Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
Phil Hunt <phil.hunt@oracle.com> Thu, 16 May 2019 16:42 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4A631200B3 for <oauth@ietfa.amsl.com>; Thu, 16 May 2019 09:42:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.309
X-Spam-Level:
X-Spam-Status: No, score=-4.309 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5onmxrVh_uHO for <oauth@ietfa.amsl.com>; Thu, 16 May 2019 09:42:11 -0700 (PDT)
Received: from aserp2130.oracle.com (aserp2130.oracle.com [141.146.126.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7C9412011D for <oauth@ietf.org>; Thu, 16 May 2019 09:42:11 -0700 (PDT)
Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4GGSPjU055649; Thu, 16 May 2019 16:42:03 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2018-07-02; bh=2RlIvW9N1mgVoa9G1B6J0chivtMEoZtXTnGgYO4sSCI=; b=SM3UwFbNWdx/gkADiNMkBOujsXrScKgSZTV2CvUrIuyOWrZE9mLrs/kMYtDxy//KUnIo svg+B2hDKN9JLt3lRPmtY20pUkWCUTY2mNcFgRqK8ff8EYTlb9LcxDVhSqAd/uHtzSKj RE4wgRu4LygelFJj70iipzEWzuibDN+l2Q4WMN+hLvvrEgLfnzu+ZH7XZAWyIjFC+XI1 U1dMv8y261Sf2gqTuWOywrsllSL/0bJNqzZbLUbEypQikGQndvC1/jOlLlpl31QBOnD3 Orx764pON5fxzboaDxbkWgEZD/4OhW96Vp3Fm/yDrd6sx5ARg18WPoPPnDt7XaLT24Ig qw==
Received: from userp3030.oracle.com (userp3030.oracle.com [156.151.31.80]) by aserp2130.oracle.com with ESMTP id 2sdkwe4xd1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 May 2019 16:42:03 +0000
Received: from pps.filterd (userp3030.oracle.com [127.0.0.1]) by userp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4GGcGRw126404; Thu, 16 May 2019 16:40:02 GMT
Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by userp3030.oracle.com with ESMTP id 2sgkx46p7r-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 16 May 2019 16:40:02 +0000
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id x4GGe0wa009071; Thu, 16 May 2019 16:40:00 GMT
Received: from [192.168.1.22] (/70.70.142.148) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 16 May 2019 09:40:00 -0700
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (16E227)
In-Reply-To: <480b151b02714a7fb7cedc871df429de@datev.de>
Date: Thu, 16 May 2019 09:39:59 -0700
Cc: Justin Richer <jricher@mit.edu>, "oauth@ietf.org" <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <EE64D184-5C45-4BCB-909B-308D3687207C@oracle.com>
References: <9FDB4A17E451433AB2EDF31BEF4F2EF9@bk.datev.de> <480b151b02714a7fb7cedc871df429de@datev.de>
To: "Sahler, Frank" <frank.sahler@datev.de>
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9259 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905160105
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9259 signatures=668687
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905160105
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GNV-nhPQZs1uvHJdmyjC5rQBGRE>
Subject: Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 16:42:15 -0000
We looked at giving clients a public client id they could use to perform an authorize with scope “dcr” to get an AT to be used as an IAT. While it works it seems like overkill. The main risk with the DCR endpoint is generating too many IDs ... a DoS issue primarily since having an ID is not authorization. Because of the perceived developer complexity and confusion over dealing with a public and confidential client id, my feeling was that software statements are sufficient. They provide a signed assertion the developer can pass in so the DCR can establish what the client claims to be registering as. This is enough to establish some access policy at the DCR endpoint. Phil > On May 16, 2019, at 1:33 AM, Sahler, Frank <frank.sahler@datev.de> wrote: > > Hi Justin, > background of my query is that we want to offer in our company the possibility of dynamic client registration. > Unfortunately, the topic initial access token - how do I get it and how exactly it is constructed - is not exactly specified - it is out of scope. > That is the reason why I searched in internet and found the scope "dcr" in curity documentation. > > Central question in the moment: how does the user who want to register a client get the initial access token? > My idea: > We are using a protected client registration so the user first has to authenticate himself. > In the authorization request, the scope "dcr" (or any other?) is transferred to the authorization server and as a result there is the initial access token for this user and this client. So, in my opinion, it is guaranteed that one gets the initial access token, which has also requested it. > > With the idea to use the software statement, I have to work more intensively. I had not seen that way before. Perhaps the initial access token can even be replaced by this. But also there is the question, how is it requested? > > Greetings > Frank > > > -----Ursprüngliche Nachricht----- > Von: Justin Richer <jricher@mit.edu> > Gesendet: Mittwoch, 15. Mai 2019 19:57 > An: Sahler, Frank <frank.sahler@datev.de> > Cc: oauth@ietf.org > Betreff: Re: [OAUTH-WG] Query on RFC 7591 - dynamic client registration protocol > > On the surface this is fine, but it hides an important detail: you need to have a client registered with the system in order to make a token request, meaning that the “dcr” token was issued to a different client than the one making the registration request. So that just means that the developer is going to have to copy it by hand into a configuration, or otherwise pass it to the instances at runtime. > > Is it allowable? Sure, as the RFC doesn’t state (or care) how you got the initial access token for the registration request. Is it standard? Well, the “dcr” scope is specific to this company’s implementation, and it’s a little odd using an automated process to get a token for what will be an automated process. That basically leaves one instance of the application as the “primary” instance and everything else builds off of that. > > It’s more common to use a software statement, which also locks down a set of client attributes in a signed statement. In fact, in the original version of this part of the specification, which came from the BlueButton+REST project, the “software statement” and “initial access token” were one and the same. This working group decided that the functionality was better separated. > > — Justin > > On May 14, 2019, at 1:30 PM, Sahler, Frank <frank.sahler@datev.de<mailto:frank.sahler@datev.de>> wrote: > > Hello, > I read in the dynamic client registration documentation of the company curity (https://developer.curity.io/tutorials/dynamic-client-registration-overview) that they use the scope "dcr" in the authorization request to get an initial access token i.e. a bearer token that only allows access to the registration endpoint. > > Is this also from your point of view a feasible way to initiate the client registration? > > Unfortunately the specification says nothing about how to get the token and how its purpose is limited to the registration endpoint. These two points are "out of scope for this specification". > > Regards > Frank Sahler > Security Consultant > DATEV eG, Nuremberg, Germany > ________________________________ > Signatur > Diese E-Mail wurde mit einem Zertifikat der DATEV eG signiert. Damit können Sie sicher sein, dass die Nachricht so von uns gesendet wurde. Wenn Sie eine Meldung erhalten, dass die Signatur ungültig ist oder nicht geprüft werden kann, fehlt das Zertifikat zu dieser Signatur auf Ihrem Rechner. Informationen zu Zertifikaten und zur digitalen Signatur finden Sie unter https://www.datev.de/zertifikate im Internet. > ________________________________ > DATEV eG > 90329 Nürnberg > Telefon +49 911 319-0 > > E-Mail: info@datev.de<mailto:info@datev.de> > Internet: https://www.datev.de<https://www.datev.de/> > Sitz: 90429 Nürnberg, Paumgartnerstraße 6-14 > Registergericht Nürnberg, GenReg Nr. 70 > > Vorstand > Dr. Robert Mayr (Vorsitzender) > Eckhard Schwarzer (stellv. Vorsitzender) > Julia Bangerth > Prof. Dr. Peter Krug > Diana Windmeißer > > Vorsitzender des Aufsichtsrates: Nicolas Hofmann > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org<mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > > ________________________________ > Signatur > Diese E-Mail wurde mit einem Zertifikat der DATEV eG signiert. Damit können Sie sicher sein, dass die Nachricht so von uns gesendet wurde. Wenn Sie eine Meldung erhalten, dass die Signatur ungültig ist oder nicht geprüft werden kann, fehlt das Zertifikat zu dieser Signatur auf Ihrem Rechner. Informationen zu Zertifikaten und zur digitalen Signatur finden Sie unter https://www.datev.de/zertifikate im Internet. > ________________________________ > > DATEV eG > 90329 Nürnberg > Telefon +49 911 319-0 > > E-Mail: info@datev.de > Internet: https://www.datev.de > Sitz: 90429 Nürnberg, Paumgartnerstraße 6-14 > Registergericht Nürnberg, GenReg Nr. 70 > > Vorstand > Dr. Robert Mayr (Vorsitzender) > Eckhard Schwarzer (stellv. Vorsitzender) > Julia Bangerth > Prof. Dr. Peter Krug > Diana Windmeißer > > Vorsitzender des Aufsichtsrates: Nicolas Hofmann >
- [OAUTH-WG] Query on RFC 7591 - dynamic client reg… Sahler, Frank
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Justin Richer
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Sahler, Frank
- Re: [OAUTH-WG] Query on RFC 7591 - dynamic client… Phil Hunt