Re: [OAUTH-WG] PAR metadata
Neil Madden <neil.madden@forgerock.com> Mon, 06 January 2020 14:28 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E69A1200B8 for <oauth@ietfa.amsl.com>; Mon, 6 Jan 2020 06:28:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id txYv1GzIkhVv for <oauth@ietfa.amsl.com>; Mon, 6 Jan 2020 06:28:25 -0800 (PST)
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com [IPv6:2a00:1450:4864:20::42a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72D9712087F for <oauth@ietf.org>; Mon, 6 Jan 2020 06:28:25 -0800 (PST)
Received: by mail-wr1-x42a.google.com with SMTP id t2so49815878wrr.1 for <oauth@ietf.org>; Mon, 06 Jan 2020 06:28:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=lJbnjwBc8u76kWvLyNdUd6DVS9+r+vqXtnW5lHAIqV8=; b=Jy3frEhZYZI03qGkFWwhJHZK6shU0kJu0/Srh1Ocg3yEiY6TelXgbi/BjZT1za5jlY WvGbMxF618nTof1jBQSSw3dcvOUk933wHIZWbOnQ/PwuavbNV5+SG1lnUmAUSUa4u81c n+U2j09MoncPtVrcl2ZJ01P3wEeD0PX0ueihs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=lJbnjwBc8u76kWvLyNdUd6DVS9+r+vqXtnW5lHAIqV8=; b=cmElRjh3olVv0NRdvprelJex+iL/0+owYVusiZRwBqO3Mx/Hj2xd3IxnYHkWOsxFGE MrDAEDg6xFayhv444F1tKTugzpDePtDho77Wx1jaUNy9TvYGLnUC3NvKKPoX7PIkHJ7y AYN/QPwpyf/hoJaG8lbpHCMj+IWlNDk9kTO1R/Rf43ncbxua8iZbxgcOGhwWYgWL+GpQ Jv8pvahyxqogJ9e0yBFrjFyHwrxhBiSiBVWKaAunVE4IqGST4vtPGicGlAGoqXIHQggm md+Wuodgw4G0uBYdOkcakFMLlmIMUXECq3Mbzr3HJ+/sjKDkwWDdOvVWrCn/PgFhAQ30 3/TQ==
X-Gm-Message-State: APjAAAX83zRcwj8RX9Tw7gyl1wBgDUNgL0ft+D9RjZHKL5VeJh11ghHy hZaC5CSpomrfuQgl7CjJAqr+tbzUZjgD9Q==
X-Google-Smtp-Source: APXvYqx3yZjsuCeuvJ1AszsOC6k84v0cfIaJIDIcZCnrfvWalYdQTlwHc1MUidoFtr0c/mMVmXgQRw==
X-Received: by 2002:adf:f5cb:: with SMTP id k11mr99731087wrp.71.1578320903861; Mon, 06 Jan 2020 06:28:23 -0800 (PST)
Received: from [192.168.2.122] (77-44-110-214.xdsl.murphx.net. [77.44.110.214]) by smtp.gmail.com with ESMTPSA id z123sm23469307wme.18.2020.01.06.06.28.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Jan 2020 06:28:23 -0800 (PST)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <801AFC59-B94A-4C9E-A44D-60F4EF6F4EC2@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_98272658-59B1-4DB8-B69E-F3E03FFC2E1E"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
Date: Mon, 06 Jan 2020 14:28:21 +0000
In-Reply-To: <CA+k3eCS6SdAKjOp67o_zUytnNGnpM4p5UO68CvZeEXg11PWrtg@mail.gmail.com>
Cc: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, Nat Sakimura <nat@sakimura.org>, Dave Tonge <dave.tonge@moneyhub.com>, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net> <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com> <50191CC6-0A19-42B4-87C2-880F53FD3C4F@lodderstedt.net> <05AB19DB-FCD2-4FAA-A470-0978E7B65354@amazon.com> <CA+k3eCS6SdAKjOp67o_zUytnNGnpM4p5UO68CvZeEXg11PWrtg@mail.gmail.com>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IvXIK2851ga32dTjcnFo9-MQZrM>
Subject: Re: [OAUTH-WG] PAR metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2020 14:28:28 -0000
Agreed. In addition, I'm not sure why the PAR endpoint would need access to the decryption keys at all. If you're using encrypted request objects then the PAR endpoint receives an encrypted JWT and then later makes the same (still encrypted) JWT available to the authorization endpoint. If the PAR endpoint is doing any kind of decryption or validation on behalf of the authorization endpoint then they are clearly not in separate trust boundaries. -- Neil > On 6 Jan 2020, at 13:57, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote: > > I really struggle to see the assumption that an entity be able to use the same key to decrypt the same type of message ultimately intended for the same purpose as an artificial limit. The same general assumption underlies everything else in OAuth/OIDC (Vladimir's post points to some but not all examples of such). There's no reason for PAR to make a one-off exception. And should there be some deployment specific reason that truly requires that kind of isolation, there are certainly implementation options that aren't compatibility-breaking. And having said all that, I'm honestly a little surprised anyone is thinking much about encrypted request objects with PAR as, at least with my limited imagination, there's not really a need for it. > > > > > > > > > On Fri, Jan 3, 2020 at 2:43 PM Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org <mailto:40amazon.com@dmarc.ietf.org>> wrote: > PAR introduces an added wrinkle for encrypted request objects: the PAR endpoint and authorization endpoint may not have access to the same cryptographic keys, even though they're both part of the "authorization server." Since they're different endpoints with different roles, it's reasonable to put them in separate trust boundaries. There is no way to support this isolation with just a single "jwks_uri" metadata property. > > The two options that I see are: > > 1. Define a new par_jwks_uri metadata property. > 2. Explicitly state that this separation is not supported. > > I strongly perfer #1 as it has a very minor impact on deployments that don't care (i.e., they just set par_jwks_uri and jwks_uri to the same value) and failing to support this trust boundary creates an artificial limit on implementation architecture and could lead to compatibility-breaking workarounds. > > – > Annabelle Richard Backman > AWS Identity > > > On 12/31/19, 8:07 AM, "OAuth on behalf of Torsten Lodderstedt" <oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> on behalf of torsten=40lodderstedt.net@dmarc.ietf.org <mailto:40lodderstedt.net@dmarc.ietf.org>> wrote: > > Hi Filip, > > > On 31. Dec 2019, at 16:22, Filip Skokan <panva.ip@gmail.com <mailto:panva.ip@gmail.com>> wrote: > > > > I don't think we need a *_auth_method_* metadata for every endpoint the client calls directly, none of the new specs defined these (e.g. device authorization endpoint or CIBA), meaning they also didn't follow the scheme from RFC 8414 where introspection and revocation got its own metadata. In most cases the unfortunately named `token_endpoint_auth_method` and its related metadata is what's used by clients for all direct calls anyway. > > > > The same principle could be applied to signing (and encryption) algorithms as well. > > > > This I do not follow, auth methods and their signing is dealt with by using `token_endpoint_auth_methods_supported` and `token_endpoint_auth_signing_alg_values_supported` - there's no encryption for the `_jwt` client auth methods. > > Unless it was meant to address the Request Object signing and encryption metadata, which is defined and IANA registered by OIDC. PAR only references JAR section 6.1 and 6.2 for decryption/signature validation and these do not mention the metadata (e.g. request_object_signing_alg) anymore since draft 07. > > Dammed! You are so right. Sorry, I got confused somehow. > > > > > PS: I also found this comment related to the same question about auth metadata but for CIBA. > > Thanks for sharing. > > > > > Best, > > Filip > > thanks, > Torsten. > > > > > > > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote: > > Hi all, > > > > Ronald just sent me an email asking whether we will define metadata for > > > > pushed_authorization_endpoint_auth_methods_supported and > > pushed_authorization_endpoint_auth_signing_alg_values_supported. > > > > The draft right now utilises the existing token endpoint authentication methods so there is basically no need to define another parameter. The same principle could be applied to signing (and encryption) algorithms as well. > > > > What’s your opinion? > > > > best regards, > > Torsten. > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Filip Skokan
- [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Filip Skokan
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Torsten Lodderstedt
- Re: [OAUTH-WG] PAR metadata Richard Backman, Annabelle
- Re: [OAUTH-WG] PAR metadata Vladimir Dzhuvinov
- Re: [OAUTH-WG] PAR metadata Brian Campbell
- Re: [OAUTH-WG] PAR metadata Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metada… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Justin Richer