Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24.txt
Nat Sakimura <sakimura@gmail.com> Wed, 01 July 2020 23:43 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C76EA3A123B; Wed, 1 Jul 2020 16:43:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1E-ZmKKeXZe4; Wed, 1 Jul 2020 16:43:14 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95A8B3A1258; Wed, 1 Jul 2020 16:43:13 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id s10so25837288wrw.12; Wed, 01 Jul 2020 16:43:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wj77HfIg9UNXHtJ4HLERQ3Fjdne1OrCwoTA3+CCfnno=; b=rRhg4pVdSvSw0bsX2lsDtdcnkaHoIyTemKNpThQZT0LFSIFKveZVGos3sETEHB4LkV z6rE2Jc73L+esibX3qpTUifE+fo4sq1/CWdbQIwjuQMHE/jM9zU9GbYTDScJzRnbo+te /xj3jSEy2myJPiP8INo3wrZ36QecZMxgWm6VNv4KzO4tWPiiWmflUs4DLA5zw83VCUjr jFP6BFaBKRfnnqJNaVgcKj1u5nNLhncITvqyVa91U0NaYqAUnRc41AQ0k92H6bD1gH1Q LdueHpwHt5Zn1nsGt+AAFEFEZoJIrhgwX8YsV/7Sijwtm6YIXqWx4MJR96oIm7pqzWFu om6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wj77HfIg9UNXHtJ4HLERQ3Fjdne1OrCwoTA3+CCfnno=; b=gN8SHtPoqy7aSk5/aWRD1dQJPgILxUfZXwXu1cIMsleJcxeVRNTmm/bVdPxtK4FSVS f9LnqGBIPg/xK9aH5TBlNlwAabAkL4qNkEoXvwAGnxqCdojqwtFJRQ5xYeT6XFxauSna 9GB0EXYEFhEHmtsxKqublE4O8ptK/SU1XVWyAPoF8l8QAAf7LlMZA0a16MIFxj/sDcs5 gliX3Dz0Wvj5ExCCPXoMA/uuI4NHm2WIVjPuvwZjHWlaWMKeHHlL1dRp2tlfndWiBLRJ y52R6IUcNDyga5cWBre5xBe+OYCZMEqeFx9dwTUOqWokFFnULB8L//zJgtzjqq5Xrwk2 oj+g==
X-Gm-Message-State: AOAM5335r5umKo2/jahDmG+SPFBB9sOnupdUVucjIu6w6c36DUQBKhxD M08Dxk9QKLKBvI6V2P6vvk3K6cEG6h0kf3AS/WYi2Bpv058=
X-Google-Smtp-Source: ABdhPJxIEXS5RcpZPCvKCR2QiaKnzhPAjBGzJNdjXQz/1WWimNJaHHA5Z9ohWk/w++6OKExAKjeHBnO8x40doxicRx4=
X-Received: by 2002:a5d:6cce:: with SMTP id c14mr27507023wrc.377.1593646991886; Wed, 01 Jul 2020 16:43:11 -0700 (PDT)
MIME-Version: 1.0
References: <159360926310.29368.17616782975245600683@ietfa.amsl.com> <040466fc-f05b-13a7-8981-eff63552d570@mail.ru>
In-Reply-To: <040466fc-f05b-13a7-8981-eff63552d570@mail.ru>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 02 Jul 2020 08:43:00 +0900
Message-ID: <CABzCy2C1AEq16u-VAAPU27x_RoLaf6nkhr556gUtJL58hTOPPA@mail.gmail.com>
To: Tangui Le Pense <tangui.lepense=40mail.ru@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>, internet-drafts@ietf.org, i-d-announce@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d94c8e05a969da6a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/B3_0DqtN1jTp8vEiLHHIOe0rWLM>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2020 23:43:24 -0000
Thanks for the quick check. I updated the draft. Also, Mike Jones pointed me that It MUST also reject the request if the request object uses "alg":"none". needs to be added, so I did. On Thu, Jul 2, 2020 at 2:30 AM Tangui Le Pense <tangui.lepense= 40mail.ru@dmarc.ietf.org> wrote: > Hello, > > There seems to be a typo: > > 9.2 and 9.3: "require_signed_request_objects" > > 10.5: "require_signed_request_object" > > Regards, > > -- > > Tangui > > 01.07.2020 16:14, internet-drafts@ietf.org пишет: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > > This draft is a work item of the Web Authorization Protocol WG of the > IETF. > > > > Title : The OAuth 2.0 Authorization Framework: JWT > Secured Authorization Request (JAR) > > Authors : Nat Sakimura > > John Bradley > > Filename : draft-ietf-oauth-jwsreq-24.txt > > Pages : 33 > > Date : 2020-07-01 > > > > Abstract: > > The authorization request in OAuth 2.0 described in RFC 6749 utilizes > > query parameter serialization, which means that Authorization Request > > parameters are encoded in the URI of the request and sent through > > user agents such as web browsers. While it is easy to implement, it > > means that (a) the communication through the user agents are not > > integrity protected and thus the parameters can be tainted, and (b) > > the source of the communication is not authenticated. Because of > > these weaknesses, several attacks to the protocol have now been put > > forward. > > > > This document introduces the ability to send request parameters in a > > JSON Web Token (JWT) instead, which allows the request to be signed > > with JSON Web Signature (JWS) and encrypted with JSON Web Encryption > > (JWE) so that the integrity, source authentication and > > confidentiality property of the Authorization Request is attained. > > The request can be sent by value or by reference. > > > > > > The IETF datatracker status page for this draft is: > > https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ > > > > There are also htmlized versions available at: > > https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-24 > > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-24 > > > > A diff from the previous version is available at: > > https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-jwsreq-24 > > > > > > Please note that it may take a couple of minutes from the time of > submission > > until the htmlized version and diff are available at tools.ietf.org. > > > > Internet-Drafts are also available by anonymous FTP at: > > ftp://ftp.ietf.org/internet-drafts/ > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsreq-24… internet-drafts
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsre… Tangui Le Pense
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-jwsre… Nat Sakimura