IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)

Torsten Lodderstedt <torsten@lodderstedt.net> Tue, 19 July 2022 16:50 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBD67C157B44 for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 09:50:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HR70D61Eicn6 for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 09:50:11 -0700 (PDT)
Received: from mail-wm1-x334.google.com (mail-wm1-x334.google.com [IPv6:2a00:1450:4864:20::334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABD00C14CF1E for <oauth@ietf.org>; Tue, 19 Jul 2022 09:50:11 -0700 (PDT)
Received: by mail-wm1-x334.google.com with SMTP id id17so2227103wmb.1 for <oauth@ietf.org>; Tue, 19 Jul 2022 09:50:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=CfIVwEdlbVHOwuWImPv5VMG9ujV4EWoA/hO6AXLpCMc=; b=zoOw3gBSOxLC7H/Y/zAW9EWbH0zkLvxJOIBnJnPHt/c47MBFtWia1N/OerwLZE2uLi 1pJPFDDM3gDmOsdqHCwoklnkKEvm5nKIh4nXbKULGT1mapdO9A4uOaWxb/4OTwQvQPOi pnL5NntO1n5Xbp9c/51rfNp332FY55lb1SgE9BT41dLIkZqDZ5zPmWJO3IPWaBm3+NO6 izcE+oWd2Hc2kTTMH3hEFMBjLIrAy7nanNNd6mb/r5OqY4j8+3xqnaqAxU1YqIh4tv3t cCUcFXCupj6LJ7sNFtkrfsUvlrfKWEjQFANm893xeY2pVYl/Z2dOe/ba4eM+5nNSTx9O ymJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=CfIVwEdlbVHOwuWImPv5VMG9ujV4EWoA/hO6AXLpCMc=; b=jgu5QHm7bisKUIXzYCT1FtTvFOndZGzO7FnqhC7XLaMWHvsVpv75eh2CZ+SC6nSNHN JATfcGeywrkFhw+lXDiD0KFjfZST+AezLnh8NUDQ4M3qo/ip74HLgK+RCATACIFlIk3B 7eIwPy26rB8xUJYFtksBkFUE4X3ALV9SbQZR+E7VyM5UVZFEUhX2xeMT9BNJNOul8Vch sDP+RoOzEUcZcPhlog9SwUohQNjhJijJqefYWNRVpBhrOCvQoOsqK8mSONhTqcoTgKwV sem21uyyND6LgA6wASsHQ3v1GlU1KrmeJA0xOMAAA5xJ4SfOenHUOC5NnwlC3N1+o7dl EM9w==
X-Gm-Message-State: AJIora/g8a3d3A3Dy+UCOj4g9xeZFv06SHH+mxKSyA/0LgCRoQb2d8cj iW/qjk2EewrdrOAhfEQEkwokDA==
X-Google-Smtp-Source: AGRyM1tZnbOdtEjs3cV+uDejDacwe64EI7zR3wr5zPFtax1F9MqTWWbJx0rHI3uF/fwXpxGG2vKsnA==
X-Received: by 2002:a1c:7407:0:b0:3a3:1d8:5c12 with SMTP id p7-20020a1c7407000000b003a301d85c12mr167616wmc.191.1658249409579; Tue, 19 Jul 2022 09:50:09 -0700 (PDT)
Received: from smtpclient.apple (p200300eb8f25a46410b3d16480f3056b.dip0.t-ipconnect.de. [2003:eb:8f25:a464:10b3:d164:80f3:56b]) by smtp.gmail.com with ESMTPSA id d15-20020adffbcf000000b0020fff0ea0a3sm13917376wrs.116.2022.07.19.09.50.08 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 19 Jul 2022 09:50:09 -0700 (PDT)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <EC28AD6C-568C-4CB6-894A-30E790BD7255@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E257B9DF-260D-4CED-8201-E0485FAA7D9E"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Tue, 19 Jul 2022 18:50:07 +0200
In-Reply-To: <CA+k3eCREa_eFVKfemNGCVMQG77QJN8c4sq6ufA6PiPR9p8hKVw@mail.gmail.com>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, RFC Errata System <rfc-editor@rfc-editor.org>, Nat Sakimura <nat@sakimura.org>, dave@tonge.org, Filip Skokan <panva.ip@gmail.com>, Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, oauth <oauth@ietf.org>, paul.wouters@aiven.io
To: Brian Campbell <bcampbell@pingidentity.com>
References: <20211015193847.E6C9E20EBD5@rfc-editor.org> <CA+k3eCTmZHQ9yrokOQLd98t9JWvQB39Qf1Xz2rq=Dm8=JZ_nBw@mail.gmail.com> <CADNypP_WF1FOCncUs8djWqKndz5dXsnD7+uLiFvURmDqEGiCMw@mail.gmail.com> <0BDBCCBF-8292-494E-B2BE-471DE0BCCC58@lodderstedt.net> <CA+k3eCREa_eFVKfemNGCVMQG77QJN8c4sq6ufA6PiPR9p8hKVw@mail.gmail.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HDWkjFkWXpDyQfmPQKAjd5Qw-so>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 16:50:15 -0000


> Am 19.07.2022 um 18:23 schrieb Brian Campbell <bcampbell@pingidentity.com>:
> 
> The correction is attempting to remove some potential ambiguity that has been interpreted as JAR's requirement for "client_id" not being applicable in the context JAR over PAR. 

I unterstand.If it has caused confusion already, we should change the text.  

>  
> Maybe it should have been an editorial errata rather than technical.
> 
> On Tue, Jul 19, 2022 at 7:44 AM Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
> I’m not sure this requires an update. It basically says „stick the uri you get from step 1 into this parameter in step 2“. Does this really require use to re-state any further requirements of a proper JAR?
> 
>> Am 19.07.2022 um 15:15 schrieb Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>>:
>> 
>> + Roman and Paul
>> 
>> On Mon, Jul 18, 2022 at 12:25 PM Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
>> I believe this should be verified. I'm also the one that reported it though. But it's been sitting in reported status for a while now. 
>> 
>> On Fri, Oct 15, 2021 at 1:38 PM RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>> wrote:
>> The following errata report has been submitted for RFC9126,
>> "OAuth 2.0 Pushed Authorization Requests".
>> 
>> --------------------------------------
>> You may review the report below and at:
>> https://www.rfc-editor.org/errata/eid6711 <https://www.rfc-editor.org/errata/eid6711>
>> 
>> --------------------------------------
>> Type: Technical
>> Reported by: Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>
>> 
>> Section: 3.
>> 
>> Original Text
>> -------------
>>    Clients MAY use the "request" parameter as defined in JAR [RFC9101]
>>    to push a Request Object JWT to the authorization server.  The rules
>>    for processing, signing, and encryption of the Request Object as
>>    defined in JAR [RFC9101] apply.  Request parameters required by a
>>    given client authentication method are included in the "application/
>>    x-www-form-urlencoded" request directly and are the only parameters
>>    other than "request" in the form body (e.g., mutual TLS client
>>    authentication [RFC8705] uses the "client_id" HTTP request parameter,
>>    while JWT assertion-based client authentication [RFC7523] uses
>>    "client_assertion" and "client_assertion_type").  All other request
>>    parameters, i.e., those pertaining to the authorization request
>>    itself, MUST appear as claims of the JWT representing the
>>    authorization request.
>> 
>> Corrected Text
>> --------------
>>   Clients MAY use the request and client_id parameters as defined in 
>>   JAR [RFC9101] to push a Request Object JWT to the authorization 
>>   server. The rules for processing, signing, and encryption of the 
>>   Request Object as defined in JAR [RFC9101] apply. Request parameters
>>   required by a given client authentication method are included in the
>>   application/x-www-form-urlencoded request directly and are the only 
>>   parameters other than request and client_id in the form body (e.g.,
>>   JWT assertion-based client authentication [RFC7523] uses 
>>   "client_assertion" and "client_assertion_type") HTTP request
>>   parameters). All authorization request parameters, i.e., those 
>>   pertaining to the authorization request itself, MUST appear as
>>   claims of the JWT representing the authorization request.
>> 
>> Notes
>> -----
>> That first paragraph of Sec 3 was not properly updated to come inline with JAR (now RFC9101) when it changed in draft -21 to require "client_id" in the authorization request in addition to in addition to "request" or "request_uri" - so is  somewhat ambiguous in maybe suggesting that "client_id" isn't required. But it is required based on how PAR works and RFC9101 requiring "client_id".
>> 
>> Instructions:
>> -------------
>> This erratum is currently posted as "Reported". If necessary, please
>> use "Reply All" to discuss whether it should be verified or
>> rejected. When a decision is reached, the verifying party  
>> can log in to change the status and edit the report, if necessary. 
>> 
>> --------------------------------------
>> RFC9126 (draft-ietf-oauth-par-10)
>> --------------------------------------
>> Title               : OAuth 2.0 Pushed Authorization Requests
>> Publication Date    : September 2021
>> Author(s)           : T. Lodderstedt, B. Campbell, N. Sakimura, D. Tonge, F. Skokan
>> Category            : PROPOSED STANDARD
>> Source              : Web Authorization Protocol
>> Area                : Security
>> Stream              : IETF
>> Verifying Party     : IESG
>> 
>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
> 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email