Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.0 DPoP for the Implicit Flow

Mike Jones <Michael.Jones@microsoft.com> Tue, 10 March 2020 16:21 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 313DC3A14ED for <oauth@ietfa.amsl.com>; Tue, 10 Mar 2020 09:21:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gFeFNbRTVxNt for <oauth@ietfa.amsl.com>; Tue, 10 Mar 2020 09:21:40 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-dm3nam06on0704.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe56::704]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7DDC3A14DE for <oauth@ietf.org>; Tue, 10 Mar 2020 09:21:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nYldZ66n8z4AOlPvQeFc4l+nh8YR18kbI0f+CDNE58aeF8PJmiwmKC1bgLKa+TGj/JKxtolaIh4xm8duxibOZp6EQor2CHgUDu1I0vxzjwSqcb3m73DnFmTNDYIDhDl8YZ0bvny/YYAj9JpCGUciY9Y159dKCKwNQJ1Kqsjw4plw+u4bXvLrrCQ21uH+TxPAjVKfpoxU2PQNdlUMq7CfSVurMW8jb+tQFEjm148x+GsW4ItuwkOm6yJImU4Ylnk2v5AqfaXNdJ5r4qGkJdqt9TJSnAUjfGQCl0hZ4hDSKjdEpMndKTHp4xwd1dL7DbimjRwpARt1B8tjxMYsktG3Nw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=1Xri4qT0llnrZidhQ+IUJ8k/CNzi+0hzIqgeMYuKj3I=; b=fYEBAKdAFSr1XU9mRgODs3wMFzIyByR1mdfI00UqeyJ3dYlIZYddbnFD1lCW1h5nwuiNjM4EfzWsvsQZWjJbqazSwjuoCB7rgEOHArKn49/lOTnYDJNDZ8EVmlQNuV13MSqLKCbCyk1jbGTlE0BLb4CpeHzLq+RK0pXt/5NBwJNEhmhLj8GM7wi0p/aGNYeqLNAY0DM74Mf3j8WIi3Bzl3VVULRmZ/ZeNnQq7wFLUpXBgZt9jth4pURDtjV42tjfW9txkZ/k9rKx+HolsmrlVrEDTZbiR9oM/jCivaOQUBTNkFwLbYq9fb/FBXNbk437htcmAIlupGK+o2QcFGAfhQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=1Xri4qT0llnrZidhQ+IUJ8k/CNzi+0hzIqgeMYuKj3I=; b=ffR/OnvW1JGoeb/GtxpAWd4rl1ebmkUyU68SGyHBkaaXrWAhofwxy93R20YYpFXPJhn/GLMwoXYbesLSsXtVydsrQ4ZsRQTks965vn2SOzDW5Y72l0gAFzs9XdFMIG0TOLenc4TfQwL7dEblq2sgkVdvG15ODTZdpdryphQLmcQ=
Received: from MN2PR00MB0686.namprd00.prod.outlook.com (2603:10b6:208:15f::13) by MN2PR00MB0893.namprd00.prod.outlook.com (2603:10b6:208:fd::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2849.0; Tue, 10 Mar 2020 16:21:37 +0000
Received: from MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::fcaa:2e27:4c08:f703]) by MN2PR00MB0686.namprd00.prod.outlook.com ([fe80::fcaa:2e27:4c08:f703%8]) with mapi id 15.20.2848.000; Tue, 10 Mar 2020 16:21:37 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Filip Skokan <panva.ip@gmail.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Flow
Thread-Index: AdX2agUBQrAxPoALSxyQHW5s38krKgAP6icAABN4N+A=
Date: Tue, 10 Mar 2020 16:21:37 +0000
Message-ID: <MN2PR00MB0686560229292F392C57D399F5FF0@MN2PR00MB0686.namprd00.prod.outlook.com>
References: <CH2PR00MB06784BE1BB83918ABC652C7AF5FF0@CH2PR00MB0678.namprd00.prod.outlook.com> <E69C8489-7B6F-42FC-961E-B38B8CE27B00@gmail.com>
In-Reply-To: <E69C8489-7B6F-42FC-961E-B38B8CE27B00@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=f6549f00-1f9e-449a-bedb-0000cf2a1862; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-03-10T16:18:39Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.83.137]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 20a2700f-fae4-448e-7c2a-08d7c50f1bc2
x-ms-traffictypediagnostic: MN2PR00MB0893:
x-microsoft-antispam-prvs: <MN2PR00MB0893D71AEBD9F2A3048A2F6AF5FF0@MN2PR00MB0893.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 033857D0BD
x-forefront-antispam-report: SFV:NSPM; SFS:(10001)(10019020)(4636009)(346002)(136003)(396003)(376002)(366004)(39860400002)(189003)(199004)(6916009)(6506007)(76116006)(53546011)(66574012)(66446008)(7696005)(64756008)(66556008)(66476007)(66946007)(71200400001)(21615005)(2906002)(8936002)(81166006)(316002)(478600001)(55016002)(86362001)(9686003)(10290500003)(52536014)(186003)(966005)(4326008)(5660300002)(8676002)(81156014)(26005)(8990500004)(33656002)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR00MB0893; H:MN2PR00MB0686.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +PzaITCdZ7SWJuMQrTOusdblR+fUYlQpdrglZXLMwVBinFHY+R0VUrdbRb5e7qCyXra+jq+hw0gXFmT3/S6p/aT8pJ0ZG9y2DHn0Qc351aJaBgG//R2ee7ced6qiwfsFIdGzNlj41dfnJaL8B/U+JhK7j2dlmj1g9D1eEAppxCfW2OzXCfeQXO/3OByQMsg3bBEl1qk5gGjvdiG7A8Bp+Bmd2daAi/j5fpudPKX0iXu9sU3BQbqgDfR19pBVY0zux6x7dzz9YN+/bAidHCodZaxdzCdwEb/04GZZZ9oX+jO+PIygMrFZ9hp+nAWZipbBxri7vEW8JIkivmCoF8KBgihsjj+/4MIdL5EnIE/mvEQYkFW272CsgyUITlBl0dbittEADc9gln9kOLuVfLBq2FdUiGsaGfUzURxf+rUCacBj9yDJ+5hkpfXR8Lj5jWYab70GpsLOh2a1mqUcEQu3ZXI0SkIVdppmRrNKjxyGSffn4s/3RRyemxvDU+CqJ8jwkebuxPjE19/L0pfjltrJTzI97q/r2Ivk6qaXE/iVMSAt0CNtTESXQqsSI0EvpMA/J2figvCo0IIkazPhD8XOn62KKVzfY0EuAc/M3C6SkEi2KIdpwXiLeCdYOthOrHvoUf9r4hqhxyElAuyyxIYsFQ==
x-ms-exchange-antispam-messagedata: +J+USGx0kiT5ynrALGqCvWdL36lQJ2JWBFwPJH08v1CA5RSrgFD1h94SnUFRsC9a/Zef0xkdq1HnAT3k9HQdu6x/FUQ0v6pdgsw64DY5B3DM1tOfneSG+YoewwooGP9PrKUFDW6YHCHckZoSiQDt+A==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR00MB0686560229292F392C57D399F5FF0MN2PR00MB0686namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 20a2700f-fae4-448e-7c2a-08d7c50f1bc2
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Mar 2020 16:21:37.5563 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 4KcYSs5993gFUuBVpsosNndUBON0zLAgpsyS67oYAkfqzWGxi7c9DEDluGZkTbZs71hVonanREPJzcpLYs58lQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR00MB0893
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/0PskpGb05W8KJfYKrjzPOTpo7fw>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.0 DPoP for the Implicit Flow
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Mar 2020 16:21:42 -0000

I haven’t thought about PAR but would welcome thoughts.  In general, I assume that the “htu” value should be the actual endpoint used.  What do others think?

Yes, I agree that the DPoP parameters on the front channel should only apply to the front-channel access token, whereas if you’re using a response_type like “code token”, then you’d want to send a separate DPoP proof JWT to the token endpoint.  I’ll plan to add that to the next draft.

                                                       Thanks,
                                                       -- Mike

From: Filip Skokan <panva.ip@gmail.com>
Sent: Tuesday, March 10, 2020 12:01 AM
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Flow

Hi Mike,

Thank you for the implicit dpop draft, quick questions

- what htu and htm should be used when used with PAR?
- is it fair to say that authorization request provided dpop parameters only apply to authorization endpoint issued access tokens and in case of hybrid flow - the client sends a new proof with the access token request to the token endpoint?

Best,
Filip

Odesláno z iPhonu


10. 3. 2020 v 1:12, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>>:

As I previously described<https://self-issued.info/?p=1967>, members of the OAuth working group have developed a simplified approach to providing application-level proof-of-possession protections for OAuth 2.0 access tokens and refresh tokens.  This approach is called OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP).  Among other benefits, it does not require a complicated and error-prone procedure for signing HTTP requests, as some past approaches have.

However, the DPoP specification to date has assumed that the client is using the OAuth authorization code flow.  As promised at the last IETF meeting, we’ve now published a simple companion specification that describes how DPoP can be used with the OAuth implicit flow – in which access tokens are returned directly from the authorization endpoint.  The specification is mercifully brief because very little had to be added to supplement the existing DPoP spec to enable use of DPoP with the implicit flow.  Thanks to Brian Campbell and John Bradley for whiteboarding this solution with me.

Finally, in a related development, it was decided during the OAuth virtual interim meeting today to call for working group adoption of the core DPoP draft.  That’s an important step on the journey towards making it a standard.

The specification is available at:

  *   https://tools.ietf.org/html/draft-jones-oauth-dpop-implicit-00

An HTML-formatted version is also available at:

  *   https://self-issued.info/docs/draft-jones-oauth-dpop-implicit-00.html

                                                       -- Mike

P.S.  This notice was also posted at https://self-issued.info/?p=2063 and as @selfissued<https://twitter.com/selfissued>.

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth