IETF Logo Mail Archive

[OAUTH-WG] Re: Deferred Key Binding / TMB

Pieter Kasselman <pieter@spirl.com> Wed, 11 June 2025 15:01 UTC

Return-Path: <pieter@spirl.com>
X-Original-To: oauth@mail2.ietf.org
Delivered-To: oauth@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 2127733BACB1 for <oauth@mail2.ietf.org>; Wed, 11 Jun 2025 08:01:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=spirl.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AfrwNnTJ-paO for <oauth@mail2.ietf.org>; Wed, 11 Jun 2025 08:01:16 -0700 (PDT)
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 5789733BACA8 for <oauth@ietf.org>; Wed, 11 Jun 2025 08:01:16 -0700 (PDT)
Received: by mail-yb1-xb29.google.com with SMTP id 3f1490d57ef6-e819aa98e7aso5635232276.2 for <oauth@ietf.org>; Wed, 11 Jun 2025 08:01:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spirl.com; s=google; t=1749654076; x=1750258876; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NRem1Lyd4kjMV7ZYVx6WddxmjyNUvcN4kWxF5HninTw=; b=DyHlY0WYjr65GoO+urpJz87tErcNTrjH2DdLVIA/JbzwodN+PTUrYkO/8jbir/7eDG KhLuXXzN7vHMhun+h7mSoRkFEbMj49qCkrtUp/iCJwPFHeVL5hVcEWL6siFM5IlgBoXn ayFeGUl2iGO8tEwObfaXIvjc9oSVlsT9PskYV5peUrmcZH53FD4TZ2WTSJ07k0T0zB80 Cd9UZQQScBa+f6yHitoK3iRsAjxDvdZG2nrJybDSFpPr2u29brWgXuNZI5xiVoJOL+1a EFLweSNnetIM3458S8ocUWkpeqAIhUzgmjGvC1zpjf0SYCxSFl+kGfkpfrD990HqneUL mGTQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1749654076; x=1750258876; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NRem1Lyd4kjMV7ZYVx6WddxmjyNUvcN4kWxF5HninTw=; b=sW5QzWyLK4ueqw1CSlSMCBykeT1NC+3wTg7GWqaJJKt9QSLQSN1Sw+WvpXGd9h1GhG JPJuszRpHrMihQH07od7VylwxLEQVO45xEp0Flt/WEWP3gyMuJV+6PW2IfXcxmdRqGgM ov3oLK5bPOXB/qvj3becPR3fJec8cjmzyYeZL9K7b9nqWSdSVPPIVASiz+8jWjO51ygS njjtXLiTBsXyYF8BBK4e9lF0mc/NaN/zXS3Okj8GHhpkFPSlAGDGP/LXqbFBP8uaVnXe gOakiF8jFxMkOEAr0IhIcs/Zc1Fs2dmXyQsG8LrY+yllCHIj3xmbIZx7LdGkO5XFOWcc kp1g==
X-Forwarded-Encrypted: i=1; AJvYcCVth/zaSAoYnuUlzl7up0z8ARxL+PFiRJtKQMqvQ6P9YpmqQMqC5Che9VqXLU2W99nEqYb98Q==@ietf.org
X-Gm-Message-State: AOJu0YzoBVJDKmvnR4CPKG5MjuC7m10Gq24ugFNZMbXg370nDAP0Da/U IJQZIMb7uUe9xoRC95GlwCcjo3JHI2CZp9suImHkfTreEVNwthf/3aNFxTlRModhZqJVtzgJIm5 P7bzDjBCwq87u3U9jk8oAYbwTP3eMmsmlJnffK5K/Mw==
X-Gm-Gg: ASbGncuQUjAGnQ+UwDCPi6Ah3eudASPVdLaUPLDImmTckM37LP6XRWNEmh/vo9Fo570 ENQpv2XTgzGEt7/c+kGpk/mwIKmqhnx6xElUnPztvwpe7n2cevqPOCuPYd3QC8WuKmEoRyiHVAl ZfrvMzW/4E/UUNTCiVeF/8T48FzivDueY1MvyxmZswHgmMTzQP266X+bytOTP37SBasdpWT0Rdm 6M=
X-Google-Smtp-Source: AGHT+IH3p5Wna+/h3zmUtk41ru5Sa9/VMLio/9ekeAkt0F2Gv042TQh9GoLooThaQJ3kxhCgbrYoGTVi8hNUFE12CBc=
X-Received: by 2002:a05:6902:4a81:b0:e82:4a7:25b4 with SMTP id 3f1490d57ef6-e8204a7270emr2046925276.22.1749654075111; Wed, 11 Jun 2025 08:01:15 -0700 (PDT)
MIME-Version: 1.0
References: <E40270D7-F032-49B1-9B10-87167331EA3C@mit.edu> <fdcb60f9-3bc6-4aff-8c2e-3cf74d17f90d@gmail.com> <46381B94-84FB-49D3-9C71-2FE4F5A97256@mit.edu> <CALAqi_9f4SVzwbcib4pPWz4j6njRZiDXAkFcuEA8dB1ZO=kbSA@mail.gmail.com> <881B8C9E-9C0E-4600-ACE5-63B7644A0217@mit.edu>
In-Reply-To: <881B8C9E-9C0E-4600-ACE5-63B7644A0217@mit.edu>
From: Pieter Kasselman <pieter@spirl.com>
Date: Wed, 11 Jun 2025 16:01:04 +0100
X-Gm-Features: AX0GCFsfvPJqI229dnX6CkUEtVtolOwp2XRmiYBnNrywDB78C3QNdjsCvHur7mM
Message-ID: <CALtWOA2gYEaOOb275gcWq2HbqinU+O3X-5KO+gM6HGgh+dsdMA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000a08b6a06374d1520"
Message-ID-Hash: RLE6LLY6JV3HXJZQY5JK67YHIZ7AYU4E
X-Message-ID-Hash: RLE6LLY6JV3HXJZQY5JK67YHIZ7AYU4E
X-MailFrom: pieter@spirl.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Deferred Key Binding / TMB
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EFM6nPBFgeU4UilqVV81noqvbac>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

This "deferred key binding" model where a token should be bound to a key
for which PoP can only be demonstrated later is increasingly common. Having
recommended patterns for cases where this gets deployed will be helpful.

On Wed, Jun 11, 2025 at 12:50 PM Justin Richer <jricher@mit.edu> wrote:

> Yup, that’s one of the patterns - it hands the public key to the backend
> over some channel and then gets the bound token back in exchange for that.
> Whoever presents the token gets to keep the private key.
>
>  — Justin
>
> On Jun 10, 2025, at 3:40 PM, Filip Skokan <panva.ip@gmail.com> wrote:
>
> > It’s not a bearer token because the resulting token IS bound to a key,
> just not a key held by the requesting software. Think of it this way: if
> you logically split the OAuth “Client” into two parts, you can have one
> part that can ask for a new token and one that can present that new token
> but with a key binding of some kind (DPoP, MTLS, HTTPSig, the mechanism
> doesn’t matter here I believe).
>
> So like the Token-Mediating Backend pattern from
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#section-6.2,
> today that pattern can't use DPoP unless the Browser hands off the Proof
> JWT for the token endpoint request to be made to its backend. Using TMB it
> could still have a non-extractable CryptoKeyPair stored in the frontend's
> IndexedDB and just hand off the jkt to use for binding to its backend.
>
> Do I get that right Justin?
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Tue, 10 Jun 2025 at 21:27, Justin Richer <jricher@mit.edu> wrote:
>
>> “Deferred” is maybe not the most accurate term, I wrote the draft itself
>> VERY quickly — but it was meant to convey that you don’t bind the token to
>> the key being presented but defer that to another party.
>>
>> I’d be happy to list out possible mechanisms for establishing trust
>> beyond configured policy (which is the only thing I’ve seen in the wild) —
>> that’s one of the things I’m hoping to gather in the conversation about
>> this!
>>
>> It’s not a bearer token because the resulting token IS bound to a key,
>> just not a key held by the requesting software. Think of it this way: if
>> you logically split the OAuth “Client” into two parts, you can have one
>> part that can ask for a new token and one that can present that new token
>> but with a key binding of some kind (DPoP, MTLS, HTTPSig, the mechanism
>> doesn’t matter here I believe). The part that gets the token can’t use it
>> at an RS, but it can hand it over to someone who CAN use it, and use it
>> with a specific key. The part that can use the token (with the key) doesn’t
>> have a means of getting a new token from the AS (either through
>> architectural decisions or through performance concerns or just not mapping
>> to the OAuth view of a monolithic client), but it can talk to the other
>> part that’s able to get the token on its behalf.
>>
>> So the token does need a key to be used at the RS, and it’s the second
>> part of the client that holds the key.
>>
>>  — Justin
>>
>> > On Jun 7, 2025, at 9:51 AM, John Kemp <stable.pseudonym@gmail.com>
>> wrote:
>> >
>> > Some initial feedback upon a quick read (with no background context for
>> this issue):
>> >
>> > [...]
>> >
>> >> that up again and see if that interim can get scheduled soon. I’d
>> >> also like to encourage people to read through the draft and open the
>> >> discussion here on the list more.
>> >
>> > * What is the point of using the word "deferred" in this case? Is the
>> "key binding" made at some future time? Why? What value does that bring?
>> Until when is it deferred?
>> >
>> > * Might we enumerate the mechanisms by which you might "trust me, bruh"
>> if not by PoP?
>> >
>> > * How is this _not_ just effectively a bearer token then?
>> >
>> > - johnk
>> >
>> > El 06/05/25 a las 12:45, Justin Richer escribió:
>> >> Hi Chairs and WG,
>> >> Back in Bangkok, we presented the draft https://datatracker.ietf.org/
>> >> doc/draft-richer-oauth-tmb-claim/ that introduces, in a concrete
>> >> way, the notion of getting a token bound to a key that you don’t
>> >> possess. As we discussed, this is a topic that keeps coming up in
>> >> the OAuth space and is usually dutifully pushed aside for the sake
>> >> of simplicity (and some would argue sanity).
>> >> The chairs mentioned pulling together an interim meeting for the
>> >> OAuth WG for us to discuss this topic ahead of Madrid, to see if
>> >> there was anything more we as a community want to do with it. As
>> >> we’re now more than halfway between the meetings, we wanted to bring
>> >> that up again and see if that interim can get scheduled soon. I’d
>> >> also like to encourage people to read through the draft and open the
>> >> discussion here on the list more.
>> >> — Justin _______________________________________________ OAuth
>> >> mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-
>> >> leave@ietf.org
>> >
>> > --
>> > Independent Security Architect
>> > t: +1.413.645.4169
>> > e: stable.pseudonym@gmail.com
>> >
>> > https://www.linkedin.com/in/johnk-am9obmsk/
>> > https://github.com/frumioj
>> >
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

v2.31.3 | Report a Bug | By Email | System Status