IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP - Document Shepherd Review

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Tue, 05 July 2022 17:15 UTC

Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79E21C15AD55 for <oauth@ietfa.amsl.com>; Tue, 5 Jul 2022 10:15:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0UYR7S0n3sU for <oauth@ietfa.amsl.com>; Tue, 5 Jul 2022 10:14:59 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3910FC15AD4E for <oauth@ietf.org>; Tue, 5 Jul 2022 10:14:59 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id h14-20020a1ccc0e000000b0039eff745c53so7620630wmb.5 for <oauth@ietf.org>; Tue, 05 Jul 2022 10:14:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ix5EQMlpoc2lCm1wp9ad9sFEUpDnMKk8J8wbPVVmAso=; b=A3ek2TYg1rIeyhPhvVJ/nDmV9WAjZeESGis0pY2qXXT/l/DgXSo/AvHw0UKjspM5t+ 5s9yhzIX+GjNkPiLH826m/p5PE7KIBqHMF/0UHHOYkDGGIbYIbk6+3elg7RIPcP1RoXV b6Mv9PkE+f516lri09/q8nuNKNMxBR0xrAC1SjBCoUiYxrvnwDZqUJDhbSYsYEYU58XD ff/VHC8fXO6Vgk8RiLooHZl0JGgUqAADCFEcuQKaJDYow6iSD7kx8YZc+Bw1yDmyTqML 19t5HZBDdDQIWOzSpP4SqERM4gcq9GZdUHpN4Bmvq8lGIMIYXpBNwDIurSaOuJ7hUAeb jnVw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ix5EQMlpoc2lCm1wp9ad9sFEUpDnMKk8J8wbPVVmAso=; b=1MMYxdKuSHqJCIPHFUWp+ruL4qGEDS2gydg5pljampwkETTK4e1uYNiMTHav+IMNT3 /dXi5ESrOj1A87Ru6wNdIPHh1S6ln03X8JLfH3Ry4EVCRLF69h7VPG7VL+I+2Bm4laDD xIAcLD8ZyqadXaf/zm/8eTVj3RrkZOPrABUvQDTxWRQdnZRbMmN/JhBh1C+RCb1n1AnL r53TayE3W1kp6w9ExqOungKmgQ9UI3W6vStNa3KsXyNA8qznO+IgEdv6vycwySx0EkJw yo/mXYz+9YsrYV3ZtEoqq8hUd6AMSpT4NcH5cSnIhmolTll1RyFm+EUrAUNzgShR817H hYqw==
X-Gm-Message-State: AJIora9BsIAY/wG5d/dbHArO0rXVOz/K9JAioSc3PY6/6Hh1Us0h9uO0 4kFkI2hJtfrUJRo2xTTC/ail/id5JaRJYXDNrzg8Wt8icuA=
X-Google-Smtp-Source: AGRyM1vm0hDLMg5ME4cKF4qDaxiaGjiOEuDzA10q5UfE7J9Aj5MAsK2ie0VIyFxiK6exr7hWL7EQ/xobiVvxkClHQ9k=
X-Received: by 2002:a7b:cb8a:0:b0:3a0:ac8a:7c43 with SMTP id m10-20020a7bcb8a000000b003a0ac8a7c43mr38910129wmi.152.1657041297382; Tue, 05 Jul 2022 10:14:57 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP_0LLLmwdPa2sjsp8mmjOO2woQbdLf3XyPzUsJ_CuogXQ@mail.gmail.com> <CA+k3eCRyoncwUGu3cpnsXut6t8u2UUD9ZmBYYTCf7J9e3tpfzQ@mail.gmail.com>
In-Reply-To: <CA+k3eCRyoncwUGu3cpnsXut6t8u2UUD9ZmBYYTCf7J9e3tpfzQ@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Tue, 05 Jul 2022 13:14:46 -0400
Message-ID: <CADNypP-nrgPHHbmxUZke=9UdpHWhv9wnd-v5vdC-36jgSSNBUw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e8a24b05e311fd34"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9FItYIZn_DjpXcbt2by79t0DiG8>
Subject: Re: [OAUTH-WG] DPoP - Document Shepherd Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jul 2022 17:15:03 -0000

Thanks Brian!
See my replies inline below.


On Thu, Jun 30, 2022 at 6:52 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Thanks for shepherding Rifaat. And apologies for the slow reply. My
> attempts at answering questions and responding to comments are inline
> below.
>
>
> On Fri, Jun 3, 2022 at 11:55 AM Rifaat Shekh-Yusef <
> rifaat.s.ietf@gmail.com> wrote:
>
>> The following is my review as a document shepherd:
>>
>> Section 4.3
>>
>> Last sentence
>>
>> Since the document uses “SHOULD”, this implies that there are some valid
>> cases where this is not needed.
>>
>> Should a text be added to explain when this is not needed?
>>
>
>
> What about giving a bit more context about why they should? Changing that
> sentence to say, "To reduce the likelihood of false negatives, servers
> SHOULD employ Syntax-Based Normalization (Section 6.2.2
> <https://rfc-editor.org/rfc/rfc3986> of [RFC3986]) and Scheme-Based
> Normalization (Section 6.2.2 <https://rfc-editor.org/rfc/rfc3986> of [
> RFC3986]) before comparing the htu claim." And also maybe changing it to
> a little "should".
>
> Yes, that works.
I suggest keeping it as "SHOULD" to encourage implementers to use this,
unless they have a really good reason not to.



>
>
>>
>> Section 6.1
>>
>>    1.
>>
>>    First sentence - what is the reason for using “SHOULD”, instead of
>>    “MUST” in this case?
>>
>>
>
> Good question. I think it was a bit of carryover from OAuth in general not
> strictly defining access token format or content. And wanting to not
> encroach on that. But that's kinda covered/allowed for in general by
> Section 6 already. And Section 6.2 is effectively the same as 6.1 but for
> introspection and it doesn't use "SHOULD". I think the “SHOULD” in the first
> sentence of 6.1 should be removed thereby making it an implicit must - like
> "when using JWT, this is how it is". That would align with the way it's
> described for introspection. Also leaves some room for hash algorithm
> agility via a new confirmation method member (described in
> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#name-access-token-and-public-key)
> without going against a "MUST"
>
>
I am fine with removing the "SHOULD" to make it an implicit must.



>
>
>>
>>    1.
>>
>>    The DPoP Proof contains a hash of the Access Token, and the Access
>>    Token contains a hash of the public key in the DPoP Proof.
>>
>> Why do you need both? Would one of these be sufficient?
>>
>
>
> The latter (AT containing a hash of the public key in the DPoP Proof) is
> needed and largely sufficient for the main goals of binding the AT to a key
> held by the client. The former (DPoP Proof containing a hash of the AT)
> was added later via very rough WG consensus - it can prevent some esoteric
> swapping of tokens that I never really understood to be honest and also
> limits the impact of using maliciously precomputed and exfiltrated proofs
> (https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-2-6
> talks about it a bit). Use of the nonce mechanism, which was added to the
> draft even later, also (and better) protects against precomputed and
> exfiltrated proofs. The value of the AT hash in the proof seems somewhat
> questionable. To me anyway. But removing it at this point is potentially
> problematic due to inertia, existing implementations/deployments, rough WG
> consensus, and more.
>
>
I think that at least a text is needed to justify this, and explain the "
it can prevent some esoteric swapping of tokens" issue.
Maybe we can discuss this during one of the side meetings in Philly.



>
>

>> Section 7.1
>>
>>    1.
>>
>>    “if the request does not include valid credentials or does not
>>    contain an access token sufficient for access, the server can respond
>>    with a challenge to the client to provide DPoP authentication information.”
>>
>>
>> Should the “can” be replaced with a “SHOULD”?
>>
>
>
> FWIW, there was some discussion around that sentence that included some
> pushback on dropping the "can".
> https://github.com/danielfett/draft-dpop/issues/119 and
> https://github.com/danielfett/draft-dpop/pull/122 have the conversation.
> I'm rather hesitant to try and change it after all that.
>
>
>
Ok



>
>>
>>    1.
>>
>>    Also, I think it would be clearer if you can explicitly state what
>>    the authorization server should do when it does not challenge the client,
>>    which I am assuming will be something along the lines of: “the
>>    authorization server issues an error response per Section 5.2 of RFC6749“
>>
>>
>
> The section in question is about protected resource access so anything
> about the authorization server wouldn't be appropriate there. The protected
> resource / RS always has the option to simply fail the request and can do
> that however it sees fit. I'm not sure how to state that in the document
> text. Or if anything should be stated, honestly.
>
> Ok



>
>
>>
>> Section 7.2
>>
>>    1.
>>
>>    “Specifically, such a protected resource MUST reject a DPoP-bound
>>    access token received as a bearer token per [RFC6750
>>    <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>
>>    ].”
>>
>>
>> I think that I understand what you are trying to say with this sentence,
>> but the way the sentence reads is confusing to me.
>>
>> I am assuming what you are trying to say is something along the lines of
>> “a dpop protected resource must reject a request that provides a bearer
>> token”. Is that correct? If so, can you please rephrase the sentence to
>> make it clearer?
>>
>
>
> That's not quite correct. That paragraph
> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-7.2-1>
> (copied below) is attempting say that a protected resource that will
> accept either "Authorization: Bearer <bearer token>" or "Authorization:
> DPoP <dpop-bound token>" is required to reject a request that uses the
> Bearer scheme with a DPoP-bound access token. This is to prevent
> downgraded usage of a bound access token without demonstrating possession
> of the key to which it is bound.
>
> "Protected resources simultaneously supporting both the DPoP and Bearer
> schemes need to update how evaluation of bearer tokens is performed to
> prevent downgraded usage of a DPoP-bound access token. Specifically, such a
> protected resource MUST reject a DPoP-bound access token received as a
> bearer token per [RFC6750
> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#RFC6750>]."
>
> Got it.


>
>
>>
>>
>>    1.
>>
>>    “A protected resource that supports only [RFC6750
>>    <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>]
>>    and is unaware of DPoP would most presumably accept a DPoP-bound access
>>    token as a bearer token”
>>
>>
>> Wouldn't such a resource server check the value of the WWW-Authenticate
>> header to make sure it contains the Bearer scheme, which means that the
>> request is most likely to be declined?
>>
>
>
> What that is trying to say is that a protected resource that only does or
> knows about the RFC6750 Bearer scheme ("Authorization: Bearer <token>")
> will almost certainly accept a bound access token sent via the Bearer
> scheme.
>
> Ok


>
>
>>
>> Section 10.1
>>
>> Why define two different mechanisms to achieve the same thing?
>>
>> This seems to add complexity without an obvious benefit.
>>
>
>
> This is a bit of a tricky area. The benefit with PAR is the direct request
> from client to AS, which allows for an actual DPoP proof to be used for the
> eventual binding of the authorization code to the key. Also the client
> doesn't have to do the JWK hash in that case. Whereas the normal
> authorization request is indirect via the browser and just a hash of the
> key is given for the code binding with the dpop_jkt parameter. And the
> client has to compute the hash. But PAR is just an alternative way to pass
> the authorization parameters (like dpop_jkt) so it's kinda awkward to use
> things together like this.
> https://github.com/danielfett/draft-dpop/issues/103 and
> https://github.com/danielfett/draft-dpop/pull/111 have some discussion
> around this but there was some in person talk too so that's not complete.
>
> I don't love that there's two different mechanisms here. But it's what we
> were able to come up with given all the factors. Certainly open to
> considering improvements but am pretty much at a loss of what that might
> be.
>
> Let's discuss this during one of the side meetings in Philly



>
>
>>
>> Section 11.6
>>
>> Should the algorithms be explicitly called out? Or at least reference a
>> document that calls out such algorithms?
>>
>
>
> There isn't a single such document and it's not necessarily a static list
> of algorithms. I was about to say we could point to the JOSE alg registry
> but glancing again at it
> https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
> and I suspect that'd confuse more than help. We could perhaps list
> some/many of the algs with the qualification that it's not an exclusive or
> complete list? But I'm not sure how useful that would be, to be honest.
>
> If you do not specify any algorithm, how do you ensure interop?
I think this is worth a discussion in Philly



>
>
>>
>> Section 11.7
>>
>> Why is OAuth Token Binding included?
>>
>
>
> Yeah, that doesn't make sense to encourage its use because it's not a
> viable thing to use. OAuth Token Binding should be removed from Section
> 11.7. Was that what you were getting at? That particular text in the
> paragraph that mentions token binding has been in the draft for a long time
> and honestly never made a lot of sense to me. So I could envision removing
> more. But that's maybe more than you were aiming for.
>
> I am actually in favor of removing it



>
>>
>> Section 11.8
>>
>> Why not include algorithm agility to make sure the mechanism is ready to
>> allow for more secure algorithms in the future?
>>
>
> Algorithm agility is a whole can of worms that can be accomplished in
> different ways with different amounts of added complexity and potential
> vulnerabilities and issues of interop and MTI. Section 11.8 describes how
> DPoP allows for algorithm agility (without using the exact words) by
> suggesting that new dpop binding cnf method and/or AT hash claim be
> defined using a "better" hash algorithm if/when the need arises (OAuth
> 2.0 Mutual-TLS takes a similar approach FWIW). The intent of doing it
> that way was to keep things as simple as possible in the spec right now
> without completely closing the door on future needs. .
>
> This is another topic that is worth a discussion in Philly.

Regards,
 Rifaat



>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*

v2.23.0 | Report a Bug | By Email