Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23
Daniel Fett <mail@danielfett.de> Wed, 03 January 2024 16:48 UTC
Return-Path: <mail@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08840C31A638 for <oauth@ietfa.amsl.com>; Wed, 3 Jan 2024 08:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmiROK3gECs5 for <oauth@ietfa.amsl.com>; Wed, 3 Jan 2024 08:48:19 -0800 (PST)
Received: from mout-p-103.mailbox.org (mout-p-103.mailbox.org [IPv6:2001:67c:2050:0:465::103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CF78C31A636 for <oauth@ietf.org>; Wed, 3 Jan 2024 08:48:18 -0800 (PST)
Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4T4wdT2zfcz9skt for <oauth@ietf.org>; Wed, 3 Jan 2024 17:48:13 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1704300493; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=TwuzPu/Pv/ipoWAirbqgU4XtkCdG2XAPYe/7ObLcbhQ=; b=zDXCnYZl+XHhxuOdPIxHZwtee2OF+MjYlnran8vNKgADVE+xT0rPlbIN3M6B0ygrhGBnWy ZmMIE37Z09F441I+hvEawS0YvHrxF6iPbupjvKyZU8LbzfHcafnkYrZ8RF8HG3sJy7wgpI ULqltcvFat7MZqVxgdHN7ZAKgikILwn0oQ+USA6HjgQG0d8k8JZ5VCva+l/wpXT60pIE+G /MQIHOxodd+wBfVmzv5JxXnHZGlf4SXOm0v8KwnAhZJYGxo5w5GKidVwVoUXaEJC6TtWr6 pPKznf8iU/9/zQijuC2oXgeuAcP/nbpKcw3sXGwp3Yj4l090vLL45t2KQqFfqg==
Content-Type: multipart/alternative; boundary="------------cFJon0Duy25Ton0tvPiTGymx"
Message-ID: <e6ea482f-2984-4aca-92c7-479836064dd3@danielfett.de>
Date: Wed, 03 Jan 2024 17:48:12 +0100
MIME-Version: 1.0
Content-Language: de-DE
To: oauth@ietf.org
References: <AS8PR10MB74277A2DAC89D987531F7F74EECBA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <6bdfa6d8-594c-40b2-a5ed-4a8ca9943929@danielfett.de> <BE1P281MB20977CD398EB9C1C4A18150EED61A@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <60861607-c450-4b62-8155-f9012a6565f2@danielfett.de> <BE1P281MB2097707E4E61A1DCF7A03500ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM>
From: Daniel Fett <mail@danielfett.de>
Autocrypt: addr=mail@danielfett.de; keydata= xjMEZVtP1hYJKwYBBAHaRw8BAQdAnfQRnVGKVUpdbc4qBhwIfryncOMAa1XjIFTAysHFgmXN IERhbmllbCBGZXR0IDxtYWlsQGRhbmllbGZldHQuZGU+wo8EExYIADcWIQTZQBZqxnGfR0Z5 iv7gQ6HKpmkhyAUCZVtP1gUJBaOagAIbAwQLCQgHBRUICQoLBRYCAwEAAAoJEOBDocqmaSHI NzcA/iNXFgwxZqvdaCDTRNib4iq82zFwXl3KwKYgL06xityzAQDIe7hIw6KnGaztTZsRXSvi +9srzbMJdDqVtC1n4A+YCs44BGVbT9cSCisGAQQBl1UBBQEBB0AwPb4iR2rn5k5DT4vAbYNK Oe4CMgQnwWexMYZFlAL0MwMBCAfCfgQYFggAJhYhBNlAFmrGcZ9HRnmK/uBDocqmaSHIBQJl W0/XBQkFo5qAAhsMAAoJEOBDocqmaSHI0Z8A/jd8Id2bvz6/D71d6HPvXZ+2z2BXzOd7MemE 9hHN+y6kAP44pe/GY97tvIZQa8aSinFJzDfbIVph6cUDlnPiwLjJDg==
In-Reply-To: <BE1P281MB2097707E4E61A1DCF7A03500ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8Aieil2_Pu5RHFSG7F7zYFqzD8g>
Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jan 2024 16:48:25 -0000
Hi Axel, It is to be expected that not all AS will immediately upgrade to adhere to the security BCP after its release. So a client who wants to use PKCE may encounter AS that don't support it. See also the discussion in https://mailarchive.ietf.org/arch/msg/oauth/ZiwEfenZZlboikXxBLes5ebPmBw/ -Daniel Am 03.01.24 um 17:39 schrieb Axel.Nennker@telekom.de: > > Hi Daniel, > > there is also this sentence in this section > https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#name-authorization-code-grant > in a paragraph on it own. > > "Authorization servers MUST support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > Why must a client "ensure" that the AS supports PKCE if the security > best practices say the AS MUST support PKCE? > > //Axel > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Daniel Fett > <mail=40danielfett.de@dmarc.ietf.org> > *Date: *Wednesday, 3. January 2024 at 14:01 > *To: *oauth@ietf.org <oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Axel, > > I would be happy to see OAuth move away from state as a CSRF > protection mechanism in the future, but there is not too much to be > gained from relying solely on PKCE right now. The main advantage is > that relying on PKCE incentivizes clients to properly manage the > session state in a cookie instead of relying on a parameter. Beyond > that, there's a small reduction in effort required by the client, > messages will be smaller messages, etc.. The disadvantage is that a > client puts CSRF protection in the hands of the AS. Therefore, we > chose the wording "ensure" to say that the client has be sure that the > AS actually implements PKCE correctly before relying on it. What that > means in the concrete instance is up to the client. > > Likewise, to your second point, I do not see enough of an advantage to > RECOMMEND relying solely on PKCE for CSRF protection. > > The main intention here is to open the door to rely on PKCE, e.g., in > closed ecosystems, ecosystems with in-depth conformance testing, > first-party applications and similar. This also helps to avoid a lot > of convoluted language telling client developers how to properly > choose, track, and check state values in profiles such as FAPI (and > the pitfalls when interpreting that language). > > -Daniel > > Am 02.01.24 um 10:31 schrieb Axel.Nennker@telekom.de: > > Hi, > > sorry for being late in the game. > > I am not too happy with this section: > > "Clients that have ensured that the authorization server supports > Proof Key for Code Exchange (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]) > MAY rely on the CSRF protection provided by PKCE." > > 1. Maybe a minor point that is due to not being a native speaker, > but the verb "ensure" seems too strong. > If the AZ states in its metadata, that it supports PKCE than > this is "ensurance" enough, right? The client does not have to > "ensure" the support by actually testing compliance, right? > I suggest rephrasing that to "*If**the authorization server > **states in its meta-data support for**Proof Key for Code > Exchange* (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]) > the client MAY rely on the CSRF protection provided by PKCE." > 2. I suggest changing the "MAY" into a recommendation for all > OAuth2-based protocols. OIDC flows can easily support PKCE, > and new clients SHOULD use PKCE, I think. > Suggestion: > "If the authorization server states in its meta-data support > for Proof Key for Code Exchange (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]), > it is RECOMMENDED the client relies on the CSRF protection > provided by PKCE." > > Kind regards > > Axel > > *From: *OAuth <oauth-bounces@ietf.org> > <mailto:oauth-bounces@ietf.org> on behalf of Daniel Fett > <fett=40danielfett.de@dmarc.ietf.org> > <mailto:fett=40danielfett.de@dmarc.ietf.org> > *Date: *Thursday, 28. December 2023 at 14:38 > *To: *oauth@ietf.org <oauth@ietf.org> <mailto:oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Hannes, > > thanks again for your feedback! It is incorporated in the editor's > copy now. > > - > https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html > > - Diff to published version: > https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt > <https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt> > > I plan to publish the next version once we have resolved the > discussion points from Roman's AD review. > > -Daniel > > Am 04.10.23 um 15:41 schrieb Tschofenig, Hannes: > > Hi all, > > here are some comments as part of my shepherd review of the > OAuth Security BCP. > > First, I want to send a big "Thanks" to everyone in the group > for the work on this document and to the authors in > particular. It has taken us a while to come up with such an > impressive list of security recommendations for OAuth 2.0. > > At this point in time my review comments can only be minor > given the amount of feedback this documents has already received. > > Here are a few remarks. > > I believe we should indicate that the specification updates > other OAuth RFCs. The obvious documents it updates are RFC > 6749, RFC 6750 and RFC 6819. > > You can set these "updates" in the template you are using. > > In Section 1 you say: > > " > > It does not supplant the security advice given in > > [RFC6749], [RFC6750], and [RFC6819], but complements those > documents. > > " > > In the subsequent paragraph you state that you "depreciate > some modes of operation". > > I believe you are need to be clear about what you are doing in > relationship to these prior documents. It might also be useful > to say something about OAuth 2.1. > > Expand abbreviations on first use. Example: "AS" and "PKCE" in > Section 2.1. The AS abbreviation is only expanded later in > Section 3. Decide whether you want to use abbreviations or > not. You mix them throughout the document without no reasons. > > Listing the abbreviations in Section 1.2 may also be useful. > There are not that many abbreviations anyway. > > I have wording suggestions for this paragraph: > > FROM: > > " > > Authorization servers SHOULD use client authentication if > possible. > > It is RECOMMENDED to use asymmetric (public-key based) > methods for > > client authentication such as mTLS [RFC8705] or using signed JWTs > > ("Private Key JWT") in accordance with [RFC7521] and [RFC7523] (in > > [OpenID.Core] defined as the client authentication method > > private_key_jwt). When such methods for client authentication are > > used, authorization servers do not need to store sensitive > symmetric > > keys, making these methods more robust against a number of > attacks. > > " > > TO: > > " > > Authorization servers SHOULD enforce client authentication, if > possible. > > It is RECOMMENDED to use asymmetric cryptography for > > client authentication, such as mTLS [RFC8705] or using signed JWTs > > ("Private Key JWT"), in accordance with [RFC7521] and > [RFC7523] (in > > [OpenID.Core] defined as the client authentication method > > private_key_jwt). When asymmetric cryptography for client > authentication is > > used, authorization servers do not need to store sensitive > symmetric > > keys, making client authentication more robust against > leakage of keys. > > " > > (Note: For the reader it is always better if they are told > what attacks > > are prevented rather than saying "a number of attacks". You > don't want the reader > > to guess what you mean.) > > Section 2 is a summary of what follows in Section 4. Maybe you > can make this explicit > > either in the title of Section 2 or in the first paragraph of > Section 2. > > Section 3. > > You write: > > " > > These attackers conform to the attacker model that was used > in formal > > analysis efforts for OAuth [arXiv.1601.01229]. This is a minimal > > attacker model. Implementers MUST take into account all possible > > types of attackers in the environment in which their OAuth > > implementations are expected to run. > > " > > When you say "these attackers" please clarify which attackers > you are talking about. > > Prior to this paragraph you have just spoken about various > forms of network attackers. > > Just before that you talked about network and web attackers. > > Then, you introduce more attackers and you keep talking about > "this attacker model" and > > "these attackers". Make it easier for the reader by referring > explictly which attackers > > you are talking about in a specific paragraph. > > Then, you conclude the section with a hint that there is an > even stronger attacker model. > > As a reader I might want to know what this stronger attacker > model looks like and why you > > do not consider it in this document. > > Section 4.1.1: > > You write: > > " > > Note: Vulnerabilities of this kind can also exist if the > > authorization server handles wildcards properly. > > " > > I believe you are saying that the vulnerabilities caused by > incorrect redirect URI validation parsing when you refer to > "this kind". > > I would also remove the "note" > > Section 4.1.3: > > You write: > > " > > * Servers on which callbacks are hosted MUST NOT expose open > > redirectors (see Section 4.11). > > " > > Are you talking about authorization servers (which is what was > referenced in the paragraph before)? > > Section 4.10.1: Sender-constrained Access Tokens > > The text gives the reader the impression that the token > binding would be an option for developers to use. > > I don't think that this is the case. I am particularly > referring to this sentence: > > " > > * *DPoP* ([I-D.ietf-oauth-dpop]): DPoP (Demonstration of > Proof-of- > > Possession at the Application Layer) outlines an application-level > > sender-constraining for access and refresh tokens that can be used > > in cases where neither mTLS nor OAuth Token Binding (see > below) > > are available. > > " > > I would change it to: > > " > > * *DPoP* ([I-D.ietf-oauth-dpop]): DPoP (Demonstration of > Proof-of- > > Possession at the Application Layer) outlines an application-level > > sender-constraining for access and refresh tokens that can be used > > in cases where mTLS is not available. > > " > > I would then remove the subsequent text talking about old, > expired drafts. > > Alternatively, you could move the text to the appendix. > > Section 4.10.2: Audience Restricted Access Tokens > > In the text you say: > > " > > Audience restriction essentially restricts access tokens to a > > particular resource server. The authorization server > associates the > > access token with the particular resource server and the resource > > server SHOULD verify the intended audience. > > " > > You have to put a MUST here. If the resource server does not > check the audience > > restriction when using audience restricted access tokens then > you obviously do not > > get the value from it. It is like using DPOP and not using the > proof-of-possession. > > Likewise the SHOULD language in this sentence is also > questionable: > > " > > The client SHOULD tell the authorization server the intended > resource > > server. The proposed mechanism [RFC8707] could be used or by > > encoding the information in the scope value. > > " > > If the client does not tell the authorization server what the > intended resource server > > is then how should the authorization server know (unless in a > very limited setup). > > Also the reference to RFC 8707 is a bit weak. We standardized > resource indicators: why not > > recommend using it? > > Section 4.10.3: The section heading is "Discussion: Preventing > Leakage via Metadata". > > The content of the section is not really a discussion but > rather a description of why > > this path has not been taken. I wonder whether it would be > better to move this section > > to the appendix and then start the text by explaining why > other solutions have been used instead of this approach. > > Section 4.11: I would put the definition about what an "open > redirector" is into the terminology section since you > > are using the term already in earlier sections. Here is the > definition: > > " > > An open redirector is an endpoint that forwards a user’s > > browser to an arbitrary URI obtained from a query parameter. > > " > > Typos/Wording: > > FROM: > > " > > Afterwards, the updated the OAuth attacker model is presented. > > " > > TO: > > " > > Afterwards, the updated OAuth attacker model is presented. > > " > > Section 4.1: > > "... wild ." > > ^ > > Consider using the guidelines for inclusive language: > > https://www.rfc-editor.org/part2/#inclusive_language > <https://www.rfc-editor.org/part2/#inclusive_language> > > For example, "If the attacker is able to ... , **he** will > directly get access to ..." > > Another example is "whitelisted". > > Section 4.1.2: a wording suggestion. > > FROM: > > " > > The attack > > described here combines this behavior with the client as an open > > redirector (see Section 4.11.1) in order to get access to access > > tokens. > > " > > TO: > > " > > The attack > > described here combines this behavior with the client as an open > > redirector (see Section 4.11.1) to obtain access tokens. > > " > > Section 4.7.1: word missing > > FROM: > > " > > PKCE provides robust protection against CSRF attacks even in > presence > > of an that can read the authorization response (see > Attacker A3 in > > Section 3). > > " > > TO: > > " > > PKCE provides robust protection against CSRF attacks even in > presence > > of an attacker that can read the authorization response > (see Attacker A3 in > > Section 3). > > " > > Section 4.18.2: capitalization > > FROM: > > " > > Wildcard origins like "*" in postMessage MUST not be used as > > attackers can use them to leak a victim's in-browser message to > > malicious origins. > > " > > TO: > > " > > Wildcard origins like "*" in postMessage MUST NOT be used as > > attackers can use them to leak a victim's in-browser message to > > malicious origins. > > " > > You might also want to replace the short title > "oauth-security-topics" (which can be found on each page) with > something like "OAuth 2.0 Security BCP". > > Ciao > > Hanns > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > -- > > Please use my new email address:mail@danielfett.de > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Shepherd Review of draft-ietf-oauth-se… Tschofenig, Hannes
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett