[OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

Brian Campbell <bcampbell@pingidentity.com> Wed, 22 July 2020 15:37 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Jul 2020 09:36:59 -0600
Message-ID: <CA+k3eCRa9gMimtJ3917GaJPdTQGdCBskLEim0kVeh-qeB8EszQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000043fd6205ab098497"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KIB4aMt5ecDCqMfDQHax2ZsFhVs>
Subject: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

The TL;DR here is a somewhat tentative suggestion that a brief security
consideration be added to
https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that prohibits
the inclusion of a 'sub' claim containing the client id value in the
request object JWT so as to prevent the request object JWT (which is
exposed to the user agent) from being erroneously accepted as a valid JWT
for client authentication.

Some more details and the discussion that led to this here email can be
found at https://github.com/oauthstuff/draft-oauth-par/issues/41

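The confusion the message describes, as an added example that is not part of the original email, the jwsreq/JAR draft, or the PAR issue thread. It assumes a client using symmetric signing (client_secret_jwt for client authentication and an HS256-signed request object, both under the same client secret), a constructed client_id, secret and AS issuer, and a stdlib-only JWS implementation. It shows that a request object carrying iss=sub=client_id and aud=AS passes an ordinary RFC 7523 client-assertion check once an attacker has captured it from the user agent, then shows the request-object side of the rule the email proposes (reject a 'sub' claim equal to the client_id) and, as an editor's defence-in-depth suggestion rather than anything the draft says, an AS-side check that refuses a client assertion carrying authorization-request parameters as claims.

```python
import base64
import hashlib
import hmac
import json
import time

# All identifiers below are constructed for this example.
AS_ISSUER = "https://as.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-client-secret-for-client_secret_jwt-demo"

# Authorization-request parameters that only a JAR request object carries as claims.
AUTHZ_REQUEST_CLAIMS = {"response_type", "client_id", "redirect_uri", "scope",
                        "state", "code_challenge"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256 (client_secret_jwt / symmetric request-object signing)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims if the HS256 signature verifies, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def _rfc7523_claims_ok(claims: dict, now: float) -> bool:
    """The iss/sub/aud/exp checks an AS applies to a client assertion (RFC 7523 section 3)."""
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == CLIENT_ID and claims.get("sub") == CLIENT_ID
            and AS_ISSUER in aud_list and claims.get("exp", 0) > now)


def naive_client_auth(client_assertion: str, now=None) -> bool:
    """Typical client_secret_jwt check: signature plus iss/sub/aud/exp.
    It has no way to tell a leaked request object from a client assertion."""
    now = time.time() if now is None else now
    try:
        claims = verify_hs256(client_assertion, CLIENT_SECRET)
    except ValueError:
        return False
    return _rfc7523_claims_ok(claims, now)


def hardened_client_auth(client_assertion: str, now=None) -> bool:
    """Editor's defence-in-depth suggestion (not from the draft): a JWT that carries
    authorization-request parameters as claims is a request object, not a client
    assertion, and is refused even when iss/sub/aud/exp all match."""
    now = time.time() if now is None else now
    try:
        claims = verify_hs256(client_assertion, CLIENT_SECRET)
    except ValueError:
        return False
    if AUTHZ_REQUEST_CLAIMS.intersection(claims):
        return False
    return _rfc7523_claims_ok(claims, now)


def validate_request_object(request_object: str) -> bool:
    """Request-object side of the rule proposed for draft-ietf-oauth-jwsreq:
    a request object whose 'sub' claim carries the client_id is rejected."""
    try:
        claims = verify_hs256(request_object, CLIENT_SECRET)
    except ValueError:
        return False
    if claims.get("sub") == CLIENT_ID:
        return False
    return claims.get("client_id") == CLIENT_ID and claims.get("iss") == CLIENT_ID \
        and claims.get("aud") == AS_ISSUER


def make_request_object(with_sub: bool, now=None) -> str:
    """A JAR request object as a client might sign it. It travels through the browser
    in the authorization request, so anyone on that path can capture and replay it."""
    now = time.time() if now is None else now
    claims = {"iss": CLIENT_ID, "aud": AS_ISSUER, "exp": int(now) + 300,
              "client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": "https://client.example.org/cb", "scope": "openid",
              "state": "af0ifjsldkj"}
    if with_sub:
        claims["sub"] = CLIENT_ID  # the claim the proposed security consideration prohibits
    return sign_hs256(claims, CLIENT_SECRET)


def make_client_assertion(now=None) -> str:
    """A legitimate client_secret_jwt assertion for the token endpoint."""
    now = time.time() if now is None else now
    return sign_hs256({"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": AS_ISSUER,
                       "exp": int(now) + 60, "jti": "constructed-jti-1"}, CLIENT_SECRET)


if __name__ == "__main__":
    leaked = make_request_object(with_sub=True)
    print("naive AS accepts leaked request object as client auth:", naive_client_auth(leaked))
    print("hardened AS accepts it:", hardened_client_auth(leaked))
    print("request object with sub=client_id passes JAR validation:", validate_request_object(leaked))
    print("genuine assertion passes hardened check:", hardened_client_auth(make_client_assertion()))
```

With the proposed rule in place the two validators become disjoint on the 'sub' claim: a client assertion must carry sub=client_id and a request object must not, so a captured request object can never satisfy the token endpoint's client-authentication check even at an AS that does nothing beyond RFC 7523. The claim-shape check in hardened_client_auth is a second, independent line of defence for the AS and covers request objects issued before clients adopt the rule.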