[OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00

Janak Amarasena <janakama360@gmail.com> Wed, 13 November 2024 16:29 UTC

Return-Path: <janakama360@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425B3C1ECA65 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 08:29:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crzUN8vSWpHy for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 08:29:32 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15F7CC1D6FCE for <oauth@ietf.org>; Wed, 13 Nov 2024 08:29:32 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2fb470a8b27so9095341fa.1 for <oauth@ietf.org>; Wed, 13 Nov 2024 08:29:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731515370; x=1732120170; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=AvZuMuUXXyQkLslJhn4RHNjy9GSFcGf/kd0rvo3OyEY=; b=kP6zXU3K2Vbi/nzAAZfhpP6SS7cUugEAItKaFXJHp1VJdEWDz/MiMwKV2L2FFJkzg+ uh+M4MzIr+zTzfNKq+0jihWRdkre/+e/bYhOI3xp/7SV2PPwVvGpbSU3iVCoSV2QTUzW 2hcYxvrfM9KIO7TVWo+2NAb9qaokND+i9e5zO4aMCJWbcJSn/ye4il3M+IGHebJetX30 NPqeS50wLsdNy7bKdml27d6V9mixhICoxhoFmIeRydj0PpDZ84JYLWQnT9JtCLtY08Ku l3pkhtUIKqELrYYrA5keoPUSmsYSYozG3x9ijgAs6JHfc/4m3x4XI125eySmOIV/VdoP 7hdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731515370; x=1732120170; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=AvZuMuUXXyQkLslJhn4RHNjy9GSFcGf/kd0rvo3OyEY=; b=AFiPedKa0woMIhJqbxevQG5OhK3ZF9rnCi5tmNB8flq1Ai5HbBotZNwTi6oI1SWBsq 1jGU/uV7cSZeyzPAUZdS/dOCZ/RawPOux9RS7NJyZ2f9oIwG4mRo0S2zYDaiG1cQmfR3 DnXbky7Kbu7oAsQ1pR4+6ZJkHg1KhvFfo4EIsvEh9GbHI9rOl4teNA0GbOW4m3Qkfh9E wd31H62/H5FxxkXMThIM9mqbvN7W3Ok+O23g7AdrAe8mZ3+AVVvwuqGbh+pjdNM9hkxA 7XgAvH7a8RSCny0a7xWypSqYMIYx3Q5W82TsLG2eRo+vkNCTFL9SlTkxYT3mySCq6c00 69MQ==
X-Gm-Message-State: AOJu0YyctbkBKJT3nT6TaKlrhfBie6h+s2n5O19edWihw8LkZnmi6mlA phlcmKyBn5ZaGnNsDRYI0K/98ebZWiLETqTARhr1PZY59vIOOxUSCJmUs4liDlGqMQbRplGptjQ j+ORjRZQxS0TOTLGa2JcYNBKEsuoJ8kng
X-Google-Smtp-Source: AGHT+IFh6E63lC12+uhKSNXmtfS3ceffIL4uRlsBlRozHzwKRDByMpG9HTIi5TSm72EXoDS2XJMnLZD9yrE9pIQjC6c=
X-Received: by 2002:a2e:bba1:0:b0:2ff:5589:5a1a with SMTP id 38308e7fff4ca-2ff55895c6cmr1534011fa.6.1731515369708; Wed, 13 Nov 2024 08:29:29 -0800 (PST)
MIME-Version: 1.0
References: <CAM7dPt1+PAjUtHmrp-d_y7i8SZXgjjyO2izmMk543xXwF1iY5Q@mail.gmail.com>
In-Reply-To: <CAM7dPt1+PAjUtHmrp-d_y7i8SZXgjjyO2izmMk543xXwF1iY5Q@mail.gmail.com>
From: Janak Amarasena <janakama360@gmail.com>
Date: Wed, 13 Nov 2024 21:58:52 +0530
Message-ID: <CAM7dPt36g33t2mLT4Q2w3+MnLqSEzssv3=uv4-8uPU6Zm_YRPw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088e3e00626cdd6db"
Message-ID-Hash: AUHIH4P2E3B3SG7AGKZIZHFBC2A7L52Y
X-Message-ID-Hash: AUHIH4P2E3B3SG7AGKZIZHFBC2A7L52Y
X-MailFrom: janakama360@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EqbJtQCHxf98i1nR_-kLP5cJ8bw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi All,

I created GitHub issues[1] #125 to #131 covering the feedback I provided
through my previous email.

[1] - https://github.com/oauth-wg/oauth-first-party-apps/issues

Best Regards,
Janak Amarasena

On Fri, Nov 1, 2024 at 11:43 AM Janak Amarasena <janakama360@gmail.com>
wrote:

> Hi All,
>
> I have gone through the OAuth 2.0 for First Party Applications draft (
> draft-ietf-oauth-first-party-apps-00) and have some feedback on it. I
> think this is a much needed standard. At my organization(WSO2) also we have
> seen a significant demand from customers requesting to do API centric
> authorization largely due to the need for seamless UX. We have seen places
> where organizations lean more towards UX disregarding security best
> practices. Due to the demand we ourselves did an extension for OAuth to
> solve the same problem this specification is addressing and at the time if
> this specification existed we would have definitely implemented this
> without going ahead with our own extension.
>
> Please find my feedback below;
>
> Under section 5.1. “Authorization Challenge Request” the spec lists the
> “code_challenge” and the "code_challenge_method" as optional parameters. As
> this protocol establishes direct communication between the client and the
> AS I don’t see a real requirement to mention PKCE related parameters
> here. Please let me know if I have missed anything here.
>
> As I understood, using these two parameters in the authorization
> challenge request is useful only when the client expects that it will have
> to perform a redirect based authorization flow and also the AS supports PAR
> capabilities through the authorization_challenge_endpoint. I think this
> will be an edge case and given the spec mentions it supports all extensions
> applicable to the authorization endpoint I don’t see a major need to
> specifically mention these two parameters under this section. I think this
> could also cause confusion to implementers.
>
> Under section 5.2.2.1. “Redirect to Web Error Response” the spec mentions
>
>    In this case, the client is expected to initiate a new OAuth
>
>    Authorization Code flow with PKCE according to [RFC6749] and
>
>    [RFC7636].
>
>    If the client expects the frequency of this error response to be
>
>    high, the client MAY include a PKCE ([RFC7636]) code_challenge in the
>
>    initial authorization challenge request.  This enables the
>
>    authorization server to essentially treat the authorization challenge
>
>    request as a PAR [RFC9126] request, and return the request_uri and
>
>    expires_in as defined by [RFC9126] in the error response.  The client
>
>    then uses the request_uri value to build an authorization request as
>
>    defined in [RFC9126] Section 4.
>
> I think it would be good to add some text to the spec mentioning the
> possibility to use the auth_session in this new authorization request such
> that the user can continue the login from where the user left off.
> Something similar is mentioned in section 6.1. for step-up authentication.
>
>
> I have some concerns with the authorization_challenge_endpoint being able
> to act as the PAR endpoint. I understand the improved experience gained
> here but this essentially creates two standard endpoints that can do
> similar things. Instead it might be possible to use the auth_session to
> maintain the complete context. However this could be overloading the
> expectations of the auth_session.
>
> Under section 5.3.1. “Auth Session” spec mentions;
>
>    The auth_session value is completely opaque to the client, and as
>
>    such the authorization server MUST adequately protect the value from
>
>    inspection by the client, for example by using a random string or
>
>    using a JWE if the authorization server is not maintaining state on
>
>    the backend.
>
> I think the intention behind mandating to maintain the opaqueness is to
> protect any sensitive information. Depending on the AS implementation it
> could decide on using an auth_session value which is not opaque but also
> does not contain any sensitive data. I think it would be better to
> recommend that the AS uses adequate measures such as encryption in the
> event they are using something other than an opaque value that contains
> sensitive data. The current mandating will put an unnecessary burden on the
> AS to encrypt and decrypt data if it doesn’t contain sensitive information.
>
> In the same section it mentions;
>
>   To mitigate the risk of session hijacking, the 'auth_session' MUST be
>
>    bound to the device, and the authorization server MUST reject an
>
>    'auth_session' if it is presented from a different device than the
>
>    one it was bound to.
>
> I completely agree on the need to mitigate the risk of session hijacking.
> However, in the current text, although it's not directly mentioned here, it
> will require the AS to have a proof of possession mechanism in place as
> pointed in Section 9 "Security Considerations". This can be a major
> barrier to implement this specification as the AS should also implement
> another specification. There can be different ways the implementation can
> solve this problem without needing proof of possession. For example if the
> auth_session is only transmitted between the AS and the client then it will
> be protected with TLS in transit and the client and AS can use independent
> mechanisms to protect the auth_session at rest. Since this specification
> applies only to first party applications the implementers will have full
> control over how the client and the AS protects the data, and therefore can
> make sure adequate protection is in place for the auth_session. Due to this
> I think it is better to change wording from mandating to a recommendation.
>
> Regarding section “7. Resource Server Error Response” I am wondering
> whether this section is required at all as this spec makes no addition to
> RFC9470. I guess this section is there to provide clarity due to RFC9470
> using the authorization endpoint in its text.
>
> Under section 9.5.1. DPoP: Demonstrating Proof-of-Possession it mentions
> “… The authorization server MUST ensure that the same key is used in all
> subsequent Authorization Challenge Requests, or in the eventual token
> request…” I think it was meant to say “... Authorization Challenge
> Requests, and in the eventual token request…”
>
> Best Regards,
>
> Janak Amarasena
>
>