IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and in-browser clients using the token endpoint

Neil Madden <neil.madden@forgerock.com> Tue, 05 February 2019 16:17 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E0F86130DE4 for <oauth@ietfa.amsl.com>; Tue, 5 Feb 2019 08:17:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x5wBEPb3oQw0 for <oauth@ietfa.amsl.com>; Tue, 5 Feb 2019 08:17:26 -0800 (PST)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBF9912008A for <oauth@ietf.org>; Tue, 5 Feb 2019 08:17:25 -0800 (PST)
Received: by mail-wm1-x333.google.com with SMTP id y8so4296211wmi.4 for <oauth@ietf.org>; Tue, 05 Feb 2019 08:17:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6vOfYQgmBj3Yx3p/fEO5aQtYY3kq6izQMNHLqvxs9GY=; b=Dn86cQKKwmYqx1c+PRe5OwG4udbI1v5DTNTWdiEgQWp0AYdg5sos4GES13T1E4PXOi VoICDn2Wj39fNMMM2LRnF/N5bbMEtDQCq1x8kgDNVNHHDP3uxumxaYiiMpGaPlsPEoUV A2i/RUFSwCJ86H+9XF/MtNYrk4En8kwchHGMc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=6vOfYQgmBj3Yx3p/fEO5aQtYY3kq6izQMNHLqvxs9GY=; b=AZy4UP8gkJYA0WSDyK1zC11N2XmJX6d4P3LaWwdhJMiANros7ulIIlLE+AGq/jmI9A H+PSnFv7KrURWJNMaeCvTd6qsXLJrvnzVhdQOb4yESdMmXuz5FzfOK4yhyB/LZeWqAky UJcnZOOqlvVWsUOf/FkoMLBFuVI4PDgTPImSA1UMgpkB56Zoqoi5kM/PRbMZ3QImC06x tAHFjajtG+9Ia5AELyEc4BIIbpRrEnImDTQb15LYxsEdHu207PTPUFkfKQFd37u5hnc0 em8CV0bAZh+H2xz2UtLY1a2YwDwt531gBvC2a9rcrfyusTf+5XzfNjvJ++wfO9j76WJw Jk9g==
X-Gm-Message-State: AHQUAuacIHdrRCnbQtDiPmERmPZQvGSUFfEOS0/9ZK5J6+lGwd9Jy1Pk iGDJOkc2hmmYME9v5o9w2zJz9A==
X-Google-Smtp-Source: AHgI3IZKImHV4tZuGJjfVN3g05D5O3ySVB8NUrrNQY1nhHu6E4dSbS3+droz1LoL1EpAINBfD6MldA==
X-Received: by 2002:a1c:c707:: with SMTP id x7mr4262656wmf.120.1549383444159; Tue, 05 Feb 2019 08:17:24 -0800 (PST)
Received: from guest2s-mbp.lan (173.132.93.209.dyn.plus.net. [209.93.132.173]) by smtp.gmail.com with ESMTPSA id x186sm27160043wmg.41.2019.02.05.08.17.22 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Feb 2019 08:17:23 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <9864BB84-3987-4EF9-81C3-45B4387F0B1A@mit.edu>
Date: Tue, 05 Feb 2019 16:17:21 +0000
Cc: David Waite <david@alkaline-solutions.com>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <761DA897-56F2-4201-81BA-04D894DE28BA@forgerock.com>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <548FF68E-7775-4FE0-829F-1E9CC6EA8E3F@alkaline-solutions.com> <1119DDAE-8044-43C9-A6D4-6032B3BB62B8@forgerock.com> <9D007408-3BCC-4165-BCA4-083BD7602E7D@alkaline-solutions.com> <CA+k3eCQi1sz2bDOMEATpN9ZvXd+VJydQXG03WKuLczG5kz2z+Q@mail.gmail.com> <CAP-T6TTD-nLGoPHqJ042SzotLorb2mzoWgLxsausWHhRPZr8xA@mail.gmail.com> <CA+k3eCQtgku68usoCFsTeHVnNOLqWs6NweOgpQKsa7_9=wK7Vw@mail.gmail.com> <99d38517-0e25-789f-83ae-9f33e5620475@aol.com> <CA+k3eCQVL4DeRqHWYu6=xXjBK2RnukQ5RxFzRjGZYr4au8bBkQ@mail.gmail.com> <F5841CEA-BA74-4F17-977A-A78922CDC68C@amazon.com> <CA+k3eCT+mPu0=9TDKtuVqXy=zStEWTS5aVOsc2TuJcYQ2cvE6A@mail.gmail.com> <CC05C965-3308-4449-A1E2-EDA0119BE5D2@amazon.com> <5C615068-4D43-4697-B5B1-612F01166828@forgerock.com> <CA+k3eCQnpVG6D3-Q0dConTvM7oAKp6530U2_sRhJHQWKMMCMfQ@mail.gmail.com> <CFEDC47D-4AC7-437C-AA63-EB374C6EB931@alkaline-solutions.com> <9864BB84-3987-4EF9-81C3-45B4387F0B1A@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JhTij6kJtwwjxJgF16B-Vz7TJq8>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Feb 2019 16:17:29 -0000

I’m less and less convinced that a redirect is the best way to do this.

I was reading the WHATWG Fetch spec yesterday, in particular the entries about CORS, and realised that for cross-origin requests TLS client certificates are treated as credentials just like cookies: https://fetch.spec.whatwg.org/#credentials

    Credentials are HTTP cookies, TLS client certificates, and authentication entries (for HTTP authentication)

So assuming that web browser clients calling the token endpoint will most likely be calling cross-origin, then it seems that client certificates won’t be sent anyway unless Access-Control-Allow-Credentials: true is returned from the preflight request. Given that calls to the token endpoint shouldn’t generally require cookies, then it seems likely that you can just *not* allow credentials in the CORS response and therefore not have any problem with prompting users for certificates. (Note that you can still manually set the Authorization header without ACAC set to true, you just have to whitelist that header in the AC-Allowed-Headers response).

I haven’t got time to test it myself right now, but if so that seems like it side-steps the issue pretty neatly. Configure the token endpoint to ask for, but not require, client certs, and then make sure you don’t return Access-Control-Allow-Credentials: true on CORS preflight requests to that endpoint.

— Neil

> On 5 Feb 2019, at 15:21, Justin Richer <jricher@mit.edu> wrote:
> 
> +1 to David. If it’s a redirect, 307 is more appropriate. It’s up to the AS to decide if the client should do MTLS or not, if there’s an option.
> 
> — Justin
> 
>> On Feb 4, 2019, at 12:17 PM, David Waite <david@alkaline-solutions.com> wrote:
>> 
>> My understanding is that a permanent redirect would be telling the client (and any other clients getting cached results from an intermediary) to now stop using the original endpoint in perpetuity for all cases. I don’t think that is appropriate (in the general case) for an endpoint with request processing business logic behind it, since that logic may change over time.
>> 
>> -DW
>> 
>>> On Feb 4, 2019, at 6:28 AM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>> 
>>> Yeah, probably. 
>>> 
>>> On Sat, Feb 2, 2019 at 12:39 AM Neil Madden <neil.madden@forgerock.com> wrote:
>>> If we go down the 307 route, shouldn’t it rather be a 308 (permanent) redirect? It seems unnecessary for the client to keep trying the original endpoint or have to remember cache-control/expires timeouts. 
>>> 
>>> — Neil
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email