IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 19 July 2022 13:45 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B263FC188729 for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 06:45:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ux7HPp3YQRZn for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 06:45:19 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FF2CC06B8FB for <oauth@ietf.org>; Tue, 19 Jul 2022 06:44:56 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id mf4so27283016ejc.3 for <oauth@ietf.org>; Tue, 19 Jul 2022 06:44:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=9DkPQFM+RqIPLmsUGidgRWLFZykIYzXKAimmctz1gCI=; b=WqIvKsMjWsBvhn2DBwNs2FFbOd7cWJMkjKL/IFvFk4/wx0pS9tDfm97IeGM9mQpU73 WPVyqJHeDgyoIpXbvGPSe9uB6rw9ZcuIvC+BUSYMr46vhIKaVX/a5f/5bNOk6LPJH9Tt TW6L1v9G7SzCgQpTuxLhFP7tDMo/eh0faRb7MklmeZQibbuCb19LWCYR3MCvelH4qSHX nda84eOyvd1ZfOvwuvAGAqzXofbrRbqcGbx49eMol/4vrTOphbDLC3HXcsutPHNlcyjy 9gPOr2PBahc0IiN63vWMDu6F16ebJlH5RpbdkTAvyVI4Ule2zyNvdmdBodjxlhyChh6N Em4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=9DkPQFM+RqIPLmsUGidgRWLFZykIYzXKAimmctz1gCI=; b=hBnd8iKlAbQ+x3yG6xWA3iQIsDIG4ZJiOH9UMoB+59H5qZhTFXLQUkoBtMtJQi0VCY NlEblIA2DLMObkaoIxWSRnOENP10Ru0CXQE2hNgGkZnW8qSUc0MAy1WNeplOQBomIXlM logydGnM7bmNEcCrx/1IoQrb00m6TbWpZ9o9aYGtyDsCFKxcB6e166FVjSTLNrg/gmFP 1JRRVkSuvsNmsGaGNiR5cK2IT/DJ/pGgYBJpgr0o6aida8SvVKy4YWIqO6Y75XhAhwLy udEZOG9CtgauGOgGBkDBskwhlIvY/+9nQdF1REnBUYmUYO/7BJEW01CJ3aOtwWagogXN Rm+A==
X-Gm-Message-State: AJIora+kdiVu6KfTRphYoDT9ScXpMoB5pLzOTRIHxtwaBEiAx0eo53U+ kMCG3xFOUis5mpVxhQ838wy3AA==
X-Google-Smtp-Source: AGRyM1uM+YjDSXY3oAkd+J1DUV/DOeitw9wBVdYuqMgJ13H5OtdEaSSlun8+bAAdi8f2jCC7jQZ2rQ==
X-Received: by 2002:a17:907:8a14:b0:72b:76d0:520 with SMTP id sc20-20020a1709078a1400b0072b76d00520mr30457825ejc.468.1658238294581; Tue, 19 Jul 2022 06:44:54 -0700 (PDT)
Received: from smtpclient.apple (p200300eb8f25a431148497bef6f3e78d.dip0.t-ipconnect.de. [2003:eb:8f25:a431:1484:97be:f6f3:e78d]) by smtp.gmail.com with ESMTPSA id a18-20020a056402169200b00438ac12d6b9sm248162edv.52.2022.07.19.06.44.53 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Jul 2022 06:44:54 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <0BDBCCBF-8292-494E-B2BE-471DE0BCCC58@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_04981B8F-BB58-4741-A909-99F803F8F3DC"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Tue, 19 Jul 2022 15:44:52 +0200
In-Reply-To: <CADNypP_WF1FOCncUs8djWqKndz5dXsnD7+uLiFvURmDqEGiCMw@mail.gmail.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, RFC Errata System <rfc-editor@rfc-editor.org>, Nat Sakimura <nat@sakimura.org>, dave@tonge.org, Filip Skokan <panva.ip@gmail.com>, Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, oauth <oauth@ietf.org>, paul.wouters@aiven.io
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
References: <20211015193847.E6C9E20EBD5@rfc-editor.org> <CA+k3eCTmZHQ9yrokOQLd98t9JWvQB39Qf1Xz2rq=Dm8=JZ_nBw@mail.gmail.com> <CADNypP_WF1FOCncUs8djWqKndz5dXsnD7+uLiFvURmDqEGiCMw@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ed-yi1lYRiBQlWbZeFVBpcboOkg>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 13:45:22 -0000

I’m not sure this requires an update. It basically says „stick the uri you get from step 1 into this parameter in step 2“. Does this really require use to re-state any further requirements of a proper JAR?

> Am 19.07.2022 um 15:15 schrieb Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>:
> 
> + Roman and Paul
> 
> On Mon, Jul 18, 2022 at 12:25 PM Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
> I believe this should be verified. I'm also the one that reported it though. But it's been sitting in reported status for a while now. 
> 
> On Fri, Oct 15, 2021 at 1:38 PM RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>> wrote:
> The following errata report has been submitted for RFC9126,
> "OAuth 2.0 Pushed Authorization Requests".
> 
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid6711 <https://www.rfc-editor.org/errata/eid6711>
> 
> --------------------------------------
> Type: Technical
> Reported by: Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>
> 
> Section: 3.
> 
> Original Text
> -------------
>    Clients MAY use the "request" parameter as defined in JAR [RFC9101]
>    to push a Request Object JWT to the authorization server.  The rules
>    for processing, signing, and encryption of the Request Object as
>    defined in JAR [RFC9101] apply.  Request parameters required by a
>    given client authentication method are included in the "application/
>    x-www-form-urlencoded" request directly and are the only parameters
>    other than "request" in the form body (e.g., mutual TLS client
>    authentication [RFC8705] uses the "client_id" HTTP request parameter,
>    while JWT assertion-based client authentication [RFC7523] uses
>    "client_assertion" and "client_assertion_type").  All other request
>    parameters, i.e., those pertaining to the authorization request
>    itself, MUST appear as claims of the JWT representing the
>    authorization request.
> 
> Corrected Text
> --------------
>   Clients MAY use the request and client_id parameters as defined in 
>   JAR [RFC9101] to push a Request Object JWT to the authorization 
>   server. The rules for processing, signing, and encryption of the 
>   Request Object as defined in JAR [RFC9101] apply. Request parameters
>   required by a given client authentication method are included in the
>   application/x-www-form-urlencoded request directly and are the only 
>   parameters other than request and client_id in the form body (e.g.,
>   JWT assertion-based client authentication [RFC7523] uses 
>   "client_assertion" and "client_assertion_type") HTTP request
>   parameters). All authorization request parameters, i.e., those 
>   pertaining to the authorization request itself, MUST appear as
>   claims of the JWT representing the authorization request.
> 
> Notes
> -----
> That first paragraph of Sec 3 was not properly updated to come inline with JAR (now RFC9101) when it changed in draft -21 to require "client_id" in the authorization request in addition to in addition to "request" or "request_uri" - so is  somewhat ambiguous in maybe suggesting that "client_id" isn't required. But it is required based on how PAR works and RFC9101 requiring "client_id".
> 
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party  
> can log in to change the status and edit the report, if necessary. 
> 
> --------------------------------------
> RFC9126 (draft-ietf-oauth-par-10)
> --------------------------------------
> Title               : OAuth 2.0 Pushed Authorization Requests
> Publication Date    : September 2021
> Author(s)           : T. Lodderstedt, B. Campbell, N. Sakimura, D. Tonge, F. Skokan
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email