Re: [OAUTH-WG] Comments on ietf-oauth-dpop
Nicolas Mora <nicolas@babelouest.org> Tue, 22 March 2022 19:03 UTC
Return-Path: <nicolas@babelouest.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6ED273A005F for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2022 12:03:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=babelouest.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Q99ov5uGGIt for <oauth@ietfa.amsl.com>; Tue, 22 Mar 2022 12:03:33 -0700 (PDT)
Received: from perceval.babelouest.org (perceval.babelouest.org [IPv6:2001:41d0:8:bc0f::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3B303A003E for <oauth@ietf.org>; Tue, 22 Mar 2022 12:03:07 -0700 (PDT)
Received: from webmail.babelouest.org (localhost.localdomain [127.0.0.1]) by perceval.babelouest.org (Postfix) with ESMTPA id 6EC5922C5B for <oauth@ietf.org>; Tue, 22 Mar 2022 15:03:04 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=babelouest.org; s=mail; t=1647975784; bh=lhgq6rYlspo+qzFy4Gxpncgt+IfQCUNt+wdfUeptAw0=; h=Date:From:Subject:To:In-Reply-To:References:From; b=O4zzQGhn2B/XKvuQ7eE6ceC5xPgTkOpFK9l3pct/tfPISyCOpHIMFqZFd4022+FVf sLJiVzp2Ojh2DCpcbHkJ9naSnSb/yH9SC+lrmp0nUPJUs7Pcphm4KO6vZb3TrqRU6j ZgWpe995Z6NoNuj2BxKpsLOve5jZSeCaHCD3FZNXkjkSKMH9uHEN2YUjG7PEqLYVxm 9zgDqQul8GoiAmZSmps9f21WF9kyfGbYlKPSxEQxTAmplfDABdLq4V75ICqagJiHSn Vscw5ltcXxoudIR3vifb0rj+ns2T51OGq9710ZmW1ks+ehcDSW5GR3yUJ6I+loNBqI FzP98yDAi0QgQ==
MIME-Version: 1.0
Date: Tue, 22 Mar 2022 19:03:04 +0000
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: RainLoop/1.16.0
From: Nicolas Mora <nicolas@babelouest.org>
Message-ID: <2bb4c1f0ca4ece28fa02fa135311b079@babelouest.org>
To: oauth@ietf.org
In-Reply-To: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com>
References: <CACW8--PoQLzO3TP6Xi7PwY4vWoBHpUwn9Q3hz_3j375pvAo9gw@mail.gmail.com> <CACW8--PPqWp+AMCWTuFT3Q=w6OFpn2xrS=4Cu8oAd8wBEkDNYg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ntm0CpLR588MQXpns39UQU1131Y>
Subject: Re: [OAUTH-WG] Comments on ietf-oauth-dpop
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 19:03:40 -0000
Hello,
I would like to add some minor comments to this draft, based on what I've seen so far.
- Resource Server-Provided Nonce
Since a client may have to add different nonces for different RS in the DPoP token, it would be useful to add the issuer in the RS error response, so the client can differntiate nonces more easily.
There may be different RS using the same domain, the client might not know it, and therefore switch nonces again and again between the RS.
Instead, if the RS error response looks like this, there will be no ambiguity:
HTTP/1.1 400 Bad Request
DPoP-Nonce: eyJ7S_zG.eyJH0-Z.HX4w-7v
{
"error": "use_dpop_nonce",
"error_description":
"Authorization server requires nonce in DPoP proof",
"iss": "https://resource.tld/person/"
}
- iat and not synced servers
In addition to Rohan's question about the reasonable lifetime to expect for a DPoP token, I'm wondering what is reasonable to accept concerning iat in the future, where the client's clock may be out of sync. The paragraph 11.1 says "the server MAY accept DPoP proofs that carry an iat time in the reasonably near future". Could we add what a reasonably near future might be? In my implementation there is no gap allowed, so I'm wondering.
/Nicolas
- [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Nicolas Mora
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Joseph Heenan
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Brian Campbell
- Re: [OAUTH-WG] Comments on ietf-oauth-dpop Rohan Mahy