Re: [OAUTH-WG] DPoP and OAuth2 extensions

Brian Campbell <bcampbell@pingidentity.com> Wed, 27 October 2021 15:46 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HuVnzMuf2uRW31FS0iH6RsbuPrM>

https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html#name-dpop-access-token-request
is pretty clear (I think?) that DPoP is applicable with all token endpoint
requests of any grant type.

I don't know what would be said about Token Revocation.

I'm not seeing the UserInfo endpoint as being different enough to need any
special treatment or discussion. But maybe that's just because I'm not sure
what it would say.

On Wed, Oct 27, 2021 at 7:49 AM Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org> wrote:

> The draft currently focuses on DPoP support in Authorization endpoint and
> Token endpoint (authorization code grant + refresh token grant). The
> concept, however, could be extrapolated to several other endpoints, grant
> types and OAuth2 extensions:
> - ROPC (RFC 6749 section 1.3.3);
> - OAuth 2.0 Token Exchange (RFC 8693);
> - OAuth 2.0 Extension Grants (RFC 6749 section 4.5);
> - OAuth 2.0 Token Revocation (RFC 7009);
> - OpenID Connect
>
> (As for the latter, the UserInfo endpoint is introduced, which is an OAuth
> 2.0 protected resource conforming to OAuth 2.0 Bearer Token Usage (RFC
> 6750). However, UserInfo is different from the traditional protected
> resources in having no advance knowledge on whether DPoP should be enforced
> or not (until the incoming token is processed), hence the need to advertise
> both "Bearer" and "DPoP" schemes via WWW-Authenticate.)
>
> Would it make sense to mention these relations in the spec?
>
> Regards,
> Dmitry
> Backbase
>

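The UserInfo situation Dmitry describes, as an added example that is not part of the thread or of any DPoP implementation: a resource server that accepts either scheme, advertises both Bearer and DPoP in WWW-Authenticate when it challenges, rejects a DPoP-bound token presented as plain Bearer, and checks the DPoP proof's RFC 7638 key thumbprint against the token's cnf.jkt. It assumes an introspection callback supplied by the caller, a realm of "userinfo", ES256 as the advertised alg, and that signature verification of the proof happens elsewhere; all keys, tokens and URLs are constructed placeholders.

```python
import base64
import hashlib
import json

def challenge(error=None):
    # Advertise both schemes: UserInfo cannot know which one the token needs until it is processed.
    err = f', error="{error}"' if error else ""
    return {"WWW-Authenticate": f'Bearer realm="userinfo"{err}, DPoP algs="ES256"{err}'}
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the required members only, lexically sorted, no whitespace.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = required.get(jwk.get("kty"))
    if not members or any(m not in jwk for m in members):
        return ""  # malformed key: never matches a real binding
    canon = json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())
def make_proof(jwk: dict, method: str, url: str) -> str:
    # Constructed DPoP proof JWT; the signature part is a placeholder, this example does not sign.
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": jwk}
    claims = {"jti": "constructed-jti", "htm": method, "htu": url, "iat": 1635349585}
    return ".".join(b64url(json.dumps(p).encode()) for p in (header, claims)) + ".unsigned"

def authorize_userinfo(headers: dict, introspect, method: str, url: str):
    # Returns (status, extra response headers). `introspect` maps a token to its claims or None.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() not in ("bearer", "dpop") or not token:
        return 401, challenge()
    claims = introspect(token)
    if claims is None:
        return 401, challenge("invalid_token")
    bound_jkt = (claims.get("cnf") or {}).get("jkt")  # present only on DPoP-bound tokens
    if scheme.lower() == "bearer":
        # A DPoP-bound token presented as plain Bearer would be replayable: reject it.
        return (401, challenge("invalid_token")) if bound_jkt else (200, {})
    proof = headers.get("DPoP")  # DPoP scheme: this example requires a bound token plus a proof
    if not proof or not bound_jkt:
        return 401, challenge("invalid_token")
    try:
        hdr, body = (json.loads(b64url_decode(part)) for part in proof.split(".")[:2])
    except ValueError:
        return 401, challenge("invalid_token")
    # Proof signature verification with hdr["jwk"] is assumed to be done elsewhere.
    ok = (isinstance(hdr, dict) and isinstance(body, dict) and hdr.get("typ") == "dpop+jwt"
          and isinstance(hdr.get("jwk"), dict) and body.get("htm") == method
          and body.get("htu") == url and jwk_thumbprint(hdr["jwk"]) == bound_jkt)
    return (200, {}) if ok else (401, challenge("invalid_token"))
```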