IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 28 December 2019 00:00 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95DDD1200CE for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 16:00:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IIilvzdM-TjV for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 16:00:06 -0800 (PST)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFCB1120639 for <oauth@ietf.org>; Fri, 27 Dec 2019 16:00:05 -0800 (PST)
Received: by mail-wm1-x332.google.com with SMTP id q9so7762447wmj.5 for <oauth@ietf.org>; Fri, 27 Dec 2019 16:00:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=msbPNGGWUu07DqX3ziNcU3nfJuB8GlXpSfH4j301NWY=; b=qYMnrRYlWdu+FAXJz0l1JSU3STdjlj1rWYMlWs7fCArRcyHP0QJbRAeVNMACMK0q1H YVUxvPqOphGEAB5REunOTe+2ytT2MXmfxC0v+EBEbTQpYaUVgp8vIRGqiVX+4eXUqAEv yH3LfZyPjr1HQLQJOhfKGncdEoSBLaRMkKaqmeC1YvM9W02cpSn7YxRPIvLk7l3mCl14 a5j2JQAuca+cpWU2sVrRm43yT8tTc7fUabMPfejSSPALN40GDNo+HKhqW/lZ67eb7+vq TjMmg/TIdZqfV0fQd09eVCjESzr8DJrzeS2BF4nCvCOjsxtL+MrEJtP4vRHwowUTr301 3Csw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=msbPNGGWUu07DqX3ziNcU3nfJuB8GlXpSfH4j301NWY=; b=f+t+v1IiAs1AzTlCw/t0CEssFALGaZ9dZFEfnR0wCVSe6hY9mUcTiGOJJqNHnxUr/g f8+qktTyc1R2nSedvnpxsdy0M/iHZwl3qVS5kM1+oXiEBXxaWArVYI6MfiqQcSwvQ0Mr SuCGqZKGG3oqPaPq8qWS/8RaofWV+Dkb3TDp8kC00MuK+7UuKjYlL0ePopcaKaN3Q7MP xKVNBKi4tpLYfmIq5YYIybKwUVNQJEPm6RKMckgHlaLnIRHU89ds8QceXnbkKEvOT5EM +pqbMpkEBJUf7KbcGhVCNBZDkdFX9o87+0Og0v3HIyWCr30I6adBXIeiKAbjaJsT5/E8 T+qA==
X-Gm-Message-State: APjAAAVDnE2+IjGryXkn5bv1+/PPLL/hs5hXB6ISZbxqzv1nvj3phzUG d0G44W6pQrBQ5sDBZuL/ZOFlYTdbwmY=
X-Google-Smtp-Source: APXvYqxJx3VTktTTeNwXk98jNOB1WC2XDVaOeH1Blt1mp1IqX3x4Ir3xG9e34ig4vFQ2QCZd+TuaRQ==
X-Received: by 2002:a05:600c:1009:: with SMTP id c9mr22013359wmc.162.1577491203742; Fri, 27 Dec 2019 16:00:03 -0800 (PST)
Received: from ?IPv6:2a01:598:818b:b98e:e918:9ad0:f05c:d5d2? ([2a01:598:818b:b98e:e918:9ad0:f05c:d5d2]) by smtp.gmail.com with ESMTPSA id p5sm36184332wrt.79.2019.12.27.16.00.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 27 Dec 2019 16:00:02 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail-5074200D-A012-4C49-B84B-0F816C2E8673"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Sat, 28 Dec 2019 01:00:01 +0100
Message-Id: <ACFB6963-EBA4-4351-B3F4-D659513E6AA5@lodderstedt.net>
References: <CA+k3eCTnzX7M1XgduH_Wa2y1pMVY7_AigNTrhBmL214by5z_Ew@mail.gmail.com>
Cc: Mike Jones <Michael.Jones@microsoft.com>, oauth <oauth@ietf.org>
In-Reply-To: <CA+k3eCTnzX7M1XgduH_Wa2y1pMVY7_AigNTrhBmL214by5z_Ew@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (17C54)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Pc452T0XvH8Mt4fmo8dlnRu0sbg>
Subject: Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Dec 2019 00:00:09 -0000

Your proposal sounds reasonable on first sight. But thinking again, it would mean to keep token injection prevention in authorization responses a requirement while dropping the requirement for replay/injection prevention at resource servers. To me this feels inconsistent.

> Am 28.12.2019 um 00:02 schrieb Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>:
> 
> 
> I'm not suggesting that it should be a recommended flow. But recommending against it, as the text does now, seems overreaching and unnecessary. I know *consensus* was previously found on the text in -13 but best I can recall that discussion was mostly around Nat advocating to allow room for some future self-issued IDP type case and the conversation kind of got hung up on that. 
> 
> Here's some proposed text, which I think still largely captures the intent of the BCP while not explicitly recommending against legitimate cases like the one I brought here or Nat's or something like JARM. 
> 
>    In order to avoid these issues, clients SHOULD NOT use the implicit
>    grant (response type "token") or other response types issuing
>    access tokens in the authorization response, unless access token injection
>    in the authorization response is prevented and the aforementioned token leakage 
>    vectors are mitigated. 
> 
> The draft already recommends sender-constrained access tokens elsewhere in the document. It doesn't need to be repeated as a qualifying condition around this SHOULD NOT. 
> 
> I am a proponent of PoP/HoK/sender-constrained access tokens (as hopefully is evident from several attempts at bringing/doing related work here) but I do worry that the recommendation in the draft is sufficiently unachievable to the vast majority that it might undermine the credibility of the document. But I get the aspirational aspect of it and, other than some suggested tweaks, am resigned to see it stay in the document. But let's let that recommendation stand on its own in the document and not also tie it to other considerations.  
> 
> 
>> On Fri, Dec 27, 2019 at 1:41 PM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>> As Brian said, we have discussed this several times and this text found consensus.
>> 
>> Using post reduces the attack surface but does not allow to bind the access token to the legitimate client. We are recommending sender constrained access tokens in the BCP. So recommending a flow that does not support sender constrained access tokens is a contradiction.
>> 
>> What do other WG members think?
>> 
>>>> Am 27.12.2019 um 21:28 schrieb Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>:
>>>> 
>>> 
>>> I agree with Brian. Please update the text to describe this already safe usage.
>>> 
>>> -- Mike
>>> 
>>> From: OAuth <oauth-bounces@ietf.org> on behalf of Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
>>> Sent: Friday, December 27, 2019 11:03:30 AM
>>> To: oauth <oauth@ietf.org>
>>> Subject: [EXTERNAL] [OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode
>>>  
>>> We have a-sometimes used scenario where a client makes an authorization/authentication request with a "token id_token" response type and "form_post" response mode (nonce is also sent and exact redirect URI matching is done at the AS). The access token is never exposed in any URLs and access token injection is prevented by the at_hash claim in the id token. 
>>> 
>>> That seems to me like a legitimate and reasonable usage scenario. However, it would fall on the wrong side of the SHOULD NOT in Section 3.1.2 of the Security BCP-to-be, which has:
>>> 
>>>    In order to avoid these issues, clients SHOULD NOT use the implicit
>>>    grant (response type "token") or any other response type issuing
>>>    access tokens in the authorization response, such as "token id_token"
>>>    and "code token id_token", unless the issued access tokens are
>>>    sender-constrained and access token injection in the authorization
>>>    response is prevented.
>>> 
>>> I know this particular text has been discussed over and over again so I hate to revisit it. But based on the aforementioned scenario I think maybe it still doesn't quite hit the mark. Access token injection is prevented. The token leakage scenarios mentioned in that section are all avoided. And while I know sender-constrained is recommended elsewhere in the draft, it's not really a realistic option for the majority of deployments. 
>>> 
>>> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email