Re: [OAUTH-WG] WGLC Review of PAR

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 03 September 2020 12:25 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1EBD3A0B41 for <oauth@ietfa.amsl.com>; Thu, 3 Sep 2020 05:25:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUIoG9etEZBj for <oauth@ietfa.amsl.com>; Thu, 3 Sep 2020 05:25:30 -0700 (PDT)
Received: from mail-ej1-x634.google.com (mail-ej1-x634.google.com [IPv6:2a00:1450:4864:20::634]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7C773A0AA8 for <oauth@ietf.org>; Thu, 3 Sep 2020 05:25:29 -0700 (PDT)
Received: by mail-ej1-x634.google.com with SMTP id nw23so3593568ejb.4 for <oauth@ietf.org>; Thu, 03 Sep 2020 05:25:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=eqlI3twXWqRDf49veqoIk61CzT4T9d6/eQzCohewqrQ=; b=uqnKYVr5rixmovPImq06qOhOYljAenE6auKGWas0EYFa4oNDmnVlMadcFSs6DpK6Zu MQy8DAyGQh+rSoV1H+HO2hQFKfOocuSawjHWYl9PD5+1/II140a5fs+YS0V5eHVT78kP IdvgjPSXj/ZZ/hB3ytCZYs6OF1lpodzj16ied4PMqgNXkD5QySyYgWyVML5glFyWtzQF wEyngWVoBrIu2Xa8byF6B8FQJeXJ5csapq2UAj26+9PeOCUiY1I/xYURHKPEHmknTS4q UJRMgpteYI738u641TLqQjG1Y6Lgt6lxBym2GJzYVRx1tnbuieX+P+ZS+6srmoKT6Uzy T0/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=eqlI3twXWqRDf49veqoIk61CzT4T9d6/eQzCohewqrQ=; b=WcytZea4mdZWIYTd7x2pw8H70D52xoRrc1TB8Ar0qTs9Z1xKcSlmd55OY/m1k69mas hP9h9vm3gzQ8J9rcyvY/VIM+3hm45Mabygwh8dskCxtp7BDY5rLJZaWdMN36mG6N7iEH Gk1q8pDvIkT/xUCc9/XEdzJB8dijReuZ3JoOnfYMUvorAtNE6EJh+np1NDsEkmcSjfto 8RJ2Tj+HFBuPKuGB8BBTgXYPC+w3F2NUFjDMfiHWi1pU5RVv5HxBEoOY4B7DCQ1dfIwu R5CRFsKOk/h/gYkZM7yT3pmZQqNGgcyGFc7AHVffqGdLFvfVotaLTOxgMfG6soU3ZAzV v78Q==
X-Gm-Message-State: AOAM530BoYFemmt6oWrLBZS0zbdqWgGGaoxQHgpvwi/tHPPQuSxj23a3 X8XLCo4zJO7tV285JmzZBiIgWQ==
X-Google-Smtp-Source: ABdhPJwQeyzWk/t/CTU17nbOvyB8SZy5aewjgbeJh7gVE02UStO4SsYNws3elEyqbmvaaZqUmdmF1g==
X-Received: by 2002:a17:906:c34d:: with SMTP id ci13mr1803954ejb.356.1599135928311; Thu, 03 Sep 2020 05:25:28 -0700 (PDT)
Received: from p200300eb8f1e2a2218ad54581fcb1426.dip0.t-ipconnect.de (p200300eb8f1e2a2218ad54581fcb1426.dip0.t-ipconnect.de. [2003:eb:8f1e:2a22:18ad:5458:1fcb:1426]) by smtp.gmail.com with ESMTPSA id n15sm3013116eja.26.2020.09.03.05.25.26 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 03 Sep 2020 05:25:26 -0700 (PDT)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CA+k3eCQc3jc2zp-KpRx3gsJBthqFYAB3qDcJXkUjUndZ9RQSqA@mail.gmail.com>
Date: Thu, 3 Sep 2020 14:25:25 +0200
Cc: Takahiko Kawasaki <taka@authlete.com>, oauth <oauth@ietf.org>, Justin Richer <jricher@mit.edu>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3B5DCF39-44C1-4162-AB35-504407A0A2B8@lodderstedt.net>
References: <19d4b2ae7e2c456a82b41803f10017c4@oc11expo18.exchange.mit.edu> <19D00FD1-88BF-465B-8A11-FE5388AFDA6E@lodderstedt.net> <CA+k3eCQc3jc2zp-KpRx3gsJBthqFYAB3qDcJXkUjUndZ9RQSqA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K9uwfjMEpWVsqVxs3J_oXzrTwpo>
Subject: Re: [OAUTH-WG] WGLC Review of PAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Sep 2020 12:25:37 -0000

yes.

> On 3. Sep 2020, at 13:33, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> Do you mean just putting the "Note:" back in front of it? WFM. 
> 
> 
> 
> On Thu, Sep 3, 2020 at 12:11 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Thanks Brian!
> 
> I suggest to put a Note: in front of the last paragraph to indicate it is additional infomercial.
> 
> WDYT?
> 
> > Am 03.09.2020 um 02:29 schrieb Justin Richer <jricher@mit.edu>du>:
> > 
> > Nice work, Brian. Looks good to me! 
> > ________________________________________
> > From: Brian Campbell [bcampbell@pingidentity.com]
> > Sent: Wednesday, September 2, 2020 3:41 PM
> > To: Justin Richer
> > Cc: Takahiko Kawasaki; Torsten Lodderstedt; oauth
> > Subject: Re: [OAUTH-WG] WGLC Review of PAR
> > 
> > Thanks Torsten, Taka, and Justin,
> > 
> > I took the revised text from Justin and tweaked it with some typo cleanup and minor adjustments to make what is hopefully a final proposal below. I had a similar feeling about the last paragraph not really fitting but don't have a better location to suggest so am just leaving it.
> > 
> > 2.4. Management of Client Redirect URIs
> > 
> > While OAuth 2.0 [RFC6749] allows clients to use unregistered redirect_uri values in certain circumstances, or for the authorization server to apply its own matching semantics to the redirect_uri value presented by the client at the authorization endpoint, the OAuth Security BCP [I-D.ietf-oauth-security-topics] as well as OAuth 2.1 [I-D.ietf-oauth-v2-1] require an authorization server exactly match the redirect_uri parameter against the set of redirect URIs previously established for a particular client. This is a means for early detection of client impersonation attempts and prevents token leakage and open redirection. As a downside, this can make client management more cumbersome since the redirect URI is typically the most volatile part of a client policy.
> > 
> > The exact matching requirement MAY be relaxed by the authorization server for a confidential client using pushed authorization requests since the authorization server authenticates the client before the authorization process starts and thus ensures it is interacting with the legitimate client. The authorization server MAY allow such clients to specify redirect_uri values that were not previously registered with the authorization server. This will give the client more flexibility (e.g. to mint distinct redirect URI values per authorization server at runtime) and can simplify client management. It is at the discretion of the authorization server to apply restrictions on supplied redirect_uri values, e.g. the authorization server MAY require a certain URI prefix or allow only a query parameter to vary at runtime.
> > 
> > The ability to set up transaction specific redirect URIs is also useful in situations where client ids and corresponding credentials and policies are managed by a trusted 3rd party, e.g. via client certificates containing client permissions. Such an externally managed client could interact with an authorization server trusting the respective 3rd party without the need for an additional registration step.
> > 
> > On Wed, Sep 2, 2020 at 8:09 AM Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
> > The real conflict here is with the BCP and 2.1, both of which adopt the stricter matching semantics for redirect URIs than 6749 does on its own. This section would be needed to clarify how they relate to each other. That said, I think adding some of Taka’s observations to Torsten’s text wouldn’t hurt:
> > 
> > 2.4. Management of redirect_uri
> > 
> > While OAuth 2.0 [RFC6749] allows clients to use unregistered redirect_uri values in certain circumstances, or for the AS to apply its own matching semantics to the redirect_uri value presented by the client at the authorization endpoint, the OAuth Security BCP [I-D.ietf-oauth-security-topics] as well as OAuth 2.1 [I-D.ietf-oauth-v2-1] require an AS to excactly match the redirect_uri parameter against the set of redirect URIs previously established for a particular client. This is a means to early detect attempts to impersonate a client and prevent token leakage and open redirection. As a downside, it makes client management more complex since the redirect URI is typically the most volatile part of a client policy.
> > 
> > This requirement MAY be relaxed by the AS if a confidential client uses pushed authorization requests since the AS authenticates the client before the authorization process starts and that way ensures it interacts with the legit client. The AS MAY allow such clients to specify redirect_uri values not previously registered with the AS. This will give the client more flexibility (e.g. to mint AS-specific redirect URIs on the fly) and makes client management much easier. It is at the discretion of the AS to apply restriction on redirect_uri values, e.g. the AS MAY require a certain URI prefix or allow only a query parameter to vary at runtime.
> > 
> > I also feel like this paragraph belongs in a different section outside of here. I’m not sure where, but it doesn’t quite seem to fit, to me. It’s not the end of the world if it stays here though as it’s a decent view on the “why".
> > 
> > The aibility to set up transaction specific redirect URIs is also useful in situations where client ids and correspoding credentials and policies are managed by a trusted 3rd party, e.g. via client certifiates containing client permissions. Such an externally managed client could interact with an AS trusting the respective 3rd party without the need for an additional registration step.
> > 
> > — Justin
> > 
> > On Sep 1, 2020, at 11:05 PM, Takahiko Kawasaki <taka@authlete.com<mailto:taka@authlete.com>> wrote:
> > 
> > Under existing specifications (RFC 6749, OIDC Core 1.0 and FAPI), a client can choose an arbitrary redirect_uri without registering it only when all the following conditions are satisfied.
> > 
> > 1. The client type of the client is "confidential". (RFC 6749 Section 3.1.2.2 requires that public clients register redirect URIs.)
> > 2. The flow is not "implicit". (RFC 6749 Section 3.1.2.2 requires that confidential clients utilizing the implicit grant type register redirect URIs.)
> > 3. The authorization request is not an OIDC request. (OIDC Core 1.0 Section 3.1.2.1 requires that redirect_uri match a pre-registered one.)
> > 4. The authorization request is not a FAPI request. (FAPI Part 1 Section 5.2.2 Clause 8 requires that redirect URIs be pre-registered.)
> > 
> > In short, under existing specifications, pure RFC-6749 authorization-code-flow requests from confidential clients can choose an arbitrary redirect_uri without registering it. Once OIDC or FAPI is used, existing specifications require pre-registration of redirect URIs. I'm not sure but if PAR's "redirect_uri Management" is going to introduce rules that conflict with existing specifications, it is better to list the conflicts explicitly in the section.
> > 
> > Best Regards,
> > Takahiko Kawasaki
> > 
> > 
> > On Wed, Sep 2, 2020 at 3:48 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org<mailto:40lodderstedt.net@dmarc.ietf.org>> wrote:
> > Here is my proposal for the new section:
> > 
> > 2.4. redirect_uri Management
> > 
> > The OAuth Security BCP [I-D.ietf-oauth-security-topics] as well as OAuth 2.1 [I-D.ietf-oauth-v2-1] require an AS to excactly match the redirect_uri parameter against the set of redirect URIs previously established for a particular client. This is a means to early detect attempts to impersonate a client and prevent token leakage and open redirection. As a downside, it makes client management more complex since the redirect URI is typically the most volatile part of a client policy.
> > 
> > This requirement MAY be relaxed by the AS, if a confidential client uses pushed authorization requests since the AS authenticates the client before the authorization process starts and that way ensures it interacts with the legit client. The AS MAY allow such clients to specify redirect_uri values not previously registered with the AS. This will give the client more flexibility (e.g. to mint AS-specific redirect URIs on the fly) and makes client management much easier. It is at the discretion of the AS to apply restriction on redirect_uri values, e.g. the AS MAY require a certain URI prefix or allow only a query parameter to vary at runtime.
> > 
> > Note: The aibility to set up transaction specific redirect URIs is also useful in situations where client ids and correspoding credentials and policies are managed by a trusted 3rd party, e.g. via client certifiates containing client permissions. Such an externally managed client could interact with an AS trusting the respective 3rd party without the need for an additional registration step.
> > 
> >> On 29. Aug 2020, at 17:22, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
> >> 
> >> I completely agree with the utility of the function in question here and it needs to be included. I’m in favor of creating a dedicated section for redirect_uri management, so that we can explain exactly how and why to relax the requirement from core OAuth. In addition, I think we want to discuss that the AS might have its own restrictions on which redirect URIs an authenticated client might be able to use. For example, registering a client with a Redirect URI prefix, or allowing only a query parameter to vary at runtime. All of these can be enforced in PAR because the client is presenting its authentication, as you point out, so the AS can determine which policies should apply.
> >> 
> >> — Justin
> >> 
> >>>> On Aug 29, 2020, at 7:52 AM, Torsten Lodderstedt <torsten@lodderstedt.net<mailto:torsten@lodderstedt.net>> wrote:
> >>> 
> >>> 
> >>>> 
> >>>> 
> >>>>  ¶6: Does the AS really have "the ability to authenticate and authorize clients”? I think what we mean here is "the ability to authenticate clients and validate client requests”, but I’m not positive of the intent.
> >>>> 
> >>>> I think the intent is that the AS can check whether a client is authorized to make a particular authorization request (specific scopes, response type, etc.). But checking authorization to request authorization is confusing wording. I think your working is less confusing and still allows for the intent.
> >>>> 
> >>>> I'll let Torsten interject if he feels differently as I think he originally wrote the text in question.
> >>> 
> >>> that was the original intent. I think “validate" is fine.
> >>> 
> >>>> 
> >>>> 
> >>>> 
> >>>>  ¶7: I’m not sure I buy this example. Even if the clientID is managed externally, the association with a set or pattern of allowed redirect URIs is still important, and the AS will need to know what that is. I think this example could lead an AS developer to (erroneously and dangerously) conclude that they don’t have to check any other values in a request, including scope and redirect URI. It’s important that DynReg doesn’t alleviate that issue, but removal of DynReg doesn’t really change things in that regard. Suggest removing example or reworking paragraph.
> >>>> 
> >>>> I'm going to have to defer to Torsten on this because, to be honest, I'm not too sure about it myself. I tend to lean towards thinking the draft would be better off without it.
> >>>> 
> >>> 
> >>> In the traditional authorization flow, the redirect_uri serves as way to make sure the AS is really talking to the legit client and the allowed redirect_uri values are determined by the legit client at registration time (might be manually).
> >>> 
> >>> With PAR, we have a much stronger means to ensure the AS is talking to the legit client. That’s why I don’t see an issue with letting the client set a per transaction redirect_uri. This will give the client more flexibility (mint AS-specific redirect URIs on the fly) and makes client management much easier since redirect URIs are the most volatile part of a client policy.
> >>> 
> >>> It also makes use of OAuth much easier in deployments where client identities are managed by external entities (even without any idea of OAuth). A prominent example is open banking in the EU (aka PSD2). The (technical) identity of any PSD2-licensed client is asserted by an eIDAS compliant CA in a special X.509 certificate. Those certificates contain the permissions (access to account information and/or payment initiation allowed) and the identity (member state specific). But they don’t contain OAuth policy values. Nevertheless, the regulation requires any financial institution in the EU to at runtime, without any registration, to accept and process calls from any licensed PSD2 clients.
> >>> 
> >>> There are two ways to cope with it in OAuth context:
> >>> a) use dynamic client registration with the X.509 cert as credential. Unfortunately, RFC 7591 does not support other client authentication means then an initial access token. Beside that, it would violate the text of the regulation.
> >>> b) establish a redirect URL with every transaction. This is the recommended approach in at least one of the PSD2 specs.
> >>> 
> >>> PAR is a clean way to solve that problem.
> >>> 
> >>> I don’t want this text to cause confusing. On the other hand this potential of PAR is way too important to not mention it at all. What about moving it into a special section "redirect_uri management”?
> >>> 
> >>>> 
> >>> 
> >> 
> > 
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org<mailto:OAuth@ietf.org>
> > https://www.ietf.org/mailman/listinfo/oauth
> > 
> > 
> > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.