Re: [OAUTH-WG] audience parameter in client_credentials

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Tue, 18 April 2023 06:30 UTC

Message-ID: <df966146-d9c8-6f78-c004-2c3ad21c6c9b@hackmanit.de>
Date: Tue, 18 Apr 2023 08:29:55 +0200
To: Evert Pot <me@evertpot.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <aec27932-c294-6b0e-98db-c71d61ee5d8a@evertpot.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
In-Reply-To: <aec27932-c294-6b0e-98db-c71d61ee5d8a@evertpot.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GF4Q5gKvo3Z-fHgmEi64DRTU-vI>
Subject: Re: [OAUTH-WG] audience parameter in client_credentials

These parameters seem to be similar to the "resource" parameter defined 
in RFC8707 (https://www.rfc-editor.org/rfc/rfc8707.html).

Maybe the vendors implemented their non-standard extensions before the 
RFC was published.

Best regards,
Karsten

On 17.04.2023 23:57, Evert Pot wrote:
>
> Hi list,
>
> I'm the author of an OAuth2 client library[1]. I received a feature 
> request to support the "audience" parameter on client_credentials, as 
> seen on the following two server implementations:
>
>   * Auth0:
>     https://auth0.com/docs/api/authentication?http#authorization-code-flow-with-pkce45
>   * Kinde:
>     https://kinde.com/docs/build/get-access-token-for-connecting-securely-to-kindes-api/
>
> Is this parameter based on any standard or draft, or are these 
> non-standard vendor extensions? I'm hesitant to blindly add support 
> for these without understanding the security implications.
>
> Evert
>
> [1]: https://github.com/badgateway/oauth2-client
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de  | IT Security Consulting, Penetration Testing, Security Training

Save the date: 11.-12.5.2023. Join us in celebrating the 5th anniversary of RuhrSec - the IT security conference in Bochum: https://www.ruhrsec.de/2023

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Prof. Dr. Marcus Niemietz
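What the "resource" parameter of RFC 8707 (and the vendor "audience" form discussed above) buys you in a client_credentials flow, as an added example in Python that is not code from the thread, from either vendor, or from the badgateway library: the client names the resource server it wants a token for, the authorization server mints a token whose `aud` claim is bound to that server, and a resource server accepts only tokens that name itself. The resource registry, client identifiers and URLs are constructed, the "refuse to mint an unbound token" rule is a policy choice rather than an RFC requirement, and a plain dict stands in for a JWT.

```python
from urllib.parse import urlencode, parse_qs

# Constructed registry of resource servers this authorization server knows.
KNOWN_RESOURCES = {"https://api.example.com/", "https://billing.example.com/"}


def build_token_request(client_id, client_secret, resource=None, audience=None):
    """Build the x-www-form-urlencoded body of a client_credentials token request.

    `resource` is the RFC 8707 parameter; `audience` is the non-standard vendor
    spelling seen in the thread. A client would normally send only one of them.
    """
    params = {"grant_type": "client_credentials",
              "client_id": client_id, "client_secret": client_secret}
    if resource is not None:
        params["resource"] = resource
    if audience is not None:
        params["audience"] = audience
    return urlencode(params)


def issue_token(body):
    """Simplified authorization server: check the requested target and return a
    token (a dict standing in for a JWT) whose `aud` claim names that target."""
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return {"error": "unsupported_grant_type"}
    # Accept either spelling, preferring the standard one.
    requested = (form.get("resource") or form.get("audience") or [None])[0]
    if requested is None:
        # Policy choice (assumption): never mint a token usable at any server.
        return {"error": "invalid_target"}
    if requested not in KNOWN_RESOURCES:
        # invalid_target is the error code RFC 8707 defines for a bad resource.
        return {"error": "invalid_target"}
    return {"aud": requested, "sub": form["client_id"][0], "scope": "read"}


def resource_server_accepts(token, my_identifier):
    """Resource server side: accept only a token whose audience is this server,
    so a token minted for api.example.com is useless at billing.example.com."""
    return "error" not in token and token.get("aud") == my_identifier
```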