[OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00

Pieter Kasselman <pieter@spirl.com> Wed, 13 November 2024 19:22 UTC

Return-Path: <pieter@spirl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF16C14F701 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 11:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spirl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g684aJJEld97 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 11:22:13 -0800 (PST)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C6DFC14F6E9 for <oauth@ietf.org>; Wed, 13 Nov 2024 11:22:13 -0800 (PST)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-6ea50585bf2so73050267b3.3 for <oauth@ietf.org>; Wed, 13 Nov 2024 11:22:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spirl.com; s=google; t=1731525732; x=1732130532; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=y2XQ7bF+8x6iZnZgtA2KZpHiuk99RfnwdZ5w+FrDGYk=; b=Oya0YXb9KiMfC/xbZ64JxVlb7bPCd8MAfosin/l2eSGKFNcTMN57uDeNaCqc702Gby hGVufZuGJYsBz1BmLXOMy7H5yZUrDIhLeDCZGV+z4DnUxbz3AbkqxDUS2tFUdnwueaui Sc0GLST+ALWkvJ19rkrahHcYZtStLfeYOOo/AKChCQ2h5h0gainipc+SxNEpMFo1kYYK 7x2wYEC+aTtgJw+fsp7uvlIV506D9P+35TixqnXedH0xYhFVV0Q4EGBwiHZodLdNc7aS 0xZd3CMCi2YSaZDAKa0SIx2bpaRW2WdrHuyqJSvorbFU/6jf74ekwSCinxReuUXJmAay gTAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731525732; x=1732130532; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=y2XQ7bF+8x6iZnZgtA2KZpHiuk99RfnwdZ5w+FrDGYk=; b=Nk4aI0pljmafZ1FpmoXPdLKGXtD+OL8ja2ixNIOxcVA5QD0K0b07HaKwjkU9BwQ9F+ jAZA+wUbRNK0QkwlXfRDXNDV5xdxnN34bKeSKV9ceFbe4QpSBqDgyquPPq4fhomv8G3W pidi1AQ/NLrJhJ525r2iMzYaZ9R1rVySrduINYZSVglRsah5K5vldIjTrz3NQG3f8Nfi HnHaJAJ0ugHx+Ms0FR9ttquQQvW/uYNraF3ENultVtTNvjKJuercKDItPMYMnU1TuzPF HPzFESJR4vlzjJRtdXUZgqGx6Re81qQerSZu8Hn9BVMn0i8Uwe8sVLZ8kBirBJWIQL2D joZA==
X-Gm-Message-State: AOJu0YycUt3snSTXjQIW9KlqlSVNEZOgWhknDWWIGkG1BD1sevnh7L5H Q8J1r0m1Rsi2C0iEQ1GAw/pKzN1/xVnMT8cJ8QRSahE8r/mtxLNAtJUAfZ7Ei0y7moupChPdG6R xo5lPZncrvb1WL7yzGPwZizkNiq12WmA9XOf41A==
X-Google-Smtp-Source: AGHT+IGA4O8IgIiuImEKcg0DCPJzPjz9oFNE2XIOypyti/rBTp6t1yALfXW/85SJSOk36kjF3Xy9lUMooiIswH9qX08=
X-Received: by 2002:a05:690c:10:b0:6ea:6871:f6a8 with SMTP id 00721157ae682-6eaddfbe53cmr199375707b3.36.1731525732373; Wed, 13 Nov 2024 11:22:12 -0800 (PST)
MIME-Version: 1.0
References: <CAM7dPt1+PAjUtHmrp-d_y7i8SZXgjjyO2izmMk543xXwF1iY5Q@mail.gmail.com> <CAM7dPt36g33t2mLT4Q2w3+MnLqSEzssv3=uv4-8uPU6Zm_YRPw@mail.gmail.com>
In-Reply-To: <CAM7dPt36g33t2mLT4Q2w3+MnLqSEzssv3=uv4-8uPU6Zm_YRPw@mail.gmail.com>
From: Pieter Kasselman <pieter@spirl.com>
Date: Wed, 13 Nov 2024 12:22:01 -0700
Message-ID: <CALtWOA0TamKdDpj0SaRXx+Oj0V+Y_==xZPqgpJhub-Cq_qj6jA@mail.gmail.com>
To: Janak Amarasena <janakama360@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000032b36f0626d0401d"
Message-ID-Hash: WPMVV2OGQLZVVTFZBYOPKLRPSZVVAE2Z
X-Message-ID-Hash: WPMVV2OGQLZVVTFZBYOPKLRPSZVVAE2Z
X-MailFrom: pieter@spirl.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JUzoUOmW7bGshzY9c4DARJu2KKM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Thanks Janak for your detailed review and opening the GitHub issues.

On Wed, Nov 13, 2024 at 9:39 AM Janak Amarasena <janakama360@gmail.com>
wrote:

> Hi All,
>
> I created GitHub issues[1] #125 to #131 covering the feedback I provided
> through my previous email.
>
> [1] - https://github.com/oauth-wg/oauth-first-party-apps/issues
>
> Best Regards,
> Janak Amarasena
>
> On Fri, Nov 1, 2024 at 11:43 AM Janak Amarasena <janakama360@gmail.com>
> wrote:
>
>> Hi All,
>>
>> I have gone through the OAuth 2.0 for First Party Applications draft (
>> draft-ietf-oauth-first-party-apps-00) and have some feedback on it. I
>> think this is a much needed standard. At my organization(WSO2) also we have
>> seen a significant demand from customers requesting to do API centric
>> authorization largely due to the need for seamless UX. We have seen places
>> where organizations lean more towards UX disregarding security best
>> practices. Due to the demand we ourselves did an extension for OAuth to
>> solve the same problem this specification is addressing and at the time if
>> this specification existed we would have definitely implemented this
>> without going ahead with our own extension.
>>
>> Please find my feedback below;
>>
>> Under section 5.1. “Authorization Challenge Request” the spec lists the
>> “code_challenge” and the "code_challenge_method" as optional parameters. As
>> this protocol establishes direct communication between the client and the
>> AS I don’t see a real requirement to mention PKCE related parameters
>> here. Please let me know if I have missed anything here.
>>
>> As I understood, using these two parameters in the authorization
>> challenge request is useful only when the client expects that it will have
>> to perform a redirect based authorization flow and also the AS supports PAR
>> capabilities through the authorization_challenge_endpoint. I think this
>> will be an edge case and given the spec mentions it supports all extensions
>> applicable to the authorization endpoint I don’t see a major need to
>> specifically mention these two parameters under this section. I think this
>> could also cause confusion to implementers.
>>
>> Under section 5.2.2.1. “Redirect to Web Error Response” the spec mentions
>>
>>    In this case, the client is expected to initiate a new OAuth
>>
>>    Authorization Code flow with PKCE according to [RFC6749] and
>>
>>    [RFC7636].
>>
>>    If the client expects the frequency of this error response to be
>>
>>    high, the client MAY include a PKCE ([RFC7636]) code_challenge in the
>>
>>    initial authorization challenge request.  This enables the
>>
>>    authorization server to essentially treat the authorization challenge
>>
>>    request as a PAR [RFC9126] request, and return the request_uri and
>>
>>    expires_in as defined by [RFC9126] in the error response.  The client
>>
>>    then uses the request_uri value to build an authorization request as
>>
>>    defined in [RFC9126] Section 4.
>>
>> I think it would be good to add some text to the spec mentioning the
>> possibility to use the auth_session in this new authorization request such
>> that the user can continue the login from where the user left off.
>> Something similar is mentioned in section 6.1. for step-up authentication.
>>
>>
>> I have some concerns with the authorization_challenge_endpoint being able
>> to act as the PAR endpoint. I understand the improved experience gained
>> here but this essentially creates two standard endpoints that can do
>> similar things. Instead it might be possible to use the auth_session to
>> maintain the complete context. However this could be overloading the
>> expectations of the auth_session.
>>
>> Under section 5.3.1. “Auth Session” spec mentions;
>>
>>    The auth_session value is completely opaque to the client, and as
>>
>>    such the authorization server MUST adequately protect the value from
>>
>>    inspection by the client, for example by using a random string or
>>
>>    using a JWE if the authorization server is not maintaining state on
>>
>>    the backend.
>>
>> I think the intention behind mandating to maintain the opaqueness is to
>> protect any sensitive information. Depending on the AS implementation it
>> could decide on using an auth_session value which is not opaque but also
>> does not contain any sensitive data. I think it would be better to
>> recommend that the AS uses adequate measures such as encryption in the
>> event they are using something other than an opaque value that contains
>> sensitive data. The current mandating will put an unnecessary burden on the
>> AS to encrypt and decrypt data if it doesn’t contain sensitive information.
>>
>> In the same section it mentions;
>>
>>   To mitigate the risk of session hijacking, the 'auth_session' MUST be
>>
>>    bound to the device, and the authorization server MUST reject an
>>
>>    'auth_session' if it is presented from a different device than the
>>
>>    one it was bound to.
>>
>> I completely agree on the need to mitigate the risk of session hijacking.
>> However, in the current text, although it's not directly mentioned here, it
>> will require the AS to have a proof of possession mechanism in place as
>> pointed in Section 9 "Security Considerations". This can be a major
>> barrier to implement this specification as the AS should also implement
>> another specification. There can be different ways the implementation can
>> solve this problem without needing proof of possession. For example if the
>> auth_session is only transmitted between the AS and the client then it will
>> be protected with TLS in transit and the client and AS can use independent
>> mechanisms to protect the auth_session at rest. Since this specification
>> applies only to first party applications the implementers will have full
>> control over how the client and the AS protects the data, and therefore can
>> make sure adequate protection is in place for the auth_session. Due to this
>> I think it is better to change wording from mandating to a recommendation.
>>
>> Regarding section “7. Resource Server Error Response” I am wondering
>> whether this section is required at all as this spec makes no addition to
>> RFC9470. I guess this section is there to provide clarity due to RFC9470
>> using the authorization endpoint in its text.
>>
>> Under section 9.5.1. DPoP: Demonstrating Proof-of-Possession it mentions
>> “… The authorization server MUST ensure that the same key is used in all
>> subsequent Authorization Challenge Requests, or in the eventual token
>> request…” I think it was meant to say “... Authorization Challenge
>> Requests, and in the eventual token request…”
>>
>> Best Regards,
>>
>> Janak Amarasena
>>
>> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>