Re: [OAUTH-WG] draft-fett-oauth-dpop-01 implementation feedback
Brian Campbell <bcampbell@pingidentity.com> Sun, 05 May 2019 12:56 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08DBA12014D for <oauth@ietfa.amsl.com>; Sun, 5 May 2019 05:56:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q3ire1gY8wLs for <oauth@ietfa.amsl.com>; Sun, 5 May 2019 05:56:09 -0700 (PDT)
Received: from mail-io1-xd2c.google.com (mail-io1-xd2c.google.com [IPv6:2607:f8b0:4864:20::d2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0979412014C for <oauth@ietf.org>; Sun, 5 May 2019 05:56:09 -0700 (PDT)
Received: by mail-io1-xd2c.google.com with SMTP id m9so8937449iok.7 for <oauth@ietf.org>; Sun, 05 May 2019 05:56:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CXjHTs4qQuv6qOYdU7QGjJvSUO0BhruYSRx4vJqGD64=; b=pY6LaQkvG9VtbBnUPUuHYQoLtvq1MKigCgi/I/ZyXoZqL0Y7OeVzqlHNp9Sw57NspV yzem0DhJOsLRTZhdQQeHxruNJ9nritRlzsIQBumD5aUc7oxN3ZP0Ems75rlmQq9nwKRn 0svCPi1w3AQENieHey7HqaGyptBW54+5lkZlk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CXjHTs4qQuv6qOYdU7QGjJvSUO0BhruYSRx4vJqGD64=; b=LObHD44uQZW4zSzuQ5URzylHwlKChP41Ae/p5RsrEnphHmaMaDdG1nVd4Dgwc8n5Sb WfINb3HUqUQsQzo5x7Jilxg21Wi0JK7QxvHzelJwiG1uD4iu2n4wjbc3/rx4ab2s0j7o xaolvXcd6c5OMCh/Q/me+nzkmifDaWl+f0VIHY7/sEmB/80ITgEmTAV7nt5V9L8bW1+B d7WyKkOnMwAhmCVDnpln3OLI4sfayi3bLL+CvTpRw4rhhR6CFNPKjzN3+Sn6XA+MfSyA Fj51YBSlnh9h5PzYnSRAzoYflZuPiA2tLp8ASaIRhMi1qvN9YuFNdRYqJ6UX2pSX+cWX UmrA==
X-Gm-Message-State: APjAAAVE4B2Yb3RJKD8aUckmnbcF5b9hWgOtoN/0oAZnfiPUjDYDh/eX J/4gfHuBm0z/IQUfNJIXpmZECpE4hSIGJOvTp/b9EKglAf1sljbdzV5HAEGjI9b+SsVGCbB89bY YXzSL8spu2GCaUw==
X-Google-Smtp-Source: APXvYqxgy793e72X/Kyb3h1rKwuoNfqr01mfbuZGXfIrL0Lm749J1N359po+qBce9osyUlcaLK9JwGviVrc5RM2BqaI=
X-Received: by 2002:a5d:948d:: with SMTP id v13mr14108262ioj.59.1557060968159; Sun, 05 May 2019 05:56:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAMDeyhy=YCSm3su6t7wxWS-hgYm27_pDDj5UArMhXhTXMMWw9w@mail.gmail.com>
In-Reply-To: <CAMDeyhy=YCSm3su6t7wxWS-hgYm27_pDDj5UArMhXhTXMMWw9w@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Sun, 05 May 2019 06:55:41 -0600
Message-ID: <CA+k3eCRG+kcSYcw7h5GPsAhGL2sYFmOTkyMM3M+YOXJvwpB1_Q@mail.gmail.com>
To: Paul Querna <pquerna@apache.org>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6b5e10588238160"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/K_z5tvcYqOLI-wsW2BoO7bDy3KU>
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-01 implementation feedback
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 May 2019 12:56:13 -0000
On Thu, May 2, 2019 at 12:33 AM Paul Querna <pquerna@apache.org> wrote: > Overall the spec felt functional, though I think the biggest gaps for > a deployment are with the Access Token interactions, but this makes > sense since that seems to be addressed in the future by > <https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-00> > This DPoP document should aspire to provide sufficient info on access token interactions so as not to have any dependency on draft-ietf-oauth-access-token-jwt. And I sorta doubt that PoP style tokens will be in scope for draft-ietf-oauth-access-token-jwt at all. Sections 6[a] and 8[b] of DPoP aim to define access token usage. Is there specific content that you feel is missing in the draft? [a] https://tools.ietf.org/html/draft-fett-oauth-dpop-01#section-6 [b] https://tools.ietf.org/html/draft-fett-oauth-dpop-01#section-8 > Is there a use case for this being present in the DPoP-Proof JWT? As > I've implemented DPoP, I didn't see how it was helpful to be sent as a > `cnf` claim of the Proof? > As David alluded to in his reply yesterday, this is an area that is likely to see some changes in the next revision of the draft - like doing away with the distinction between binding and proof, moving the proof key out of the JWT and less inappropriate use of the `cnf` claim. But in the -01 draft the key is included with the access token via the `cnf` claim and you're right that it's not particularly helpful to have it also sent with the Proof. > Request Headers vs Parameters > > 5. Token Request (Binding Tokens to a Public Key) > > Placing the DPoP Binding JWT in the HTTP Header `DPoP-Binding` is > different than most other OAuth extensions that I am familiar with. > It is easy in the Go OAuth2 library to add URL / /body params to the > `/token` endpoint, but it is impossible to add an HTTP Header. Is > there a reason that the binding can't be sent as an OAuth Parameter in > the token request body? > Also as David alluded to in his reply yesterday, there's a goal to have the proof mechanism be the same for accessing the token endpoint as when accessing resources. And using application/x-www-form-urlencoded parameters for resource access is problematic for a litany of reasons. HTTP Request signing may be a quagmire that this spec wishes to avoid, > Very much so, yes. [snip] I'm not sure where the spec-author team wants to take this area, but > am interested in providing feedback. > Somehow cleanly allowing for it by extension would be nice from the perspective of this document. But full treatment of HTTP signing is explicitly a non-goal of the DPoP draft with the intent that it have only a minimal set of stuff that's signed so as to facilitate the proof-of-possession. JWT as AT > > 7. IANA Considerations > > > > [[TODO: MIME type registration for at+jwt ]] > > Assume this will eventually be done via > <https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-00> > That's already where it is, no? Thank you for the work so far, and I'm happy to provide further > feedback as the spec evolves. > Thanks Paul, it's just a -01 version of an individual draft at this point (with all the authority thereby bestowed on it <https://tools.ietf.org/html/draft-abr-twitter-reply-00>) but your participation would certainly be appreciated as the spec evolves and if it's something the working group decides to pick up as a working group item. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] draft-fett-oauth-dpop-01 implementatio… Paul Querna
- Re: [OAUTH-WG] draft-fett-oauth-dpop-01 implement… Benjamin Kaduk
- Re: [OAUTH-WG] draft-fett-oauth-dpop-01 implement… David Waite
- Re: [OAUTH-WG] draft-fett-oauth-dpop-01 implement… Brian Campbell