Re: [OAUTH-WG] OAuth Digest, Vol 137, Issue 110

Andre Triverio <andretriveriocjm@gmail.com> Fri, 03 April 2020 13:22 UTC

Return-Path: <andretriveriocjm@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00B443A0805 for <oauth@ietfa.amsl.com>; Fri, 3 Apr 2020 06:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ag7uD8gCu8Wl for <oauth@ietfa.amsl.com>; Fri, 3 Apr 2020 06:22:16 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9355C3A0806 for <oauth@ietf.org>; Fri, 3 Apr 2020 06:22:16 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id d11so7874227qko.3 for <oauth@ietf.org>; Fri, 03 Apr 2020 06:22:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=I1HA3BjTSn2FN9ey3hwQH8Ey67xvia60Koi7sZkESds=; b=rGj4zHqwNU7XGgohIiaHGW3K9fld8CCNJ+dLqEXX3jCVtsqDNHypHXMiAZ1JfjwoQx oqlAE6ARX/f7fq6CfEL76TEsdq9FVCZns2kdzgIBOEd9i/ynN6u8jq+StRhKTfTyjTLJ NB3JAGLsvanIAcDSTEdFdQm0HhDBDgZV0cryhSiMlMhIcS5NYJelWjjOPF6iAJ1ad1J+ jRaZtoebYtDHZcMv5pwolWmemc56D6EVUHgV5H4fprFN5Hd3VhCqSI6ETpnzzFtba+CZ XM86I1bPBiU5oNbxANNesrm/7HtVFwFpzLtGmmtzvDQ/7mH/KQiCP+xLkLj1jp6GntLB NiAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=I1HA3BjTSn2FN9ey3hwQH8Ey67xvia60Koi7sZkESds=; b=ZjzvTcJEwtM9cOfkw/F1eDCvGHmAedthKPkxR0irxLQOmgHJavLAF/2MqoYayZ9Lbx 9yJMjra2sJGMCybKFiXgq3GssonIdI0eyVYREff7qP+6qlXeaQ1qAaSRuK+vakTL/04Z OJvgByMHeD/QT2miZ9X634GdInQTtgUBfB8kBaHZlf/qn926/QRv3FLeLb/nwABQoX+j iLQ0lpP392kyOKpsQlunxTeQfKIAEX7Yf2rt9MxjOJe5dVdXHntdg387TuRTsJneCx8/ jGcXLosx+OgidW5+t1aj8wwGGmcWgRiO3xbkynX51faivaB7MTNdm0/UTa1XraIPIPTc YtpQ==
X-Gm-Message-State: AGi0PubT5C4ZbpOvffq31kSfgWHpPT8J/GvahNAy9laUkU78JJs2BhHz 8ZZMjBlQqA+IOJ6MAXV59Ox2GnKAb6NeHKWG8FYsTauUxDY=
X-Google-Smtp-Source: APiQypLzP/8PnEls04naMxI88sVbEjcfFYpyil/yZ1QOrYdo8XYD2XzwC9T/aLqciNtWozlJMy9of8VLTQNAD8Qy1yE=
X-Received: by 2002:a37:884:: with SMTP id 126mr8333248qki.72.1585920135340; Fri, 03 Apr 2020 06:22:15 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.214.1585586308.31256.oauth@ietf.org>
In-Reply-To: <mailman.214.1585586308.31256.oauth@ietf.org>
From: Andre Triverio <andretriveriocjm@gmail.com>
Date: Fri, 03 Apr 2020 15:22:04 +0200
Message-ID: <CAJjaZpt552j-SpiK=mpd7kaDQt5qTAADyOYJ-Qik7GcKiiCMdg@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004f28c105a262ce76"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OjCoseba0Doa3UAp5ccSaN8nvEU>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 137, Issue 110
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2020 13:22:21 -0000

Allez-vous cesser de m'envoyer des mails !
Je n'en veux pas !
Et pour se desabonner, tout est fait pouir ne pas y réussir !

Le lun. 30 mars 2020 à 18:41, <oauth-request@ietf.org> a écrit :

> Send OAuth mailing list submissions to
>         oauth@ietf.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://www.ietf.org/mailman/listinfo/oauth
> or, via email, send a message with subject or body 'help' to
>         oauth-request@ietf.org
>
> You can reach the person managing the list at
>         oauth-owner@ietf.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of OAuth digest..."
>
>
> Today's Topics:
>
>    1. RAR - Example JWT for Payment (Jared Jennings)
>    2. Re: Error Responses in JWT Profile for OAuth 2.0 Access
>       Tokens (Karl McGuinness)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 30 Mar 2020 08:18:49 -0500
> From: Jared Jennings <jaredljennings@gmail.com>
> To: oauth <oauth@ietf.org>
> Subject: [OAUTH-WG] RAR - Example JWT for Payment
> Message-ID:
>         <
> CAMVRk+LP6be1-dZ3bmpsT+3OPXWs_cP7gvsNEA7-T7Km1UEeOQ@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I have a question about the example and maybe it's more for
> clarification than anything.
>
> The example contains type and also location.
> A couple of things
> 1. Would it add clarity if the domain was the same for both? vs.
> someorg.com
> / example.com
> 2. While only an example, would it bring clerity to past examples if the
> type was https://schema.example.com/payment_initiation and the location
> was
> https://api.example.com/payments
>
> or am I missing something what the values represent?
>
> Here's the example I am referring to on page 17.
>
> {
>       "iss": "https://as.example.com",
>       "sub": "24400320",
>       "aud": "a7AfcPcsl2",
>       "exp": 1311281970,
>       "acr": "psd2_sca",
>       "txn": "8b4729cc-32e4-4370-8cf0-5796154d1296",
>       "authorization_details": [
>          {
>             "type": "https://www.someorg.com/payment_initiation",
>             "actions": [
>                "initiate",
>                "status",
>                "cancel"
>             ],
>             "locations": [
>                "https://example.com/payments"
>             ],
>             "instructedAmount": {
>                "currency": "EUR",
>                "amount": "123.50"
>             },
>             "creditorName": "Merchant123",
>             "creditorAccount": {
>                "iban": "DE02100100109307118603"
>             },
>             "remittanceInformationUnstructured": "Ref Number Merchant"
>          }
>       ],
>       "debtorAccount": {
>          "iban": "DE40100100103307118608",
>          "user_role": "owner"
>       }
>    ]
>
>
> -Jared
> Skype:jaredljennings
> Signal:+1 816.730.9540
> WhatsApp: +1 816.678.4152
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://mailarchive.ietf.org/arch/browse/oauth/attachments/20200330/cdb44a38/attachment.html
> >
>
> ------------------------------
>
> Message: 2
> Date: Mon, 30 Mar 2020 16:38:04 +0000
> From: Karl McGuinness <kmcguinness@okta.com>
> To: "vittorio.bertocci=40auth0.com@dmarc.ietf.org"
>         <vittorio.bertocci=40auth0.com@dmarc.ietf.org>
> Cc: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0
>         Access Tokens
> Message-ID: <90853492-D222-463A-9DB0-BA0EC82826B1@okta.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi Vittorio,
>
> I was chatting with Aaron offline about this issue and my concern is the
> addition of Authentication Information Claims in this spec opens up more
> interoperability issues that can?t be addressed with just a JWT Access
> Token spec.
>
> OAuth 2.0 AFAIK, doesn?t define any behaviors around resource owner
> authentication assurance with respect to issuing, introspecting, or
> presenting access tokens.
>
>   *   Token introspection
>   *   Token validation error responses
>   *   Token refresh
>   *   Client Remediation (oidc defined prompt=login, max_age, and
> acr_values)
>   *   Metadata
>
> This spec is defining AS behaviors that are orthogonal to the format and
> should be available via token introspection for example
>
>
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-2.2.1
>
>
> The claims listed in this section reflect in the access token the the
>    types and strength of authentication that the authentication server
>    enforced prior to returning the authorization response to the client.
>    Their values are fixed, and remain the same across all access tokens
>    that derive from a given authorization response, whether the access
>    token was obtained directly in the response (e.g., via the implicit
>    flow) or after one or more token exchanges (e.g., obtaining a fresh
>    access token using a refresh token, or exchanging one access token
>    for another via [RFC8693<https://tools.ietf.org/html/rfc8693>]
>
>
> I was hoping one of the outcomes of this spec was toolkit/sdk interop for
> clients and resource servers.   I don?t see how this possible if all the
> semantics around requesting, validating, and remediating resource owner
> authentication assurance is implementation specific.   The end-to-end
> scenarios are not achievable with just OAuth 2.0 which breaks interop.
>
> I think there is a real need to define resource owner authentication
> assurance interoperability for access tokens, but I fear this may require
> its own spec.
>
> -Karl
>
> Karl McGuinness
> Chief Product Architect
> www.okta.com<http://www.okta.com/>
>
> On Mar 25, 2020, at 12:59 PM, vittorio.bertocci=40auth0.com@dmarc.ietf.org
> <mailto:vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:
>
> This message originated outside your organization.
>
> Thanks Aaron!
> You are right, we could be clearer re:errors. AFAIK the only errors we can
> rely on from an RS are in RFC6750, and the entire section is about what to
> look for in an incoming AT to validate, hence it doesn't look like we have
> much choice but to return invalid_token for every error in the validation
> checks enumerated in Section 4. I can definitely add a paragraph to that
> effect (does it have to be a section?).
>
> The re-authentication part is tricky. Technically we are still rejecting
> the
> incoming token, hence the above should still apply.
> I am not aware of tools we can use from the primitives defined in the
> OAuth2
> family of standards for telling people how to make reauthentication happen-
> and making reauth happen can be quite involved. In Azure AD there are semi
> proprietary mechanisms that can be used to signal the need to repeat
> authentication, say for triggering a step-up auth, by sending back together
> with the error response a challenge that can in turn be used by the client
> to communicate policy requirements to the AS (which is assumed to support
> OIDC and accept/understand those policies in form of claim). Giving
> equivalent guidance but relying only on standards seems tricky, especially
> without making strong assumptions about how auth happens (e.g can we assume
> OIDC?).
> To solve this for the profile, I see two main ways forward:
> A) We warn the reader that it's on them to decide how to signal the reauth
> requirement from the API to the client, and how to use that in the client
> to
> AS subsequent authorization request
> B) We venture in devising a standard mechanism for propagating errors that
> require reauth, basically extending RFC6750 with a new use case (perhaps by
> detailing extra info to be put in WWW-Authenticate?).
>
> I can see how B) might be useful in general, but it doesn't seem
> particularly tied to the fact that the ATs being discussed here are JWTs...
> hence I'd be inclined to declare it out of scope here, tho I would really
> love for us to devise a standard solution for it _somewhere_.
> WDYT?
>
>
>
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org>> On
> Behalf Of Aaron Parecki
> Sent: Wednesday, March 25, 2020 12:07 PM
> To: OAuth WG <oauth@ietf.org<mailto:oauth@ietf.org>>
> Subject: [OAUTH-WG] Error Responses in JWT Profile for OAuth 2.0 Access
> Tokens
>
> Section 4 talks about validating JWT Access Tokens
>
> https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt-04#section-4
>
> It has a list of things the RS MUST do when validating a request made with
> a
> JWT access token. This section contains phrases like "...and reject
> tokens..." and "MUST be rejected if...", without clear instructions on
> *how*
> to reject this request. For these, I could infer that the RFC6750 error
> code
> "invalid_token" is the correct response, but these could benefit from being
> more explicit about that here.
>
> Step 7 says:  "the resource server SHOULD check the auth_time value and
> request re-authentication..." But there are no instructions on how the RS
> should respond to indicate that the client should request
> re-authentication.
> This sounds like a different response than "invalid_token" to me, but in
> any
> case, regardless of what the correct response is, Section 4 really needs a
> description of how to respond in these error cases.
>
> ----
> Aaron Parecki
> aaronparecki.com
> @aaronpk
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> https://mailarchive.ietf.org/arch/browse/oauth/attachments/20200330/6db2d3fd/attachment.html
> >
>
> ------------------------------
>
> Subject: Digest Footer
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> ------------------------------
>
> End of OAuth Digest, Vol 137, Issue 110
> ***************************************
>


-- 
André Triverio, CJM