[OAUTH-WG] Is OAuth 2.0 a delegation protocol or a Big Brother protocol ? (was OAuth for institutional users)

[Denis <denis.ietf@free.fr>]

Justin,

First of all, thank you for your detailed responses.

Since you said: "don't bring up issues you have with the book", let us 
forget about the book ... but not about the topics that have been raised.

You said: " This is the model of OAuth: it's a delegation protocol, 
delegating from a resource owner to a client. (...) OAuth specifically 
abstracts
that process using the authorization server,"

I also took a look at: 
http://nordicapis.com/api-security-oauth-openid-connect-depth/

That text states:

(...)

After all this, your head may be spinning. Mine was when I first learned 
these things. It’s normally.
To help you you orient yourself, I want to stress one really important 
high-level point:

·*OAuth is not used for authorization*. You might think it is from it’s 
name, but it’s not.

·*OAuth is also not for authentication*. If you use it for this, expect 
a breach if your data is of any value.

·*OAuth is also not for federation*.

So what is it for?

*It’s for delegation, and delegation**only!**

*

I also read the following sentences on the web:

"Using OAuth as an authentication method is /not recommended/, it is 
explicitly designed as a delegated authorisation method".

"OpenID Connect is just an authentication layer built on top of OAuth2".


My head is also spinning ...


The real world situation is different. For example, 
draft-ietf-oauth-token-exchange-07 defines a protocol extending OAuth 2.0
that enables clients to request and obtain security tokens from 
authorization servers acting in the role of an STS. In such a context,
this has nothing to do with a delegation protocol.

Nevertheless, let us make the assumption, for the moment, that OAuth 2.0 
is "/*for delegation, and delegation*//**/*/only/"*.

About privacy, you said: " This is a topic that has been covered in 
great depth on the web",

I can say that privacy considerations _have not been adequately covered_ 
in the current RFCs or in the IETF drafts from the OAuth WG.

When a delegation protocol is needed, the best way to prevent an 
Authorization Server to act as *Big Brother* is simply to get rid of it,
i.e. DON'T use /any/ authorization server, ... since *authorization 
servers are not needed in the context of a delegation protocol*.

Let me explain (without writing a treatise as you suggested) how to 
design a delegation protocol taking care of privacy principles.

In order to be more illustrative, I will reuse the example from your 
book (since it is a good example):

"In the printing example, let’s say you’ve uploaded your vacation photos 
to the photo-storage site, and now you want to have them printed.
The storage site’s API is the resource, and the printing service is the 
client of that API. You, as the resource owner, need to be able to
delegate part of your authority to the printer so that it can read your 
photos. You probably don’t want the printer to be able to read
all of your photos, nor do you want the printer to be able to delete 
photos or upload new ones of its own. Ultimately, what you’re interested in
is getting certain photos printed (...)"

I first connect and authenticate to the photo-storage site.

Since I am only interested in getting certain photos printed, I then 
create a temporary context where I select different vacations photos 
from my vacations
in Louisiana last May and from my vacations in Patagonia last December 
which are placed in different directories. I specify the operation(s) 
that will be
allowed for this context. In this specific case, it will be "read-only".

I ask the photo-storage site to generate for me an access token tied to 
this context that it will be able to recognize itself during the next 24 
hours.
The PoP (Proof of Possession) of that access token will be demonstrated 
by anyone able to perform an "adequate" computation using a key referenced
in the access token. So, in addition of the access token, I receive 
either a secret key or a private key corresponding to the referenced key.

I then connect and authenticate to the printing service and I transmit 
to it:

  * the access token which contains in particular the reference of the
    context created by the photo-storage site, and
  * the associated secret key or a private key that it shall use to
    demonstrate the PoP of the access token.

The printing service is thus able to use that information to get an 
access to the set of photos I have selected on the photo-storage site 
(and only that set).

The printing service will also indicate to me the amount of money that 
is requested to perform the operation and if, I accept it, I will obtain 
later on my vacation photos.

BTW, when reading the various specifications from the OAuth WG, I have 
not seen how it is possible to restrict the read-only access to only 20 
of my vacations
photos that have been placed in different directories. In the solution 
explained above, the restriction does not need to be indicated in an 
access token.


The approach I suggest is an access control system where the 
photo-storage site recognizes "delegation tokens" that it has itself 
generated.
These /delegation tokens/ may either be sealed using a symmetric key 
(which is faster) or signed using an asymmetric key (which is slower).

*W*hen OAuth 2.0 is used */for delegation,/**the Authorization Server is 
indeed able to act as Big Brother**, since it is able to identify the 
*printing service(s)
and the photo-storage site(s) I am using and to trace my activities. It 
can use that information for itself or, even worse, sell that 
information to someone else.

Obviously, when no Third Party *Authorization Server is being involved 
in the process, this is impossible.*

*
*

*A privacy issue still remains: the *photo-storage site is able to 
identify the printing service I am using. If I only want to print 20 
vacations photos,
there is a better alternative: get back in a package the 20 vacations 
photos and send that package myself to the printing service of my choice.
And in such a case, there is/*no need for any delegation protocol 
anymore*/ ...

Obviously, when the quantity of data to be transferred is rather large, 
a delegation protocol should be considered, but the user should be made 
aware
of the privacy issues. This is not the case at present.

OAuth 2.0 and its derivatives are currently presented as the most 
up-to-date solution where all the security problems are solved or 
mitigated one way
or another. Unfortunately, this is not the case.

So let me say once again: privacy considerations in OAuth 2.0 _have not 
been sufficiently covered_ in the current RFCs, nor in the IETF drafts 
from the OAuth WG.

OAuth 2.0 should have been designed using Privacy by Design (PbD) 
principles.

The OASIS Privacy Management Reference Model Version 1.0 see 
http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs01/PMRM-v1.0-cs01.pdf describes
an interesting methodology to be followed to implement "Privacy by 
Design". Even if some steps would need to be improved, it is a good 
document to start with.

Rather than simply adding a privacy considerations section at the end of 
an IETF draft (which is nice anyway), it would be advantageous to identify
at the very beginning of each draft: (a) the model, (b) the exchange 
flows, (3) the privacy principles that apply to the model and (4) the 
security requirements
that apply to the model.


Let us now forget about delegation protocols.

An Authorization Server is very useful in a "different protocol where 
the client and resource negotiate attributes for the client to present 
to the resource
to fulfill its requirements".

For example, draft-ietf-oauth-token-exchange-07 defines a protocol 
extending OAuth 2.0 that enables clients to request and obtain security 
tokens
from authorization servers acting in the role of an STS.

My conclusion is the following:

-OAuth 2.0, /when used as a delegation protocol/, allows Authorization 
Servers to act as Big Brother and there is not a single warning about 
this issue
in the published or current documents,

-there exists at least one contender to the OAuth 2.0 delegation 
protocol (sketched above) able to fulfill many (but not all) Privacy by 
Design (PbD) principles.


Denis

> Hi Denis,
>
> The book is being published very shortly and the text is completed, so 
> there aren't any more updates to be made to it. Additionally, this 
> isn't really the forum for comments on the book (there's an online 
> form for discussion if you're interested: 
> https://forums.manning.com/forums/oauth-2-in-action), this is a list 
> for discussing and developing OAuth itself. Still, most of your 
> comments are general enough misconceptions of OAuth that they may be 
> of interest to others so I'll answer them on the list here, inline below.
>
>
> On 2/2/2017 5:47 PM, Denis wrote:
>>
>> Justin,
>>
>> Your are making the promotion of your book (OAuth 2 In Action), soon 
>> to be published.
>>
>> I browsed through the 23 pages of Chapter 1 that are provided as a 
>> free download.
>>
>> I saw the footnote from Manning Publications Co. which states:
>>
>> "/We welcome reader comments about anything in the manuscript/"
>>
>> Since Manning Publications Co. asked for it, I hope that you will be 
>> able to take into consideration some of my comments before this book 
>> is published.
>>
>> I will only comment on a few sentences.
>>
>> 1. Page 1: "The application requests authorization from the owner of 
>> the resource and receivestokens that it can use to access the resource".
>>
>> Such a model is rather restrictive and does not cover the general 
>> case where an application is willing to perform an operation on a 
>> resource
>> and where the resource tells to the application which kind of 
>> attributes need to be presented by the application for that specific 
>> operation.
>> In such a case, the resource owner is not involved in anyway at the 
>> time of the request. If this restriction remains, this should be 
>> clearly stated.
>>
>
> This is the model of OAuth: it's a delegation protocol, delegating 
> from a resource owner to a client. What you're describing is a 
> different protocol where the client and resource negotiate attributes 
> for the client to present to the resource to fulfill its requirements. 
> OAuth specifically abstracts that process using the authorization 
> server, and to great success.
>
>> 2. Page 10:" To acquire a token, the client first sends the resource 
>> owner to the authorization server in order to request that the 
>> resource owner authorize this client".
>>
>> This sentence is not English. You cannot "send the resource owner to 
>> the authorization server". This sentence should be rephrased.
>>
>
> Yes you can send the resource owner to the authorization server -- 
> generally by redirecting their web browser to a page on the 
> authorization server (the authorization endpoint) for the resource 
> owner to interact with the authorization server.
>
>> 3. Page 16: "Even worse, some of the available options in OAuth can 
>> be taken in the wrong context or not enforced properly, leading to 
>> insecure implementations.
>> These kinds of vulnerabilities are discussed at length in the OAuth 
>> Threat Model Document and the vulnerabilities section of this book 
>> (chapters 7, 8, 9, and 10)."
>>
>> Bear in mind that RFC 6819 was issued four years ago (in January 
>> 2013). Collusions between servers was considered, but collusions 
>> between clients was omitted,
>> typically the ABC attack (Alice and Bob Collusion attack). See: 
>> https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html
>>
>> You should add some text in section 7.6 to deal with the ABC attack.
>>
>
> Sharing bearer tokens is a well known attack surface and there's 
> really no way to stop that. Even PoP-style tokens can be shared since 
> nothing stops Bob and Alice from sharing their secrets with each 
> other. I've read everything you've written about the so-called ABC 
> attack and don't think there's more to say about it, especially in an 
> introductory book.
>
>> 4. Page 16: " Ultimately, OAuth 2.0 is a good protocol, but it’s far 
>> from perfect. We will see its replacement at some point in the 
>> future, as with all things
>> in technology, but no real contender has yet emerged as of the 
>> writing of this book.
>>
>> I can agree with you that "OAuth 2.0is far from perfect". Can a 
>> protocol with so many options be a "good protocol" ? Can 
>> interoperability be achieved ?
>> I don't think so. You then say: " but no real contender has yet 
>> emerged as of the writing of this book". I would rather suggest that 
>> you delete
>> " but no real contender has yet emerged as of the writing of this book".
>>
>
> I address the optionality and interoperability issues in that chapter, 
> more in chapter 2, and even more in chapter 6. Yes, it's a good 
> protocol, and I'm sorry you don't like it. When there's a delegation 
> protocol that's similarly used across millions of sites and APIs all 
> over the internet, then we can talk about a real contender for 
> replacement. I look forward to that day, but we're not there yet (and 
> I don't think we're anywhere near there).
>
>> 5. Page 17: "OAuth assumes that the resource owner is the one that’s 
>> controlling the client".
>>
>> I do hope that it is not the case. The client should only be 
>> controlled by an end-user or by a local application and no one else.
>>
>
> The resource owner *is* the end user. Your "should" is the same as the 
> assumption I'm stating.
>
>>
>> 6. Page 17: " OAuth isn’t defined outside of the HTTP protocol. Since 
>> OAuth 2.0 with bearer tokens provides no message signatures,
>> is it not meant to be used outside of HTTPS (HTTP over TLS). 
>> Sensitive secrets and information are passed over the wire, and
>> OAuth requires a transport layer mechanism such as TLS to protect 
>> these secrets".
>>
>> The HTTPS protocol indeed needs to be used for resource data origin 
>> authentication and confidentiality protection of the data being 
>> exchanged.
>> However, protecting sensitive secrets and information passed over the 
>> wire using TLS does not prevent in anyway an ABC attack. TLS binding
>> does not provide either any extra protection in case of an ABC 
>> attack. This should be stated since this is an important issue. I 
>> really wonder
>> if you can still say: " OAuth 2.0 is a good protocol". In any case, 
>> OAuth 2.0 is not a protocol but a framework.
>>
>
> It doesn't prevent people from sharing secrets with each other out of 
> band, as we've just talked about, but it does prevent a whole raft of 
> other non-collusive attacks which are significantly more malicious and 
> problematic.
>
>> 7. Page 18: "OAuth doesn’t define a token format".
>>
>> How do you want to interoperate if no token format is being defined ? 
>> IETF RFCs on the standards track are primarily intended to be used to 
>> address interoperability.
>>
>
> It all is based on *what* OAuth defines interoperability between. 
> OAuth says how a client talks to an AS and how a client talks to an 
> RS. It says nothing about how an RS and AS get along. Since the token 
> format is opaque to the client, OAuth defines no token format because 
> it didn't need to define one to be interoperable in the way it was 
> intended to be.
>
>> 8. Page 18 "In fact, the OAuth protocol explicitly states that the 
>> content of the token is completely opaque to the client application.
>>
>> This is even worse. In such a case, the client will be unable to make 
>> sure that what he got in the token is really what he was asking for: 
>> nothing more and nothing less.
>>
>
> This is one of OAuth's best features, as it make things simpler.
>
>> 9. Page 18: " OAuth 2.0 is also not a single protocol. As discussed 
>> previously, the specification is split into multiple definitions and 
>> flows, each of which has
>> its own set of use cases. The core OAuth 2.0 specification has 
>> somewhat accurately been described as a security protocol generator, 
>> because it can be used
>> to design the security architecture for many different use cases. As 
>> discussed in the previous section, these systems aren’t necessarily 
>> compatible with each other."
>>
>> This is indeed a very good description of the current mess.
>>
>
> Yes, and I hope you read the rest of the paragraph that explains the 
> nature of that "mess" and why it's set up the way that it is. There's 
> a reason for it, which is why that section is there in the book.
>
>> 10. Section 15.2 is not provided. Its title is : *Proof of possession 
>> (PoP) tokens*. I am really curious to read how you can achieve PoP in 
>> the case of an ABC attack.
>>
>
> That's in chapter 15, which you don't have because you haven't bought 
> the book. :) Same with all of the other forward references throughout 
> that section.
>
> And you can still share secrets if they're given to you in the PoP 
> case. Or you can just skip the security layer and share the results of 
> the API calls. There's literally nothing in the world that can prevent 
> that level of collusion -- PoP, token binding, DRM... nothing.
>
>> 11. I also observed that there is no chapter dealing with *privacy 
>> issues.* Nowadays, it is an important topic. In particular on how to 
>> prevent an authorization server
>> to act as *Big Brother*. A section should be added to deal with 
>> privacy issues.
>>
>
> This is a topic that has been covered in great depth on the web, and 
> since this is a technical book we didn't feel the need to get into it. 
> I encourage you to write a treatise yourself, please let us know when 
> you do.
>
>> 12. Finally a typo on page 18:"Since OAuth 2.0 with bearer tokens 
>> provides no message signatures, *is it*not meant to be used outside 
>> of HTTPS (HTTP over TLS)".
>>
> The preview chapters are not the latest copy of the manuscript text as 
> it's being prepared for final publication, so a lot of typos and 
> format errors have been fixed already.
>
> Thanks for the feedback, but as I said above, in the future please 
> don't bring up issues you have with the book on this mailing list.
>
>  -- Justin
>
>>
>> Denis
>>
>>
>>> +1 to Phil's reference to SCIM, and since it looks like you're 
>>> looking to do end user authentication you should look at OpenID Connect:
>>>
>>> http://openid.net/connect/
>>>
>>> There are a lot of ways to get an authentication protocol based on 
>>> OAuth very, very wrong, and I've covered some of the big ones in an 
>>> article I wrote (with the community's help) a few years ago:
>>>
>>> http://oauth.net/articles/authentication/
>>>
>>> Furthermore, I've covered the topic in my upcoming book, OAuth 2 In 
>>> Action, which you might find useful:
>>>
>>> https://www.manning.com/books/oauth-2-in-action
>>>
>>> All said, the space is not as easy as you may think it is at first 
>>> and there are a lot of pitfalls. But the good news is that you're 
>>> not the first to dive in here and there are a lot of really good 
>>> solutions already available.
>>>
>>>  -- Justin
>>>
>>>
>>> On 2/2/2017 10:52 AM, Phil Hunt (IDM) wrote:
>>>> You are headed down the road to a very big domain called identity 
>>>> management and provisioning.
>>>>
>>>> You might want to look at SCIM (RFC7643, 7644) for a restful api 
>>>> pattern.
>>>>
>>>> SCIM is usually OAuth enabled but the scopes/rights have not yet 
>>>> been standardized. There is however some obvious access control 
>>>> patterns that apply from the old ldap directory world.
>>>>
>>>> Phil
>>>>
>>>> On Feb 1, 2017, at 6:36 PM, Yunqi Zhang <zhangyunqi.cs@gmail.com 
>>>> <mailto:zhangyunqi.cs@gmail.com>> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I'm working on a set of API endpoints to allow institutions to 
>>>>> manage their users and records, and their users to read their own 
>>>>> records.
>>>>>
>>>>> Specifically, each institution will get a {client_id} and a 
>>>>> {secret} after registering with us, which allows them to create 
>>>>> users under its institution using [POST https://hostname/users/]. 
>>>>> Then the institution can also insert records for each user using 
>>>>> [POST https://hostname/users/:user_id/]. Once a user has been 
>>>>> created, he/she can read his/her own records using [GET 
>>>>> https://hostname/users/:user_id/].
>>>>>
>>>>> In this process, there are two types of authentications I would 
>>>>> like to achieve, which I'm thinking about using oauth. However, I 
>>>>> am super new on oauth and have four questions.
>>>>>
>>>>> Institution authentication (e.g., company FOO will have READ and 
>>>>> WRITE access to https://hostname/ to create users under its own 
>>>>> institution, insert records for specific users): (1) Since this 
>>>>> part of the system will be created and run by the institution, 
>>>>> this should be a "client credential grant" using {client_id} and 
>>>>> {secret} of the institution, correct?
>>>>>
>>>>> End-user authentication (e.g., user John Doe of company FOO will 
>>>>> have READ access to https://hostname/users/:john_doe_user_id/ to 
>>>>> read his own personal records): (2) Because this part of the 
>>>>> system will probably run on the web/mobile app created by company 
>>>>> FOO, this should be a "resource owner credential grant" using 
>>>>> {username}, {password} of the specific user, correct?
>>>>>
>>>>> (3) Because I am allow two types of different authentications, 
>>>>> which will use two types of different {access_token}s I assume, 
>>>>> would that be something weird (or hard to build) under the oauth 
>>>>> model?
>>>>>
>>>>> (4) What if the web/mobile app created by a subset of the 
>>>>> companies already has its own authentication and does not want to 
>>>>> create another password for each of its users, what should I do? 
>>>>> For example, company FOO has its own authentication for its 
>>>>> web/mobile app and does not want to bother creating another 
>>>>> password for each of its user (i.e., requires only {username}), 
>>>>> whereas company BAR would like to create another password for each 
>>>>> user (i.e., requires {username} and {password}). What kind of 
>>>>> authentication model should I use for a scenario like this?
>>>>>
>>>>> Thank you very much for your help!
>>>>>
>>>>> Yunqi
>>>>> ___