Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushed requests must become JWTs

Vladimir Dzhuvinov <vladimir@connect2id.com> Sat, 11 January 2020 10:28 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D0B1200FD for <oauth@ietfa.amsl.com>; Sat, 11 Jan 2020 02:28:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XiFIZIZtHZ1G for <oauth@ietfa.amsl.com>; Sat, 11 Jan 2020 02:28:09 -0800 (PST)
Received: from p3plsmtpa12-03.prod.phx3.secureserver.net (p3plsmtpa12-03.prod.phx3.secureserver.net [68.178.252.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E67F120033 for <oauth@ietf.org>; Sat, 11 Jan 2020 02:28:09 -0800 (PST)
Received: from [192.168.88.250] ([94.155.17.54]) by :SMTPAUTH: with ESMTPSA id qDzyi86OK0h91qDzzijBaK; Sat, 11 Jan 2020 03:28:08 -0700
x-spam-cmae: v=2.3 cv=Ga9pYjfL c=1 sm=1 tr=0 p=_Y5QVBCcAAAA:8 a=FNQ4XmqxRr20pcroDK0mpg==:117 a=FNQ4XmqxRr20pcroDK0mpg==:17 a=jpOVt7BSZ2e4Z31A5e1TngXxSK0=:19 a=q0rX5H01Qin5IyBaTmIA:9 a=r77TgQKjGQsHNAKrUKIA:9 a=48vgC7mUAAAA:8 a=Mhp_Scw7AAAA:8 a=LS6YZpeZAAAA:8 a=DVqm7IH0AAAA:8 a=vggBfdFIAAAA:8 a=N8h_gfpVYWjWe7o_yeAA:9 a=bE3uGCcN48NBn6tY:21 a=W2xEMAoTgaYpDO5-:21 a=QEXdDO2ut3YA:10 a=ghQvJjrl4gepV0MTyA4A:9 a=9JXru4TqZan1D6SP:21 a=1QcUOMp1dgdAzQA9:21 a=WnRXZD6sfpb669X1:21 a=_W_S_7VecoQA:10 a=D8lnhvtxf0AONpHuB7QA:9 a=ZVk8-NSrHBgA:10 a=30ssDGKg3p0A:10 a=w1C3t2QeGrPiZgrLijVG:22 a=rCfoGGe4EEIQCwLoKFZE:22 a=IRr2vCDBpksuBOXhfkKu:22 a=IdGyktwZ2tr74praB_5u:22 a=M6wP_kGduNurgptF5PJY:22
x-spam-account: vladimir@connect2id.com
x-spam-domain: connect2id.com
To: Justin Richer <jricher@mit.edu>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
References: <8D1DD3BF-97B5-416A-B914-6867FD3553B0@amazon.com> <72A27E43-72C6-44D0-8D95-07FBF8CE332F@lodderstedt.net> <CA+k3eCSL5nS81uKbL3sPh9-SesPnaLsGgnO2=R4jjDy-fSVGKw@mail.gmail.com> <CAANoGh+9+g=2kzh5k-n5eOVHNX=F6kxWbwrP-u=yG-F_C02i8g@mail.gmail.com> <CA+k3eCSSSnX2oCoSvtGpbZZCQ+xydaE0g1SseikAs19M8VBLpw@mail.gmail.com> <CAANoGhJ+mffKvDSgHYuX+kYTCS_jyvQVYqia10LTRDg4Vw7jNw@mail.gmail.com> <CAC46A6B-229C-4B5A-AEE3-A2D8662A81DB@amazon.com> <1A5C82C9-383D-4C09-8233-3C9D0C85A1F6@mit.edu>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <d689cba5-2453-60a1-7ec8-895e32eb1a1b@connect2id.com>
Date: Sat, 11 Jan 2020 12:28:05 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
In-Reply-To: <1A5C82C9-383D-4C09-8233-3C9D0C85A1F6@mit.edu>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms000001000806090209070408"
X-CMAE-Envelope: MS4wfAInAD+OcyrjcgqdlYetsjGR1JjX8EavolTNmWbr6E9lz64Bo1t9XMznb6qaOAbTLKCIUzuFTMLn+19svLss+YKBt2Ty/op4A8nudPfMnU+ak42tpcHW jND6OSW9Amde/KOt31yGTkpMqf2Sc4c95qmIwL1Qg63Dwe1Ib0Vk5LATqVfch+E/WsK5VuWLjYtAhTnFNHwdEXcAdhWf/0ZtwslHNHW6uac07TIhGk/PBoTt kmlClrSo3QEcooa5ObIuYiGpJJc4qyE7ilnEYUL5YU8=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/AzplM87DKB26w6EsMG3MKKKLeGs>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jan 2020 10:28:13 -0000

My suggestion is to abstain from specifying the concrete form of the
resource pointed to by the PAR URI. Regardless of URI type (URN,
downloadable https URL or something else), and even if the PAR endpoint
and the authZ endpoint are managed by two different entities
(microservice or other scenario).

In the Connect2id implementation of PAR the returned URI doesn't point
to a request object and it doesn't point to a JWT either. It points to
an internally stored "pre-processed" authZ request, which the authZ
endpoint then picks up to complete the authZ.

Even if we eventually end up in microservice world, or allow the PAR
endpoint to be managed by some external entity, the PAR URI - its
interpretation, validation and potentially resource retrieval (JWT or
other blob), is an "internal contract" on the AS side. This doesn't
concern the client, and in OAuth 2.0 the role of AS is indivisible.


I see PAR request + authZ request as one logical OAuth 2.0 authZ
request: the client submits an authZ request and gets an authZ response
at the end. The URI is necessary for the client to proceed from the 1st
to the 2nd step. If we manage to frame / word the PAR URI in this
logical way, without getting stuck in the JAR definition / framing of
what the request_uri / object is, it would be great.


The normative language I think should focus on maintaining the OAuth 2.0
contract for the entire logical authZ request, together with the basic
contracts of 1) JAR and the 2) authZ endpoint.


Vladimir


On 10/01/2020 22:55, Justin Richer wrote:
> So we could solve this by saying the resulting data object of a PAR is
> a request object. Which might also contain a request object internally
> as well. In that case JAR should back off from saying it’s a JWT and
> instead say it’s a request object. Or we define a new term for this
> authorization request blob thing.
>
> Or PAR could at least say that if it’s dereferenced over a remote
> protocol then it MUST be a JWT, but otherwise it can be whatever you
> want. That’s where the real interop concerns come in.
>
>  — Justin
>
>> On Jan 10, 2020, at 3:41 PM, Richard Backman, Annabelle
>> <richanna=40amazon.com@dmarc.ietf.org
>> <mailto:richanna=40amazon.com@dmarc.ietf.org>> wrote:
>>
>> Correct. The problem becomes pretty clear in the context of PAR,
>> where the AS is generating and vending out the URI at the PAR
>> endpoint, and consuming it at the authorization endpoint. From an
>> interoperability standpoint, it’s analogous to the AS vending an
>> authorization code at the authorization endpoint and consuming it at
>> the token endpoint.
>> – 
>> Annabelle Richard Backman
>> AWS Identity
>>  
>>  
>> *From: *John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>
>> *Date: *Friday, January 10, 2020 at 12:29 PM
>> *To: *Brian Campbell <bcampbell@pingidentity.com
>> <mailto:bcampbell@pingidentity.com>>
>> *Cc: *Torsten Lodderstedt <torsten@lodderstedt.net
>> <mailto:torsten@lodderstedt.net>>, Nat Sakimura <nat@sakimura.org
>> <mailto:nat@sakimura.org>>, "Richard Backman, Annabelle"
>> <richanna@amazon.com <mailto:richanna@amazon.com>>, oauth
>> <oauth@ietf.org <mailto:oauth@ietf.org>>
>> *Subject: *[UNVERIFIED SENDER] Re: [OAUTH-WG] PAR: pushed requests
>> must become JWTs
>>  
>> If we assume the client posts a JAR and gets back a reference.  Then
>> the reference is to a JAR. 
>>  
>> I think I see the problem.  If the server providing the reference is
>> associated with the AS then the server dosen't need to dereference
>> the object via HTTP, so it could be a URN as an example. 
>>  
>> So yes it is not a interoperability issue for the client.  
>>  
>> I will think about how I can finesse that. 
>>  
>> I agree it is not a change in intent. 
>>  
>> I will see if I can get our AD to accept that.
>>  
>> John B. 
>>  
>>  
>>  
>>  
>> On Fri, Jan 10, 2020, 4:57 PM Brian Campbell
>> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>> Sure but the text proposed (or something like it) qualifies it such
>>> that there aren't interoperability questions because it's only an
>>> implementation detail to the AS who both produces the URI and
>>> consumes its content.
>>>  
>>> On Fri, Jan 10, 2020 at 12:48 PM John Bradley <ve7jtb@ve7jtb.com
>>> <mailto:ve7jtb@ve7jtb.com>> wrote:
>>>> It may be a challenge to change text saying that the contents of
>>>> the resource could be something other than a request object. 
>>>>  
>>>> If not a request object then what and how is that interoperable are
>>>> likely AD questions. 
>>>>  
>>>> I could perhaps see changing it to must be a request object, or
>>>> other format defined by a profile.
>>>>
>>>> John B.  
>>>>  
>>>>  
>>>> On Fri, Jan 10, 2020, 3:45 PM Brian Campbell
>>>> <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>>>>> Agree and agree. But given that the change suggested by Annabelle
>>>>> has no impact on the client or interoperability, perhaps Nat or
>>>>> John could work the change into the draft during the edits that
>>>>> happen during the final stages of things?
>>>>>  
>>>>> On Thu, Jan 9, 2020 at 1:56 AM Torsten Lodderstedt
>>>>> <torsten=40lodderstedt.net@dmarc.ietf.org
>>>>> <mailto:40lodderstedt.net@dmarc.ietf.org>> wrote:
>>>>>> I would assume given the status of JAR, we don’t want to change
>>>>>> it. And as I said, this difference does not impact
>>>>>> interoperability from client perspective.
>>>>>>
>>>>>>
>>>>>>> Am 09.01.2020 um 00:58 schrieb Richard Backman, Annabelle
>>>>>>> <richanna=40amazon.com@dmarc.ietf.org
>>>>>>> <mailto:40amazon.com@dmarc.ietf.org>>:
>>>>>>>
>>>>>>> It would be more appropriate to add the text to JAR rather than
>>>>>>> PAR. It doesn't seem right for PAR to retcon rules in JAR.
>>>>>>> Moving the text to JAR also highlights the weirdness of giving
>>>>>>> PAR special treatment.
>>>>>>>  
>>>>>>> What if we changed this sentence in Section 5.2 of JAR:
>>>>>>>
>>>>>>> The contents of the resource referenced by the URI MUST be a Request
>>>>>>>
>>>>>>> Object.
>>>>>>>
>>>>>>>  
>>>>>>> To: 
>>>>>>>
>>>>>>> The contents of the resource referenced by the URI MUST be a Request
>>>>>>>
>>>>>>> Object, unless the URI was provided to the client by the
>>>>>>> Authorization
>>>>>>>
>>>>>>> Server.
>>>>>>>
>>>>>>>  
>>>>>>> This would allow for use cases such as an AS that provides
>>>>>>> pre-defined request URIs, or vends request URIs via a client
>>>>>>> management console, or bakes them into their client apps.
>>>>>>>  
>>>>>>> – 
>>>>>>> Annabelle Richard Backman
>>>>>>> AWS Identity
>>>>>>>  
>>>>>>> On 1/8/20, 2:50 PM, "Torsten Lodderstedt"
>>>>>>> <torsten=40lodderstedt.net@dmarc.ietf.org
>>>>>>> <mailto:40lodderstedt.net@dmarc.ietf.org>> wrote:
>>>>>>>  
>>>>>>>     Hi, 
>>>>>>>     
>>>>>>>     you are right, PAR does not require the AS to represent the
>>>>>>> request as a JWT-based request object. The URI is used as
>>>>>>> internal reference only. That why the draft states
>>>>>>>     
>>>>>>>     "There is no need to make the
>>>>>>>           authorization request data available to other parties
>>>>>>> via this
>>>>>>>           URI.”
>>>>>>>     
>>>>>>>     This difference matters from an AS implementation
>>>>>>> perspective, it doesn't matter from a client's (interop)
>>>>>>> perspective.
>>>>>>>     
>>>>>>>     We may add a statement to PAR saying that request_uris
>>>>>>> issued by the PAR mechanism (MAY) deviate from the JAR definition.
>>>>>>>     
>>>>>>>     best regards,
>>>>>>>     Torsten.  
>>>>>>>     
>>>>>>>     > On 8. Jan 2020, at 23:42, Richard Backman, Annabelle
>>>>>>> <richanna=40amazon.com@dmarc.ietf.org
>>>>>>> <mailto:40amazon.com@dmarc.ietf.org>> wrote:
>>>>>>>     > 
>>>>>>>     > Hi all,
>>>>>>>     >  
>>>>>>>     > The current drafts of PAR (-00) and JAR (-20) require that
>>>>>>> the AS transform all pushed requests into JWTs. This requirement
>>>>>>> arises from the following:
>>>>>>>     >         • PAR uses the request_uri parameter defined in
>>>>>>> JAR to communicate the pushed request to the authorization endpoint.
>>>>>>>     >         • According to JAR, the resource referenced by
>>>>>>> request_uri MUST be a Request Object. (Section 5.2)
>>>>>>>     >         • Request Object is defined to be a JWT containing
>>>>>>> all the authorization request parameters. (Section 2.1)
>>>>>>>     >  
>>>>>>>     > There is no need for this requirement to support
>>>>>>> interoperability, as this is internal to the AS. It is also
>>>>>>> inconsistent with the rest of JAR, which avoids attempting to
>>>>>>> define the internal communications between the two AS endpoints.
>>>>>>> Worse, this restriction makes it harder for the authorization
>>>>>>> endpoint to leverage validation and other work performed at the
>>>>>>> PAR endpoint, as the state or outcome of that work must be
>>>>>>> forced into the JWT format (or retrieved via a subsequent
>>>>>>> service call or database lookup).
>>>>>>>     >  
>>>>>>>     > – 
>>>>>>>     > Annabelle Richard Backman
>>>>>>>     > AWS Identity
>>>>>>>     >  
>>>>>>>     > _______________________________________________
>>>>>>>     > OAuth mailing list
>>>>>>>     > OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>>     > https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>     
>>>>>>>     
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>> */CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>> privileged material for the sole use of the intended recipient(s).
>>>>> Any review, use, distribution or disclosure by others is strictly
>>>>> prohibited.  If you have received this communication in error,
>>>>> please notify the sender immediately by e-mail and delete the
>>>>> message and any file attachments from your computer. Thank you./*
>>>
>>> */CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s).
>>> Any review, use, distribution or disclosure by others is strictly
>>> prohibited..  If you have received this communication in error,
>>> please notify the sender immediately by e-mail and delete the
>>> message and any file attachments from your computer. Thank you./*
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Vladimir Dzhuvinov