Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Wed, 19 May 2021 06:45 UTC

Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13D493A2082 for <oauth@ietfa.amsl.com>; Tue, 18 May 2021 23:45:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=hackmanit.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZWD57FRqUbhM for <oauth@ietfa.amsl.com>; Tue, 18 May 2021 23:45:35 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 607DF3A207D for <oauth@ietf.org>; Tue, 18 May 2021 23:45:33 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id r12so12732525wrp.1 for <oauth@ietf.org>; Tue, 18 May 2021 23:45:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit.de; s=google; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to; bh=gk95+NL/StjVZvB5e0TuATvOMCQA1Qn5/FYjJld4jEs=; b=rBiavcQwYT65EJJSg7C1Q53+LMfzFO5g0wkA+IVjuN0f3ja/pJt+G8uV4GWWM3FdcR zELkSqKO5iyZk6UISc6emwXKZP7q2wQUXp2fPxB148Y5Ie9X01AlUcP4bmtWjkgiFezb z8AfG9Z6eqUGMDBmiFO9EqrELQRNCDtZ3HQfY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=gk95+NL/StjVZvB5e0TuATvOMCQA1Qn5/FYjJld4jEs=; b=BoMhLd+5ZQx8SOmeCAF9xvGiz6ap1Zgea3n4OZfPde6kGMvWpLh9h7N+HteCWN9LNO UxLd5zvSKxeCfexsZyYNm2rCM8W4wmP55TaWd3Aa92LAk+7uainK9GhHy14cmL+Ndqpa 4NGkIx/OTW0AftZf0iLZo+fxFDA9zPgnO7D/Ocrf9pNdwm/oEVhu//04Wwr0F2Snvq6W a7MyFvNNp9dl2AvxFljfBlnzViroRHGC881yxAXTxe2WrJs9IPmsVegp2wBSxOwcJPjr FNNmRc7Q4e/IRM3sGkyX6ctKMuP2o3TYVtGspFZYmBuTSfx/RRwa98ZaPoeEWvgQexBn CMDA==
X-Gm-Message-State: AOAM530xlnLyLcHxtZpzvEDn2T0+D882XdsiWOqnOHjYHbVb5IHwRBAr whBIht2uWtrCaF7bHxtATYX04/hdDNhfuCYy
X-Google-Smtp-Source: ABdhPJzEaBIloAboDC40s6GZvtGAFD3ruJ1ounPE8pPmd5XsX1/mFjG5nOJrt/0O/WcLmnvXFh64oA==
X-Received: by 2002:adf:e684:: with SMTP id r4mr12235140wrm.378.1621406729901; Tue, 18 May 2021 23:45:29 -0700 (PDT)
Received: from [192.168.137.22] (b2b-37-24-87-133.unitymedia.biz. [37.24.87.133]) by smtp.gmail.com with ESMTPSA id g66sm19675795wma.11.2021.05.18.23.45.28 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 18 May 2021 23:45:28 -0700 (PDT)
To: Brian Campbell <bcampbell@pingidentity.com>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
References: <634f7b10-bb26-e05c-7d79-566c893c32b6@hackmanit.de> <CADNypP_P=bdtSHmX0aM4eK4yw+8n9HYnnS6ERVdOC_x7U3spZw@mail.gmail.com> <CA+k3eCQboyohxe=u8wxtA9RyVhy=E4sMDkdsn76x3Xk19asVMA@mail.gmail.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Message-ID: <b70f1d84-f395-9272-754d-61becb8e9aec@hackmanit.de>
Date: Wed, 19 May 2021 08:45:27 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1
MIME-Version: 1.0
In-Reply-To: <CA+k3eCQboyohxe=u8wxtA9RyVhy=E4sMDkdsn76x3Xk19asVMA@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="gEerWBGmLd406EODtbtHr5yWOUDcmCDCy"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IMZlUvdLHXsmGmAm6f-_ZD6xzkU>
Subject: Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 06:45:40 -0000

Hi Brian,

thank you for your feedback.

I agree that the language is too strong here. What do you think about 
this new note?

> Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 
> (JARM)" [JARM] defines a mechanism that conveys all authorization 
> response parameters in a JWT. This JWT contains an iss claim that 
> provides the same protection if it is validated as described in 
> Section 2.4. Therefore, an additional iss authorization response 
> parameter as defined by this document MUST NOT be used when JARM is used.

Best regards,
Karsten

On 15.05.2021 00:35, Brian Campbell wrote:
> Overall it looks pretty good to me.
> One little nit is that I don't love this text from the end of sec 2.4 
> that talks about JARM:
>
> 'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 
> (JARM)" [JARM] forbids the use of additional parameters in the 
> authorization response. Therefore, the iss parameter MUST NOT be used 
> when JARM is used. However, JARM responses contain an iss claim that 
> provides the same protection if it is validated as described in 
> Section 2.4.'
>
> JARM doesn't exactly forbid additional parameters but rather just 
> wraps up all the authorization response parameters as claims in a JWT 
> which is itself sent as a single form/query/fragment parameter. So 
> really the iss authorization response parameter of this draft is still 
> sent as a claim of the JARM JWT. It just happens to be the same as the 
> iss claim value that JARM is already including.
>
> On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef 
> <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote:
>
>     All,
>
>     We have not seen any comments on this document.
>     Can you please review the document and provide feedback, or
>     indicate that you have reviewed the document and have no concerns.
>
>     Regards,
>      Rifaat & Hannes
>
>
>     On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen
>     <karsten.meyerzuselhausen@hackmanit.de
>     <mailto:karsten.meyerzuselhausen@hackmanit.de>> wrote:
>
>         Hi all,
>
>         the latest version of the security BCP references
>         draft-ietf-oauth-iss-auth-resp-00 as a countermeasures to
>         mix-up attacks.
>
>         There have not been any concerns with the first WG draft
>         version so far:
>         https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>         <https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/>
>
>         I would like to ask the WG if there are any comments on or
>         concerns with the current draft version.
>
>         Otherwise I hope we can move forward with the next steps and
>         hopefully finish the draft before/with the security BCP.
>
>         Best regards,
>         Karsten
>
>         -- 
>         Karsten Meyer zu Selhausen
>         Senior IT Security Consultant
>         Phone:	+49 (0)234 / 54456499
>         Web:	https://hackmanit.de  <https://hackmanit.de>  | IT Security Consulting, Penetration Testing, Security Training
>
>         Is your OAuth or OpenID Connect client vulnerable to the severe impacts of mix-up attacks? Learn how to protect your client in our latest blog post on single sign-on:
>         https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks  <https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks>
>
>         Hackmanit GmbH
>         Universitätsstraße 60 (Exzenterhaus)
>         44789 Bochum
>
>         Registergericht: Amtsgericht Bochum, HRB 14896
>         Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>
>         _______________________________________________
>         OAuth mailing list
>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/oauth
>         <https://www.ietf.org/mailman/listinfo/oauth>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>     <https://www.ietf.org/mailman/listinfo/oauth>
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
> privileged material for the sole use of the intended recipient(s). Any 
> review, use, distribution or disclosure by others is strictly 
> prohibited.  If you have received this communication in error, please 
> notify the sender immediately by e-mail and delete the message and any 
> file attachments from your computer. Thank you./ 

-- 
Karsten Meyer zu Selhausen
Senior IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Möchten Sie sich für ein Projekt mit dem Thema Single Sign-On oder den Standards OAuth und OpenID Connect vertraut machen?
Dann melden Sie sich jetzt an für Ihre Einführung in Single Sign-On, OAuth und OpenID Connect am Mittwoch, 09.06.2021, von 10:00 - 14:30 Uhr!
https://www.hackmanit.de/de/schulungen/uebersicht/139-einfuehrung-in-single-sign-on-oauth-und-openid-connect

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz