Re: [OAUTH-WG] First Draft of OAuth 2.1

Brian Campbell <bcampbell@pingidentity.com> Thu, 12 March 2020 21:10 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EEA33A09B7 for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 14:10:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BzL75wV2y01S for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 14:10:48 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 933133A0A07 for <oauth@ietf.org>; Thu, 12 Mar 2020 14:10:47 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id a10so8135479ljp.11 for <oauth@ietf.org>; Thu, 12 Mar 2020 14:10:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eBi3qg/rO22t4Ni388Rnw234v+2/csB4ylebmTJmi/8=; b=I8b650j3hU3qRihdY3eMM49AM8jGdBwtvo1kfaBZqn8q7Vz3jxytw9o0f6e9+IxEsx xSGGaPUfgZLSEreoxtYdm/g5TrjGLkhivxWBenxwjIGVUwvGx5UVBPKQQD+hOPSGcXE9 S/3qc2SG2ADKdynD/b0KWCOMkz+v+iaxVrQHtgwdRMeYwMmUl8UwGfQ91QVAfuGSfpMD HUmuF8f72UZpQE4e1jrvFcp0l232aNZCh/mc1Dd8FC89RqJBUb+CeRrJSF4iBEQRftP9 kuKqRvyrDs/Cqd8xoixeELmwxpHTzqlMdxRpibrb26A1r3p2t79IDpAnDVnLpPGx0dqK xgVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eBi3qg/rO22t4Ni388Rnw234v+2/csB4ylebmTJmi/8=; b=etCnRq1RmPpZk1IMnc4jVg+yiyURUDTwQs3DpILwDlF7eP/8XeK5uE6Ajc1eND5Dse AoLLfpFg+DuToui5HOyUlrmhFTo0McrlBFP10z17z2mfRLaLWozkYQysV35g5KtvW1/9 00/6RgYMya2THnzRUSWgoEZIoyeBtyTARDtk/q+cOvEZ5H9aK0ZIYtffZOJxg1V1awkq nAFFJmlhfW8ZN+bbJa6VZ8h7fmbQe3DrGfBmzMX4z0vEID669RRx5J5LiTpDtSi4byIs J4VJgTwRbD1qYykf0HL3xgQlo6xKFHzZajPfGyVirV9uUauLQ5+BGGhN43RU/s0vRrix pVeA==
X-Gm-Message-State: ANhLgQ21r6esW+SBiF3G8W1+sD8LL6XengcKoi15dSvsYfH2a8YuKUV2 D+bLHXNpZwOWpIQySAhuIGiulu2mJTl004vcAZJCjxBzw4TQ/gvFNQhdoVSQLSB0yWxgFhIxrCe /JyK6wuBV5dBzNWtZrIY=
X-Google-Smtp-Source: =?utf-8?q?ADFU+vuykJSJOB2A6J5E8smohmWlLsFK+Htn3xX2pIa0?= =?utf-8?q?34WMzYKtjBUseEvdPMscu6eNFHjzbD3sQwnXGZ5+2GTY4TQ=3D?=
X-Received: by 2002:a2e:9605:: with SMTP id v5mr6456097ljh.0.1584047445479; Thu, 12 Mar 2020 14:10:45 -0700 (PDT)
MIME-Version: 1.0
References: <CAO_FVe40ONas2em6gGviEgdh_bf4qG+PnQD+G+KR+QPcY+V8Bw@mail.gmail.com> <2E956E04-3919-45E8-B9A0-9DB74E7067AC@lodderstedt.net> <CAO_FVe5qEz43n=61qbf51P9iO5-N7A+9wJm8xj5f7tZFbeFweA@mail.gmail.com>
In-Reply-To: <CAO_FVe5qEz43n=61qbf51P9iO5-N7A+9wJm8xj5f7tZFbeFweA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 12 Mar 2020 15:10:19 -0600
Message-ID: <CA+k3eCRp0C9GeuyJE4L3c6yqizt4EC3+hoCSz6L50OZFdrpuaw@mail.gmail.com>
To: Vittorio Bertocci <Vittorio=40auth0.com@dmarc.ietf.org>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004bac8f05a0aec96f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IWBWvh8pt8G9WNPUc6xjvqt-QjY>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 21:10:59 -0000

I agree that the language around sender constraining refresh tokens and
confidential client could/should be clearer.
I did try and discuss the idea that that such a refresh token is
constrained by virtue of being bound to the client and the client having to
authenticate to use it in
https://www.rfc-editor.org/rfc/rfc8705.html#section-7.1 maybe there are
some words that can be borrowed. Maybe.

With respect to failure frequency, we've had reports similar to what
Vittorio said and did change the default behaviour in product to not do
rotation unless specifically configured to do so per client.



On Thu, Mar 12, 2020 at 1:05 PM Vittorio Bertocci <Vittorio=
40auth0.com@dmarc.ietf.org> wrote:

> Thanks for the clarification, Torsten.
> I believe it's the first time I see use of client credentials positioned
> as sender constraint; if the intent is saying that confidential clients
> should use their credentials when redeeming refresh tokens, I am of course
> in agreement but I think the language should be clearer and state the above
> explicitly.
>
> Re: failure frequency, I know of scenarios were the designers added
> rotation by default, and after a while it was turned to opt in because of
> the frequency of errors and impact on user experience/call center.
> I really believe that putting this as a MUST is justified only for
> exceedingly vulnerable situations, like SPAs.
> Native/desktop clients should be free to decide whether they want to opt
> in without loosing compliance. Just my 2 C
>
> On Thu, Mar 12, 2020 at 11:58 AM Torsten Lodderstedt <torsten=
> 40lodderstedt.net@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>> sender constraining refresh tokens for confidential client means client
>> authentication + check the binding of the refresh token with the respective
>> client id. I don’t think this is new as RFC6759 already required ASs to
>> check this binding. Assuming backends are generally confidential clients
>> also means no rotation and no cache synchronization needed.
>>
>> Rotation should be used for frontends, e.g. native apps and only if there
>> is there no other option. If a refresh fails, the app must go through the
>> authorization process again. That’s inconvenient so the question is how
>> often this happens. What I can say, I have never seen customer complaining
>> in several years of operation of ASs with refresh token rotation (including
>> replay detection) for native apps with millions of users.
>>
>> best regards,
>> Torsten.
>>
>> Am 12.03..2020 um 19:24 schrieb Vittorio Bertocci <Vittorio=
>> 40auth0.com@dmarc.ietf.org>:
>>
>> 
>> Hey guys,
>> thanks for putting this together.
>> I am concerned with the real world impact of imposing sender constraint |
>> rotation as a MUST on refresh tokens in every scenario.
>> Sender constraint isn't immediately actionable - we just had the
>> discussion for dPOP, hence I won't go in the details here.
>> Rotation isn't something that can be added without significant impact on
>> development and runtime experiences:
>>
>>    - on distributed scenarios, it introduces the need to serialize
>>    access to shared caches
>>    - network failures can lead to impact on experience- stranding
>>    clients which fail to receive RTn+1 during RTn redemption in a limbo where
>>    user interaction might become necessary, disrupting experience or
>>    functionality for scenarios where the user isn't available to respond.
>>    -
>>
>>
>>
>> On Wed, Mar 11, 2020 at 5:28 PM Aaron Parecki <aaron@parecki..com
>> <aaron@parecki.com>> wrote:
>>
>>> I'm happy to share that Dick and Torsten and I have published a first
>>> draft of OAuth 2.1. We've taken the feedback from the discussions on
>>> the list and incorporated that into the draft.
>>>
>>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01
>>>
>>> A summary of the differences between this draft and OAuth 2.0 can be
>>> found in section 12, and I've copied them here below.
>>>
>>> > This draft consolidates the functionality in OAuth 2.0 (RFC6749),
>>> > OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange
>>> > (RFC7636), OAuth 2.0 for Browser-Based Apps
>>> > (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current
>>> > Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage
>>> > (RFC6750).
>>> >
>>> >   Where a later draft updates or obsoletes functionality found in the
>>> >   original [RFC6749], that functionality in this draft is updated with
>>> >   the normative changes described in a later draft, or removed
>>> >   entirely.
>>> >
>>> >   A non-normative list of changes from OAuth 2.0 is listed below:
>>> >
>>> >   *  The authorization code grant is extended with the functionality
>>> >      from PKCE ([RFC7636]) such that the only method of using the
>>> >      authorization code grant according to this specification requires
>>> >      the addition of the PKCE mechanism
>>> >
>>> >   *  Redirect URIs must be compared using exact string matching as per
>>> >      Section 4.1.3 of [I-D.ietf-oauth-security-topics]
>>> >
>>> >   *  The Implicit grant ("response_type=token") is omitted from this
>>> >      specification as per Section 2.1.2 of
>>> >      [I-D.ietf-oauth-security-topics]
>>> >
>>> >   *  The Resource Owner Password Credentials grant is omitted from this
>>> >      specification as per Section 2.4 of
>>> >      [I-D.ietf-oauth-security-topics]
>>> >
>>> >   *  Bearer token usage omits the use of bearer tokens in the query
>>> >      string of URIs as per Section 4.3.2 of
>>> >      [I-D.ietf-oauth-security-topics]
>>> >
>>> >   *  Refresh tokens must either be sender-constrained or one-time use
>>> >      as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
>>>
>>> https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12
>>>
>>> I'm excited for the direction this is taking, and it has been a
>>> pleasure working with Dick and Torsten on this so far. My hope is that
>>> this first draft can serve as a good starting point for our future
>>> discussions!
>>>
>>> ----
>>> Aaron Parecki
>>> aaronparecki.com
>>> @aaronpk
>>>
>>> P.S. This notice was also posted at
>>> https://aaronparecki.com/2020/03/11/14/oauth-2-1
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._