Re: [OAUTH-WG] Client authentication on token revocation

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 20 August 2020 10:52 UTC

From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <CAGXsc+Z6rYsktb+bokg6i2myG_FB4cWHrfX5+d6bQW+LcWg=ig@mail.gmail.com>
Date: Thu, 20 Aug 2020 12:52:19 +0200
Cc: oauth <oauth@ietf.org>
Message-Id: <46A7D36F-C999-4CA5-AA7F-F955316C4855@lodderstedt.net>
References: <CAGXsc+Z6rYsktb+bokg6i2myG_FB4cWHrfX5+d6bQW+LcWg=ig@mail.gmail.com>
To: Emond Papegaaij <emond.papegaaij@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NVZ_ySeQyLZlCy6JbTwzdBuskaw>
Subject: Re: [OAUTH-WG] Client authentication on token revocation

Hi Emond, 

I tend to agree with your assessment. Revoking bearer tokens without client authentication seems to be better than leaving the attacker the option to use them to invoke resources. 

However, if the attacker cannot use the access tokens (e.g. because they are sender-constrained), the attacker could revoke tokens issued to a confidential client as a kind of DoS attack.

best regards,
Torsten. 

> On 20. Aug 2020, at 11:02, Emond Papegaaij <emond.papegaaij@gmail.com> wrote:
> 
> Hi all,
> 
> We are currently implementing the token revocation endpoint (RFC 7009)
> on our authorization server and do not understand why it requires
> client authentication. When a party (a valid client or not) gets hold
> of a valid access token in whatever way, the least damaging thing it
> could do with it is to revoke it. The current spec allows an attacker
> to misuse this token for access to the resource server, but forbids it
> from revoking it. This seems strange to me.
> 
> Section 5 of RFC 7009 does not help in this either. It starts to
> explain that this authentication is needed to prevent malicious
> clients from guessing tokens, but ends with the fact that if this were
> possible, much worse damage could be done by using the guessed token
> on the resource server. We plan to skip the authentication altogether
> together and simply revoke any valid token presented. How would you
> recommend we deal with this?
> 
> Best regards,
> Emond Papegaaij
> Topicus KeyHub
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
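The trade-off the two messages above describe, worked through as an added example that is not code from the thread or from Topicus KeyHub: a toy RFC 7009 revocation endpoint that can run either with the client authentication and ownership check the RFC requires, or with the relaxed "revoke any valid token presented" policy. The client registry, token values and key thumbprints are constructed for the demonstration, and the error code returned when a token belongs to a different client is an implementation choice (RFC 7009 only says the request is refused, pointing at the RFC 6749 error codes).

```python
"""
Toy RFC 7009 revocation endpoint comparing the two policies discussed in the
thread. Added example; not code from the thread or from Topicus KeyHub.
Clients, tokens and thumbprints are constructed for the demonstration.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed client registry: one confidential client, one public client.
CLIENTS = {
    "web-app": {"confidential": True, "secret": "web-app-secret"},
    "mobile-app": {"confidential": False, "secret": None},
}


@dataclass
class Token:
    client_id: str
    # Thumbprint of the key the token is bound to (mTLS / DPoP style binding);
    # None means a plain bearer token usable by whoever holds it.
    cnf_thumbprint: Optional[str] = None
    revoked: bool = False


def fresh_store():
    """Constructed token table; the keys stand in for opaque token strings."""
    return {
        "bearer-web": Token(client_id="web-app"),
        "bound-web": Token(client_id="web-app", cnf_thumbprint="thumb-web"),
        "bearer-mobile": Token(client_id="mobile-app"),
    }


def authenticate_client(client_id, client_secret):
    """Confidential clients must authenticate; public clients only identify
    themselves. Returns the client record, or None if authentication fails."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if client["confidential"]:
        if client_secret is None or not hmac.compare_digest(client["secret"], client_secret):
            return None
    return client


def revoke(store, token, client_id=None, client_secret=None, require_client_auth=True):
    """Return (http_status, json_body) for one revocation request.

    require_client_auth=True follows RFC 7009 section 2.1: authenticate the
    client, then refuse unless the token was issued to that client. Unknown
    tokens still get 200 (section 2.2), so the endpoint does not confirm
    which token values exist.
    require_client_auth=False is the relaxed policy from the thread: any
    valid token presented is revoked, no matter who presents it.
    """
    entry = store.get(token)
    if require_client_auth:
        if authenticate_client(client_id, client_secret) is None:
            return 401, {"error": "invalid_client"}
        if entry is not None and entry.client_id != client_id:
            # RFC 7009 says the request is refused; the specific error code
            # is this example's choice from the RFC 6749 section 5.2 list.
            return 400, {"error": "unauthorized_client"}
    if entry is not None:
        entry.revoked = True
    return 200, {}


def resource_server_accepts(store, token, presented_thumbprint=None):
    """Resource-server view: a bearer token works for whoever holds it; a
    sender-constrained token also needs proof of possession of the bound key."""
    entry = store.get(token)
    if entry is None or entry.revoked:
        return False
    if entry.cnf_thumbprint is None:
        return True
    return presented_thumbprint == entry.cnf_thumbprint


def attacker_outcomes(require_client_auth):
    """An attacker who copied token values issued to the confidential client
    'web-app' but holds neither its client secret nor its private key."""
    store = fresh_store()
    can_use_bearer = resource_server_accepts(store, "bearer-web")
    can_use_bound = resource_server_accepts(store, "bound-web")
    # Attacker calls the revocation endpoint with no client credentials.
    revoke(store, "bearer-web", require_client_auth=require_client_auth)
    revoke(store, "bound-web", require_client_auth=require_client_auth)
    return {
        "can_use_bearer": can_use_bearer,
        "can_use_bound": can_use_bound,
        "revoked_bearer": store["bearer-web"].revoked,
        "revoked_bound": store["bound-web"].revoked,
    }


if __name__ == "__main__":
    print("RFC 7009 policy:", attacker_outcomes(require_client_auth=True))
    print("relaxed policy: ", attacker_outcomes(require_client_auth=False))
```

Under the RFC 7009 policy the attacker can use the stolen bearer token but cannot revoke it (Emond's objection); under the relaxed policy the attacker can revoke both tokens, including the sender-constrained one it could never have used at the resource server (Torsten's DoS caveat). A deployment that only issues bearer tokens loses little by relaxing the check; one that relies on sender-constrained tokens for confidential clients hands an unauthenticated caller a way to invalidate those clients' sessions.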