Re: [OAUTH-WG] updated Distributed OAuth ID

n-sakimura <n-sakimura@nri.co.jp> Fri, 20 July 2018 08:33 UTC

Return-Path: <n-sakimura@nri.co.jp>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A3B130E98 for <oauth@ietfa.amsl.com>; Fri, 20 Jul 2018 01:33:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.789
X-Spam-Level:
X-Spam-Status: No, score=-1.789 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIM_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nri365.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qZxzA6trAssc for <oauth@ietfa.amsl.com>; Fri, 20 Jul 2018 01:33:28 -0700 (PDT)
Received: from nrifs01.index.or.jp (nrigw01.index.or.jp [133.250.250.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DA10131074 for <oauth@ietf.org>; Fri, 20 Jul 2018 01:33:24 -0700 (PDT)
Received: from nrimmfm052.index.or.jp (unknown [172.19.246.144]) by nrifs01.index.or.jp (Postfix) with ESMTP id 44E7A77EF5; Fri, 20 Jul 2018 17:33:24 +0900 (JST)
Received: from index.or.jp (unknown [172.19.246.151]) by nrimmfm052.index.or.jp (Postfix) with ESMTP id DF90D4E0046; Fri, 20 Jul 2018 17:33:23 +0900 (JST)
Received: from nriea04.index.or.jp (localhost.localdomain [127.0.0.1]) by pps.mf051 (8.15.0.59/8.15.0.59) with SMTP id w6K8XNGF030647; Fri, 20 Jul 2018 17:33:23 +0900
Received: from nrims00a.nri.co.jp ([192.50.135.11]) by nriea04.index.or.jp with ESMTP id w6K8XN37030646; Fri, 20 Jul 2018 17:33:23 +0900
Received: from nrims00a.nri.co.jp (localhost.localdomain [127.0.0.1]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id w6K8XNO8043259; Fri, 20 Jul 2018 17:33:23 +0900
Received: (from mailnull@localhost) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.0/Submit) id w6K8XN8B043256; Fri, 20 Jul 2018 17:33:23 +0900
X-Authentication-Warning: nrims00a.nri.co.jp: mailnull set sender to n-sakimura@nri.co.jp using -f
Received: from nrizmf13.index.or.jp ([172.100.25.22]) by nrims00a.nri.co.jp (Switch-3.3.4/Switch-3.3.4) with ESMTP id w6K8XNZT043252; Fri, 20 Jul 2018 17:33:23 +0900
Received: from CUEXE02PA.cu.nri.co.jp (192.51.23.32) by CUEXM01SA.cu.nri.co.jp (172.59.253.43) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 20 Jul 2018 17:33:22 +0900
Received: from APC01-PU1-obe.outbound.protection.outlook.com (65.55.88.23) by ex.nri.co.jp (192.51.23.33) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 20 Jul 2018 17:33:21 +0900
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nri365.onmicrosoft.com; s=selector1-cu-nri-co-jp; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=K0L/aCZd56GJif8ehop6zKo2omvRi/AQ9oBu3QjypfQ=; b=SzAN+Swk4mPR+kV4tG3Ju7Y4wSZqsJ3K/dP/S246HVlV6YgNdlBoP8lh3OM5M3+oJNVd9BiiWtMEvTQiI6nAD9KE9tuxLKcuCXF8RiQTQOMnFXjPe2nnHP22Eayh6JhCwdu9Y9E5AZdxgj0kbBgnFqS+WRsMnYCgjZOClu83JVQ=
Received: from TY2PR01MB2297.jpnprd01.prod.outlook.com (52.133.184.14) by TY2PR01MB3227.jpnprd01.prod.outlook.com (20.177.100.75) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.973.20; Fri, 20 Jul 2018 08:33:19 +0000
Received: from TY2PR01MB2297.jpnprd01.prod.outlook.com ([fe80::a80c:6cfe:7925:86f4]) by TY2PR01MB2297.jpnprd01.prod.outlook.com ([fe80::a80c:6cfe:7925:86f4%2]) with mapi id 15.20.0952.022; Fri, 20 Jul 2018 08:33:19 +0000
From: n-sakimura <n-sakimura@nri.co.jp>
To: David Waite <david@alkaline-solutions.com>, Dick Hardt <dick.hardt@gmail.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] updated Distributed OAuth ID
Thread-Index: AQHUAoOaSSHKxrUFgUqarOSvA9w6jaSWZocAgAGYHwA=
Date: Fri, 20 Jul 2018 08:33:19 +0000
Message-ID: <TY2PR01MB2297DBA5677C67441221DF54F9510@TY2PR01MB2297.jpnprd01.prod.outlook.com>
References: <CAD9ie-sW7EbfuJWc8_fkLO0wGg9kd0VR=xuO346yOoMK8ZGiyQ@mail.gmail.com> <1AD25F21-4F76-41CA-96E8-6E09373D04E8@alkaline-solutions.com>
In-Reply-To: <1AD25F21-4F76-41CA-96E8-6E09373D04E8@alkaline-solutions.com>
Accept-Language: ja-JP, en-US
Content-Language: ja-JP
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailadviser: 20170719
authentication-results: spf=none (sender IP is ) smtp.mailfrom=n-sakimura@cu.nri.co.jp;
x-originating-ip: [133.250.250.4]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; TY2PR01MB3227; 6:Gzd21+oGyg69KY8HPPa2JXucFq6dlTBvfHdwHctrDuWf7sZFif5otVz3BmCQtkDCU9mmdqOjcOPFUc3P9im1kOiHWXhe4WdjLaK1t4Q/QGONorFhZhyDYcVhZG5E8p3HoYCox7EPfjow4krNHrmtv6Gzt4BHl+utli8zQpHpUm2psNW2b2pOhhbYObyZjtLmStS9bmOlnUGWLyrAU6M9slMP4waxgHOWyprffz8KutIcM4McDFtgAaDZkUibhnArnn+qTtUvUTRGUFLThSi3Es/NA3RRb5fREWW4c97DSS6pfO0UJzJiBxuai7vfMN9IQV/QJkv8hS2VKyOUkKRwBlTIoL5miMmF7n+zrNRuPos1rYDmzhaR4mvwcWwibRSvWnrdD8t7sbHDLyVeW1kXxXkHBkfQtXPaDgK5yUpDrzYXCVmCeJgsdW0coZmkbxyq25HQ09etjeIVjMZnPGnsOA==; 5:5YndP8kQZRatVDOt+LjLfgkruYxKegrxKmcl0e2Kou8IIS5ukI+hKQyT8YAiVhP0wJcqjsb+Fkg4HQUrxgru7r3FZrdL1gNAVU9wMk4jwR/r010f14G25GC3JfRx9y0efHs7szk5yoEzNNrWDCjn7qtV6YvUXDMeNJ6ncyj+7Bk=; 7:+EKFfiyq+pgNLJioCNVBTIal6LvXN/raxC19k0M8sPmGl+A9OxjE0mvYUCxatUxH41Yr3tpBOvZJ1L0hsaWW2TFpvcjxxb8cW93W2k1FTkf99biydwzJs7S/Px/8oLbOuVc/AavSzrzSXs+kTPcmedfzI6viKItakzRjcCOi+qMSm1bB6BTx5oBZBNWxf8Fzz3VjRQgWiUv7oIm02xaccWmNfiYkezsVHhgsln5Qf066SIJqHWAfuX8tiQBqo/We
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 7ae9f7b4-dcbd-4329-82e8-08d5ee1b72a6
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652040)(7021125)(8989117)(5600053)(711020)(4534165)(7022125)(4603075)(4627221)(201702281549075)(8990107)(7048125)(7024125)(7027125)(7028125)(7023125)(2017052603328)(7153060)(7193020); SRVR:TY2PR01MB3227;
x-ms-traffictypediagnostic: TY2PR01MB3227:
x-microsoft-antispam-prvs: <TY2PR01MB3227DF821C5AA6A4EF2A0447F9510@TY2PR01MB3227.jpnprd01.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(120809045254105)(85827821059158)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231311)(944501410)(52105095)(3002001)(93006095)(93001095)(10201501046)(149027)(150027)(6041310)(20161123564045)(2016111802025)(20161123558120)(20161123560045)(20161123562045)(6043046)(6072148)(201708071742011)(7699016); SRVR:TY2PR01MB3227; BCL:0; PCL:0; RULEID:; SRVR:TY2PR01MB3227;
x-forefront-prvs: 073966E86B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(366004)(39840400004)(136003)(376002)(199004)(189003)(51914003)(25786009)(2900100001)(4326008)(2420400007)(8936002)(15650500001)(3846002)(790700001)(6116002)(105586002)(6246003)(81156014)(106356001)(8676002)(81166006)(256004)(11346002)(7736002)(476003)(14444005)(19609705001)(486006)(2906002)(5660300001)(74316002)(10710500007)(39060400002)(53936002)(229853002)(9686003)(6306002)(236005)(5250100002)(6436002)(54896002)(86362001)(99286004)(316002)(55016002)(966005)(33656002)(110136005)(14454004)(66066001)(478600001)(26005)(102836004)(186003)(7696005)(446003)(53546011)(76176011)(6506007)(97736004)(68736007)(7110500001)(9326002)(606006)(74482002); DIR:OUT; SFP:1102; SCL:1; SRVR:TY2PR01MB3227; H:TY2PR01MB2297.jpnprd01.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:0; MX:1;
received-spf: None (protection.outlook.com: cu.nri.co.jp does not designate permitted sender hosts)
x-microsoft-antispam-message-info: eyWs1qYBXDUkUNWK1iITK2Q092uCkRWvOXI16pfvJ0xl5UYZzQ0UXUmN2eWWn5OEonA8M5blwxWHCrvuWzharv3Z7MjdTErrok+Ft7lW75utvLdE54GJeLADxeCSohi1FC5QT3svmJ8ZWtUsuKI9AmtnHfGowSQQZ6DAagolaViTyrvj/1tdMjuQHEtheF+6DHU6kKPUIOWSP5KLZ0deQ+5asAGdaulW3d5q/+UG+r3MTv6BDniaKpv+NZPoV+pVwO48bpfamVfr54QxtCCqAUzHZWUUKKZN216FkJCxU7DfQk++XqU+5gYk7/YVlLMsPxp194krorkNrv9nzBTIeiq+80HqI9qr9QmLAd9ZYbE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_TY2PR01MB2297DBA5677C67441221DF54F9510TY2PR01MB2297jpnp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 7ae9f7b4-dcbd-4329-82e8-08d5ee1b72a6
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jul 2018 08:33:19.7367 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: e3e360d9-7e7f-48d5-ac33-3c5de61f0a75
X-MS-Exchange-Transport-CrossTenantHeadersStamped: TY2PR01MB3227
X-OrganizationHeadersPreserved: TY2PR01MB3227.jpnprd01.prod.outlook.com
X-CrossPremisesHeadersPromoted: CUEXE02PA.cu.nri.co.jp
X-CrossPremisesHeadersFiltered: CUEXE02PA.cu.nri.co.jp
X-OriginatorOrg: cu.nri.co.jp
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LGOi6MfxrCGYn7brM9WfLjAPlK4>
Subject: Re: [OAUTH-WG] updated Distributed OAuth ID
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 08:33:32 -0000

Hi David,

Thanks for the comment, and sorry for the delay in my reply.

Doing it with Web Linking [RFC8288]  has several advantages.


  1.  It is standard based ☺ It is just a matter of registering link relations to the IANA Link Relation Type Registry, and it is quite widely used.
  2.  No or very little coding needed: Other than adding some HTTP server configuration, the rest stays the same as RFC6750.
  3.  Standard interface: this kind of metadata is applicable not only for letting the client find the appropriate authorization server but for other metadata as well. Also, other endpoints as long as it is supporting the direct communication with the client, can provide relevant metadata with it without going through the client authorization.

I did not quite follow why CORS is relevant here. We are just talking about the client to server communication, and there are no embedded resources in the response. Could you kindly elaborate a little, please?

For the second point, since it was discussed in the WG meeting yesterday, I will defer to that discussion.

Best,

Nat Sakimura


From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of David Waite
Sent: Thursday, July 19, 2018 4:55 PM
To: Dick Hardt <dick.hardt@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] updated Distributed OAuth ID

Four comments.

First: What is the rationale for including the parameters as Link headers rather than part of the WWW-Authenticate challenge, e.g.:

WWW-Authenticate: Bearer realm="example_realm",
                             scope="example_scope",
                             error=“invalid_token",
    resource_uri="https://api.example.com/resource"urce",
    oauth_server_metadata_uris="https://as.example.com/.well-known/oauth-authorization-server https://different-as.example.com/.well-known/oauth-authorization-server"

My understanding is that the RFC6750 auth-params are extensible (but not currently part of any managed registry.)

One reason to go with this vs Link headers is CORS policy - exposing Link headers to a remote client must be done all or nothing as part of the CORS policy, and can’t be limited by the kind of link.

Second: (retaining link format) Is there a reason the metadata location is specified the way it is? It seems like

<https://as.example.com/.well-known/oauth-authorization-server>; rel=“oauth_server_metadata_uri"

should be

<https://as.example.com>; rel=“oauth_issuer"

OAuth defines the location of metadata under the .well-known endpoint as a MUST. An extension of OAuth may choose from at least three different methods for handling extensions beyond this:
1. Add additional keys to the oauth-authorization-server metadata
2. Add additional resources to .well-known for clients to supporting their extensions to attempt to resolve, treating ‘regular’ OAuth as a fallback.
3. Define their own parameter, such as rel=“specialauth_issuer”, potentially using a different mechanism for specifying metadata

Given all this, it seems appropriate to only support specifying of metadata-supplying issuers, not metadata uris.

Third: I have doubts of the usefulness of resource_uri in parallel to both the client requested URI and the Authorization “realm” parameter.

As currently defined, the client would be the one enforcing (or possibly ignoring) static policy around resource URIs - that a resource URI is arbitrary except in that it must match the host (and scheme/port?) of the requested URI. The information on the requested URI by the client is not shared between the client and AS for it to do its own policy verification. It would seem better to send the client origin to the AS for it to do (potential) policy verification, rather than relying on clients to implement it for them based on static spec policy.

The name “resource URI” is also confusing, as I would expect it to be the URI that was requested by the client. The purpose of this parameter is a bit confusing, as it is only defined as “An OAuth 2.0 Resource Endpoint specified in [RFC6750] section 3.2 - where the term doesn’t appear in 6750 and there does not appear to be a section 3.2 ;-)

It seems that:
a. If the resource_uri is a direct match for the URI requested for the client, it is redundant and should be dropped
    (If the resource URI is *not* a direct match with the URI of the resource requested by the client, it might need a better name).
b. If the resource URI is meant to provide a certain arbitrary grouping for applying tokens within the origin of the resource server, what is its value over the preexisting “ realm” parameter?
c. If the resource URI is meant to provide a way for an AS to allow resources to be independent, identified entities on a single origin - I’m unsure how a client would understand it is meant to treat these resource URIs as independent entities (e.g. be sure not to send bearer tokens minted for resource /entity1 to /entity2, or for that matter prevent /entity1 from requesting tokens for /entity2).

Admittedly based on not fully understanding the purpose of this parameter, it seems to me there exists a simpler flow which better leverages the existing Authentication mechanism of HTTP.

A request would fail due to an invalid or missing token for the realm at the origin, and and the client would make a request to the issuer including the origin of the requested resource as a parameter. Any other included parameters specified by the WWW-Authenticate challenge understood by the client (such as “scope”) would also be applied to this request.

Normal authorization grant flow would then happen (as this is the only grant type supported by RFC6750). Once the access token is acquired by the client, the client associates that token with the “realm” parameter given in the initial challenge by the resource server origin. Likewise, the ‘aud’ of the token as returned by a token introspection process would be the origin of the resource server.

It seems any more complicated protected resource groupings on a resource server would need a client to understand the structure of the resource server, and thus fetch some sort of resource server metadata.

Fourth and finally: Is the intention to eventually recommend token binding here? Token binding as a requirement across clients, resources, and the authorization servers would isolate tokens to only being consumed within an origin. This would actually make redundant/supplemental the AS additions defined within this spec (resource/origin request parameter, ‘aud’ introspection response member)

-DW


On Jun 12, 2018, at 1:28 PM, Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:

Hey OAuth WG

I have worked with Nat and Brian to merge our concepts and those are captured in the updated draft.

https://datatracker.ietf.org/doc/draft-hardt-oauth-distributed/

We are hopeful the WG will adopt this draft as a WG document.

Any comments and feedback are welcome!

/Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth