Re: [OAUTH-WG] Cache-Control headers for Bearer URI Query Parameter method
Torsten Lodderstedt <torsten@lodderstedt.net> Mon, 11 June 2012 19:17 UTC
Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF9D911E8083 for <oauth@ietfa.amsl.com>; Mon, 11 Jun 2012 12:17:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Level:
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q3tY0cGFYyK0 for <oauth@ietfa.amsl.com>; Mon, 11 Jun 2012 12:17:55 -0700 (PDT)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.31.101]) by ietfa.amsl.com (Postfix) with ESMTP id 0962E21F8518 for <oauth@ietf.org>; Mon, 11 Jun 2012 12:17:54 -0700 (PDT)
Received: from [91.2.79.30] (helo=[192.168.71.36]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.68) (envelope-from <torsten@lodderstedt.net>) id 1SeA7b-0005zi-D3; Mon, 11 Jun 2012 21:17:51 +0200
Message-ID: <4FD6445B.8020904@lodderstedt.net>
Date: Mon, 11 Jun 2012 21:17:47 +0200
From: Torsten Lodderstedt <torsten@lodderstedt.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: Mike Jones <Michael.Jones@microsoft.com>
References: <4E1F6AAD24975D4BA5B16804296739436652FBFC@TK5EX14MBXC284.redmond.corp.microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739436652FBFC@TK5EX14MBXC284.redmond.corp.microsoft.com>
Content-Type: multipart/alternative; boundary="------------030509080908090305020906"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC1vbmxpbmUuZGU=
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Cache-Control headers for Bearer URI Query Parameter method
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2012 19:17:59 -0000
Hi all,
I noticed a difference in usage of cache control headers between bearer
and core spec.
core -27 states:
" The authorization server MUST include the HTTP "Cache-Control"
response header field [RFC2616] with a value of "no-store" in any
response containing tokens, credentials, or other sensitive
information, as well as the "Pragma" response header field [RFC2616]
with a value of "no-cache"."
So a "Pragma" response header field is required instead of the
"Cache-Control" header "private".
As far as I understand, both specs are nearly but not fully equivalent.
Do we need to align both?
regards,
Torsten.
Am 09.06.2012 00:20, schrieb Mike Jones:
>
> Hi Amos,
>
> The OAuth Bearer specification now includes the Cache-Control language
> we'd discussed.
>
> See the fifth paragraph of
> http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-20#section-2.3.
>
> Thanks again,
>
> -- Mike
>
> *From:*oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] *On
> Behalf Of *Mike Jones
> *Sent:* Thursday, May 17, 2012 3:12 PM
> *To:* oauth@ietf.org
> *Subject:* [OAUTH-WG] Cache-Control headers for Bearer URI Query
> Parameter method
>
> Dear working group members:
>
> I'm going through the remaining open issues that have been raised
> about the Bearer spec so as to be ready to publish an updated draft
> once the outstanding consensus call issues are resolved.
>
> Amos Jeffries had cited this requirement in the HTTPbis spec (
> http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1):
>
> o The credentials carried in an Authorization header field are
>
> specific to the User Agent, and therefore have the same effect on
>
> HTTP caches as the "private" Cache-Control response directive,
>
> within the scope of the request they appear in.
>
> Therefore, new authentication schemes which choose not to carry
>
> credentials in the Authorization header (e.g., using a newly
>
> defined header) will need to explicitly disallow caching, by
>
> mandating the use of either Cache-Control request directives
>
> (e.g., "no-store") or response directives (e.g., "private").
>
> I propose to add the following text in order to satisfy this
> requirement. I have changed Amos' MUSTs to SHOULDs because, in
> practice, applications that have no option but to use the URI Query
> Parameter method are likely to also not have control over the
> request's Cache-Control directives (just as they do not have the
> ability to use an "Authorization: Bearer" header value):
>
> Clients using the URI Query Parameter method SHOULD also send a
>
> Cache-Control header containing the "no-store" option. Server success
>
> (2XX status) responses to these requests SHOULD contain a
> Cache-Control
>
> header with the "private" option.
>
> Comments?
>
> -- Mike
>
> -----Original Message-----
> From: Amos Jeffries [mailto:squid3@treenet.co.nz]
> <mailto:[mailto:squid3@treenet.co.nz]>
> Sent: Monday, April 23, 2012 10:13 PM
> To: Mike Jones
> Cc: oauth@ietf.org <mailto:oauth@ietf.org>
> Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
>
> On 24/04/2012 4:33 p.m., Mike Jones wrote:
>
> > What specific language would you suggest be added to what section(s)?
>
> >
>
> > -- Mike
>
> Perhapse the last paragraph appended:
>
> "
>
> Because of the security weaknesses associated with the URI method
>
> (see Section 5), including the high likelihood that the URL
>
> containing the access token will be logged, it SHOULD NOT be used
>
> unless it is impossible to transport the access token in the
>
> "Authorization" request header field or the HTTP request entity-body.
>
> Resource servers compliant with this specification MAY support this
>
> method.
>
> Clients requesting URL containing the access token MUST also send a
>
> Cache-Control header containing the "no-store" option. Server success
>
> (2xx status) responses to these requests MUST contain a Cache-Control
>
> header with the "private" option.
>
> "
>
> I'm a little suspicious that the "SHOUDL NOT" in that top paragraph
> likely should be a MUST NOT to further discourage needless use.
>
> AYJ
>
> >
>
> > -----Original Message-----
>
> > From: oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org> On
> Behalf Of Amos Jeffries
>
> > Sent: Monday, April 23, 2012 7:10 PM
>
> > To: oauth@ietf.org <mailto:oauth@ietf.org>
>
> > Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-v2-bearer-19.txt
>
> >
>
> > On 24.04.2012 13:46, internet-drafts@ietf.org
> <mailto:internet-drafts@ietf.org> wrote:
>
> >> A New Internet-Draft is available from the on-line Internet-Drafts
>
> >> directories. This draft is a work item of the Web Authorization
>
> >> Protocol Working Group of the IETF.
>
> >>
>
> >> Title : The OAuth 2.0 Authorization Protocol:
> Bearer
>
> >> Tokens
>
> >> Author(s) : Michael B. Jones
>
> >> Dick Hardt
>
> >> David Recordon
>
> >> Filename : draft-ietf-oauth-v2-bearer-19.txt
>
> >> Pages : 24
>
> >> Date : 2012-04-23
>
> >>
>
> >> This specification describes how to use bearer tokens in HTTP
>
> >> requests to access OAuth 2.0 protected resources. Any party in
>
> >> possession of a bearer token (a "bearer") can use it to get
>
> >> access to
>
> >> the associated resources (without demonstrating possession of a
>
> >> cryptographic key). To prevent misuse, bearer tokens need to be
>
> >> protected from disclosure in storage and in transport.
>
> >>
>
> >>
>
> >> A URL for this Internet-Draft is:
>
> >> http://www.ietf.org/internet-drafts/draft-ietf-oauth-v2-bearer-19.txt
>
> >
>
> >
>
> > The section 2.3 (URL Query Parameter) text is still lacking explicit
> and specific security requirements. The overarching TLS requirement is
> good in general, but insufficient in the presence of HTTP
> intermediaries on the TLS connection path as is becoming a common
> practice.
>
> >
>
> > The upcoming HTTPbis specs document this issue as a requirement for
> new auth schemes such as Bearer:
>
> >
>
> > http://tools.ietf.org/html/draft-ietf-httpbis-p7-auth-19#section-2.3.1
>
> > "
>
> > Therefore, new authentication schemes which choose not to carry
>
> > credentials in the Authorization header (e.g., using a newly
>
> > defined header) will need to explicitly disallow caching, by
>
> > mandating the use of either Cache-Control request directives
>
> > (e.g., "no-store") or response directives (e.g., "private").
>
> > "
>
> >
>
> >
>
> > AYJ
>
> >
>
> > _______________________________________________
>
> > OAuth mailing list
>
> > OAuth@ietf.org <mailto:OAuth@ietf.org>
>
> > https://www.ietf.org/mailman/listinfo/oauth
>
> >
>
> >
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Cache-Control headers for Bearer URI Q… Mike Jones
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… William Mills
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Mike Jones
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Torsten Lodderstedt
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Phil Hunt
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Amos Jeffries
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Phil Hunt
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Torsten Lodderstedt
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Mike Jones
- Re: [OAUTH-WG] Cache-Control headers for Bearer U… Amos Jeffries