Re: [OAUTH-WG] First Draft of OAuth 2.1

Neil Madden <neil.madden@forgerock.com> Fri, 13 March 2020 09:25 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED03F3A149D for <oauth@ietfa.amsl.com>; Fri, 13 Mar 2020 02:25:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o0YAR83KXw7B for <oauth@ietfa.amsl.com>; Fri, 13 Mar 2020 02:25:50 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C43A3A1499 for <oauth@ietf.org>; Fri, 13 Mar 2020 02:25:49 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id 6so9076750wmi.5 for <oauth@ietf.org>; Fri, 13 Mar 2020 02:25:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=3B4keqsnUBnyireN9Cw7426EI8/EQbrX0JOGGjwcvRg=; b=hbOb2MXFg8vs5p3WXwkpleHf/oE8guMkjMJBX/GSJoy+KGa/j7bN6SlItKIiFmLvTu Y+5NaXyyhbog4DiJarQG4kTT28Kvw4AlbuahH7gWFuWYlCGAUF+a3+Bg7weuuuBCAvy1 em2tOrfXKb/XHlPiUKccm3YOI3K17/T7bxv3c=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=3B4keqsnUBnyireN9Cw7426EI8/EQbrX0JOGGjwcvRg=; b=dQ/7YFj1ATcJhO+gHSBNqzf3kmfUdMMECINSgInj3wnb10kD2rcyHzndSS46FDgLpb rbTFFXpPKT+H+ei8RESO54ebyeE+QqPQ7y1nWrS3+My8szx4kqU5vhTnoBJjQhrIJyOI PCkgFHwQy3o9jsCO4U9pu/c+DVH/ZOCFQ6TLgUjFsU7/6QYc8+mcDoS/woyHPEEPtYmX 3UNrCaYOgwuClkNoRli9vHqNSNNZfkm4tw0O1JoivESs59vWMXvO4/ScKutANb75RpAT X3cisqO7TEHjUYrGOCCW6YA1XkT7UcwqhL/t4ivCe0h/GfcRtGmyAHDQ1VMk3zmoDo2X 7xow==
X-Gm-Message-State: ANhLgQ3XwembYEG90H2pR3sSyScPO9Gz7dR/8ddlOgCFr69/jOsLUnQd vKH5m/Ac4bMOIT3OamqX4CcyLzZvOAnJjw==
X-Google-Smtp-Source: =?utf-8?q?ADFU+vtOJjWTU8In/yEnFIJNu4b6G2VcE1AQULFirr5Q?= =?utf-8?q?PIZgN81mHVTUI7AHqGemiosAUDTq6Bpnow=3D=3D?=
X-Received: by 2002:a1c:a950:: with SMTP id s77mr9750359wme.176.1584091547597; Fri, 13 Mar 2020 02:25:47 -0700 (PDT)
Received: from [192.168.1.65] (11.61.147.147.dyn.plus.net. [147.147.61.11]) by smtp.gmail.com with ESMTPSA id k3sm3042003wro.59.2020.03.13.02.25.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 13 Mar 2020 02:25:46 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-BAA54987-0C62-4E7B-822E-A2CA5B9092F2
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 13 Mar 2020 09:25:45 +0000
Message-Id: <D6C5A4C3-293C-44CB-9534-582AF3F9EDC9@forgerock.com>
References: <CAO7Ng+u=xW2iCtCO9Qr15PkKLD3edo7V5GnHv4DsSGDz4PFNfQ@mail.gmail.com>
Cc: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
In-Reply-To: <CAO7Ng+u=xW2iCtCO9Qr15PkKLD3edo7V5GnHv4DsSGDz4PFNfQ@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
X-Mailer: iPhone Mail (17D50)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FQpQe5-ssypV23A3EPcBSVBLZ3A>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2020 09:25:53 -0000

We have had several customers express interest in sliding expiration (idle timeouts) of refresh tokens and push back against rotation, particularly for mobile apps where they worry that the false positive rate with rotation can be too high to be practical due to flaky network connections. 

Neil

> On 13 Mar 2020, at 08:47, Dominick Baier <dbaier@leastprivilege.com> wrote:
> 
> 
> Off the top of my head, rotation is useful for 2 things
> 
> * reducing the likelihood that an “old” refresh token is still valid (e.g. “found” on some device, log file, source code etc...)
> * being able to revoke all the active refresh tokens if a refresh token is used twice
> 
> ..and yes it introduces a higher chance of false positives.
> 
> https://leastprivilege.com/2020/01/21/hardening-refresh-tokens/
> 
> But I agree with the spec - if the refresh token cannot be bound to a client by a secret (looking at you, SPAs) - it should be hardened using sliding expiration, rotation and replay detection. Maybe the wording needs to be clearer.
> 
> ———
> Dominick Baier
> 
>> On 12. March 2020 at 23:15:19, Vittorio Bertocci (vittorio=40auth0.com@dmarc.ietf.org) wrote:
>> 
>> Rotation can be used to detect leakage, right? Client credentials offer more guarantees, but unless you are using private JWTs with a non exportable certificate as client cred, a classic client secret _could_ technically leak. Having rotation would alert you if someone got a hold on those. Admittedly it’s a stretch, but not entirely inconceivable.
>> 
>>> On Thu, Mar 12, 2020 at 13:57 Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>> Then why are you rotating refresh tokens? 
>>> 
>>>>> Am 12.03.2020 um 20:48 schrieb Pedro Igor Silva <psilva@redhat..com>:
>>>>> 
>>>> 
>>>> A confidential client, as per the `web application` definition in Section `2.1.  Client Types`.
>>>> 
>>>>> On Thu, Mar 12, 2020 at 4:39 PM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
>>>>> Is that a public client?
>>>>> 
>>>>>>> Am 12.03.2020 um 20:32 schrieb Pedro Igor Silva <psilva@redhat.com>:
>>>>>>> 
>>>>>> 
>>>>>> I agree with you and recently, we had to deal with an issue where a `web application` using rotation (as defined by the draft) was having issues to refresh tokens due to multiple concurrent requests at the moment a token is about to expire or already expired.. We had to add some controls to deal with concurrency and additional complexity + performance penalties. And for such clients, I was not sure whether or not rotation makes sense.
>>> 
>>>>>> 
>>>>>>> On Thu, Mar 12, 2020 at 4:05 PM Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org> wrote:
>>>>>>> Thanks for the clarification, Torsten.
>>>>>>> I believe it's the first time I see use of client credentials positioned as sender constraint; if the intent is saying that confidential clients should use their credentials when redeeming refresh tokens, I am of course in agreement but I think the language should be clearer and state the above explicitly.
>>>>>>> 
>>>>>>> Re: failure frequency, I know of scenarios were the designers added rotation by default, and after a while it was turned to opt in because of the frequency of errors and impact on user experience/call center.
>>>>>>> I really believe that putting this as a MUST is justified only for exceedingly vulnerable situations, like SPAs.
>>>>>>> Native/desktop clients should be free to decide whether they want to opt in without loosing compliance. Just my 2 C
>>>>>>> 
>>>>>>>> On Thu, Mar 12, 2020 at 11:58 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>>>>>>> Hi,
>>>>>>>> 
>>>>>>>> sender constraining refresh tokens for confidential client means client authentication + check the binding of the refresh token with the respective client id. I don’t think this is new as RFC6759 already required ASs to check this binding. Assuming backends are generally confidential clients also means no rotation and no cache synchronization needed.
>>>>>>>> 
>>>>>>>> Rotation should be used for frontends, e.g. native apps and only if there is there no other option. If a refresh fails, the app must go through the authorization process again. That’s inconvenient so the question is how often this happens. What I can say, I have never seen customer complaining in several years of operation of ASs with refresh token rotation (including replay detection) for native apps with millions of users.
>>>>>>>> 
>>>>>>>> best regards,
>>>>>>>> Torsten.
>>>>>>>> 
>>>>>>>>>> Am 12.03..2020 um 19:24 schrieb Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf..org>:
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Hey guys,
>>>>>>>>> thanks for putting this together.
>>>>>>>>> I am concerned with the real world impact of imposing sender constraint | rotation as a MUST on refresh tokens in every scenario.
>>>>>>>>> Sender constraint isn't immediately actionable - we just had the discussion for dPOP, hence I won't go in the details here.
>>>>>>>>> Rotation isn't something that can be added without significant impact on development and runtime experiences:
>>>>>>>>> on distributed scenarios, it introduces the need to serialize access to shared caches
>>>>>>>>> network failures can lead to impact on experience- stranding clients which fail to receive RTn+1 during RTn redemption in a limbo where user interaction might become necessary, disrupting experience or functionality for scenarios where the user isn't available to respond.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> On Wed, Mar 11, 2020 at 5:28 PM Aaron Parecki <aaron@parecki..com> wrote:
>>>>>>>>>> I'm happy to share that Dick and Torsten and I have published a first
>>>>>>>>>> draft of OAuth 2.1. We've taken the feedback from the discussions on
>>>>>>>>>> the list and incorporated that into the draft.
>>>>>>>>>> 
>>>>>>>>>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01
>>>>>>>>>> 
>>>>>>>>>> A summary of the differences between this draft and OAuth 2.0 can be
>>>>>>>>>> found in section 12, and I've copied them here below.
>>>>>>>>>> 
>>>>>>>>>> > This draft consolidates the functionality in OAuth 2.0 (RFC6749),
>>>>>>>>>> > OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange
>>>>>>>>>> > (RFC7636), OAuth 2.0 for Browser-Based Apps
>>>>>>>>>> > (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current
>>>>>>>>>> > Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage
>>>>>>>>>> > (RFC6750).
>>>>>>>>>> >
>>>>>>>>>> >   Where a later draft updates or obsoletes functionality found in the
>>>>>>>>>> >   original [RFC6749], that functionality in this draft is updated with
>>>>>>>>>> >   the normative changes described in a later draft, or removed
>>>>>>>>>> >   entirely.
>>>>>>>>>> >
>>>>>>>>>> >   A non-normative list of changes from OAuth 2.0 is listed below:
>>>>>>>>>> >
>>>>>>>>>> >   *  The authorization code grant is extended with the functionality
>>>>>>>>>> >      from PKCE ([RFC7636]) such that the only method of using the
>>>>>>>>>> >      authorization code grant according to this specification requires
>>>>>>>>>> >      the addition of the PKCE mechanism
>>>>>>>>>> >
>>>>>>>>>> >   *  Redirect URIs must be compared using exact string matching as per
>>>>>>>>>> >      Section 4.1.3 of [I-D.ietf-oauth-security-topics]
>>>>>>>>>> >
>>>>>>>>>> >   *  The Implicit grant ("response_type=token") is omitted from this
>>>>>>>>>> >      specification as per Section 2.1.2 of
>>>>>>>>>> >      [I-D.ietf-oauth-security-topics]
>>>>>>>>>> >
>>>>>>>>>> >   *  The Resource Owner Password Credentials grant is omitted from this
>>>>>>>>>> >      specification as per Section 2.4 of
>>>>>>>>>> >      [I-D.ietf-oauth-security-topics]
>>>>>>>>>> >
>>>>>>>>>> >   *  Bearer token usage omits the use of bearer tokens in the query
>>>>>>>>>> >      string of URIs as per Section 4.3.2 of
>>>>>>>>>> >      [I-D.ietf-oauth-security-topics]
>>>>>>>>>> >
>>>>>>>>>> >   *  Refresh tokens must either be sender-constrained or one-time use
>>>>>>>>>> >      as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
>>>>>>>>>> 
>>>>>>>>>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12
>>>>>>>>>> 
>>>>>>>>>> I'm excited for the direction this is taking, and it has been a
>>>>>>>>>> pleasure working with Dick and Torsten on this so far. My hope is that
>>>>>>>>>> this first draft can serve as a good starting point for our future
>>>>>>>>>> discussions!
>>>>>>>>>> 
>>>>>>>>>> ----
>>>>>>>>>> Aaron Parecki
>>>>>>>>>> aaronparecki.com
>>>>>>>>>> @aaronpk
>>>>>>>>>> 
>>>>>>>>>> P.S. This notice was also posted at
>>>>>>>>>> https://aaronparecki.com/2020/03/11/14/oauth-2-1
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OAuth mailing list
>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>> _______________________________________________ 
>> OAuth mailing list 
>> OAuth@ietf.org 
>> https://www.ietf.org/mailman/listinfo/oauth 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth