[OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00
Pieter Kasselman <pieter@spirl.com> Wed, 13 November 2024 19:22 UTC
Return-Path: <pieter@spirl.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AF16C14F701 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 11:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spirl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g684aJJEld97 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 11:22:13 -0800 (PST)
Received: from mail-yw1-x112b.google.com (mail-yw1-x112b.google.com [IPv6:2607:f8b0:4864:20::112b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C6DFC14F6E9 for <oauth@ietf.org>; Wed, 13 Nov 2024 11:22:13 -0800 (PST)
Received: by mail-yw1-x112b.google.com with SMTP id 00721157ae682-6ea50585bf2so73050267b3.3 for <oauth@ietf.org>; Wed, 13 Nov 2024 11:22:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spirl.com; s=google; t=1731525732; x=1732130532; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=y2XQ7bF+8x6iZnZgtA2KZpHiuk99RfnwdZ5w+FrDGYk=; b=Oya0YXb9KiMfC/xbZ64JxVlb7bPCd8MAfosin/l2eSGKFNcTMN57uDeNaCqc702Gby hGVufZuGJYsBz1BmLXOMy7H5yZUrDIhLeDCZGV+z4DnUxbz3AbkqxDUS2tFUdnwueaui Sc0GLST+ALWkvJ19rkrahHcYZtStLfeYOOo/AKChCQ2h5h0gainipc+SxNEpMFo1kYYK 7x2wYEC+aTtgJw+fsp7uvlIV506D9P+35TixqnXedH0xYhFVV0Q4EGBwiHZodLdNc7aS 0xZd3CMCi2YSaZDAKa0SIx2bpaRW2WdrHuyqJSvorbFU/6jf74ekwSCinxReuUXJmAay gTAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1731525732; x=1732130532; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=y2XQ7bF+8x6iZnZgtA2KZpHiuk99RfnwdZ5w+FrDGYk=; b=Nk4aI0pljmafZ1FpmoXPdLKGXtD+OL8ja2ixNIOxcVA5QD0K0b07HaKwjkU9BwQ9F+ jAZA+wUbRNK0QkwlXfRDXNDV5xdxnN34bKeSKV9ceFbe4QpSBqDgyquPPq4fhomv8G3W pidi1AQ/NLrJhJ525r2iMzYaZ9R1rVySrduINYZSVglRsah5K5vldIjTrz3NQG3f8Nfi HnHaJAJ0ugHx+Ms0FR9ttquQQvW/uYNraF3ENultVtTNvjKJuercKDItPMYMnU1TuzPF HPzFESJR4vlzjJRtdXUZgqGx6Re81qQerSZu8Hn9BVMn0i8Uwe8sVLZ8kBirBJWIQL2D joZA==
X-Gm-Message-State: AOJu0YycUt3snSTXjQIW9KlqlSVNEZOgWhknDWWIGkG1BD1sevnh7L5H Q8J1r0m1Rsi2C0iEQ1GAw/pKzN1/xVnMT8cJ8QRSahE8r/mtxLNAtJUAfZ7Ei0y7moupChPdG6R xo5lPZncrvb1WL7yzGPwZizkNiq12WmA9XOf41A==
X-Google-Smtp-Source: AGHT+IGA4O8IgIiuImEKcg0DCPJzPjz9oFNE2XIOypyti/rBTp6t1yALfXW/85SJSOk36kjF3Xy9lUMooiIswH9qX08=
X-Received: by 2002:a05:690c:10:b0:6ea:6871:f6a8 with SMTP id 00721157ae682-6eaddfbe53cmr199375707b3.36.1731525732373; Wed, 13 Nov 2024 11:22:12 -0800 (PST)
MIME-Version: 1.0
References: <CAM7dPt1+PAjUtHmrp-d_y7i8SZXgjjyO2izmMk543xXwF1iY5Q@mail.gmail.com> <CAM7dPt36g33t2mLT4Q2w3+MnLqSEzssv3=uv4-8uPU6Zm_YRPw@mail.gmail.com>
In-Reply-To: <CAM7dPt36g33t2mLT4Q2w3+MnLqSEzssv3=uv4-8uPU6Zm_YRPw@mail.gmail.com>
From: Pieter Kasselman <pieter@spirl.com>
Date: Wed, 13 Nov 2024 12:22:01 -0700
Message-ID: <CALtWOA0TamKdDpj0SaRXx+Oj0V+Y_==xZPqgpJhub-Cq_qj6jA@mail.gmail.com>
To: Janak Amarasena <janakama360@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000032b36f0626d0401d"
Message-ID-Hash: WPMVV2OGQLZVVTFZBYOPKLRPSZVVAE2Z
X-Message-ID-Hash: WPMVV2OGQLZVVTFZBYOPKLRPSZVVAE2Z
X-MailFrom: pieter@spirl.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first-party-apps-00
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JUzoUOmW7bGshzY9c4DARJu2KKM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Thanks Janak for your detailed review and opening the GitHub issues. On Wed, Nov 13, 2024 at 9:39 AM Janak Amarasena <janakama360@gmail.com> wrote: > Hi All, > > I created GitHub issues[1] #125 to #131 covering the feedback I provided > through my previous email. > > [1] - https://github.com/oauth-wg/oauth-first-party-apps/issues > > Best Regards, > Janak Amarasena > > On Fri, Nov 1, 2024 at 11:43 AM Janak Amarasena <janakama360@gmail.com> > wrote: > >> Hi All, >> >> I have gone through the OAuth 2.0 for First Party Applications draft ( >> draft-ietf-oauth-first-party-apps-00) and have some feedback on it. I >> think this is a much needed standard. At my organization(WSO2) also we have >> seen a significant demand from customers requesting to do API centric >> authorization largely due to the need for seamless UX. We have seen places >> where organizations lean more towards UX disregarding security best >> practices. Due to the demand we ourselves did an extension for OAuth to >> solve the same problem this specification is addressing and at the time if >> this specification existed we would have definitely implemented this >> without going ahead with our own extension. >> >> Please find my feedback below; >> >> Under section 5.1. “Authorization Challenge Request” the spec lists the >> “code_challenge” and the "code_challenge_method" as optional parameters. As >> this protocol establishes direct communication between the client and the >> AS I don’t see a real requirement to mention PKCE related parameters >> here. Please let me know if I have missed anything here. >> >> As I understood, using these two parameters in the authorization >> challenge request is useful only when the client expects that it will have >> to perform a redirect based authorization flow and also the AS supports PAR >> capabilities through the authorization_challenge_endpoint. I think this >> will be an edge case and given the spec mentions it supports all extensions >> applicable to the authorization endpoint I don’t see a major need to >> specifically mention these two parameters under this section. I think this >> could also cause confusion to implementers. >> >> Under section 5.2.2.1. “Redirect to Web Error Response” the spec mentions >> >> In this case, the client is expected to initiate a new OAuth >> >> Authorization Code flow with PKCE according to [RFC6749] and >> >> [RFC7636]. >> >> If the client expects the frequency of this error response to be >> >> high, the client MAY include a PKCE ([RFC7636]) code_challenge in the >> >> initial authorization challenge request. This enables the >> >> authorization server to essentially treat the authorization challenge >> >> request as a PAR [RFC9126] request, and return the request_uri and >> >> expires_in as defined by [RFC9126] in the error response. The client >> >> then uses the request_uri value to build an authorization request as >> >> defined in [RFC9126] Section 4. >> >> I think it would be good to add some text to the spec mentioning the >> possibility to use the auth_session in this new authorization request such >> that the user can continue the login from where the user left off. >> Something similar is mentioned in section 6.1. for step-up authentication. >> >> >> I have some concerns with the authorization_challenge_endpoint being able >> to act as the PAR endpoint. I understand the improved experience gained >> here but this essentially creates two standard endpoints that can do >> similar things. Instead it might be possible to use the auth_session to >> maintain the complete context. However this could be overloading the >> expectations of the auth_session. >> >> Under section 5.3.1. “Auth Session” spec mentions; >> >> The auth_session value is completely opaque to the client, and as >> >> such the authorization server MUST adequately protect the value from >> >> inspection by the client, for example by using a random string or >> >> using a JWE if the authorization server is not maintaining state on >> >> the backend. >> >> I think the intention behind mandating to maintain the opaqueness is to >> protect any sensitive information. Depending on the AS implementation it >> could decide on using an auth_session value which is not opaque but also >> does not contain any sensitive data. I think it would be better to >> recommend that the AS uses adequate measures such as encryption in the >> event they are using something other than an opaque value that contains >> sensitive data. The current mandating will put an unnecessary burden on the >> AS to encrypt and decrypt data if it doesn’t contain sensitive information. >> >> In the same section it mentions; >> >> To mitigate the risk of session hijacking, the 'auth_session' MUST be >> >> bound to the device, and the authorization server MUST reject an >> >> 'auth_session' if it is presented from a different device than the >> >> one it was bound to. >> >> I completely agree on the need to mitigate the risk of session hijacking. >> However, in the current text, although it's not directly mentioned here, it >> will require the AS to have a proof of possession mechanism in place as >> pointed in Section 9 "Security Considerations". This can be a major >> barrier to implement this specification as the AS should also implement >> another specification. There can be different ways the implementation can >> solve this problem without needing proof of possession. For example if the >> auth_session is only transmitted between the AS and the client then it will >> be protected with TLS in transit and the client and AS can use independent >> mechanisms to protect the auth_session at rest. Since this specification >> applies only to first party applications the implementers will have full >> control over how the client and the AS protects the data, and therefore can >> make sure adequate protection is in place for the auth_session. Due to this >> I think it is better to change wording from mandating to a recommendation. >> >> Regarding section “7. Resource Server Error Response” I am wondering >> whether this section is required at all as this spec makes no addition to >> RFC9470. I guess this section is there to provide clarity due to RFC9470 >> using the authorization endpoint in its text. >> >> Under section 9.5.1. DPoP: Demonstrating Proof-of-Possession it mentions >> “… The authorization server MUST ensure that the same key is used in all >> subsequent Authorization Challenge Requests, or in the eventual token >> request…” I think it was meant to say “... Authorization Challenge >> Requests, and in the eventual token request…” >> >> Best Regards, >> >> Janak Amarasena >> >> _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >
- [OAUTH-WG] Feedback on draft-ietf-oauth-first-par… Janak Amarasena
- [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first… Janak Amarasena
- [OAUTH-WG] Re: Feedback on draft-ietf-oauth-first… Pieter Kasselman