Re: [OAUTH-WG] PAR: pushed requests must become JWTs
John Bradley <ve7jtb@ve7jtb.com> Fri, 10 January 2020 19:48 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0BFB1200FF for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 11:48:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zzp0KojqqyMd for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 11:48:40 -0800 (PST)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9724D1200F1 for <oauth@ietf.org>; Fri, 10 Jan 2020 11:48:39 -0800 (PST)
Received: by mail-wr1-x436.google.com with SMTP id z3so2931133wru.3 for <oauth@ietf.org>; Fri, 10 Jan 2020 11:48:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=P562vpr8IHDLzgwM969/LhMb2Fn/iDOt7iYAQV2G+64=; b=oGtcOTthvnuIwjlZIjCHSrLijTiR3FIpDB+o2xPl4zdmjJOoIJvRCuzh8vB/t+2jJd ZYA5DD7hVw7HtL1jcliGy8c+4LNrnEV/sznx+ccqgiGqdXBWs5k8QALipmkzXd76SOKj U8Y14Dd/QPqWTKIESJulJUHVzSlRln4EEMBrMPYWP9uOtYQSWg5HiPvyH3eahnQVkk9y wyAJ3LDWCQxiG+1Nc1bVg+UJ4j/YFX2KkhqqokZ6ux71C8czTk8q7ynYNlYpJTUJ1XjJ 8w4dCoiivBY68tVXMj4h3ru9dmKnGG7tLl0vT/ScFGo5rOcAI8CEjBfgOm4akQsBJYIu 0oOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=P562vpr8IHDLzgwM969/LhMb2Fn/iDOt7iYAQV2G+64=; b=bSFdFBX9ckFEWAIOp8lf8OBbYJsoEAzlymiuEdEOG39atXalhS19ULgIzrL/SiyJBv F1vVHheheBZ97r+YjOIAW9q1Wfn92IZY1VvA3xUYR2sgYLaOCffSancRMcSn8+sqXoUw EuejHuiaBm0MpWdXrcuJhfqd2Fei1wykMpZ+MYCIHB7D1sF86l2d4DGMEKj3j/LyIRBm VDpg0RAnO29JQuSPD429r77E/fdE+RK8nra0yIOgXy4bS/73QTJt5voFQPaMPI/nYvqN ei/ZgZDV8rnBp1BiAhGpOfUUIOLeqGRiXFVt1zegJdFDL5H8sMsmx9Ywc4Upm/pXhxm0 rCpg==
X-Gm-Message-State: APjAAAV91dY7Rtcxy+Tj2WMlx4C+FdAlskFsJ5jqmBBXC8/aag9JvsTh kEIMixak+S0gZYniXRGq/A1bGF54Si/uB0rev3jCWfCtf58=
X-Google-Smtp-Source: APXvYqz8+2o4Yj+JeR+msnEvs1JyjaA14ZWm3dkpuLEvHXKbBdnrMg8n5u3H+kh9hywfDwtVLBeyxQ6WhgRISUe+vBw=
X-Received: by 2002:a5d:410e:: with SMTP id l14mr4960046wrp.238.1578685717755; Fri, 10 Jan 2020 11:48:37 -0800 (PST)
MIME-Version: 1.0
References: <8D1DD3BF-97B5-416A-B914-6867FD3553B0@amazon.com> <72A27E43-72C6-44D0-8D95-07FBF8CE332F@lodderstedt.net> <CA+k3eCSL5nS81uKbL3sPh9-SesPnaLsGgnO2=R4jjDy-fSVGKw@mail.gmail.com>
In-Reply-To: <CA+k3eCSL5nS81uKbL3sPh9-SesPnaLsGgnO2=R4jjDy-fSVGKw@mail.gmail.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Fri, 10 Jan 2020 16:48:28 -0300
Message-ID: <CAANoGh+9+g=2kzh5k-n5eOVHNX=F6kxWbwrP-u=yG-F_C02i8g@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Nat Sakimura <nat@sakimura.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006b4d40059bce69d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PHdgucHPFPFTYtEyBY0PcM1WQ7Q>
Subject: Re: [OAUTH-WG] PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 19:48:43 -0000
It may be a challenge to change text saying that the contents of the resource could be something other than a request object. If not a request object then what and how is that interoperable are likely AD questions. I could perhaps see changing it to must be a request object, or other format defined by a profile. John B. On Fri, Jan 10, 2020, 3:45 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > Agree and agree. But given that the change suggested by Annabelle has no > impact on the client or interoperability, perhaps Nat or John could work > the change into the draft during the edits that happen during the final > stages of things? > > On Thu, Jan 9, 2020 at 1:56 AM Torsten Lodderstedt <torsten= > 40lodderstedt.net@dmarc.ietf.org> wrote: > >> I would assume given the status of JAR, we don’t want to change it. And >> as I said, this difference does not impact interoperability from client >> perspective. >> >> Am 09.01.2020 um 00:58 schrieb Richard Backman, Annabelle <richanna= >> 40amazon.com@dmarc.ietf.org>: >> >> >> >> It would be more appropriate to add the text to JAR rather than PAR. It >> doesn't seem right for PAR to retcon rules in JAR. Moving the text to JAR >> also highlights the weirdness of giving PAR special treatment. >> >> >> >> What if we changed this sentence in Section 5.2 of JAR: >> >> The contents of the resource referenced by the URI MUST be a Request >> >> Object. >> >> >> >> To: >> >> The contents of the resource referenced by the URI MUST be a Request >> >> Object, unless the URI was provided to the client by the Authorization >> >> Server. >> >> >> >> This would allow for use cases such as an AS that provides pre-defined >> request URIs, or vends request URIs via a client management console, or >> bakes them into their client apps. >> >> >> >> – >> >> Annabelle Richard Backman >> >> AWS Identity >> >> >> >> On 1/8/20, 2:50 PM, "Torsten Lodderstedt" <torsten= >> 40lodderstedt.net@dmarc.ietf.org> wrote: >> >> >> >> Hi, >> >> >> >> you are right, PAR does not require the AS to represent the request >> as a JWT-based request object. The URI is used as internal reference only. >> That why the draft states >> >> >> >> "There is no need to make the >> >> authorization request data available to other parties via this >> >> URI.” >> >> >> >> This difference matters from an AS implementation perspective, it >> doesn't matter from a client's (interop) perspective. >> >> >> >> We may add a statement to PAR saying that request_uris issued by the >> PAR mechanism (MAY) deviate from the JAR definition. >> >> >> >> best regards, >> >> Torsten. >> >> >> >> > On 8. Jan 2020, at 23:42, Richard Backman, Annabelle <richanna= >> 40amazon.com@dmarc.ietf.org> wrote: >> >> > >> >> > Hi all, >> >> > >> >> > The current drafts of PAR (-00) and JAR (-20) require that the AS >> transform all pushed requests into JWTs. This requirement arises from the >> following: >> >> > • PAR uses the request_uri parameter defined in JAR to >> communicate the pushed request to the authorization endpoint. >> >> > • According to JAR, the resource referenced by request_uri >> MUST be a Request Object. (Section 5.2) >> >> > • Request Object is defined to be a JWT containing all the >> authorization request parameters. (Section 2.1) >> >> > >> >> > There is no need for this requirement to support interoperability, >> as this is internal to the AS. It is also inconsistent with the rest of >> JAR, which avoids attempting to define the internal communications between >> the two AS endpoints. Worse, this restriction makes it harder for the >> authorization endpoint to leverage validation and other work performed at >> the PAR endpoint, as the state or outcome of that work must be forced into >> the JWT format (or retrieved via a subsequent service call or database >> lookup). >> >> > >> >> > – >> >> > Annabelle Richard Backman >> >> > AWS Identity >> >> > >> >> > _______________________________________________ >> >> > OAuth mailing list >> >> > OAuth@ietf.org >> >> > https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
- [OAUTH-WG] PAR: pushed requests must become JWTs Richard Backman, Annabelle
- Re: [OAUTH-WG] PAR: pushed requests must become J… Torsten Lodderstedt
- Re: [OAUTH-WG] PAR: pushed requests must become J… Richard Backman, Annabelle
- Re: [OAUTH-WG] PAR: pushed requests must become J… Torsten Lodderstedt
- Re: [OAUTH-WG] PAR: pushed requests must become J… Torsten Lodderstedt
- Re: [OAUTH-WG] PAR: pushed requests must become J… Richard Backman, Annabelle
- Re: [OAUTH-WG] PAR: pushed requests must become J… Brian Campbell
- Re: [OAUTH-WG] PAR: pushed requests must become J… John Bradley
- Re: [OAUTH-WG] PAR: pushed requests must become J… Brian Campbell
- Re: [OAUTH-WG] PAR: pushed requests must become J… John Bradley
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Benjamin Kaduk
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Vladimir Dzhuvinov
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Torsten Lodderstedt
- Re: [OAUTH-WG] JARM Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Dave Tonge
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: [UNVERIFIE… Brian Campbell
- Re: [OAUTH-WG] JARM Brian Campbell
- Re: [OAUTH-WG] JARM Takahiko Kawasaki
- Re: [OAUTH-WG] JARM Neil Madden
- Re: [OAUTH-WG] JARM Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Aaron Parecki
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Torsten Lodderstedt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushe… Justin Richer