Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-21.txt

Mike Jones <Michael.Jones@microsoft.com> Sun, 26 April 2020 17:17 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Nat Sakimura <nat@sakimura.org>, John Bradley <jbradley@yubico.com>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-21.txt
Thread-Index: AdYb7ny/PQDH7dVXRBSZpdWvw5uEuw==
Date: Sun, 26 Apr 2020 17:17:08 +0000
Message-ID: <CH2PR00MB06798A6DCC36BD152F324155F5AE0@CH2PR00MB0679.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q-kfhvnDl8iuwhscWux8qmIZlPY>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-21.txt

The next errata version of OpenID Connect Discovery will register the parameter request_object_signing_alg_values_supported and other parameters not previously registered.  See https://openid.net/specs/openid-connect-discovery-1_0-29.html for the latest published errata draft.

I can make a request for early registration if it would be useful.

				-- Mike

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Torsten Lodderstedt
Sent: Sunday, April 26, 2020 8:17 AM
To: Nat Sakimura <nat@sakimura.org>; John Bradley <jbradley@yubico.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-21.txt

Hi Nat & John,

I tried to find out how signing & encryption algorithms are determined in the JAR context. 

I just found this note in the history for -07: "Stopped talking about request_object_signing_alg"

I assume you assume this is done via client registration parameters registered in https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#client-metadata? Why doesn’t JAR state so?

What is about algorithms supported by the AS? The respective parameters, such as request_object_signing_alg_values_supported are not registered yet in https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#authorization-server-metadata.

best regards,
Torsten.

> On 19. Apr 2020, at 20:30, internet-drafts@ietf.org wrote:
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
> 
>        Title           : The OAuth 2.0 Authorization Framework: JWT Secured Authorization Request (JAR)
>        Authors         : Nat Sakimura
>                          John Bradley
>        Filename        : draft-ietf-oauth-jwsreq-21.txt
>        Pages           : 31
>        Date            : 2020-04-19
> 
> Abstract:
>   The authorization request in OAuth 2.0 described in RFC 6749 utilizes
>   query parameter serialization, which means that Authorization Request
>   parameters are encoded in the URI of the request and sent through
>   user agents such as web browsers.  While it is easy to implement, it
>   means that (a) the communication through the user agents is not
>   integrity protected and thus the parameters can be tainted, and (b)
>   the source of the communication is not authenticated.  Because of
>   these weaknesses, several attacks on the protocol have now been put
>   forward.
> 
>   This document introduces the ability to send request parameters in a
>   JSON Web Token (JWT) instead, which allows the request to be signed
>   with JSON Web Signature (JWS) and encrypted with JSON Web Encryption
>   (JWE) so that the integrity, source authentication and
>   confidentiality property of the Authorization Request is attained.
>   The request can be sent by value or by reference.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-21
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-21
> 
> 
> Please note that it may take a couple of minutes from the time of 
> submission until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
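The algorithm question Torsten raises above is, on the authorization server side, a concrete check: which JWS algorithm the AS expects for a given client's request object, and where that expectation comes from. The example below is added here and is not code from the draft, the thread, or any of its authors. It shows an AS that takes the expected algorithm from the client's registered request_object_signing_alg (a client-metadata registry parameter), cross-checks it against its own request_object_signing_alg_values_supported (the AS-metadata parameter the thread notes was not yet registered), and only then verifies the JWS, so that the token's own "alg" header, including "none", never decides how it is verified. The AS issuer, client_id, client secret, metadata values and claims are all constructed for the example; HS256 is implemented with the standard library so it runs offline, and the iss/aud/exp policy is this example's choice, while the client_id match is what JAR requires.

```python
import base64
import hashlib
import hmac
import json
import time

AS_ISSUER = "https://as.example"  # hypothetical AS issuer (constructed)

# Hypothetical AS metadata: the parameter discussed in the thread, as this AS would publish it.
AS_METADATA = {
    "issuer": AS_ISSUER,
    "request_object_signing_alg_values_supported": ["RS256", "ES256", "HS256"],
}

# Hypothetical client registration; request_object_signing_alg is the client-metadata parameter.
CLIENTS = {
    "s6BhdRkqt3": {
        "client_secret": b"correct-horse-battery-staple",  # constructed sample secret
        "request_object_signing_alg": "HS256",
    }
}


class InvalidRequestObject(Exception):
    """Raised for any reason the AS must reject the request object."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: serialise the authorization request as a compact JWS (JAR 'request' by value)."""
    header = {"alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_request_object(compact_jws: str, query_client_id: str, now=None) -> dict:
    """AS side: validate a JAR request object against client and AS metadata, return its claims."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = compact_jws.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
    except ValueError as e:  # covers bad split, bad base64 and JSONDecodeError
        raise InvalidRequestObject(f"malformed JWS: {e}")

    client = CLIENTS.get(query_client_id)
    if client is None:
        raise InvalidRequestObject("unknown client_id")

    # 1. The algorithm is pinned by registration, then checked against what this AS supports.
    #    The JWS header must agree; it is never the source of truth (rejects alg=none, confusion).
    expected_alg = client["request_object_signing_alg"]
    if expected_alg not in AS_METADATA["request_object_signing_alg_values_supported"]:
        raise InvalidRequestObject("client registered an alg this AS does not support")
    if header.get("alg") != expected_alg:
        raise InvalidRequestObject(f"alg {header.get('alg')!r} != registered {expected_alg!r}")

    # 2. Verify with the key the pinned algorithm implies (client_secret for HS256).
    if expected_alg == "HS256":
        signing_input = (h_b64 + "." + p_b64).encode("ascii")
        expected_sig = hmac.new(client["client_secret"], signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, b64url_decode(s_b64)):
            raise InvalidRequestObject("bad signature")
    else:
        raise InvalidRequestObject(f"{expected_alg} verification not implemented in this example")

    # 3. Bind the object to the outer request (required by JAR) and to this AS (example policy).
    if payload.get("client_id") != query_client_id:
        raise InvalidRequestObject("client_id in request object does not match the client_id parameter")
    if payload.get("iss") != query_client_id:
        raise InvalidRequestObject("iss must equal the client_id")
    aud = payload.get("aud")
    if aud != AS_ISSUER and not (isinstance(aud, list) and AS_ISSUER in aud):
        raise InvalidRequestObject("aud does not name this AS")
    if "exp" in payload and payload["exp"] < now:
        raise InvalidRequestObject("request object expired")
    return payload


if __name__ == "__main__":
    # Constructed sample request; in practice the client sends it as request=<jws>&client_id=...
    claims = {"iss": "s6BhdRkqt3", "aud": AS_ISSUER, "client_id": "s6BhdRkqt3",
              "response_type": "code", "redirect_uri": "https://client.example/cb",
              "scope": "openid", "state": "af0ifjsldkj", "exp": 2000000000}
    token = hs256_sign_request_object(claims, CLIENTS["s6BhdRkqt3"]["client_secret"])
    print(verify_request_object(token, "s6BhdRkqt3")["state"])
    try:
        verify_request_object(b64url(b'{"alg":"none"}') + "." + token.split(".")[1] + ".", "s6BhdRkqt3")
    except InvalidRequestObject as e:
        print("rejected:", e)
```

The order matters: metadata lookup and algorithm pinning happen before any cryptography, so an attacker who controls the JWS header cannot steer the AS into HMAC-with-a-public-key or unsigned verification. Swapping HS256 for an asymmetric algorithm changes only step 2 (the key comes from the client's jwks or jwks_uri instead of client_secret); steps 1 and 3 stay the same.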