Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23
Daniel Fett <mail@danielfett.de> Thu, 04 January 2024 12:10 UTC
Return-Path: <mail@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA88DC14F69C for <oauth@ietfa.amsl.com>; Thu, 4 Jan 2024 04:10:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.806
X-Spam-Level:
X-Spam-Status: No, score=-2.806 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UjTm4zpjRsNA for <oauth@ietfa.amsl.com>; Thu, 4 Jan 2024 04:10:15 -0800 (PST)
Received: from mout-p-103.mailbox.org (mout-p-103.mailbox.org [IPv6:2001:67c:2050:0:465::103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F0B0C14F699 for <oauth@ietf.org>; Thu, 4 Jan 2024 04:10:13 -0800 (PST)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-103.mailbox.org (Postfix) with ESMTPS id 4T5QQ81Q7jz9smP; Thu, 4 Jan 2024 13:10:08 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1704370208; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references:autocrypt:autocrypt; bh=Y6iqlKJa3bS16izOkwFNa3cr8WUZXaC6kmWsSfjudo4=; b=NPHGppia9ygIE+aoPNgSLs9tckRgCOATLuVPRE9EeLhMCMZhcCP0RbXOADSCyQCT050awZ 5g46T55WY26J1vg4kIGUv+WxgSwJVC8FVzi0K4wDSLYa1u4uYMl1gtzG2gFqMpGEgc7cJL ptemBC1fL6/j7frXwFhuU+F4srtFhtT2j/6z9c3uCLllVw8AB7+6qvLN3GGm4O4uhb6sSC 9D0RDQKVcvnMmNu8vjZ94I9VoYQjYdoglFw3RaQNWn053VwBwsPlRin+fN4aXq/HlRljjj Lin5YyJFSd2+w+/K1ECYiEzGxgCtcohQk9vn/9p21EE3EQAoNTUG3wp3vfOfeQ==
Content-Type: multipart/alternative; boundary="------------i2EeomrIq5pktB0eGlB0MFek"
Message-ID: <4f759add-d281-4aae-9b81-79733d9e373f@danielfett.de>
Date: Thu, 04 Jan 2024 13:10:07 +0100
MIME-Version: 1.0
Content-Language: de-DE
To: oauth@ietf.org
References: <AS8PR10MB74277A2DAC89D987531F7F74EECBA@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM> <6bdfa6d8-594c-40b2-a5ed-4a8ca9943929@danielfett.de> <BE1P281MB20977CD398EB9C1C4A18150EED61A@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <60861607-c450-4b62-8155-f9012a6565f2@danielfett.de> <BE1P281MB2097707E4E61A1DCF7A03500ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <e6ea482f-2984-4aca-92c7-479836064dd3@danielfett.de> <BE1P281MB20971C3BF0ECBF6F46BEB220ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <CDD28A99-05F0-4534-98EE-B086BF786E58@mit.edu> <BE1P281MB209791393882B1DFA919CBA4ED602@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM> <a429db26-71dd-4df6-b9cd-3032d9a7e4c0@danielfett.de> <BE1P281MB2097E8949CA350C979F59AAEED672@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM>
From: Daniel Fett <mail@danielfett.de>
Autocrypt: addr=mail@danielfett.de; keydata= xjMEZVtP1hYJKwYBBAHaRw8BAQdAnfQRnVGKVUpdbc4qBhwIfryncOMAa1XjIFTAysHFgmXN IERhbmllbCBGZXR0IDxtYWlsQGRhbmllbGZldHQuZGU+wo8EExYIADcWIQTZQBZqxnGfR0Z5 iv7gQ6HKpmkhyAUCZVtP1gUJBaOagAIbAwQLCQgHBRUICQoLBRYCAwEAAAoJEOBDocqmaSHI NzcA/iNXFgwxZqvdaCDTRNib4iq82zFwXl3KwKYgL06xityzAQDIe7hIw6KnGaztTZsRXSvi +9srzbMJdDqVtC1n4A+YCs44BGVbT9cSCisGAQQBl1UBBQEBB0AwPb4iR2rn5k5DT4vAbYNK Oe4CMgQnwWexMYZFlAL0MwMBCAfCfgQYFggAJhYhBNlAFmrGcZ9HRnmK/uBDocqmaSHIBQJl W0/XBQkFo5qAAhsMAAoJEOBDocqmaSHI0Z8A/jd8Id2bvz6/D71d6HPvXZ+2z2BXzOd7MemE 9hHN+y6kAP44pe/GY97tvIZQa8aSinFJzDfbIVph6cUDlnPiwLjJDg==
In-Reply-To: <BE1P281MB2097E8949CA350C979F59AAEED672@BE1P281MB2097.DEUP281.PROD.OUTLOOK.COM>
X-Rspamd-Queue-Id: 4T5QQ81Q7jz9smP
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B-Yp0fZDZ7XdgJ-jLunYxLKJM_Q>
Subject: Re: [OAUTH-WG] Shepherd Review of draft-ietf-oauth-security-topics-23
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2024 12:10:20 -0000
Hi Axel, The key word here is "rely". They MAY rely. "Rely" in this sentence in practice means omitting state and instead using only PKCE (as opposed to using both PKCE and state together). The REQUIRED/RECOMMENDED comes from the other sentences that you quoted: "Public clients MUST use PKCE" "For confidential clients, the use of PKCE [RFC7636] is RECOMMENDED" In other words: - Even if a public client uses PKCE because it MUST do so, it MAY only omit state if it is confident that the AS actually implements it. - Even if a confidential client decides to use PKCE because it SHOULD do so, it MAY only omit state if it is confident that the AS actually implements it. -Daniel Am 04.01.24 um 12:24 schrieb Axel.Nennker@telekom.de: > > Sorry, for me an all-capitalized MAY is not a recommendation to use PKCE > > MAY This word, or the adjective "OPTIONAL", mean that an item is > > truly optional. One vendor may choose to include the item because a > > particular marketplace requires it or because the vendor feels that > > it enhances the product while another vendor may omit the same item. > > An implementation which does not include a particular option MUST be > > prepared to interoperate with another implementation which does > > include the option, though perhaps with reduced functionality. In the > > same vein an implementation which does include a particular option > > MUST be prepared to interoperate with another implementation which > > does not include the option (except, of course, for the feature the > > option provides.) > > "Clients that have ensured that the authorization server supports > Proof Key for Code Exchange (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]) > MAY rely on the CSRF protection provided by PKCE." > > And leaving the interpreting of "ensure" as an exercise to the reader, > is not spec-language. > > But, this email is my last comment on this. I do not seem to get > support for my concerns. > > Sorry, again, for commenting so late in the discussion. > > //Axel > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Daniel Fett > <mail=40danielfett.de@dmarc.ietf.org> > *Date: *Thursday, 4. January 2024 at 08:41 > *To: *oauth@ietf.org <oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Am 03.01.24 um 20:10 schrieb Axel.Nennker@telekom.de: > > Why not RECOMMEND PKCE for CSRF protection, instead of that "MAY"? > > That's the case already, PKCE is RECOMMENDED/REQUIRED for clients > (which includes the CSRF protection). > > It is just that omitting "state" is a MAY, because "(to) rely on the > CSRF protection provided by PKCE" effectively means that. > > -Daniel > > And in some cases MUST (verb) PKCE? > > //Axel > > *From: *Justin Richer <jricher@mit.edu> <mailto:jricher@mit.edu> > *Date: *Wednesday, 3. January 2024 at 19:53 > *To: *Nennker, Axel <Axel.Nennker@telekom.de> > <mailto:Axel.Nennker@telekom.de> > *Cc: *mail=40danielfett.de@dmarc.ietf.org > <mail=40danielfett.de@dmarc.ietf.org> > <mailto:mail=40danielfett.de@dmarc.ietf.org>, oauth@ietf.org > <oauth@ietf.org> <mailto:oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > On Jan 3, 2024, at 12:30 PM, Axel.Nennker@telekom.de wrote: > > The email discussion triggered me jumping into the discussion. > > Also, I am looking into this from a Camara PoV. > > https://github.com/camaraproject/IdentityAndConsentManagement > <https://github.com/camaraproject/IdentityAndConsentManagement> > > Camara is about to define what is a MUST for authorization > servers etc and we are taking FAPI and the OAuth2 security > best practices as input. > > So, when we write our own security profile in Camara, we are > probably going to copy the language"Authorization servers MUST > support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > We then have no problem requiring clients to use PKCE. > > Coming back to draft-ietf-oauth-security-topics-23. That > document's language feels like it would really, really likes > to require PKCE support, but then it does not go there. > > "Public clients MUST use PKCE" > > "For confidential clients, the use of PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>] > is RECOMMENDED" > > "Authorization servers MUST support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > "Although PKCE was designed as a mechanism to protect native > apps, this advice applies to all kinds of OAuth clients, > including web applications." > > I read this as pretty clear advice — the AS has to support it, but > doesn’t universally require it. Public clients have to use it, so > an AS could reasonably require it automatically for public > clients. Confidential clients can use it, and it’s a good idea, > but it would be surprising for an AS to enforce it on a > confidential client. Of course, even today, an AS can decide that > any particular client has to use PKCE for whatever reason, so > we’re not that different in the "maybe" space than we are now. > > The following two lines are talking about different things: > > I still think that the MAY in 2.1 > > "Clients that have ensured that the authorization server > supports Proof Key for Code Exchange (PKCE, [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]) > MAY rely on the CSRF protection provided by PKCE." > > This is not about the client using or not using PKCE — it’s about > the client relying on PKCE for CSRF protection, which was > previously relegated to state and nonce parameters alone. > > and the MUST in 2.1.1 > > "Authorization servers MUST support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > This just means it has to be available at the AS for anyone to > use, and, as above, possibly required for some circumstances. > > do not go well together. > > //Axel > > — Justin > > *From:*OAuth <oauth-bounces@ietf.org > <mailto:oauth-bounces@ietf.org>> on behalf of Daniel Fett > <mail=40danielfett.de@dmarc.ietf.org > <mailto:mail=40danielfett.de@dmarc.ietf.org>> > *Date:*Wednesday, 3. January 2024 at 17:48 > *To:*oauth@ietf.org <mailto:oauth@ietf.org><oauth@ietf.org > <mailto:oauth@ietf.org>> > *Subject:*Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Axel, > > It is to be expected that not all AS will immediately upgrade > to adhere to the security BCP after its release. So a client > who wants to use PKCE may encounter AS that don't support it. > > See also the discussion > inhttps://mailarchive.ietf.org/arch/msg/oauth/ZiwEfenZZlboikXxBLes5ebPmBw/ > <https://mailarchive.ietf.org/arch/msg/oauth/ZiwEfenZZlboikXxBLes5ebPmBw/> > > -Daniel > > Am 03.01.24 um 17:39 schriebAxel.Nennker@telekom.de > <mailto:Axel.Nennker@telekom.de>: > > Hi Daniel, > > there is also this sentence in this > sectionhttps://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#name-authorization-code-grant > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#name-authorization-code-grant>in > a paragraph on it own. > > "Authorization servers MUST support PKCE [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]." > > Why must a client "ensure" that the AS supports PKCE if > the security best practices say the AS MUST support PKCE? > > //Axel > > *From:*OAuth<oauth-bounces@ietf.org> > <mailto:oauth-bounces@ietf.org>on behalf of Daniel > Fett<mail=40danielfett.de@dmarc.ietf.org> > <mailto:mail=40danielfett.de@dmarc.ietf.org> > *Date:*Wednesday, 3. January 2024 at 14:01 > *To:*oauth@ietf.org > <mailto:oauth@ietf.org><oauth@ietf.org> > <mailto:oauth@ietf.org> > *Subject:*Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Axel, > > I would be happy to see OAuth move away from state as a > CSRF protection mechanism in the future, but there is not > too much to be gained from relying solely on PKCE right > now. The main advantage is that relying on PKCE > incentivizes clients to properly manage the session state > in a cookie instead of relying on a parameter. Beyond > that, there's a small reduction in effort required by the > client, messages will be smaller messages, etc.. The > disadvantage is that a client puts CSRF protection in the > hands of the AS. Therefore, we chose the wording "ensure" > to say that the client has be sure that the AS actually > implements PKCE correctly before relying on it. What that > means in the concrete instance is up to the client. > > Likewise, to your second point, I do not see enough of an > advantage to RECOMMEND relying solely on PKCE for CSRF > protection. > > The main intention here is to open the door to rely on > PKCE, e.g., in closed ecosystems, ecosystems with in-depth > conformance testing, first-party applications and similar. > This also helps to avoid a lot of convoluted language > telling client developers how to properly choose, track, > and check state values in profiles such as FAPI (and the > pitfalls when interpreting that language). > > -Daniel > > Am 02.01.24 um 10:31 schriebAxel.Nennker@telekom.de > <mailto:Axel.Nennker@telekom.de>: > > Hi, > > sorry for being late in the game. > > I am not too happy with this section: > > "Clients that have ensured that the authorization > server supports Proof Key for Code Exchange (PKCE, > [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]) > MAY rely on the CSRF protection provided by PKCE." > > 1. Maybe a minor point that is due to not being a > native speaker, but the verb "ensure" seems too > strong. > If the AZ states in its metadata, that it supports > PKCE than this is "ensurance" enough, right? The > client does not have to "ensure" the support by > actually testing compliance, right? > I suggest rephrasing that to "*If****the > authorization server**states in its meta-data > support for****Proof Key for Code Exchange*(PKCE, > [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>])the > clientMAY rely on the CSRF protection provided by > PKCE." > 2. I suggest changing the "MAY" into a recommendation > for all OAuth2-based protocols. OIDC flows can > easily support PKCE, and new clients SHOULD use > PKCE, I think. > Suggestion: > "Ifthe authorization serverstates in its meta-data > support forProof Key for Code Exchange (PKCE, > [RFC7636 > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html#RFC7636>]), > it is RECOMMENDED the client relieson the CSRF > protection provided by PKCE." > > Kind regards > > Axel > > *From:*OAuth<oauth-bounces@ietf.org> > <mailto:oauth-bounces@ietf.org>on behalf of Daniel > Fett<fett=40danielfett.de@dmarc.ietf.org> > <mailto:fett=40danielfett.de@dmarc.ietf.org> > *Date:*Thursday, 28. December 2023 at 14:38 > *To:*oauth@ietf.org > <mailto:oauth@ietf.org><oauth@ietf.org> > <mailto:oauth@ietf.org> > *Subject:*Re: [OAUTH-WG] Shepherd Review of > draft-ietf-oauth-security-topics-23 > > Hi Hannes, > > thanks again for your feedback! It is incorporated in > the editor's copy now. > > -https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html > <https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.html> > > - Diff to published > version:https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt > <https://author-tools.ietf.org/api/iddiff?doc_1=draft-ietf-oauth-security-topics&url_2=https://oauthstuff.github.io/draft-ietf-oauth-security-topics/draft-ietf-oauth-security-topics.txt> > > I plan to publish the next version once we have > resolved the discussion points from Roman's AD review. > > -Daniel > > Am 04.10.23 um 15:41 schrieb Tschofenig, Hannes: > > Hi all, > > here are some comments as part of my shepherd > review of the OAuth Security BCP. > > First, I want to send a big "Thanks" to everyone > in the group for the work on this document and to > the authors in particular. It has taken us a while > to come up with such an impressive list of > security recommendations for OAuth 2.0. > > At this point in time my review comments can only > be minor given the amount of feedback this > documents has already received. > > Here are a few remarks. > > I believe we should indicate that the > specification updates other OAuth RFCs. The > obvious documents it updates are RFC 6749, RFC > 6750 and RFC 6819. > > You can set these "updates" in the template you > are using. > > In Section 1 you say: > > " > > It does not supplant the security advice given in > > [RFC6749], [RFC6750], and [RFC6819], but > complements those documents. > > " > > In the subsequent paragraph you state that you > "depreciate some modes of operation". > > I believe you are need to be clear about what you > are doing in relationship to these prior > documents. It might also be useful to say > something about OAuth 2.1. > > Expand abbreviations on first use. Example: "AS" > and "PKCE" in Section 2.1. The AS abbreviation is > only expanded later in Section 3. Decide whether > you want to use abbreviations or not. You mix them > throughout the document without no reasons. > > Listing the abbreviations in Section 1.2 may also > be useful. There are not that many abbreviations > anyway. > > I have wording suggestions for this paragraph: > > FROM: > > " > > Authorization servers SHOULD use client > authentication if possible. > > It is RECOMMENDED to use asymmetric (public-key > based) methods for > > client authentication such as mTLS [RFC8705] or > using signed JWTs > > ("Private Key JWT") in accordance with [RFC7521] > and [RFC7523] (in > > [OpenID.Core] defined as the client authentication > method > > private_key_jwt). When such methods for client > authentication are > > used, authorization servers do not need to > store sensitive symmetric > > keys, making these methods more robust against > a number of attacks. > > " > > TO: > > " > > Authorization servers SHOULD enforce client > authentication, if possible. > > It is RECOMMENDED to use asymmetric > cryptography for > > client authentication, such as mTLS [RFC8705] > or using signed JWTs > > ("Private Key JWT"), in accordance with [RFC7521] > and [RFC7523] (in > > [OpenID.Core] defined as the client authentication > method > > private_key_jwt). When asymmetric cryptography for > client authentication is > > used, authorization servers do not need to > store sensitive symmetric > > keys, making client authentication more robust > against leakage of keys. > > " > > (Note: For the reader it is always better if they > are told what attacks > > are prevented rather than saying "a number of > attacks". You don't want the reader > > to guess what you mean.) > > Section 2 is a summary of what follows in Section > 4. Maybe you can make this explicit > > either in the title of Section 2 or in the first > paragraph of Section 2. > > Section 3. > > You write: > > " > > These attackers conform to the attacker model > that was used in formal > > analysis efforts for OAuth [arXiv.1601.01229]. > This is a minimal > > attacker model. Implementers MUST take into > account all possible > > types of attackers in the environment in which > their OAuth > > implementations are expected to run. > > " > > When you say "these attackers" please clarify > which attackers you are talking about. > > Prior to this paragraph you have just spoken about > various forms of network attackers. > > Just before that you talked about network and web > attackers. > > Then, you introduce more attackers and you keep > talking about "this attacker model" and > > "these attackers". Make it easier for the reader > by referring explictly which attackers > > you are talking about in a specific paragraph. > > Then, you conclude the section with a hint that > there is an even stronger attacker model. > > As a reader I might want to know what this > stronger attacker model looks like and why you > > do not consider it in this document. > > Section 4.1.1: > > You write: > > " > > Note: Vulnerabilities of this kind can also exist > if the > > authorization server handles wildcards properly. > > " > > I believe you are saying that the vulnerabilities > caused by incorrect redirect URI validation > parsing when you refer to "this kind". > > I would also remove the "note" > > Section 4.1.3: > > You write: > > " > > * Servers on which callbacks are hosted MUST > NOT expose open > > redirectors (see Section 4.11). > > " > > Are you talking about authorization servers (which > is what was referenced in the paragraph before)? > > Section 4.10.1: Sender-constrained Access Tokens > > The text gives the reader the impression that the > token binding would be an option for developers to > use. > > I don't think that this is the case. I am > particularly referring to this sentence: > > " > > * *DPoP* ([I-D.ietf-oauth-dpop]): DPoP > (Demonstration of Proof-of- > > Possession at the Application Layer) outlines an > application-level > > sender-constraining for access and refresh tokens > that can be used > > in cases where neither mTLS nor OAuth Token > Binding (see below) > > are available. > > " > > I would change it to: > > " > > * *DPoP* ([I-D.ietf-oauth-dpop]): DPoP > (Demonstration of Proof-of- > > Possession at the Application Layer) outlines an > application-level > > sender-constraining for access and refresh tokens > that can be used > > in cases where mTLS is not available. > > " > > I would then remove the subsequent text talking > about old, expired drafts. > > Alternatively, you could move the text to the > appendix. > > Section 4.10.2: Audience Restricted Access Tokens > > In the text you say: > > " > > Audience restriction essentially restricts access > tokens to a > > particular resource server. The authorization > server associates the > > access token with the particular resource > server and the resource > > server SHOULD verify the intended audience. > > " > > You have to put a MUST here. If the resource > server does not check the audience > > restriction when using audience restricted access > tokens then you obviously do not > > get the value from it. It is like using DPOP and > not using the proof-of-possession. > > Likewise the SHOULD language in this sentence is > also questionable: > > " > > The client SHOULD tell the authorization server > the intended resource > > server. The proposed mechanism [RFC8707] could be > used or by > > encoding the information in the scope value. > > " > > If the client does not tell the authorization > server what the intended resource server > > is then how should the authorization server know > (unless in a very limited setup). > > Also the reference to RFC 8707 is a bit weak. We > standardized resource indicators: why not > > recommend using it? > > Section 4.10.3: The section heading is > "Discussion: Preventing Leakage via Metadata". > > The content of the section is not really a > discussion but rather a description of why > > this path has not been taken. I wonder whether it > would be better to move this section > > to the appendix and then start the text by > explaining why other solutions have been used > instead of this approach. > > Section 4.11: I would put the definition about > what an "open redirector" is into the terminology > section since you > > are using the term already in earlier sections. > Here is the definition: > > " > > An open redirector is an endpoint that forwards a > user’s > > browser to an arbitrary URI obtained from a > query parameter. > > " > > Typos/Wording: > > FROM: > > " > > Afterwards, the updated the OAuth attacker model > is presented. > > " > > TO: > > " > > Afterwards, the updated OAuth attacker model is > presented. > > " > > Section 4.1: > > "... wild ." > > ^ > > Consider using the guidelines for inclusive language: > > https://www.rfc-editor.org/part2/#inclusive_language > <https://www.rfc-editor.org/part2/#inclusive_language> > > For example, "If the attacker is able to ... , > **he** will directly get access to ..." > > Another example is "whitelisted". > > Section 4.1.2: a wording suggestion. > > FROM: > > " > > The attack > > described here combines this behavior with the > client as an open > > redirector (see Section 4.11.1) in order to get > access to access > > tokens. > > " > > TO: > > " > > The attack > > described here combines this behavior with the > client as an open > > redirector (see Section 4.11.1) to obtain access > tokens. > > " > > Section 4.7.1: word missing > > FROM: > > " > > PKCE provides robust protection against CSRF > attacks even in presence > > of an that can read the authorization response > (see Attacker A3 in > > Section 3). > > " > > TO: > > " > > PKCE provides robust protection against CSRF > attacks even in presence > > of an attacker that can read the authorization > response (see Attacker A3 in > > Section 3). > > " > > Section 4.18.2: capitalization > > FROM: > > " > > Wildcard origins like "*" in postMessage MUST not > be used as > > attackers can use them to leak a victim's > in-browser message to > > malicious origins. > > " > > TO: > > " > > Wildcard origins like "*" in postMessage MUST NOT > be used as > > attackers can use them to leak a victim's > in-browser message to > > malicious origins. > > " > > You might also want to replace the short title > "oauth-security-topics" (which can be found on > each page) with something like "OAuth 2.0 Security > BCP". > > Ciao > > Hanns > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > -- > > Please use my new email address:mail@danielfett.de <mailto:mail@danielfett.de> > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org <mailto:OAuth@ietf.org> > > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Shepherd Review of draft-ietf-oauth-se… Tschofenig, Hannes
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Justin Richer
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Axel.Nennker
- Re: [OAUTH-WG] Shepherd Review of draft-ietf-oaut… Daniel Fett