Re: [OAUTH-WG] Comments on ietf-oauth-dpop
Brian Campbell <bcampbell@pingidentity.com> Thu, 24 March 2022 09:49 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 286313A16E9 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 02:49:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nEr7V2TPQVe1 for <oauth@ietfa.amsl.com>; Thu, 24 Mar 2022 02:49:16 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0778C3A16B3 for <oauth@ietf.org>; Thu, 24 Mar 2022 02:49:15 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id s207so4327652oie.11 for <oauth@ietf.org>; Thu, 24 Mar 2022 02:49:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3PAxgy9v/DM7hK3W2XaOYwgyd/LGM1UynHoqnpXug70=; b=XMTyEgdVak6jkcH247Cs616aMw1yNfl8AEBrDGVg9RdJIw6feUIaBKk9AM5LhODPpO tlmAAy7XtoGgQNWC2oL2j2ThTNgvW7GyVB+H3ea0LDiY/oOEKnRhje2Q70U8RZWHPwTe xSPdb0vMyC388QbhmUwLCr8P/O7jlygVRGSeu4fr19m8WEBocp9/x0xkg01nKg3zGiII S2rwLFpXgwCbBlncPUUmnwc1iSLlnRMg9xDeDmzV5KooqkIlJJEpf+J4Rrxp9tYbvUXx +TBsTPcz047FsX3/SuovCMP5OeNU7WJKibYvOzCuvKQNVp1RZ0MT7yhK/ZTAyrJYSd7a 9aoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3PAxgy9v/DM7hK3W2XaOYwgyd/LGM1UynHoqnpXug70=; b=ocqivh907OBEv3kJJrEQHyNtwX3yvYYlOTDae/KM/V6VYvB3adijpYadbqAy3CJ62s xaRMD4jxRqcxnyw+9/ETXC6+Oi+dCRhn1N04frmtfHz08EOeOaXR8qWFxjkRRsnA5+hd QGPOq4y0CqRSGGC68v/B7RoKsqcHUcCb18lDxVEByg4njbHMVcjUsX+8BHc7ks/rO0Ba GzaBBJfhq8qAJXmavf0Qu4UFLgJGFeaJuDINwewjuc549YTELexARg/CBt9SM6Gp2K8f EmH4RrnHEYNUGT+kZLe2Jlb7tgPVeXsmh+NtmwPmQcGsmdrhVTbKiwQ8nqeC/xiH5Mj8 L6fg==
X-Gm-Message-State: AOAM532PjSV+1LzSX+dtseHeU1Ow0DhJ8enBpFRIRWsf57pqYH20mGJP EXWknFpefj2sU521/JcIwR5WGndz4Xc86DzP3VgAeDYz1KdWC646UZ0Hdpaw19Fec4Gz8EkvPVp vJ2VdZtwpGcFlyBJ6JemUqV5iz4s=
X-Google-Smtp-Source: ABdhPJyBvjlA4Inxfoufv6OsQBQoYTmX1jn4X1CtH0asvD9PCxosYQ3U4AYxVIJohDFJQnjRGF/+hfa7LUXovS7IREg=
X-Received: by 2002:a05:6808:118d:b0:2d9:a01a:48c2 with SMTP id j13-20020a056808118d00b002d9a01a48c2mr6728350oil.269.1648115354872; Thu, 24 Mar 2022 02:49:14 -0700 (PDT)
MIME-Version: 1.0
References: <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com> <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <2bb4c1f0ca4ece28fa02fa135311b079@babelouest.org>
In-Reply-To: <2bb4c1f0ca4ece28fa02fa135311b079@babelouest.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 24 Mar 2022 10:48:47 +0100
Message-ID: <CA+k3eCSHLO=D9Wx3Noygi57F4THhf9Q0pKjF-t-rWAdkGCtVWQ@mail.gmail.com>
To: Nicolas Mora <nicolas@babelouest.org>
Cc: oauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000046d0a505daf3c2a7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CC0ZlExBdZFOjO2ltgkJ3w6VioI>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Mar 2022 09:49:22 -0000
Hello Nicolas, The situation you describe of nonce switching with different RSs using the same domain is possible. But I believe in practice it's rather unlikely to occur and is self correcting even if it does occur (though kinda chatty/inefficient). I don't believe it's worthwhile to add stuff to the protocol to optimize for the situation (of course, the WG should chime-in if I'm off base from rough consensus here) . The name "iss" is rather overloaded and would probably not be appropriate, even in the case something was added. Also - the realm parameter <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-06.html#section-7.1-10.2>, which may "be included to indicate the scope of protection" seems to me like it could serve the purpose. And, I realize it's a bit pedantic, but note that the discussion is about RS-provided nonce but the example shows what would be an AS response. With respect to "iat" and out-of-sync clocks - some leeway (on the order of a few seconds or minutes) in both directions to accommodate reasonable and likely clock skew is probably a good idea. As mentioned to Rohan in a prior reply, I'll look to qualify this a bit better in the next revision of the draft. On Tue, Mar 22, 2022 at 8:03 PM Nicolas Mora <nicolas@babelouest.org> wrote: > Hello, > > I would like to add some minor comments to this draft, based on what I've > seen so far. > > - Resource Server-Provided Nonce > Since a client may have to add different nonces for different RS in the > DPoP token, it would be useful to add the issuer in the RS error response, > so the client can differntiate nonces more easily. > There may be different RS using the same domain, the client might not know > it, and therefore switch nonces again and again between the RS. > Instead, if the RS error response looks like this, there will be no > ambiguity: > > HTTP/1.1 400 Bad Request > DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v > > { > "error": "use_dpop_nonce", > "error_description": > "Authorization server requires nonce in DPoP proof", > "iss": "https://resource.tld/person/" > } > > - iat and not synced servers > In addition to Rohan's question about the reasonable lifetime to expect > for a DPoP token, I'm wondering what is reasonable to accept concerning iat > in the future, where the client's clock may be out of sync. The paragraph > 11.1 says "the server MAY accept DPoP proofs that carry an iat time in the > reasonably near future". Could we add what a reasonably near future might > be? In my implementation there is no gap allowed, so I'm wondering. > > /Nicolas > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Nicolas Mora
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Joseph Heenan
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy