IETF Logo Mail Archive

Re: [OAUTH-WG] PAR and client metadata

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 15 April 2020 19:44 UTC

Return-Path: <prvs=36733172d=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D61F3A0897 for <oauth@ietfa.amsl.com>; Wed, 15 Apr 2020 12:44:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.766
X-Spam-Level:
X-Spam-Status: No, score=-9.766 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.168, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ps0DmO_BDlQn for <oauth@ietfa.amsl.com>; Wed, 15 Apr 2020 12:44:20 -0700 (PDT)
Received: from smtp-fw-6002.amazon.com (smtp-fw-6002.amazon.com [52.95.49.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B1533A0895 for <oauth@ietf.org>; Wed, 15 Apr 2020 12:44:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1586979861; x=1618515861; h=from:to:cc:date:message-id:mime-version:subject; bh=iIVyPEAIkjm4iH5UyNJTTVwLROj8WOnfvSk2j+tp0tU=; b=i8eWld164clyfqu21rrz++UpZi992RlT3JlG3DSgYU6fM1AdG5o/m5sG eC4VX5a1aUVgIfFN46OpZIFDwaysV0DapOpWZlp6hqxwH2ENotYQtUFCf 0xag6oMdPyAPOO3D1pHAU1kZsRNMTDhonik4laUWTr0J7YcIiIu2gwecK M=;
IronPort-SDR: JxJBFZH9wn3DX3sc7T+/+HnKHvuyWNbuk07hHqWL2mqTeLNl9yWF+l/NPZTNoj/7JbqNyD62Ua JRk0K3OIR1mg==
X-IronPort-AV: E=Sophos; i="5.72,388,1580774400"; d="scan'208,217"; a="25641920"
Thread-Topic: [OAUTH-WG] PAR and client metadata
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-1e-17c49630.us-east-1.amazon.com) ([10.43.8.6]) by smtp-border-fw-out-6002.iad6.amazon.com with ESMTP; 15 Apr 2020 19:43:49 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan3.iad.amazon.com [10.40.159.166]) by email-inbound-relay-1e-17c49630.us-east-1.amazon.com (Postfix) with ESMTPS id 6DC99A2043; Wed, 15 Apr 2020 19:43:46 +0000 (UTC)
Received: from EX13D11UWC003.ant.amazon.com (10.43.162.162) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 15 Apr 2020 19:43:45 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC003.ant.amazon.com (10.43.162.162) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 15 Apr 2020 19:43:45 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1497.006; Wed, 15 Apr 2020 19:43:44 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
Thread-Index: AQHWE14smwhXrB6IvU2ReCcw9fGtqw==
Date: Wed, 15 Apr 2020 19:43:44 +0000
Message-ID: <760B73F1-F31C-4474-8871-28EEBCF45D44@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_760B73F1F31C4474887128EEBCF45D44amazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6KFHpsycQDGl66Si1OfbRaz17go>
Subject: Re: [OAUTH-WG] PAR and client metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2020 19:44:23 -0000

As I think through this, I’m struggling to identify the threats this actually helps mitigate.

A client metadata parameter implies that the value may be different for different clients, and that any given client won’t already know via other means whether or not it needs to use PAR. That means we’re only talking about dynamic clients since statically registered clients already have some proprietary out-of-band registration mechanism (e.g., a developer console).

A client metadata parameter also implies that the AS allows some clients to make non-PAR requests (otherwise it would be an AS metadata parameter). If that’s the case then presumably a malicious party could register their own client that doesn’t use PAR.

So it seems to me that the only scenario that this parameter would protect against is a malicious party impersonating a dynamically registered client that uses PAR. That wouldn’t apply to Mix-Up, since in that attack the attacker uses its own client.

If a client can do PAR, then it can do authorization code grant and PKCE, so we’re further limited to scenarios where the attacker does not need to be able to redeem the authorization code themselves. What threats fall into this category?

—
Annabelle Backman (she/her)
AWS Identity

On Apr 14, 2020, at 2:44 PM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:



CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.


I was hoping to get to a rough consensus in support of the idea before coming up with a name that everyone will hate :)

In the meantime, however, name suggestions are of course welcome.


On Tue, Apr 14, 2020 at 2:22 PM Vladimir Dzhuvinov <vladimir@connect2id.com<mailto:vladimir@connect2id.com>> wrote:

I'm all for that.

I suppose you have already thought of a suitable name? :)

Vladimir

On 14/04/2020 23:08, Brian Campbell wrote:
Using PAR can facilitate improved security by giving clients a (relatively) simple means for sending a confidential, integrity protected, and (for confidential clients anyway) authenticated authorization request.

It seems like some of that improved security could be undermined by a malicious actor somehow getting a user to navigate to a URL of a regular old parameterized authorization request. One variation of the Mix-Up Attack does this https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.4.1<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-15#section-4.4..1> for example and email, social media, online forums, etc., are other ways a user might be tricked into following a maliciously crafted link.

Following from that it seems logical that an authorization server might want to restrict some clients from sending a regular parameterized authorization request and instead require use of the PAR endpoint to initiate an authorization request. Something like this could, of course, be implemented as custom policy or configuration in any AS. But I'm thinking it might be common enough to warrant adding a client metadata parameter to the PAR draft specifically for it. The metadata (and registered extensions) defined by Dynamic Client Registration [RFC7591] has come to imply a general data model and expected associated behaviors for clients that is useful for authorization server implementations, even when the Dynamic Client Registration Protocol isn't directly in play. This particular situation seems like a good potential candidate for a new such client metadata parameter that would indicate that the given client can only use a request_uri value obtained from the PAR endpoint to initiate an authorization request. And that a regular old fashioned authorization request from the given client would result in an error.

Do the folks of this fine WG think something like this would be a worthwhile addition to the PAR draft?





CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email