Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments

Nov Matake <matake@gmail.com> Sun, 07 June 2020 12:42 UTC

Return-Path: <matake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 202BF3A07B6 for <oauth@ietfa.amsl.com>; Sun, 7 Jun 2020 05:42:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jcRFnq0iJBOU for <oauth@ietfa.amsl.com>; Sun, 7 Jun 2020 05:42:10 -0700 (PDT)
Received: from mail-pg1-x52d.google.com (mail-pg1-x52d.google.com [IPv6:2607:f8b0:4864:20::52d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BE933A07B3 for <oauth@ietf.org>; Sun, 7 Jun 2020 05:42:10 -0700 (PDT)
Received: by mail-pg1-x52d.google.com with SMTP id p21so7425050pgm.13 for <oauth@ietf.org>; Sun, 07 Jun 2020 05:42:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=syRb+//no42A0FwLT/HIjt3Ao6AJXF51/yrCwit79ms=; b=Lo/v9Yj1FJSlOdFpaxhQUXadJihbY7GpzSQZUNK87HjZ+V2EbUmHGp2881PPqpA/wh zQ3MQUiPQisNhRmeGZteJrjvNKckKivowFzMfjNgeKNctFpTtAVBKJJs8L55b52VSl8d rPa/vxNiTzqzswIaIPm5414NosEXCfp7QVudLTjGxSkjOTmWYCzfkA2QMIhzRoYzRN2F RQFK6txj0p5IhE8HI4qNNSER33C6ZWr4dAt+nnXqUY3iKAFv2bSAgTr8VJRfgmp69V3/ O0Q6CJDmCUey+a2Z50QCLjymdCch7Y1STzHP3bcd0M5LqRfpkwj9jqYCXxtp1zDNfQnV owLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=syRb+//no42A0FwLT/HIjt3Ao6AJXF51/yrCwit79ms=; b=r5w+19MgG3w1qK+jdZocoJlx5fN8zhd99a762QwoFhKvxNq+dj8FogReQONWd3Rtw8 f11eqqswBdaIHbqD/Qof+BMNRjkDFpHDuOeBmACz14PS0rIV4Ni2RJhh3hKh8In7tyoY 3CAUpAdsnJ3Y5LOB6OobOi9NdfRLRFfSRLX3uUJdS1X2JMnjIcVCGeWvsBBNJGKSxaAC EQEt4s2qe2dQEID/tLZlFpH8eLlSz1GrGyBlEJZk8ThuFE9gxjvDwu3ERg6o92+/deG6 5+3GrHT3QgWSXS3l7JcnDXD4HEwCjDNx6aXiZK52GMNx0pEh3aOW963LxeJEOAxFO0jD KYOQ==
X-Gm-Message-State: AOAM530N6lzg+8UIPraVR0a/eLANAMMfcXUtMI72ZDSH4535Sdq60wiK tYdgivrV8sOY0AMxZ5yWg04=
X-Google-Smtp-Source: ABdhPJyjow+oacfz4kes9UhSvK1NWbyHkhELXyXgWEpeTjBFsTa1uhvhIYh/1Bb1921j8ttEbGLVLA==
X-Received: by 2002:a63:5761:: with SMTP id h33mr16102452pgm.175.1591533728958; Sun, 07 Jun 2020 05:42:08 -0700 (PDT)
Received: from [172.16.80.79] (122x210x153x65.ap122.ftth.ucom.ne.jp. [122.210.153.65]) by smtp.gmail.com with ESMTPSA id p30sm3575356pgn.58.2020.06.07.05.42.07 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 07 Jun 2020 05:42:08 -0700 (PDT)
From: Nov Matake <matake@gmail.com>
Message-Id: <BB604649-B01B-460B-B312-126600CD69DE@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_100D096B-2E76-48A6-9BE5-345DB5B1F654"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Sun, 7 Jun 2020 21:42:05 +0900
In-Reply-To: <AC87697A-07BC-43E6-82C3-73892A7C505D@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
To: Neil Madden <neil.madden@forgerock.com>
References: <375FA230-5700-42A5-B933-2A37D296BCDF@forgerock.com> <AC87697A-07BC-43E6-82C3-73892A7C505D@gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5rrayXnNBVc_er25cS0JuYdzaq4>
Subject: Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jun 2020 12:42:13 -0000

* sender-constrained code, bearer access token and sender-constrained refresh token, use DynReg or "PKCE + DPoP allowing access token remaining bearer".
* sender-constrained code, sender-constrained access token and sender-constrained refresh token, use "DynReg + DPoP" or "PKCE + DPoP".
* bearer code, sender-constrained access token and sender-constrained refresh token, use DPoP only.
* sender-constrained code, bearer access token and bearer refresh token, use PKCE only.
* bearer code, bearer access token and bearer refresh token, use none of them.

> 2020/06/07 21:36、Nov Matake <matake@gmail.com>のメールt;のメール:
> 
> Yeah, both PKCE and Client Credential provide sender-constrained code...
> lots of choices
> 
> Sent from my iPhone
> 
>> On Jun 7, 2020, at 21:26, Neil Madden <neil.madden@forgerock.com> wrote:
>> 
>> 
>> Answers inline: 
>> 
>>> On 7 Jun 2020, at 13:07, Nov Matake <matake@gmail.com> wrote:
>>> 
>>> So, you mean…
>>> 
>>> If a frontend client want to use
>>> * sender-constrained code, bearer access token and sender-constrained refresh token, use DynReg.
>> 
>> I’m not really sure what a sender-constrained code would be, but I suspect the right answer here is PKCE + DPoP. PKCE basically is PoP for auth codes. 
>> 
>>> * sender-constrained code, sender-constrained access token and sender-constrained refresh token, use DynReg + DPoP.
>> 
>> PKCE + DPoP
>> 
>>> * bearer code, sender-constrained access token and sender-constrained refresh token, use DPoP only.
>> 
>> Sure, but you should always use PKCE, so PKCE + DPoP. 
>> 
>>> * bearer code, bearer access token and bearer refresh token, use neither.
>>> 
>>> is my understanding correct??
>> 
>> Just use PKCE + DPoP. (Or a different PoP mechanism, eg mTLS cert-bound tokens, or etc). 
>> 
>>> 
>>>> 2020/06/07 20:49、Neil Madden <neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>>のメール:
>>>> 
>>>> There are multiple issues with using dynamic client registration for this. If a user uninstalls and later reinstalls an app then they can end up with multiple registrations for the same client, which makes it harder for them to manage access. Additionally, client registrations typically don’t expire so the AS doesn’t know when it can remove unused clients.
>>>> 
>>>> Besides, this ship already sailed with mTLS cert-bound refresh tokens. 
>>>> 
>>>> Neil
>>>> 
>>>>> On 7 Jun 2020, at 12:34, Nov Matake <matake@gmail.com <mailto:matake@gmail.com>> wrote:
>>>>> 
>>>>> Confidential clients can also use DPoP.
>>>>> 
>>>>>> 2020/06/07 20:25、Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>>のメール:
>>>>>> 
>>>>>> If the client would register for every transaction.
>>>>>> 
>>>>>> And don’t forget, DPoP also supports sender constrained access to resource servers, which dyn registration does not.
>>>>>> 
>>>>>>> Am 07.06.2020 um 13:04 schrieb Nov Matake <matake@gmail.com <mailto:matake@gmail.com>>:
>>>>>>> 
>>>>>>> Since each client instance has at least one key, those are same level of state management.
>>>>>>> 
>>>>>>>> 2020/06/07 16:24、Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>>のメール:
>>>>>>>> 
>>>>>>>> There are similarities in this particular use case but I would argue DPoP is more light weight than dynamic client registration, less state management in particular.
>>>>>>>> 
>>>>>>>>> Am 07.06.2020 um 05:41 schrieb Nov Matake <matake@gmail.com <mailto:matake@gmail.com>>:
>>>>>>>>> 
>>>>>>>>> DPoP-bound refresh token seems feature duplication with dynamic client registration.
>>>>>>>>> 
>>>>>>>>>> 2020/06/07 7:57、Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org <mailto:fpo=40adorsys.de@dmarc.ietf.org>>のメール:
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> > Am 05.06.2020 um 22:17 schrieb George Fletcher <gffletch=40aol.com <http://40aol.com/>@dmarc..ietf.org <http://ietf.org/>>:
>>>>>>>>>> > 
>>>>>>>>>> > Secondly, I do think we need a way to allow for the refresh_token to be bound while leaving the access_tokens as bearer tokens. This adds useful security without impacting existing RS deployments.
>>>>>>>>>> 
>>>>>>>>>> +1 that’s a very useful feature_______________________________________________
>>>>>>>>>> AFAIK a refresh_token is always bound. What am I missing here?
>>>>>>>>>> -- 
>>>>>>>>>> Francis Pouatcha
>>>>>>>>>> Co-Founder and Technical Lead at adorys
>>>>>>>>>> https://adorsys-platform.de/solutions/ <https://adorsys-platform.de/solutions/>_______________________________________________
>>>>>>>>>> OAuth mailing list
>>>>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>