Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
Brian Campbell <bcampbell@pingidentity.com> Fri, 01 February 2019 23:16 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBCA7130EEB for <oauth@ietfa.amsl.com>; Fri, 1 Feb 2019 15:16:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQAKjQW_Rwyq for <oauth@ietfa.amsl.com>; Fri, 1 Feb 2019 15:16:47 -0800 (PST)
Received: from mail-it1-x12e.google.com (mail-it1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32618130DFA for <oauth@ietf.org>; Fri, 1 Feb 2019 15:16:47 -0800 (PST)
Received: by mail-it1-x12e.google.com with SMTP id c9so12428976itj.1 for <oauth@ietf.org>; Fri, 01 Feb 2019 15:16:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1aJqNyGPAXpvkC0oDjCaLZNMveJkbkwqpI/wp+9a5a4=; b=d004ofxoJiYyT8poSNEynnoHpYf3S8SgAcwhvgEMG6iPMYMpP7amJk1NujtPaaO9O7 Sd8TD/vePMKdOxgikf6Djv5uXuC8EQxW9PcPJuihg6k1xbVmlX8wLDXJOMZf3Dh0Jp88 f+c0vca7Se+cWqta/IVMM3uBDRCWZWzNUw93I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1aJqNyGPAXpvkC0oDjCaLZNMveJkbkwqpI/wp+9a5a4=; b=bJJ8qzLju4ikV6EzsvHAGeUqQaZ11QzS5yo0e31TZ5nN2rCNHB6lY79lOHP04fe7F9 E91k2y8qtCFL3DMpoaKB/MEuzwB85e3mBqGmZN8nvDhXsCXT2R2klhNFhcoefUhneIrz /7qlBr73biobx5gbc5pshM4qBirUlgdHJkhuEYQfXnZ7akMi5yAQRl9rORyMTYosTWXt Ad3LETveZg/ktbGmHGcvvBXY6PkX1vr3pm+O3G7dxIn17nrqYspVo8vK8p+MPsqdTvdW BndKqyjxAL4mvP14qu8gAEkhJ4JztN6RhjkXgfpigMNUa8Oi8RxCroQY+wRbn3NAMsUX M2kQ==
X-Gm-Message-State: AHQUAua9crSpv0bR3fpeZKA1ypB09fcCliwnWqdvw1dSdHsaxD46lxWH OwVRy/Jr78D17yxHbcJUDSxdJj+22/r5fr7Ain+WhTCx/paCVgsimSECAB7789cDzq2qD2pkS9a +8ggS4LUWtTga8A==
X-Google-Smtp-Source: AHgI3IYLaKKpUaerS1EP2Y2bM4smdV0DqqL+iT01M9os2CpS9KVkIA2y/aeVv66q5mnLUwvdb7mNXIB2zRSRFkxTom4=
X-Received: by 2002:a24:3987:: with SMTP id l129mr2871973ita.45.1549063006304; Fri, 01 Feb 2019 15:16:46 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <548FF68E-7775-4FE0-829F-1E9CC6EA8E3F@alkaline-solutions.com> <1119DDAE-8044-43C9-A6D4-6032B3BB62B8@forgerock.com> <9D007408-3BCC-4165-BCA4-083BD7602E7D@alkaline-solutions.com> <CA+k3eCQi1sz2bDOMEATpN9ZvXd+VJydQXG03WKuLczG5kz2z+Q@mail.gmail.com> <CAP-T6TTD-nLGoPHqJ042SzotLorb2mzoWgLxsausWHhRPZr8xA@mail.gmail.com> <CA+k3eCQtgku68usoCFsTeHVnNOLqWs6NweOgpQKsa7_9=wK7Vw@mail.gmail.com> <99d38517-0e25-789f-83ae-9f33e5620475@aol.com> <CA+k3eCQVL4DeRqHWYu6=xXjBK2RnukQ5RxFzRjGZYr4au8bBkQ@mail.gmail.com> <F5841CEA-BA74-4F17-977A-A78922CDC68C@amazon.com>
In-Reply-To: <F5841CEA-BA74-4F17-977A-A78922CDC68C@amazon.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 01 Feb 2019 16:16:19 -0700
Message-ID: <CA+k3eCT+mPu0=9TDKtuVqXy=zStEWTS5aVOsc2TuJcYQ2cvE6A@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Cc: George Fletcher <gffletch@aol.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039d8600580dd56ee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LOY1IlnYfGgT-djhegZcVbBTPfc>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Feb 2019 23:16:50 -0000
It doesn't seem like that confusing or large of a change to me - if the client is doing MTLS and the given endpoint is present in `mtls_endpoints`, then it uses that one. Otherwise it uses the regular endpoint. It gives an AS a lot of flexibility in deployment options. I personally think getting a 307 approach deployed and working would be more complicated and error prone. It is a minority use case at the moment but there are forces in play, like the push for increased security in general and to have javascript clients use the code flow, that suggest it won't be terribly unusual to see an AS that wants to support MTLS clients and javascript/spa clients at the same time. I've personally wavered back and forth in this thread on whether or not to add the new metadata (or something like it). With my reasoning each way kinda explained somewhere back in the 40 or so messages that make up this thread. But it seems like the rough consensus of the group here is in favor of it. On Fri, Feb 1, 2019 at 3:18 PM Richard Backman, Annabelle <richanna= 40amazon.com@dmarc.ietf.org> wrote: > This strikes me as a very prominent and confusing change to support what > seems to be a minority use case. I’m getting a headache just thinking about > the text needed to clarify when the AS should provide `mtls_endpoints` and > when the client should use that versus using `token_endpoint.` Why is the > 307 status code insufficient to cover the case where a single AS supports > both mTLS and non-mTLS? > > > > -- > > Annabelle Richard Backman > > AWS Identity > > > > > > *From: *OAuth <oauth-bounces@ietf.org> on behalf of Brian Campbell > <bcampbell=40pingidentity.com@dmarc.ietf.org> > *Date: *Friday, February 1, 2019 at 1:31 PM > *To: *George Fletcher <gffletch=40aol.com@dmarc.ietf.org> > *Cc: *oauth <oauth@ietf.org> > *Subject: *Re: [OAUTH-WG] MTLS and in-browser clients using the token > endpoint > > > > Yes, that would work. > > > > On Fri, Feb 1, 2019 at 2:28 PM George Fletcher <gffletch= > 40aol.com@dmarc.ietf.org> wrote: > > What if the AS wants to ONLY support MTLS connections. Does it not specify > the optional "mtls_endpoints" and just use the normal metadata values? > > On 1/15/19 8:48 AM, Brian Campbell wrote: > > It would definitely be optional, apologies if that wasn't made clear. It'd > be something to the effect of optional for the AS to include and clients > doing MTLS would use it when present in AS metadata. > > > > On Tue, Jan 15, 2019 at 2:04 AM Dave Tonge <dave.tonge@momentumft.co.uk> > wrote: > > I'm in favour of the `mtls_endpoints` metadata parameter - although it > should be optional. > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf..org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited.. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] MTLS and in-browser clients using the … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … Dave Tonge
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … George Fletcher
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
- Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
- Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
- Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
- Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
- Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Dominick Baier
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell