Re: [OAUTH-WG] Client assertions to endpoints other than the token endpoint
George Fletcher <gffletch@aol.com> Fri, 31 May 2019 18:47 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1981112035F for <oauth@ietfa.amsl.com>; Fri, 31 May 2019 11:47:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u9Yv7lXPjwO7 for <oauth@ietfa.amsl.com>; Fri, 31 May 2019 11:47:25 -0700 (PDT)
Received: from sonic315-13.consmr.mail.bf2.yahoo.com (sonic315-13.consmr.mail.bf2.yahoo.com [74.6.134.123]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7F55120319 for <oauth@ietf.org>; Fri, 31 May 2019 11:47:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1559328444; bh=XMxV7xgl1LvvMVtdum22+NpNfIXWzS0nF2YNxE3ooEY=; h=Subject:To:References:From:Date:In-Reply-To:From:Subject; b=liRxSFyiojY+6rVPqIl93GjkPVXbHsppno5CqjyH1ynSIK+1XUawynWRgxrhLeHTy/kUKxRaYksLigY5WXsVAptlJBN3hj05RwF+LBxoO6oyhcL3TqMnd6un6+OUGX2x7aijp7Ub3OInRu/6W9tURhnewBEXCmaWqRQyepKXH9NN2r+++V91SXN/hk8W2V0POXNklzc9a+ElvBC21rR46Y9+Cih48lfq27OKToIug0m5FhT8QvPctf/akU+3ebU5w6ywcv7p71cebV9R0D583m5b4IJuSIQENFgLMHxtyfho2AOXHwvmdtxpEk5s4DjLixZtZVOL/ZZkVrfc35ZY9g==
X-YMail-OSG: KK4hqYsVM1kDrkachcD84vDbmL6Vj2m1p1srqUZPSEWxLHFJdLJEYA7Dt5PUlbt zPWQXoPqxgGZsblY4cVsGEmuhiiU4TK3mE6mNuPpIkaZ6ksPxk6nVdiaeRIT0FHUscvkOXpCv6K7 ISvAc1t2JQYNFji8LPVDCDxMOkPKbHkqiaf494_1Y5PnojGC9_jfuTrpNfZdQ5P6KPJt2.nGoWDy X7nySvF0pEFrb9.LX90GCHflutqoMPT0Bj01TW.CYleHD..cCkvSWUcVqrJTWyUlTC54kWfOGVQm bhklgE7dJ.n234oC9bJG77KxPfJfT2qoEPvUSf._qOIJFdiYD3QhvO51_8nfgDCzc_PgVBQVjoom 7xAoe8r8qIQ4i0WGeek7MRcXD6fuO91fvnUCuyKTs4cpqf7tc1ZSPOXKoZAj8B6uBmwgRXYUys0q ZUBzXswMVXjgMd5IC8QQwLC9_aspPLiQvDMzD5tJgpYfmIOERA0rjzbG7vzjmPAo7Tku1YB7fK0i kN58EBDoQNx7XaoNmvYHFr00Mo3H6BnJXRshk0b2RGQUaAJR01zufiJwBcnQSNvumU2Wioh1exNo 1Z88L6RkHKHE4dT05XEXkECt.1rglC7mcRuR1yWGojFCQ5DeA589DxFmwJwBnFSItQNOhizlKs_Y .jqenmWcAidpuqapJNF4co5gksZaMhDNmO6zqAzghaJGYw5Q1EVgoJqwZq7za3d5_xrKnpLMfRoi SH.AyOqTlqtgpBVKnCsoYJMMBAfvJZekrnbVGnDmj74n3H_l28GPgOhHZM6i7x33sgqisnJcGzZV kdTfuG4mPkbtq42MqlJBctj698FA4u5EdMzkwM5pLE6uiiPFKhv.j0FHBJ99Va9fmeIb9JEAq.jF PMLknHhPu.lV9DVEs0I_NPjcLU6Nqeon65pV42ueTAp42mtWzCFJvPgu76GYgaq4FWJ48qPi_cwf bDYwQDCqImOz4nfd_mvqrORMy2GBTiRthINogTJdLDcp7IBBvc1EiSebIRMLCnrJz7LvPBtbMdbL MFDgJc2M.M8JPNcYiSoCZRHk1cF_XsBpFIuT9QvAzw5TiPhuNGVW2o8ljdo2VqYxxG_iwOKypdiZ C.JjcZHvzzq1JB0CMNGm.nb0bXqkxfiOFzzf3VOM5Q86gL7Kom58jEO0lTWPcuwATWrR2.p3v4BL s7JYLCVCh.L2XaSEVvtrsPj8MeA8tpujssDhkXz4DGesAHyS0nc7.Buqkkw--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic315.consmr.mail.bf2.yahoo.com with HTTP; Fri, 31 May 2019 18:47:24 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp410.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 2d02ef1f147b4cc69698da797da5cf89; Fri, 31 May 2019 18:47:21 +0000 (UTC)
To: Dave Tonge <dave.tonge@momentumft.co.uk>, oauth <oauth@ietf.org>
References: <CAP-T6TRfq1Bo5L3MoNKKTLQ+M9aTSb-z0-j=y0GaXabEW+s6Lg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <fdc06fa2-19ee-0cd6-9968-c7ece4aa5c30@aol.com>
Date: Fri, 31 May 2019 14:47:20 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <CAP-T6TRfq1Bo5L3MoNKKTLQ+M9aTSb-z0-j=y0GaXabEW+s6Lg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------F1A984C16153F7F2B07927A3"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6o_54ypL8tyypmyPflmNwK1WFvU>
Subject: Re: [OAUTH-WG] Client assertions to endpoints other than the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 18:47:28 -0000
So if by "other endpoints" we mean "other endpoints at the AS" then I think issuer makes a lot of sense and could be recommended value. However, if the client assertion is being sent to an endpoint not managed by the AS, then it should use a value that identifies that "audience". In this case, something more akin to the "resource identifier" of the endpoint is probably best. Abeit, that is still a very fuzzy definition :) On 5/28/19 11:28 AM, Dave Tonge wrote: > Dear OAuth WG > > We have an issue that we are discussing in the OIDF MODRNA work group > relating to the Client Initiated Back Authentication spec (which is an > OAuth 2 extension). As the issue affects the wider OAuth ecosystem we > wanted to post it here and gain feedback from the OAuth Working Group. > > Full details of the issue are here: > https://bitbucket.org/openid/mobile/issues/155/aud-to-use-in-client_assertion-passed-to??(including > a helpful context setting by Brian), but the summary is: > > *What audience value should a Client use when using a client assertion > (RFC7521) to authenticate at an endpoint other than the token endpoint?* > * > * > The three options we have are: > 1. the token endpoint (as RFC7521 says) > 2. the endpoint the assertion is being sent to (e.g. revocation, > backchannel) > 3. the issuer > > We are leaning towards requiring the Authorization Server to accept > any of the above values, but recommending that the Client use the > issuer value. > > The reasons for this are: > 1. All of the above values are arguably valid, so in the interest of > interoperability the AS should accept them all. > 2. We see no clear security benefit to requiring the audience to be > the value of the endpoint the assertion is being sent to, and > therefore think that the issuer value is the one we should recommend > that clients use. > > We would be grateful for your feedback on this issue and believe it > would be in the best interest of the ecosystem for there to be a > consistent approach to this across OAuth 2 extensions and profiles. > > Thanks > > Dave Tonge > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Client assertions to endpoints other t… Dave Tonge
- Re: [OAUTH-WG] Client assertions to endpoints oth… George Fletcher
- Re: [OAUTH-WG] Client assertions to endpoints oth… Brian Campbell