IETF Logo Mail Archive

Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01

John Bradley <ve7jtb@ve7jtb.com> Tue, 02 December 2014 20:15 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA26A1A6FCA for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 12:15:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9SngmXi4DlCJ for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 12:15:20 -0800 (PST)
Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BC881A7016 for <oauth@ietf.org>; Tue, 2 Dec 2014 12:15:00 -0800 (PST)
Received: by mail-wg0-f43.google.com with SMTP id l18so17941452wgh.30 for <oauth@ietf.org>; Tue, 02 Dec 2014 12:14:59 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=9QOeV2csuaQnhhzMO8wbs0B7LT8M23R50Z337WbCmtA=; b=mH2AQ3fwDjN9p1bQFWycaTHD3VlAIcRKS+GJzDvX2NhHmLnBuxJ7af+Qolxy0oEMUH DGlUiSkPIRHah7tbAzctRbwtGadue1su+nF1i8JQxGzp8rrlgFotMuD/15ErUf5CsbsF fqLWiTzMaBKhGokAfd2nEJed8jQOBGKxEBNZ54NGjC7T4FdYlqj6u6eGqfIuAgU7MWnj TKH1p9+P8y3QySUcIUx9IUJRzyTH3h1G9bIloTw3736++12rsRaUYxmawMruLovDY7K0 WCreDe2ouJzg69i2H89CeW6KtjQYoRLQk22kxRa2pr5hvv3V6VXtULBGTpO3mbfaS9wU pGoA==
X-Gm-Message-State: ALoCoQkyNW3F7PK3IOLUtAK3y6H68Pm3hb19t6okH8z/uJIX28x6RDWZaaAz1d7kSe4qf2nQhHSj
X-Received: by 10.180.38.98 with SMTP id f2mr7808352wik.55.1417551299145; Tue, 02 Dec 2014 12:14:59 -0800 (PST)
Received: from [10.47.81.9] (host86-187-11-58.range86-187.btcentralplus.com. [86.187.11.58]) by mx.google.com with ESMTPSA id j2sm33307981wjs.28.2014.12.02.12.14.56 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 02 Dec 2014 12:14:57 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_2519D241-BA48-494E-BAB9-27ECD4DF6DBD"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <EA29FCAC-B690-40D3-A6EF-345F4483856E@mitre.org>
Date: Tue, 02 Dec 2014 17:14:54 -0300
Message-Id: <BA5E5445-7B45-4798-A462-154A76152A4A@ve7jtb.com>
References: <46D29E35-5A69-4687-BC44-45462DEA8D47@mitre.org> <580238515.3962316.1417548302668.JavaMail.yahoo@jws10646.mail.bf1.yahoo.com> <EA29FCAC-B690-40D3-A6EF-345F4483856E@mitre.org>
To: "Justin P. Richer" <jricher@mitre.org>
X-Mailer: Apple Mail (2.1993)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/H1Ali2oAFfxBpjbfz9_sjem1T6Y
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 20:15:24 -0000

Many of the proprietary introspection protocols in use return scope, role or other meta data for the RS to make its access policy decision on.
One of the reasons for using opaque tokens rather than JWT is to prevent leakage of that info.

Making authentication to the introspection endpoint a MUST if additional attributes are present is OK,  I might even be inclined to say that authentication of some sort is always required, but that might be going a bit far for some use cases.

We have a lot of proprietary ways to do this from IBM, Layer 7, Ping etc.  It would be nice if we could standardize it.   Precluding other attributes would not be helpful for adoption.


One issue that we haven’t addressed in this spec is what happens if there are multiple AS for the RS and how it would decide what introspection endpoint to use.
Perhaps that needs to be a extension, leaving this for the simple case.

However having more than on e AS per RS is not as unusual as it once was in larger environments.

John B.


> On Dec 2, 2014, at 4:56 PM, Richer, Justin P. <jricher@mitre.org> wrote:
> 
> Agreed, which is why we've got space for the "sub" and "user_id" fields but not anything else about the user, and we've got a privacy considerations section for dealing with that. If you can help make the wording on that section stronger, I'd appreciate it.
> 
>  -- Justin
> 
> On Dec 2, 2014, at 2:25 PM, Bill Mills <wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com>> wrote:
> 
>> If introspection returns any other user data beyond what is strictly required to validate the token based solely on possession of the public part it would be a mistake.
>> 
>> 
>> On Tuesday, December 2, 2014 11:13 AM, "Richer, Justin P." <jricher@mitre.org <mailto:jricher@mitre.org>> wrote:
>> 
>> 
>> That's all fine -- it's all going over TLS anyway (RS->AS) just like the original token fetch by the client (C->AS). Doesn't mean you need TLS *into* the RS (C->RS) with a good PoP token. 
>> 
>> Can you explain how this is related to "act on behalf of"? I don't see any connection.
>> 
>>  -- Justin
>> 
>> On Dec 2, 2014, at 2:09 PM, Bill Mills <wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com>> wrote:
>> 
>>> Fetching the public key for a token might be fine, but what if the introspection endpoint returns the symmetric key?  Data about the user?  Where does this blur the line between this and "act on behalf of"?
>>> 
>>> 
>>> On Tuesday, December 2, 2014 11:05 AM, "Richer, Justin P." <jricher@mitre.org <mailto:jricher@mitre.org>> wrote:
>>> 
>>> 
>>> The call to introspection has a TLS requirement, but the call to the RS wouldn't necessarily have that requirement. The signature and the token identifier are two different things. The identifier doesn't do an attacker any good on its own without the verifiable signature that's associated with it and the request. What I'm saying is that you introspect the identifier and get back something that lets you, the RS, check the signature.
>>> 
>>>  -- Justin
>>> 
>>> On Dec 2, 2014, at 1:40 PM, Bill Mills <wmills_92105@yahoo.com <mailto:wmills_92105@yahoo.com>> wrote:
>>> 
>>>> "However, I think it's very clear how PoP tokens would work. ..."
>>>> 
>>>> I don't know if that's true.  POP tokens (as yet to be fully defined) would then also have a TLS or transport security requirement unless there is token introspection client auth in play I think.  Otherwise I can as an attacker take that toklen and get info about it that might be useful, and I don't think that's what we want.
>>>> 
>>>> -bill
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.38.3 | Report a Bug | By Email | System Status