IETF Logo Mail Archive

Re: [OAUTH-WG] HTTP request signing and repeated query/header keys

Justin Richer <jricher@mit.edu> Mon, 29 February 2016 01:13 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F8AA1AD0A6 for <oauth@ietfa.amsl.com>; Sun, 28 Feb 2016 17:13:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.206
X-Spam-Level:
X-Spam-Status: No, score=-4.206 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PX7ip_Uh654J for <oauth@ietfa.amsl.com>; Sun, 28 Feb 2016 17:12:58 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19E491AD0B3 for <OAuth@ietf.org>; Sun, 28 Feb 2016 17:12:56 -0800 (PST)
X-AuditID: 1209190c-c97ff70000002c85-1e-56d39b164681
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 0A.18.11397.61B93D65; Sun, 28 Feb 2016 20:12:55 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u1T1Cs7e010274; Sun, 28 Feb 2016 20:12:54 -0500
Received: from [10.0.1.8] (ip68-104-118-32.lv.lv.cox.net [68.104.118.32]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u1T1CoVi031465 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 28 Feb 2016 20:12:52 -0500
Content-Type: multipart/alternative; boundary="Apple-Mail=_F32D6EBC-F5A9-46B3-92DE-DCB70091EB19"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <005401d17272$070325a0$150970e0$@gmail.com>
Date: Sun, 28 Feb 2016 17:12:49 -0800
Message-Id: <844C70FF-8D41-4D4D-8F9D-F1CAC5D69D9E@mit.edu>
References: <003b01d1726f$66036590$320a30b0$@gmail.com> <16802C28-5478-41D5-8596-30C617C89016@mit.edu> <005401d17272$070325a0$150970e0$@gmail.com>
To: Brock Allen <brockallen@gmail.com>
X-Mailer: Apple Mail (2.2104)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmphleLIzCtJLcpLzFFi42IRYrdT1xWffTnM4McNRosZP46yW5x8+4rN gclj56y77B5LlvxkCmCK4rJJSc3JLEst0rdL4MpY9Zyl4G4DY8XMTb/YGhgfFXQxcnJICJhI /Ny0hq2LkYtDSKCNSWL79e2sEM5GRok5c+cxQTjHmCTO/l3ICtLCLJAg8XbTexYQm1dAT+LV rctgcWEBb4m/h/rBbDYBVYnpa1qAmjk4OAUsJOY95AUJswCFP/98yQwSZhZQl5i7MgJiipXE 6kNb2SFWTWKU2Nz3nQ0kISKgJrFw+nxmiEtlJXb/fsQ0gZF/FpIrZiG5AiKuLbFs4WtmCFtT Yn/3chZMcQ2Jzm8TWRcwsq1ilE3JrdLNTczMKU5N1i1OTszLSy3SNdTLzSzRS00p3cQICmxO SZ4djGfeeB1iFOBgVOLhfaF5OUyINbGsuDL3EKMkB5OSKG+f+MUwIb6k/JTKjMTijPii0pzU 4kOMEhzMSiK87pZA5bwpiZVVqUX5MClpDhYlcd7C/afDhATSE0tSs1NTC1KLYLIyHBxKErx+ s4AaBYtS01Mr0jJzShDSTBycIMN5gIYrgdTwFhck5hZnpkPkTzEqSonzTp8JlBAASWSU5sH1 ghKPS0aZwitGcaBXhHnXg1TxAJMWXPcroMFMQIMl1l8CGVySiJCSamA8+qvRmkerrdho9lSX jeys2g4alwru7DVady9w5+ZvP/h3TU+0y7/Pcn7F5OOlrxmDz+9wdu/LvBgzeQOL/N83LyZ2 83ZEvT+W1n7bOGLNw4mOt1x2qS6rq015tkmdJSc84GTM/4x/R9q/J/zrvlKy8dr7Kwce88xU OBoa4HO/s7rnXm3BrNb1SizFGYmGWsxFxYkAunWXbxcDAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/DCQsNqbRjvkImAi-OnoxxEGSBtc>
Cc: "<oauth@ietf.org>" <OAuth@ietf.org>
Subject: Re: [OAUTH-WG] HTTP request signing and repeated query/header keys
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Feb 2016 01:13:01 -0000

Yeah, that’s the trick — you don’t want to end up replicating the entire HTTP message inside the JWS envelope, because then you end up with a SOAP kind of approach where you’re not really using the outside HTTP constructs to their fullest anymore. 

In the end, I don’t think this spec is ever going to be perfectly universal, but if it can hit a majority of use cases with a simple and robust solution, I think we’re in good shape.

 — Justin

> On Feb 28, 2016, at 1:50 PM, Brock Allen <brockallen@gmail.com> wrote:
> 
> Now that I’m thinking about this, the only thing that comes to mind is a hash of the value included somehow (which I’m sure you’ve already thought of). That’s obviously more complexity and overhead for all scenarios to support this edge case.
>  
> -Brock
>  
> From: Brock Allen [mailto:brockallen@gmail.com] 
> Sent: Sunday, February 28, 2016 4:40 PM
> To: 'Justin Richer' <jricher@mit.edu>
> Cc: '<oauth@ietf.org>' <OAuth@ietf.org>
> Subject: RE: [OAUTH-WG] HTTP request signing and repeated query/header keys
>  
> Ok, missed that – thanks.
>  
> For now in my implementation I’m also ignoring this problem :)
>  
> -Brock
>  
> From: Justin Richer [mailto:jricher@mit.edu <mailto:jricher@mit.edu>] 
> Sent: Sunday, February 28, 2016 4:37 PM
> To: Brock Allen <brockallen@gmail.com <mailto:brockallen@gmail.com>>
> Cc: <oauth@ietf.org <mailto:oauth@ietf.org>> <OAuth@ietf.org <mailto:OAuth@ietf.org>>
> Subject: Re: [OAUTH-WG] HTTP request signing and repeated query/header keys
>  
> In §7.5 we currently have:
>  
>    The behavior of repeated query parameters or repeated HTTP headers is
>    undefined by this specification.  If a header or query parameter is
>    repeated on either the outgoing request from the client or the
>    incoming request to the protected resource, that query parameter or
>    header name MUST NOT be covered by the hash and signature. [[ Note to
>    the WG: is this something we need to cover? ]]
>  
> Which is to say: Yeah, that’s a problem, probably. We either declare this behavior out of scope and say you can’t use this method with that kind of API (or at least those parameters/headers) or we define a mechanism for handling that. I’m in favor of the former, and removing the text from the generation sections that says repeated parameters are processed with no special handling, making them explicitly out of scope throughout.
>  
> I would love to see more feedback from the group about this, especially if someone’s got a clever solution.
>  
>  — Justin
>  
>> On Feb 28, 2016, at 1:31 PM, Brock Allen <brockallen@gmail.com <mailto:brockallen@gmail.com>> wrote:
>>  
>> Given that the client can iterate over the query/headers in any order to generate the concatenated value to hash, I think there’s an issue with query string or header values with repeated keys. I’ll stick with query params for simplicity in my sample.
>>  
>> If a client signs this concatenated query: “a=1&a=2” then the “p” value in the signed JSON object could be this:
>>  
>> "p": [["a", "a"], "blah"]
>>  
>> On the resource server, how do you know which key/value pair to put in which order for verification? Also, given that different server implementations express these incoming parameters in different ways, it seems problematic to be consistent.
>>  
>> Thanks.
>>  
>> -Brock
>>  
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>

v2.23.0 | Report a Bug | By Email