[OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00
Janak Amarasena <janakama360@gmail.com> Wed, 13 November 2024 16:29 UTC
Return-Path: <janakama360@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425B3C1ECA65 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 08:29:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.847
X-Spam-Level:
X-Spam-Status: No, score=-1.847 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id crzUN8vSWpHy for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 08:29:32 -0800 (PST)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15F7CC1D6FCE for <oauth@ietf.org>; Wed, 13 Nov 2024 08:29:32 -0800 (PST)
Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2fb470a8b27so9095341fa.1 for <oauth@ietf.org>; Wed, 13 Nov 2024 08:29:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1731515370; x=1732120170; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=AvZuMuUXXyQkLslJhn4RHNjy9GSFcGf/kd0rvo3OyEY=; b=kP6zXU3K2Vbi/nzAAZfhpP6SS7cUugEAItKaFXJHp1VJdEWDz/MiMwKV2L2FFJkzg+ uh+M4MzIr+zTzfNKq+0jihWRdkre/+e/bYhOI3xp/7SV2PPwVvGpbSU3iVCoSV2QTUzW 2hcYxvrfM9KIO7TVWo+2NAb9qaokND+i9e5zO4aMCJWbcJSn/ye4il3M+IGHebJetX30 NPqeS50wLsdNy7bKdml27d6V9mixhICoxhoFmIeRydj0PpDZ84JYLWQnT9JtCLtY08Ku l3pkhtUIKqELrYYrA5keoPUSmsYSYozG3x9ijgAs6JHfc/4m3x4XI125eySmOIV/VdoP 7hdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731515370; x=1732120170; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=AvZuMuUXXyQkLslJhn4RHNjy9GSFcGf/kd0rvo3OyEY=; b=AFiPedKa0woMIhJqbxevQG5OhK3ZF9rnCi5tmNB8flq1Ai5HbBotZNwTi6oI1SWBsq 1jGU/uV7cSZeyzPAUZdS/dOCZ/RawPOux9RS7NJyZ2f9oIwG4mRo0S2zYDaiG1cQmfR3 DnXbky7Kbu7oAsQ1pR4+6ZJkHg1KhvFfo4EIsvEh9GbHI9rOl4teNA0GbOW4m3Qkfh9E wd31H62/H5FxxkXMThIM9mqbvN7W3Ok+O23g7AdrAe8mZ3+AVVvwuqGbh+pjdNM9hkxA 7XgAvH7a8RSCny0a7xWypSqYMIYx3Q5W82TsLG2eRo+vkNCTFL9SlTkxYT3mySCq6c00 69MQ==
X-Gm-Message-State: AOJu0YyctbkBKJT3nT6TaKlrhfBie6h+s2n5O19edWihw8LkZnmi6mlA phlcmKyBn5ZaGnNsDRYI0K/98ebZWiLETqTARhr1PZY59vIOOxUSCJmUs4liDlGqMQbRplGptjQ j+ORjRZQxS0TOTLGa2JcYNBKEsuoJ8kng
X-Google-Smtp-Source: AGHT+IFh6E63lC12+uhKSNXmtfS3ceffIL4uRlsBlRozHzwKRDByMpG9HTIi5TSm72EXoDS2XJMnLZD9yrE9pIQjC6c=
X-Received: by 2002:a2e:bba1:0:b0:2ff:5589:5a1a with SMTP id 38308e7fff4ca-2ff55895c6cmr1534011fa.6.1731515369708; Wed, 13 Nov 2024 08:29:29 -0800 (PST)
MIME-Version: 1.0
References: <CAM7dPt1+PAjUtHmrp-d_y7i8SZXgjjyO2izmMk543xXwF1iY5Q@mail.gmail.com>
In-Reply-To: <CAM7dPt1+PAjUtHmrp-d_y7i8SZXgjjyO2izmMk543xXwF1iY5Q@mail.gmail.com>
From: Janak Amarasena <janakama360@gmail.com>
Date: Wed, 13 Nov 2024 21:58:52 +0530
Message-ID: <CAM7dPt36g33t2mLT4Q2w3+MnLqSEzssv3=uv4-8uPU6Zm_YRPw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088e3e00626cdd6db"
Message-ID-Hash: AUHIH4P2E3B3SG7AGKZIZHFBC2A7L52Y
X-Message-ID-Hash: AUHIH4P2E3B3SG7AGKZIZHFBC2A7L52Y
X-MailFrom: janakama360@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EqbJtQCHxf98i1nR_-kLP5cJ8bw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Hi All, I created GitHub issues[1] #125 to #131 covering the feedback I provided through my previous email. [1] - https://github.com/oauth-wg/oauth-first-party-apps/issues Best Regards, Janak Amarasena On Fri, Nov 1, 2024 at 11:43 AM Janak Amarasena <janakama360@gmail.com> wrote: > Hi All, > > I have gone through the OAuth 2.0 for First Party Applications draft ( > draft-ietf-oauth-first-party-apps-00) and have some feedback on it. I > think this is a much needed standard. At my organization(WSO2) also we have > seen a significant demand from customers requesting to do API centric > authorization largely due to the need for seamless UX. We have seen places > where organizations lean more towards UX disregarding security best > practices. Due to the demand we ourselves did an extension for OAuth to > solve the same problem this specification is addressing and at the time if > this specification existed we would have definitely implemented this > without going ahead with our own extension. > > Please find my feedback below; > > Under section 5.1. “Authorization Challenge Request” the spec lists the > “code_challenge” and the "code_challenge_method" as optional parameters. As > this protocol establishes direct communication between the client and the > AS I don’t see a real requirement to mention PKCE related parameters > here. Please let me know if I have missed anything here. > > As I understood, using these two parameters in the authorization > challenge request is useful only when the client expects that it will have > to perform a redirect based authorization flow and also the AS supports PAR > capabilities through the authorization_challenge_endpoint. I think this > will be an edge case and given the spec mentions it supports all extensions > applicable to the authorization endpoint I don’t see a major need to > specifically mention these two parameters under this section. I think this > could also cause confusion to implementers. > > Under section 5.2.2.1. “Redirect to Web Error Response” the spec mentions > > In this case, the client is expected to initiate a new OAuth > > Authorization Code flow with PKCE according to [RFC6749] and > > [RFC7636]. > > If the client expects the frequency of this error response to be > > high, the client MAY include a PKCE ([RFC7636]) code_challenge in the > > initial authorization challenge request. This enables the > > authorization server to essentially treat the authorization challenge > > request as a PAR [RFC9126] request, and return the request_uri and > > expires_in as defined by [RFC9126] in the error response. The client > > then uses the request_uri value to build an authorization request as > > defined in [RFC9126] Section 4. > > I think it would be good to add some text to the spec mentioning the > possibility to use the auth_session in this new authorization request such > that the user can continue the login from where the user left off. > Something similar is mentioned in section 6.1. for step-up authentication. > > > I have some concerns with the authorization_challenge_endpoint being able > to act as the PAR endpoint. I understand the improved experience gained > here but this essentially creates two standard endpoints that can do > similar things. Instead it might be possible to use the auth_session to > maintain the complete context. However this could be overloading the > expectations of the auth_session. > > Under section 5.3.1. “Auth Session” spec mentions; > > The auth_session value is completely opaque to the client, and as > > such the authorization server MUST adequately protect the value from > > inspection by the client, for example by using a random string or > > using a JWE if the authorization server is not maintaining state on > > the backend. > > I think the intention behind mandating to maintain the opaqueness is to > protect any sensitive information. Depending on the AS implementation it > could decide on using an auth_session value which is not opaque but also > does not contain any sensitive data. I think it would be better to > recommend that the AS uses adequate measures such as encryption in the > event they are using something other than an opaque value that contains > sensitive data. The current mandating will put an unnecessary burden on the > AS to encrypt and decrypt data if it doesn’t contain sensitive information. > > In the same section it mentions; > > To mitigate the risk of session hijacking, the 'auth_session' MUST be > > bound to the device, and the authorization server MUST reject an > > 'auth_session' if it is presented from a different device than the > > one it was bound to. > > I completely agree on the need to mitigate the risk of session hijacking. > However, in the current text, although it's not directly mentioned here, it > will require the AS to have a proof of possession mechanism in place as > pointed in Section 9 "Security Considerations". This can be a major > barrier to implement this specification as the AS should also implement > another specification. There can be different ways the implementation can > solve this problem without needing proof of possession. For example if the > auth_session is only transmitted between the AS and the client then it will > be protected with TLS in transit and the client and AS can use independent > mechanisms to protect the auth_session at rest. Since this specification > applies only to first party applications the implementers will have full > control over how the client and the AS protects the data, and therefore can > make sure adequate protection is in place for the auth_session. Due to this > I think it is better to change wording from mandating to a recommendation. > > Regarding section “7. Resource Server Error Response” I am wondering > whether this section is required at all as this spec makes no addition to > RFC9470. I guess this section is there to provide clarity due to RFC9470 > using the authorization endpoint in its text. > > Under section 9.5.1. DPoP: Demonstrating Proof-of-Possession it mentions > “… The authorization server MUST ensure that the same key is used in all > subsequent Authorization Challenge Requests, or in the eventual token > request…” I think it was meant to say “... Authorization Challenge > Requests, and in the eventual token request…” > > Best Regards, > > Janak Amarasena > >
- [OAUTH-WG] Feedback on draft-ietf-oauth-first-par… Janak Amarasena
- [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first… Janak Amarasena
- [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first… Pieter Kasselman