IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

Brian Campbell <bcampbell@pingidentity.com> Fri, 27 December 2019 23:02 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74E2B12013B for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 15:02:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_J4URM7dYhw for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 15:01:58 -0800 (PST)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50ED31200B6 for <oauth@ietf.org>; Fri, 27 Dec 2019 15:01:58 -0800 (PST)
Received: by mail-lf1-x134.google.com with SMTP id y1so21601784lfb.6 for <oauth@ietf.org>; Fri, 27 Dec 2019 15:01:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=r9Z8OC34vdueDgYpgaR0ymZkkyB1j2vNL3RKysg0Xog=; b=E81fBEgJ9BwlG3Z05QdA59Euba/z1RDPqRNlgf+3LqiABi+jUiv73P9dgR3LN+Rqo7 3oz8aS3aKQLLbzOf40UBBV4GhoIjKlqWgnwFucJeIxyEtXIy/Gxi0H12ojkfylJsaACm m5Bf9jMoXUSjgtecjssCVNu9dFeAJJAULyjUXAqZG9Rxdb1Q4sIXbTvRMnGBda4L0ipV d1YoTDTI+CsYlP0GAMO+bcprVWK3qJSs1H5YdhLe6FsGcohcYNgFbK5VHZ4eMWozwIbc 6JsNpjrhTTB1dc5glCWXSkrVdxfFeoV7YCPiVATggxKccHDj66TsCtz/ie4XPzRDn73e u1uQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=r9Z8OC34vdueDgYpgaR0ymZkkyB1j2vNL3RKysg0Xog=; b=hnlxH4BYTpKYOxLzf1Z/PJs0mqk3ztauP7Vk7tmOSOL2u8LOLnOA9FInqXErVhslHV XhuWrmBn25mH0AqkR6VNyK875SaXOTmJwQ4ptXmoh0WLQpZVTlUggVVoGdaiyUxZAgf7 274jOAhr/I2CSs+e+rqAl2Bk2GEeYmQbf7UxAgu5RQzfM5+QSCSsNo+e2vq19vLCzTn0 un9brMwWuEQp0zuauA6Vm09pwpzsx/mDaXrQRPphSIVk+W8M5s7/KeYA7DI0lGmrJ73E 7iICLV8//TJUKPU0w/aHbjUv09hnC0gSxiLwDa32iJi2WwrSLrZI2nIE4jYIoD9je9Ue ROrg==
X-Gm-Message-State: APjAAAUx/TD1O/ImLRp1LADroBkiwwECHrZJ5DfC74P5LIGvZDNL4XUJ /WpqLObIqoCIhhrLihj+dzIXNwhAVDtGzwWfjphV5hv8nZepUn+XT8PX3Z7n0M7+O4bm7b2pcF9 rGiTX5a1DnFx4ug==
X-Google-Smtp-Source: APXvYqx+UkXREgpdxuCl2Rn/S3qS9mn21Za00i/ItHxMAotVRqikbGrzTWQ9X8/wGTmq6L1AFatwa9lmT3xn+ZTqx/c=
X-Received: by 2002:a19:5057:: with SMTP id z23mr30033015lfj.132.1577487716345; Fri, 27 Dec 2019 15:01:56 -0800 (PST)
MIME-Version: 1.0
References: <DM6PR00MB08478D98FE0A4A2AADAF479AF52A0@DM6PR00MB0847.namprd00.prod.outlook.com> <0D6C9677-D8B5-4005-95FE-4F783EB28961@lodderstedt.net>
In-Reply-To: <0D6C9677-D8B5-4005-95FE-4F783EB28961@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 27 Dec 2019 16:01:29 -0700
Message-ID: <CA+k3eCTnzX7M1XgduH_Wa2y1pMVY7_AigNTrhBmL214by5z_Ew@mail.gmail.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
Cc: Mike Jones <Michael.Jones@microsoft.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f8885a059ab77a66"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PPodXVI2TTCCICywU6ZD2k_TABc>
Subject: Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 23:02:01 -0000

I'm not suggesting that it should be a recommended flow. But recommending
against it, as the text does now, seems overreaching and unnecessary. I
know *consensus* was previously found on the text in -13 but best I can
recall that discussion was mostly around Nat advocating to allow room for
some future self-issued IDP type case and the conversation kind of got hung
up on that.

Here's some proposed text, which I think still largely captures the intent
of the BCP while not explicitly recommending against legitimate cases like
the one I brought here or Nat's or something like JARM.

   In order to avoid these issues, clients SHOULD NOT use the implicit
   grant (response type "token") or other response types issuing
   access tokens in the authorization response, unless access token
injection
   in the authorization response is prevented and the aforementioned token
leakage
   vectors are mitigated.

The draft already recommends sender-constrained access tokens elsewhere in
the document. It doesn't need to be repeated as a qualifying condition
around this SHOULD NOT.

I am a proponent of PoP/HoK/sender-constrained access tokens (as hopefully
is evident from several attempts at bringing/doing related work here) but I
do worry that the recommendation in the draft is sufficiently unachievable
to the vast majority that it might undermine the credibility of the
document. But I get the aspirational aspect of it and, other than some
suggested tweaks
<https://mailarchive.ietf.org/arch/msg/oauth/RKujONej-92dT5lr9cLu6hHnw8I>,
am resigned to see it stay in the document. But let's let that
recommendation stand on its own in the document and not also tie it to
other considerations.


On Fri, Dec 27, 2019 at 1:41 PM Torsten Lodderstedt <torsten=
40lodderstedt.net@dmarc.ietf.org> wrote:

> As Brian said, we have discussed this several times and this text found
> consensus.
>
> Using post reduces the attack surface but does not allow to bind the
> access token to the legitimate client. We are recommending sender
> constrained access tokens in the BCP. So recommending a flow that does not
> support sender constrained access tokens is a contradiction.
>
> What do other WG members think?
>
> Am 27.12.2019 um 21:28 schrieb Mike Jones <Michael.Jones=
> 40microsoft.com@dmarc.ietf.org>:
>
> 
> I agree with Brian. Please update the text to describe this already safe
> usage.
>
> -- Mike
>
> ------------------------------
> *From:* OAuth <oauth-bounces@ietf.org> on behalf of Brian Campbell
> <bcampbell=40pingidentity.com@dmarc.ietf.org>
> *Sent:* Friday, December 27, 2019 11:03:30 AM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [EXTERNAL] [OAUTH-WG] -security-topics-13 and OIDC response
> types + form_post response mode
>
> We have a-sometimes used scenario where a client makes an
> authorization/authentication request with a "token id_token" response type
> and "form_post" response mode (nonce is also sent and exact redirect URI
> matching is done at the AS). The access token is never exposed in any URLs
> and access token injection is prevented by the at_hash claim in the id
> token.
>
> That seems to me like a legitimate and reasonable usage scenario. However,
> it would fall on the wrong side of the SHOULD NOT in Section 3.1.2 of the
> Security BCP-to-be
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-security-topics-13%23section-3..1..2&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cee48992fa75642e2cbf908d78aff8d77%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637130702523877347&sdata=LJfYSigLXqZjLNl%2Bx1ycBSHJn6UKJFXhr5As1zb1g98%3D&reserved=0>,
> which has:
>
>    In order to avoid these issues, clients SHOULD NOT use the implicit
>    grant (response type "token") or any other response type issuing
>    access tokens in the authorization response, such as "token id_token"
>    and "code token id_token", unless the issued access tokens are
>    sender-constrained and access token injection in the authorization
>    response is prevented.
>
> I know this particular text has been discussed over and over again so I
> hate to revisit it. But based on the aforementioned scenario I think maybe
> it still doesn't quite hit the mark. Access token injection is prevented.
> The token leakage scenarios mentioned in that section are all avoided. And
> while I know sender-constrained is recommended elsewhere in the draft, it's
> not really a realistic option for the majority of deployments.
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email