-EF4A7BE9F854@mit.edu> <CAEayHEP1Jg-WPo-4B5k5JVA_zDOL7m1tWq9q2yWSS_deRcP6Fw@mail.gmail.com> <CAFvbn=Zsh87pxNr_uXiOBOQ__ZJrqGPrkyOJbY5h1WLGzkemqA@mail.gmail.com> <CAJot-L0svK5tQ=ExTOYDybX-8zLC4omjKc6ggFcO8wUExA-5og@mail.gmail.com>
In-Reply-To: <CAJot-L0svK5tQ=ExTOYDybX-8zLC4omjKc6ggFcO8wUExA-5og@mail.gmail.com>
From: Ash Narayanan <ashvinnarayanan@gmail.com>
Date: Thu, 02 Sep 2021 16:52:22 +1000
Message-ID: <CAFvbn=ZC5Ufgh6gbEKd8ai91yc8Z2OJr3tx+u1GOx9qBy=znuA@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: IETF oauth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5WvdoO8qK7gxcEUAqkuIadA-TkE>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)

Hi Warren,

If you are referring to the client_id as arbitrary information, then the
same would also be true for refresh requests to the token endpoint from
public clients.  As per 6749, you need to pass the client_id along with the
refresh token. The client_id adds no additional security.

But really, the whole point I've been trying to make from the start is that
the token itself should be the only form of 'security' needed...as that's
the point of OAuth.

Regardless, 7009 needs to be made obsolete by a newer RFC.

Ash

On Thu, Sep 2, 2021 at 4:41 PM Warren Parad <wparad@rhosys.ch> wrote:

> What's the point in passing arbitrary other information that is already
> known by the AS and does not provide the level of security necessary to
> prevent abuse of the revocation endpoint?
>
> On Thu, Sep 2, 2021, 01:12 Ash Narayanan <ashvinnarayanan@gmail.com>
> wrote:
>
>> Hi Thomas,
>>
>> The approach you've suggested sounds good. Passing just the client_id
>> along with the token and type (regardless of client type) would be
>> consistent with how refresh_token requests are structured. As long as the
>> new RFC obsoletes this one.
>>
>> Ash
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
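The thread above argues about what the client_id parameter buys on the RFC 7009 revocation endpoint for public clients. The following is an added illustration, not code from the thread or from any of its participants: a toy in-memory authorization server that applies the RFC 7009 section 2.1 rule (authenticate confidential clients, then verify the token was issued to the requesting client) with the same caller-identification helper a token endpoint refresh request would use, which is the parallel Ash draws. Assumptions: the client and token classes, the in-memory store, and the choice of "unauthorized_client" as the error returned when a token belongs to another client (the RFC only says the request is refused); the token_type_hint is ignored because lookup is by token value, which RFC 7009 permits.

```python
"""Toy RFC 7009 revocation endpoint: the token-to-client binding check.

Assumed model (not from the thread): an in-memory authorization server
with confidential and public clients. Request parameters (token,
token_type_hint, client_id) follow RFC 7009 section 2.1. The error code
for a token owned by another client is this example's own choice.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import hmac
import secrets


@dataclass
class Client:
    client_id: str
    confidential: bool
    secret: Optional[str] = None  # only confidential clients hold a secret


@dataclass
class Token:
    value: str
    kind: str       # "access_token" or "refresh_token"
    client_id: str  # the client the token was issued to
    grant_id: str   # tokens minted from one authorization grant share this
    revoked: bool = False


Response = Tuple[int, dict]


class AuthorizationServer:
    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.tokens: Dict[str, Token] = {}

    def register(self, client: Client) -> None:
        self.clients[client.client_id] = client

    def issue(self, client_id: str) -> Tuple[Token, Token]:
        """Mint an access/refresh token pair bound to one grant and one client."""
        grant_id = secrets.token_hex(8)
        access = Token(secrets.token_urlsafe(24), "access_token", client_id, grant_id)
        refresh = Token(secrets.token_urlsafe(24), "refresh_token", client_id, grant_id)
        self.tokens[access.value] = access
        self.tokens[refresh.value] = refresh
        return access, refresh

    def client_for_request(self, params: dict,
                           credentials: Optional[Tuple[str, str]]) -> Optional[Client]:
        """Identify the caller. The same rule serves the token endpoint
        (refresh_token grant) and the revocation endpoint: confidential
        clients authenticate with their credentials; public clients only
        identify themselves via the client_id parameter. None on failure."""
        if credentials is not None:
            client_id, secret = credentials
            client = self.clients.get(client_id)
            if client is None or not client.confidential or client.secret is None:
                return None
            if not hmac.compare_digest(client.secret, secret):
                return None
            return client
        client = self.clients.get(params.get("client_id", ""))
        if client is None or client.confidential:
            return None  # a confidential client must authenticate, not just name itself
        return client

    def revoke(self, params: dict,
               credentials: Optional[Tuple[str, str]] = None) -> Response:
        client = self.client_for_request(params, credentials)
        if client is None:
            return 401, {"error": "invalid_client"}
        value = params.get("token")
        if not value:
            return 400, {"error": "invalid_request"}
        # token_type_hint is only an optimisation hint (RFC 7009 s2.1); this
        # store is keyed by token value, so the hint is not needed here.
        token = self.tokens.get(value)
        if token is None:
            # RFC 7009 s2.2: an unknown token is still answered with 200.
            return 200, {}
        if token.client_id != client.client_id:
            # RFC 7009 s2.1: the token was issued to another client; refuse.
            # "unauthorized_client" is this example's assumed error code.
            return 400, {"error": "unauthorized_client"}
        token.revoked = True
        if token.kind == "refresh_token":
            # RFC 7009 s2.1: revoking a refresh token SHOULD also invalidate
            # the access tokens that came from the same grant.
            for other in self.tokens.values():
                if other.grant_id == token.grant_id:
                    other.revoked = True
        return 200, {}
```

The binding check is what stops one public client from revoking another client's tokens with nothing but a leaked token value plus its own client_id; whether that is worth anything when a public client's client_id is itself not a secret is exactly the question the thread is debating. One caveat the model makes visible: refusing a mismatched token with an error tells the caller the token exists, whereas an unknown token gets a 200, so an implementation that wants to avoid that oracle would answer both cases identically.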