IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP - Document Shepherd Review

Brian Campbell <bcampbell@pingidentity.com> Wed, 27 July 2022 23:11 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44219C16ECB1 for <oauth@ietfa.amsl.com>; Wed, 27 Jul 2022 16:11:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M5QPuMHPJt9g for <oauth@ietfa.amsl.com>; Wed, 27 Jul 2022 16:11:45 -0700 (PDT)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05384C13C224 for <oauth@ietf.org>; Wed, 27 Jul 2022 16:11:44 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id d124so724697ybb.5 for <oauth@ietf.org>; Wed, 27 Jul 2022 16:11:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3Pu2ZOrh44g4+Y8sZPEaxRKFjOeE6UfecQz9EI34ay4=; b=I8gG6EF9COMjUQy2w7wya/EknzFWgFYmFl+R4VfAiziUzL84gZC3/NxfJ255fCcH95 PjvjDWsKEnHqqMwlSlNLU8ONzd3ip0uX3tf/mFwPhn2p7yU3PNIzi/5suRK3LQGxiPsQ ANJJF1AdVjPzHt3yGHL2a496/VZksmS03uimjYLjY4miruy6SdAnC0xsAiI2JwELR6HD qoyTkL+NBf1z/7Bpbvx6VPJPuiql3qiAyKFX6G6vZUoepq+SWjJEJiy/06B7CmXOdm4K mTwJaAFqlNWJ92AVBPvJONEc4lnri4c17T7zIYrT+DZoFVjmT8JqD2Jxey1vIGSvTMD5 nWkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3Pu2ZOrh44g4+Y8sZPEaxRKFjOeE6UfecQz9EI34ay4=; b=GrojKNjNHnkd1dQ38qIUJJ5ARavTJyOWJ3iAvTaqxi0U/o9NeTOcQs2YCRw+CDahKT dsNROfV8n5HQ7ubs5IYCS88tN/bR0dTgogT6ZOAZdC4fW/rw9eFbfxDRzS8kAjUec1Bi cCKeb45U3D3PVzSUutiKhE3BZYKzDIGdsE+RtsQI9maMwRyWC5FtG2skrooyyajt2wCp OdyON+kw+DSk5+0VgmoAnDgHwPZX4v0F1km+eypWLZ2dZV6y+1BhL1YaMmkRSnbqUW+U +Em6cv0E2IWibzWoKeuQCgj/ODLjQWW+ZVuQLPXep6EVeazIHX4gzJyhZmzdlxJI0CRr bsLg==
X-Gm-Message-State: AJIora/5nYVTRGO9K9m0d8qSXODYbs0kgwN9HzZb7RGX9YlHLWXSLZyn DZuvObPo/xk5r0chqSKfddphMUwJS8JEkhyM5hXcIYhZLWcL2nqaldSj157b21qRtejKXf/h0g+ PFIASVLgrYiPZO8CQpT/8Jw==
X-Google-Smtp-Source: AGRyM1sS1o5UBNc4H3VJSQvY/5qo0OxG12NzDB+PB8FEdcHJ0s5O+YOfdcv/UiUa6uWsTzZ2COP2aboYevhpSSLVlc8=
X-Received: by 2002:a25:73c1:0:b0:673:4728:d270 with SMTP id o184-20020a2573c1000000b006734728d270mr2248768ybc.256.1658963503844; Wed, 27 Jul 2022 16:11:43 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP_0LLLmwdPa2sjsp8mmjOO2woQbdLf3XyPzUsJ_CuogXQ@mail.gmail.com> <CA+k3eCRyoncwUGu3cpnsXut6t8u2UUD9ZmBYYTCf7J9e3tpfzQ@mail.gmail.com> <CADNypP-nrgPHHbmxUZke=9UdpHWhv9wnd-v5vdC-36jgSSNBUw@mail.gmail.com> <CA+k3eCR5uZwGnnqN13WpPOeE0TseCACi=K3NDwu5k4NWtfex8A@mail.gmail.com> <CA+k3eCS4WjaW3A7VUnkb+Wtq3HTogqi2uG6EQppcKOkC9r7d2w@mail.gmail.com>
In-Reply-To: <CA+k3eCS4WjaW3A7VUnkb+Wtq3HTogqi2uG6EQppcKOkC9r7d2w@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 27 Jul 2022 19:11:06 -0400
Message-ID: <CA+k3eCRzXnWo-P3UHrmyOHm3etx+afH8MUsqne20s2B2q8J0NA@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000057ae1605e4d18a68"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/F6WHhBhRVOaa--5ifxuDBfIXRpI>
Subject: Re: [OAUTH-WG] DPoP - Document Shepherd Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jul 2022 23:11:49 -0000

I need to make one more apology - this time for the incorrect spelling of
Dr. Fett's name (should be Daniel not Danial). My apologies.

On Wed, Jul 27, 2022 at 6:43 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Thanks Rifaat and others for the vibrant* discussions about the DPoP draft
> in the side meeting yesterday.
>
> I thought it'd be appropriate to share/reiterate the three action items
> we'd agreed on during the meeting (as I remember anyway):
>
>    1. Justin to review the text about why we have the AT hash and either
>    create a PR adding additional motivations or say that what we have is
>    already sufficient
>    2. Danial to add some text to further explain decisions with respect
>    to PAR
>    3. Brian (aka me) to add a parenthetical remark to the Signature
>    Algorithms subsection listing 'ES256'
>
> PR's for the latter two are here
> <https://github.com/danielfett/draft-dpop/pull/165> and here
> <https://github.com/danielfett/draft-dpop/pull/166> respectively.  And
> yes, this message is, at least in part, a passive-aggressive reminder to
> Justin about #1.
>
> The slides that I used to try and help guide the discussions are attached.
> They are admittedly rather suboptimal but I'm including them for the sake
> of transparency (and because they have a couple of photos).
>
>
> * my apologies for being overly vibrant at times
>
>
>
>
> On Wed, Jul 6, 2022 at 4:32 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> Thanks Rifaat!
>> I will make those changes in the document source and come to Philly
>> prepared to discuss the other items. One of the side meetings seems like a
>> good forum for that, good idea.
>>
>> On Tue, Jul 5, 2022 at 11:14 AM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>>> Thanks Brian!
>>> See my replies inline below.
>>>
>>>
>>> On Thu, Jun 30, 2022 at 6:52 PM Brian Campbell <
>>> bcampbell@pingidentity.com> wrote:
>>>
>>>> Thanks for shepherding Rifaat. And apologies for the slow reply. My
>>>> attempts at answering questions and responding to comments are inline
>>>> below.
>>>>
>>>>
>>>> On Fri, Jun 3, 2022 at 11:55 AM Rifaat Shekh-Yusef <
>>>> rifaat.s.ietf@gmail.com> wrote:
>>>>
>>>>> The following is my review as a document shepherd:
>>>>>
>>>>> Section 4.3
>>>>>
>>>>> Last sentence
>>>>>
>>>>> Since the document uses “SHOULD”, this implies that there are some
>>>>> valid cases where this is not needed.
>>>>>
>>>>> Should a text be added to explain when this is not needed?
>>>>>
>>>>
>>>>
>>>> What about giving a bit more context about why they should? Changing
>>>> that sentence to say, "To reduce the likelihood of false negatives, servers
>>>> SHOULD employ Syntax-Based Normalization (Section 6.2.2
>>>> <https://rfc-editor.org/rfc/rfc3986> of [RFC3986]) and Scheme-Based
>>>> Normalization (Section 6.2.2 <https://rfc-editor.org/rfc/rfc3986> of [
>>>> RFC3986]) before comparing the htu claim." And also maybe changing it
>>>> to a little "should".
>>>>
>>>> Yes, that works.
>>> I suggest keeping it as "SHOULD" to encourage implementers to use this,
>>> unless they have a really good reason not to.
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 6.1
>>>>>
>>>>>    1.
>>>>>
>>>>>    First sentence - what is the reason for using “SHOULD”, instead of
>>>>>    “MUST” in this case?
>>>>>
>>>>>
>>>>
>>>> Good question. I think it was a bit of carryover from OAuth in general
>>>> not strictly defining access token format or content. And wanting to not
>>>> encroach on that. But that's kinda covered/allowed for in general by
>>>> Section 6 already. And Section 6.2 is effectively the same as 6.1 but for
>>>> introspection and it doesn't use "SHOULD". I think the “SHOULD” in the first
>>>> sentence of 6.1 should be removed thereby making it an implicit must - like
>>>> "when using JWT, this is how it is". That would align with the way it's
>>>> described for introspection. Also leaves some room for hash algorithm
>>>> agility via a new confirmation method member (described in
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#name-access-token-and-public-key)
>>>> without going against a "MUST"
>>>>
>>>>
>>> I am fine with removing the "SHOULD" to make it an implicit must.
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>>    1.
>>>>>
>>>>>    The DPoP Proof contains a hash of the Access Token, and the Access
>>>>>    Token contains a hash of the public key in the DPoP Proof.
>>>>>
>>>>> Why do you need both? Would one of these be sufficient?
>>>>>
>>>>
>>>>
>>>> The latter (AT containing a hash of the public key in the DPoP Proof)
>>>> is needed and largely sufficient for the main goals of binding the AT to a
>>>> key held by the client. The former (DPoP Proof containing a hash of
>>>> the AT) was added later via very rough WG consensus - it can prevent some
>>>> esoteric swapping of tokens that I never really understood to be honest and
>>>> also limits the impact of using maliciously precomputed and exfiltrated
>>>> proofs (
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-2-6
>>>> talks about it a bit). Use of the nonce mechanism, which was added to
>>>> the draft even later, also (and better) protects against precomputed
>>>> and exfiltrated proofs. The value of the AT hash in the proof seems
>>>> somewhat questionable. To me anyway. But removing it at this point is
>>>> potentially problematic due to inertia, existing
>>>> implementations/deployments, rough WG consensus, and more.
>>>>
>>>>
>>> I think that at least a text is needed to justify this, and explain the "
>>> it can prevent some esoteric swapping of tokens" issue.
>>> Maybe we can discuss this during one of the side meetings in Philly.
>>>
>>>
>>>
>>>>
>>>>
>>>
>>>>> Section 7.1
>>>>>
>>>>>    1.
>>>>>
>>>>>    “if the request does not include valid credentials or does not
>>>>>    contain an access token sufficient for access, the server can
>>>>>    respond with a challenge to the client to provide DPoP authentication
>>>>>    information.”
>>>>>
>>>>>
>>>>> Should the “can” be replaced with a “SHOULD”?
>>>>>
>>>>
>>>>
>>>> FWIW, there was some discussion around that sentence that included some
>>>> pushback on dropping the "can".
>>>> https://github.com/danielfett/draft-dpop/issues/119 and
>>>> https://github.com/danielfett/draft-dpop/pull/122 have the
>>>> conversation. I'm rather hesitant to try and change it after all that.
>>>>
>>>>
>>>>
>>> Ok
>>>
>>>
>>>
>>>>
>>>>>
>>>>>    1.
>>>>>
>>>>>    Also, I think it would be clearer if you can explicitly state what
>>>>>    the authorization server should do when it does not challenge the client,
>>>>>    which I am assuming will be something along the lines of: “the
>>>>>    authorization server issues an error response per Section 5.2 of RFC6749“
>>>>>
>>>>>
>>>>
>>>> The section in question is about protected resource access so anything
>>>> about the authorization server wouldn't be appropriate there. The protected
>>>> resource / RS always has the option to simply fail the request and can do
>>>> that however it sees fit. I'm not sure how to state that in the document
>>>> text. Or if anything should be stated, honestly.
>>>>
>>>> Ok
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 7.2
>>>>>
>>>>>    1.
>>>>>
>>>>>    “Specifically, such a protected resource MUST reject a DPoP-bound
>>>>>    access token received as a bearer token per [RFC6750
>>>>>    <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>
>>>>>    ].”
>>>>>
>>>>>
>>>>> I think that I understand what you are trying to say with this
>>>>> sentence, but the way the sentence reads is confusing to me.
>>>>>
>>>>> I am assuming what you are trying to say is something along the lines
>>>>> of “a dpop protected resource must reject a request that provides a bearer
>>>>> token”. Is that correct? If so, can you please rephrase the sentence to
>>>>> make it clearer?
>>>>>
>>>>
>>>>
>>>> That's not quite correct. That paragraph
>>>> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-7.2-1>
>>>> (copied below) is attempting say that a protected resource that will
>>>> accept either "Authorization: Bearer <bearer token>" or "Authorization:
>>>> DPoP <dpop-bound token>" is required to reject a request that uses the
>>>> Bearer scheme with a DPoP-bound access token. This is to prevent
>>>> downgraded usage of a bound access token without demonstrating possession
>>>> of the key to which it is bound.
>>>>
>>>> "Protected resources simultaneously supporting both the DPoP and Bearer
>>>> schemes need to update how evaluation of bearer tokens is performed to
>>>> prevent downgraded usage of a DPoP-bound access token. Specifically, such a
>>>> protected resource MUST reject a DPoP-bound access token received as a
>>>> bearer token per [RFC6750
>>>> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#RFC6750>
>>>> ]."
>>>>
>>>> Got it.
>>>
>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>    1.
>>>>>
>>>>>    “A protected resource that supports only [RFC6750
>>>>>    <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>]
>>>>>    and is unaware of DPoP would most presumably accept a DPoP-bound access
>>>>>    token as a bearer token”
>>>>>
>>>>>
>>>>> Wouldn't such a resource server check the value of the
>>>>> WWW-Authenticate header to make sure it contains the Bearer scheme, which
>>>>> means that the request is most likely to be declined?
>>>>>
>>>>
>>>>
>>>> What that is trying to say is that a protected resource that only does
>>>> or knows about the RFC6750 Bearer scheme ("Authorization: Bearer <token>")
>>>> will almost certainly accept a bound access token sent via the Bearer
>>>> scheme.
>>>>
>>>> Ok
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 10.1
>>>>>
>>>>> Why define two different mechanisms to achieve the same thing?
>>>>>
>>>>> This seems to add complexity without an obvious benefit.
>>>>>
>>>>
>>>>
>>>> This is a bit of a tricky area. The benefit with PAR is the direct
>>>> request from client to AS, which allows for an actual DPoP proof to be used
>>>> for the eventual binding of the authorization code to the key. Also the
>>>> client doesn't have to do the JWK hash in that case. Whereas the normal
>>>> authorization request is indirect via the browser and just a hash of the
>>>> key is given for the code binding with the dpop_jkt parameter. And the
>>>> client has to compute the hash. But PAR is just an alternative way to pass
>>>> the authorization parameters (like dpop_jkt) so it's kinda awkward to use
>>>> things together like this.
>>>> https://github.com/danielfett/draft-dpop/issues/103 and
>>>> https://github.com/danielfett/draft-dpop/pull/111 have some discussion
>>>> around this but there was some in person talk too so that's not complete.
>>>>
>>>> I don't love that there's two different mechanisms here. But it's what
>>>> we were able to come up with given all the factors. Certainly open to
>>>> considering improvements but am pretty much at a loss of what that might
>>>> be.
>>>>
>>>> Let's discuss this during one of the side meetings in Philly
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 11.6
>>>>>
>>>>> Should the algorithms be explicitly called out? Or at least reference
>>>>> a document that calls out such algorithms?
>>>>>
>>>>
>>>>
>>>> There isn't a single such document and it's not necessarily a static
>>>> list of algorithms. I was about to say we could point to the JOSE alg
>>>> registry but glancing again at it
>>>> https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
>>>> and I suspect that'd confuse more than help. We could perhaps list
>>>> some/many of the algs with the qualification that it's not an exclusive or
>>>> complete list? But I'm not sure how useful that would be, to be honest.
>>>>
>>>> If you do not specify any algorithm, how do you ensure interop?
>>> I think this is worth a discussion in Philly
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 11.7
>>>>>
>>>>> Why is OAuth Token Binding included?
>>>>>
>>>>
>>>>
>>>> Yeah, that doesn't make sense to encourage its use because it's not a
>>>> viable thing to use. OAuth Token Binding should be removed from Section
>>>> 11.7. Was that what you were getting at? That particular text in the
>>>> paragraph that mentions token binding has been in the draft for a long time
>>>> and honestly never made a lot of sense to me. So I could envision removing
>>>> more. But that's maybe more than you were aiming for.
>>>>
>>>> I am actually in favor of removing it
>>>
>>>
>>>
>>>>
>>>>>
>>>>> Section 11.8
>>>>>
>>>>> Why not include algorithm agility to make sure the mechanism is ready
>>>>> to allow for more secure algorithms in the future?
>>>>>
>>>>
>>>> Algorithm agility is a whole can of worms that can be accomplished in
>>>> different ways with different amounts of added complexity and potential
>>>> vulnerabilities and issues of interop and MTI. Section 11.8 describes how
>>>> DPoP allows for algorithm agility (without using the exact words) by
>>>> suggesting that new dpop binding cnf method and/or AT hash claim be
>>>> defined using a "better" hash algorithm if/when the need arises (OAuth
>>>> 2.0 Mutual-TLS takes a similar approach FWIW). The intent of doing it
>>>> that way was to keep things as simple as possible in the spec right now
>>>> without completely closing the door on future needs. .
>>>>
>>>> This is another topic that is worth a discussion in Philly.
>>>
>>> Regards,
>>>  Rifaat
>>>
>>>
>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>
>>>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email