IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators

John Bradley <ve7jtb@ve7jtb.com> Mon, 28 November 2016 22:59 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0D7B12A049 for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2016 14:59:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xyI0UCgmWrNn for <oauth@ietfa.amsl.com>; Mon, 28 Nov 2016 14:59:17 -0800 (PST)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B548B12A066 for <oauth@ietf.org>; Mon, 28 Nov 2016 14:58:58 -0800 (PST)
Received: by mail-qt0-x230.google.com with SMTP id n6so138354961qtd.1 for <oauth@ietf.org>; Mon, 28 Nov 2016 14:58:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=VhQrT3FxIf4wESe2w7mxvaPhuaz6QU9Y6Rq3wQXUUf0=; b=oYfb/V8UrTA822TCl9wZkkGZWs8jr/WK9vvVvZoyu5x8cCQIxfJoo6fGjmYmYJ/5gK y9xV1Ntx5tjobs6hLQ9D2mxXLaphNixtc96WoH1Iw+FbwOd8gFq/9LhKoSXBWqB6dBOH eftJbbkHCuhDkMtIdyJho8h8NABvUTvVwa4i1PaLW0fywNVAI9d/a+jk0evIAnLL+cSp NmgYJdR29SGuZ4phDpXOOh3s7XqghwAwDuDjRxLxWVBi/CKZVXMQbIgvrrtiWCZBR22D zjdxKCvG0PM5FagL/d1Co2jKIjN+pyUp6Osyk0ENuBdVneDxJUuvZ/+z/GbosZBsklfI KKzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=VhQrT3FxIf4wESe2w7mxvaPhuaz6QU9Y6Rq3wQXUUf0=; b=MaY+NSXGHFzU9Ma7fbaAXg7o8vQmPgcAePBcis99TuILDgkfk6bCncgYdtbMf5y9a0 0t8eySqtQfNv2zgo8zqggFIWKWMlZQeyaDFb2EX4ahiNO4Clgaay1VX/YmXqzvgpD3hM 3hEqiiFBvNKaC0Zt3IBIC5wgsDhwdprLPSXWBgnHbfvKxRlI8t+iC2+hNaXCNYrGywOL OIS0Gcskdbs1BgTpL/iWpU64yEX0Jb0Km96z0ICEtbTrIO5V2HQMFp+il2fRIxlFM/nf ZIV+gEI2W3f3aRXtuBwXiz1+TCcDIA4LBwWT51j2lbBcpDQqaeuQ2QxDIv6ocqkJqwW2 jF6w==
X-Gm-Message-State: AKaTC00OH9VxJ1FI6hO2D/S6ect/JJnCIbhBM833Q0J5+Mtp/QDzJ0R346JRsOr2R8QTKeC5
X-Received: by 10.237.35.246 with SMTP id k51mr21466429qtc.263.1480373937652; Mon, 28 Nov 2016 14:58:57 -0800 (PST)
Received: from [192.168.8.100] ([181.201.99.161]) by smtp.gmail.com with ESMTPSA id h46sm29388193qta.35.2016.11.28.14.58.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 28 Nov 2016 14:58:57 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <BFE837C1-C2A8-4393-A6E1-3F56E45AC12C@mit.edu>
Date: Mon, 28 Nov 2016 19:58:53 -0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <CD883FC7-531B-4BDF-91FF-33F0FBC102BD@ve7jtb.com>
References: <c607334a-edcd-2be6-1796-7b31e070bad0@gmail.com> <BFE837C1-C2A8-4393-A6E1-3F56E45AC12C@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/G26omw_Dd3Tb3CQMOU0dM-SCsxQ>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2016 22:59:19 -0000

To make something like this work with a loose coupling between the RS and AS the format of the AT would also need to be specified. 

To this point the WG has avoided standardizing AT.

Most AS probably believe they know what RS the token is going to be used at based on scopes. 
Taking those tokens and using them at other RS is arguably at-least out of scope or arguably not allowed by the current specs.

People are perhaps abusing the specs and sending AT to RS that are not properly audienced and can be replayed between RS.
This is really bad from a security perspective with bearer tokens.

I do however see a valid use case.

Registering RS with the client is not a bad idea, however if you register more than one without the client saying at runtime what RS the token is for they can still be replayed.
The client depending on design could still be tricked by a RS or something else to get a token audienced to a different RS if the AS dosen't know where the client is sending the token.

I don’t think registering RS gets around the need for the resource indicator draft https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators

Typically we have thought about a tight coupling between the RS and AS,  but now it seems people are putting more of the intelligence/burden on the the client.

in a more dynamic system the RS might provide a list of AS that it accepts tokens form and the client might dynamically register with one of them.

I suspect Sergey’s AS is doing something in between.

I am hesitant to pick off just dynamic registration as there are a number of interrelated issues that need to be thought through to prevent security issues.

John B.






> On Nov 28, 2016, at 3:47 PM, Justin Richer <jricher@mit.edu> wrote:
> 
> I would consider that a totally reasonable extension. You will need to define what the behavior is if the client doesn’t provide a value for that field: is there a default? Are there no resources available to the client?
> 
> — Justin
> 
>> On Nov 28, 2016, at 12:21 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>> 
>> Hi All
>> 
>> Our AS allows for the manual client registration with the UI offering an option to assign the audience/resource URIs to a given Client registration with all the associated future access tokens inheriting them.
>> 
>> The client will not have to follow the resource indicator registration as recommended at [1] - the administrator who registers the clients sets the audiences.
>> 
>> We'd like to achieve the same with the dynamic client registration but my colleague noted the client metadata in the dynamic registration request has no 'audience' property.
>> 
>> We will consider supporting either an 'audience' or 'resource' property - does it sound reasonable ?
>> 
>> By the way, as far as [1] is concerned, should a 'resource' property support an array of audiences ? (To support a case a client needed to talk to several RSs to complete a given action)
>> 
>> Thanks, Sergey
>> 
>> [1] https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email