Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 28 August 2019 08:48 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04607120072 for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2019 01:48:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRGB5ljH7NQm for <oauth@ietfa.amsl.com>; Wed, 28 Aug 2019 01:48:26 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.18.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9E8612002F for <oauth@ietf.org>; Wed, 28 Aug 2019 01:48:26 -0700 (PDT)
Received: from [91.13.158.20] (helo=[192.168.71.123]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <torsten@lodderstedt.net>) id 1i2tct-0005Kg-Rh; Wed, 28 Aug 2019 10:48:23 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <674CC181-FE18-4BED-83DC-916EF86E7AA8@lodderstedt.net>
Content-Type: multipart/signed; boundary="Apple-Mail=_7627747C-7517-4A1E-904F-955B69BDCA24"; protocol="application/pkcs7-signature"; micalg=sha-256
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 28 Aug 2019 10:48:23 +0200
In-Reply-To: <CALAqi_-Ku6Hh3DQDXGR+83Q8jofMzVBcW=7GUnFFzsoG+Ka_1g@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, Nat Sakimura <nat.sakimura@oidf.org>, John Bradley <ve7jtb@ve7jtb.com>
To: Filip Skokan <panva.ip@gmail.com>
References: <CALAqi_-Ku6Hh3DQDXGR+83Q8jofMzVBcW=7GUnFFzsoG+Ka_1g@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/N3vxtrefaYRcos-l80bvSljX35w>
Subject: Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Aug 2019 08:48:29 -0000

Hi Filip,

In my understanding, duplication of request parameters outside of the request object was necessary in the OIDC variant in order to retain OAuth compliance. JAR as an OAuth extension will not require the client to duplicate OAuth request parameters outside of the request object.  

There might potentially be reasons for merging (different) URI request parameters with parameters passed in the request object in cases where long living request objects are used.  

kind regards,
Torsten. 

> On 27. Aug 2019, at 13:46, Filip Skokan <panva.ip@gmail.com> wrote:
> 
> Hello everyone,
> 
> in an earlier thread I've posed the following question that might have gotten missed, this might have consequences for the existing implementations of Request Objects in OIDC implementations - its making pure JAR requests incompatible with OIDC Core implementations.
> 
> draft 14 of jwsreq (JAR) introduced this language
> 
> The client MAY send the parameters included in the request object
> duplicated in the query parameters as well for the backward
> compatibility etc.  However, the authorization server supporting this
> specification MUST only use the parameters included in the request
> object. 
> 
> Server MUST only use the parameters in the Request Object even if the
> same parameter is provided in the query parameter.  The Authorization
> 
> The client MAY send the parameters included in the request object
> duplicated in the query parameters as well for the backward
> compatibility etc.  However, the authorization server supporting this
> specification MUST only use the parameters included in the request
> object. 
> 
> Nat, John, everyone - does this mean a JAR compliant AS ignores everything outside of the request object while OIDC Request Object one merges the two with the ones in the request object being used over ones that are sent in clear? The OIDC language also includes sections which make sure that some required arguments are still passed outside of the request object with the same value to make sure the request is "valid" OAuth 2.0 request (client_id, response_type), something which an example in the JAR spec does not do. Not having this language means that existing authorization request pipelines can't simply be extended with e.g. a middleware, they need to branch their codepaths.
> 
> Is an AS required to choose which of the two it follows?
> 
> Thank you for clarifying this in advance. I think if either the behaviour is the same as in OIDC or different this should be called out in the language to avoid confusion, especially since this already exists in OIDC and likely isn't going to be read in isolation, especially because the Request Object is even called out to be already in place in OIDC in the JAR draft.
> 
> Best,
> Filip
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth