Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
Daniel Fett <fett@danielfett.de> Mon, 18 October 2021 06:49 UTC
Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C3F43A12AF for <oauth@ietfa.amsl.com>; Sun, 17 Oct 2021 23:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tbkfYeMIYVXj for <oauth@ietfa.amsl.com>; Sun, 17 Oct 2021 23:49:29 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 618833A1217 for <oauth@ietf.org>; Sun, 17 Oct 2021 23:49:28 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id B9F1017F00 for <oauth@ietf.org>; Mon, 18 Oct 2021 06:49:18 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1634539758; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=41za1qfrawr9bHz6uhVB174ys9ZD/SFDN1IUUkQX9Ow=; b=WelcylZ401t6LM5GLIhcvcz/R/SUcbJUPlblYxEkKMPZmQ2OZUQqAbcdAm7jioEBRlWOkw /Rm7SDHgOTBZ+5y9Wt4IsjaaaKOqrCMtseA+I5NMH8tU18kgSjTgDEyCTLFUzJwO3i9iWB NOXMOywKo3nZK8x9GqrllOsPyphSoeU=
To: oauth@ietf.org
References: <SJ0PR00MB1005DDD53BB9E1CB098632B1F5B99@SJ0PR00MB1005.namprd00.prod.outlook.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <6d73b543-eedf-0c87-8523-ff843355649f@danielfett.de>
Date: Mon, 18 Oct 2021 08:49:18 +0200
MIME-Version: 1.0
In-Reply-To: <SJ0PR00MB1005DDD53BB9E1CB098632B1F5B99@SJ0PR00MB1005.namprd00.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------B41ECAABFB153BAE75D2F7CC"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1634539758; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=41za1qfrawr9bHz6uhVB174ys9ZD/SFDN1IUUkQX9Ow=; b=MIbEFls/JuK77388Hklz1Ja3kK45lvrf+gmS9Hdb5Mhm+jolmDtghd7eOiYs+F2CuOGjlz ApfNy6lMzk6shzT/iZNUMCkEmBHL0sIx/xxmTqd5qTKzuuYNgab0W/+cZ1+wcxr9tBKmbd 0nSHSPTHO/jYYRbSyl9jQAmwIWOBglY=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1634539758; a=rsa-sha256; cv=none; b=I2k6nFg/b8zowRykeQLcvMv/EYwhG54GK6bvhXlgW9+mvPAmTU4TJVlVSVbNu6RBHDesPr B22W3oC7pDPb8kCVNSHaBPvszrWOO0j6k6AeVq5ChTn2kVNeEvjOELdGLL1PDAp9W+E24R hMt8clJGNjIpbwDc7yXX4c2+l0llqMc=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: --
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/75mTOuNy_chAoK3LdOfLQQIP-xE>
Subject: Re: [OAUTH-WG] Authorization code reuse and OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Oct 2021 06:49:43 -0000
Am 16.10.21 um 01:41 schrieb Mike Jones: > > As I see it, the retry in case of network failures should happen by > performing a new authorization request – not by trying to reuse an > authorization code – which is indistinguishable from an attack. > It only looks like an attack when the code has actually arrived at the token endpoint on the first try (which the client cannot know, of course). I think Annabelle's proposal of allowing reuse-on-error has its merits. The AS can still reject the code when it has seen the same code already, and the client can then fall back to starting a new authorization request. -Daniel > > > Let’s not use OAuth 2.1 as an opportunity to sanction behaviors that > we can’t distinguish from attacks. > > > > The prohibition on clients reusing an authorization code needs to remain. > > > > -- Mike > > > > *From:* Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org> > *Sent:* Friday, October 15, 2021 4:19 PM > *To:* Richard Backman, Annabelle <richanna@amazon.com> > *Cc:* Mike Jones <Michael.Jones@microsoft.com>; oauth@ietf.org > *Subject:* [EXTERNAL] Re: [OAUTH-WG] Authorization code reuse and > OAuth 2.1 > > > > I am a fan of this approach. It feels pretty empty to cast people out > of compliance just because they are handling a realistic circumstance, > such as network failures, that we know about beforehand. > > In addition, this gives us a chance to provide guidance on how to > handle the situation, instead of leaving AS implementers to their own > device. > > > > On Fri, Oct 15, 2021 at 11:32 AM Richard Backman, Annabelle > <richanna=40amazon.com@dmarc.ietf.org > <mailto:40amazon.com@dmarc.ietf.org>> wrote: > > The client MUST NOT use the authorization code more than once. > > > > This language makes it impossible to build a fault tolerant, spec > compliant client, as it prohibits retries. We could discuss > whether a retry really constitutes a separate "use", but > ultimately it doesn't matter; multiple presentations of the same > code look the same to the AS, whether they are the result of > retries, the client attempting to get multiple sets of tokens, or > an unauthorized party trying to replay the code. > > > > I think we can have a fault tolerant, replay-proof implementation, > but it takes some effort: > > > > 1. The AS can prevent the authorized client from using one code > to get a bunch of independent refresh and access token pairs > by either re-issuing the same token (effectively making the > token request idempotent) or invalidating previously issued > tokens for that code. (Almost but not quite > idempotent…idempotent-adjacent?) > 2. The AS can prevent unauthorized parties from replaying snooped > codes+PKCE by requiring stronger client authentication: > implement dynamic client registration and require a > replay-resistant client authentication method like > `jwt-bearer`. The AS can enforce one-time use of the client > credential token without breaking fault tolerance, as the > client can easily mint a new one for each retry to the token > endpoint. > > > > Yes, I know, this is way more complex than just a credential-less > public client doing PKCE. Perhaps we can have our cake and eat it > too with language like: > > > > The client MUST NOT use the authorization code more than once, > unless retrying a token request that failed for reasons beyond > the scope of this protocol. (e.g., network interruption, > server outage) Refer to [Fault Tolerant Replay Prevention] for > guidance. > > > > …where Fault Tolerant Replay Prevention is a subsection under > Security Considerations. I don't think this wording is quite > right, as the guidance is really going to be for the AS, not the > client, but hopefully it's enough to get the idea across. > > > > — > > Annabelle Backman (she/her) > > richanna@amazon.com <mailto:richanna@amazon.com> > > > > > -- https://danielfett.de
- [OAUTH-WG] Authorization code reuse and OAuth 2.1 Mike Jones
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Aaron Parecki
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Neil Madden
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Aaron Parecki
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Jeff Craig
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… David Waite
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Richard Backman, Annabelle
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Sascha Preibisch
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Sascha Preibisch
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Richard Backman, Annabelle
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Aaron Parecki
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Ash Narayanan
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Pieter Kasselman
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Daniel Fett
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Mike Jones
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Richard Backman, Annabelle
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Vittorio Bertocci
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Mike Jones
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Ash Narayanan
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Vittorio Bertocci
- Re: [OAUTH-WG] Authorization code reuse and OAuth… David Waite
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Neil Madden
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Warren Parad
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Filip Skokan
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Takahiko Kawasaki
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Daniel Fett
- Re: [OAUTH-WG] Authorization code reuse and OAuth… Daniel Fett
- Re: [OAUTH-WG] [EXTERNAL] Re: Authorization code … Warren Parad
- [OAUTH-WG] SUB and AUD configuration for web iden… Warren Parad
- Re: [OAUTH-WG] SUB and AUD configuration for web … Ash Narayanan