Re: [OAUTH-WG] draft-ietf-oauth-mtls-03: enforcing mutual_tls_sender_constrained_access_tokens

Brian Campbell <bcampbell@pingidentity.com> Mon, 28 August 2017 15:54 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 28 Aug 2017 09:53:47 -0600
Message-ID: <CA+k3eCRYUoPWSzZMtSngv90kiw8UGedY5mN2S1ozLED=V-NfGg@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: IETF oauth WG <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Hn0-rTPO8myj38hdZE8LcdG49pw>

"invalid_client" is the appropriate error, if the client is
configured/registered for MTLS authentication, because it's effectively
failed client authentication.

I would say that "invalid_request" is probably the appropriate error for a
public client with mutual_tls_sender_constrained_access_tokens=true that
doesn't provide the TLS client certificate with the token request. There is
effectively a missing required parameter in the context of the request.

On Sun, Aug 27, 2017 at 1:46 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

> Let's suppose that an OAuth 2.0 client is registered for
>
> mutual_tls_sender_constrained_access_tokens=true
>
>
> Is it correct that in the presence of this parameter, and regardless of
> how "token_endpoint_auth_method" is set, the AS must require a client X.509
> cert to be passed to the token endpoint? If yes, then what error should the
> AS return if no client cert is passed with the token request?
>
> https://tools.ietf.org/html/rfc6749#section-5.2
>
> Thanks,
>
> Vladimir
>
> PS: Noticed a typo - "manor" in #section-4.3

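The error selection the reply describes, carried through to the certificate binding it exists to enforce, as an added Python example that is not part of this thread or of any draft implementation. It assumes `tls_client_auth` as the `token_endpoint_auth_method` value for mTLS client authentication, `cnf` / `x5t#S256` as the draft's thumbprint confirmation claim, a plain claims dict standing in for a signed JWT, and constructed byte strings in place of real DER certificates; the resource-server check at the end goes beyond what the thread discusses.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for DER-encoded client certificates (not real certs).
CERT_A = b"constructed-der-bytes-for-client-cert-A"
CERT_B = b"constructed-der-bytes-for-client-cert-B"


def x5t_s256(cert_der: bytes) -> str:
    """base64url (unpadded) SHA-256 thumbprint of a DER certificate."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_endpoint(client: dict, cert_der: Optional[bytes]) -> dict:
    """Token endpoint outcome for one client registration.

    A missing certificate is a failed client authentication (invalid_client)
    when the client is registered for mTLS authentication, and a missing
    required parameter (invalid_request) when a public client asked for
    certificate-bound tokens. Returns an error object with the HTTP status
    to use, or the claims of the access token to issue.
    """
    mtls_auth = client.get("token_endpoint_auth_method") == "tls_client_auth"
    wants_bound = bool(client.get("mutual_tls_sender_constrained_access_tokens"))
    if cert_der is None:
        if mtls_auth:
            return {"status": 401, "error": "invalid_client"}
        if wants_bound:
            return {"status": 400, "error": "invalid_request",
                    "error_description": "TLS client certificate required"}
    # Chain validation and subject matching for tls_client_auth happen at the
    # TLS layer and during client authentication, outside this example.
    claims = {"client_id": client["client_id"], "scope": client.get("scope", "")}
    if cert_der is not None and wants_bound:
        claims["cnf"] = {"x5t#S256": x5t_s256(cert_der)}  # bind token to cert
    return {"status": 200, "claims": claims}


def resource_server_accepts(claims: dict, cert_der: Optional[bytes]) -> bool:
    """A cert-bound token is only usable over mutual TLS with the same cert."""
    cnf = claims.get("cnf")
    if cnf is None:
        return True  # not sender-constrained: ordinary bearer semantics
    if cert_der is None:
        return False
    return hmac.compare_digest(cnf.get("x5t#S256", ""), x5t_s256(cert_der))
```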