IETF Logo Mail Archive

Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt

"Richer, Justin P." <jricher@mitre.org> Thu, 30 May 2013 15:25 UTC

Return-Path: <jricher@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7D8121F8681 for <oauth@ietfa.amsl.com>; Thu, 30 May 2013 08:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.426
X-Spam-Level:
X-Spam-Status: No, score=-6.426 tagged_above=-999 required=5 tests=[AWL=0.173, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qH0s2r3vJHxK for <oauth@ietfa.amsl.com>; Thu, 30 May 2013 08:25:27 -0700 (PDT)
Received: from smtpksrv1.mitre.org (smtpksrv1.mitre.org [198.49.146.77]) by ietfa.amsl.com (Postfix) with ESMTP id 976D021F8A74 for <oauth@ietf.org>; Thu, 30 May 2013 08:25:25 -0700 (PDT)
Received: from smtpksrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 394361F02A2; Thu, 30 May 2013 11:25:24 -0400 (EDT)
Received: from IMCCAS01.MITRE.ORG (imccas01.mitre.org [129.83.29.78]) by smtpksrv1.mitre.org (Postfix) with ESMTP id 2E2D21F0373; Thu, 30 May 2013 11:25:24 -0400 (EDT)
Received: from IMCMBX01.MITRE.ORG ([169.254.1.137]) by IMCCAS01.MITRE.ORG ([129.83.29.68]) with mapi id 14.02.0342.003; Thu, 30 May 2013 11:25:23 -0400
From: "Richer, Justin P." <jricher@mitre.org>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Thread-Topic: review comments on draft-ietf-oauth-dyn-reg-11.txt
Thread-Index: AQHOXSFKoUPHFo+jJEeuqil8woB+1Jkd179qgABE2QA=
Date: Thu, 30 May 2013 15:25:23 +0000
Message-ID: <83063673-83F0-4A9C-8A01-F39616559E73@mitre.org>
References: <20130524203638.25945.84709.idtracker@ietfa.amsl.com> <5071FA1C-F6F7-43AD-9EDC-13B0D480F97A@mitre.org> <51A3AE0B.1020802@lodderstedt.net> <51A4BF27.50800@mitre.org> <51A72B3E.9050300@lodderstedt.net> <51A76052.6040004@mitre.org> <0a43da90-d30c-43e9-830e-7a26ff31d065@email.android.com>
In-Reply-To: <0a43da90-d30c-43e9-830e-7a26ff31d065@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.31.9.108]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <F5FA8A2D1BA29B459CF139CC51E75EDD@imc.mitre.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review comments on draft-ietf-oauth-dyn-reg-11.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 May 2013 15:25:35 -0000

On May 30, 2013, at 11:18 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

> Hi Justin,
> 
> see below :-)
> 
> Justin Richer <jricher@mitre.org> schrieb:
> 
>> Torsten, thanks -- responses inline.
>> 
>> On 05/30/2013 06:34 AM, Torsten Lodderstedt wrote:
>>> Hi Justin,
>>> 
>>> comments inline.
>>> 
>>>>> 
>>>>> section 1.4
>>>>> 
>>>>> How is the client supposed to identify/distinguish authorization 
>>>>> servers? Based on the Client Registration Endpoint URI? 
>>>>> Authorization server identification is necessary in order to map 
>>>>> client_ids to authorization servers for clients, which are
>> connected 
>>>>> to multiple authorization servers.
>>>> That's a great question -- but I think it's entirely dependent on
>> how 
>>>> discovery and configuration is set up for a client, which is 
>>>> ultimately orthogonal to registration. The way that I've implemented
>> 
>>>> it in our client is based on the OpenID Connect discovery process, 
>>>> which bases everything in the server's configuration off of an 
>>>> "issuer" URL. It would be easy enough to point out here that 
>>>> discovery and differentiation of different servers is out of scope.
>>> 
>>> At least this should be pointed out. I would rather prefer a 
>>> definition how to relate client_id and authz server.
>>> 
>>> I don't think your solution can be generalized for generic OAuth
>> since 
>>> the issuer is only known to OpenID Connect clients. In my opinion, a 
>>> simple, generic concept could be based on the authorization server's 
>>> client registration URL. A more sophisticated approach would be to 
>>> introduce authorization server meta data discovery (as a subset of 
>>> 
>> http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata),
>> 
>>> which might contain an OAuth authz server id.
>> 
>> I'm not comfortable with specifying a discovery or server 
>> differentiation method, but we can at least point out that the means by
>> 
>> which the client differentiates servers is out of scope.
> 
> OK, wfm.
> 
>>>>> section 1.4.1 f
>>>>> 
>>>>> Why does the client secret expire while the access token ist still 
>>>>> valid? Secret and token are stored at the same
>>>>> locations so an attacker may obtain both at once.
>>>> Secrets are used at the token endpoint, so the attack surface is 
>>>> slightly different. Since you can only use the registration access 
>>>> token at the registration endpoint, you can use it to rotate your 
>>>> other credentials.
>>> 
>>> I understand the mechanism. I don't see the benefit given the
>> _slight_ 
>>> difference in attack surface. In my opinion, the only difference
>> might 
>>> be on the server side, between HTTPS termination and actual endpoint 
>>> business logic. So it might limit the impact if an attacker, for 
>>> example, obtains client secrets from server log files. Is this threat
>> 
>>> worth to use different credentials with different lifecycles?
>> 
>> That's getting into a different question, the question of the utility
>> of 
>> the registration access token. We need that because not all clients
>> have 
>> a client_secret (some just don't have any authn, some will use signing 
>> or assertions), among other reasons talked about in section 1.3. The 
>> fact that their lifecycles are independent simply stems from the fact 
>> that they're separate credentials, and that it's more likely desirable 
>> to have the client_secret expire in the real world. Also, note that you
>> 
>> don't have to expire either of them. Or you can expire both of them at 
>> the same time but have some way to keep an expired credential around
>> for 
>> one-last-refresh-call or something, you can do that.
> 
> I understand. After thinking about it again I think it makes sense to have different credentials in order to keep client mgnt and the OAuth flow independent.
> 
>>>>> "token_endpoint_auth_method"
>>>>> What is the use case for dynamic registration of public clients? In
>> 
>>>>> my opinion, public clients exist because OAuth 2.0 core does not 
>>>>> provided a mechanism to provision secrets to the different
>> instances 
>>>>> of an installed/native app. Dynamic registration closes this gap,
>> so 
>>>>> any installed app may retrieve a distinct secret.
>>>> 
>>>> This gap-closing is true for some classes of client that used to
>> have 
>>>> to be public, like many native apps. But there are still clients
>> that 
>>>> have no use for a client secret, like in-browser clients that use
>> the 
>>>> implicit flow. Now if these clients are also talking to multiple
>> auth 
>>>> servers, they'll each need a client_id at the auth server (because 
>>>> there's no practical way to publish a "public" client ID to *all* 
>>>> auth servers). A discussion in the security considerations about the
>> 
>>>> limitations and usefulness of this use case is probably worthwhile, 
>>>> so I'll make a note to do that.
>>> 
>>> yes, clients using the implicit grant need a way to register. But
>> they 
>>> don't use the token endpoint. As this is about token endpoint 
>>> authentication, I still don't see the need to have a "none" method
>> there.
>> 
>> The "none" method is needed because without it, a server will grant
>> (and 
>> expect) a client_secret from a client that has no business having one 
>> (and no need for one).
> 
> So you are saying this parameter is used to distinguish public and confidential clients?

Yes, that's one key way that it can be used. On the grand scale, this parameter just says what kind of authn credential the client is using. In core OAuth, the only real distinction is "it has one or not", which is the difference between a public and confidential client. This parameter lets you make that distinction as well as going deeper.

> 
>> 
>>> 
>>>> 
>>>>> 
>>>>> "client_secret_post vs client_secret_basic"
>>>>> BASIC and POST are essentially the same just different ways to send
>> 
>>>>> the client secret. If an authorization server supports both, both 
>>>>> should work for any client. So are both methods treated
>> differently?
>>>> I agree, and this was one of my original arguments for making this 
>>>> field plural (or plural-able), but there hasn't been WG support for 
>>>> that so far.
>>> 
>>> I'm not arguing to make it plural. I think the authentication method 
>>> is just "client_secret".
>> 
>> That was also an option that was brought up, but in the OIDC WG the 
>> counter-argument was (as I recall) that the two are syntactically 
>> separate and there's a desire to restrict to a single type, such as 
>> disabling client_secret_post. Basically, to make it unambiguous.
> 
> Ok. 
> 
> Best regards,
> Torsten.
> 
>> 
>>> 
>>>> 
>>>>> 
>>>>> "jwks_uri"
>>>>> What is this data used for? the OAuth JWT Bearer Token Profiles?
>>>> 
>>>> That's one, but it's really for any higher-level protocol that uses 
>>>> signing and encryption. There are several out there that are using 
>>>> JOSE on top of OAuth to do things, so we felt it was worthwhile to 
>>>> have one standard place to have the client say "here's my public
>> key".
>>> 
>>> ok, understood.
>>> 
>>> best regards,
>>> Torsten.
>>>> 
>>>> -- Justin
>>>> 
>>>>> 
>>>>> best regards,
>>>>> Torsten.
>>>>> 
>>>>> Am 24.05.2013 23:10, schrieb Richer, Justin P.:
>>>>>> New Dynamic Registration draft is published, incorporating much of
>> 
>>>>>> the discussion from the group this week.
>>>>>> 
>>>>>> Some normative changes that should have minimal impact:
>>>>>>  - "expires_at" is now "client_secret_expires_at"
>>>>>>  - "issued_at" is now "client_id_issued_at"
>>>>>>  - creation of an IANA registry for token_endpoint_auth_method
>>>>>>  - removal of two underdefined values from 
>>>>>> token_endpoint_auth_method (client_secret_jwt and
>> private_key_jwt), 
>>>>>> these are now defined in an extension (OpenID Connect
>> Registration)
>>>>>> 
>>>>>> And several editorial changes:
>>>>>> 
>>>>>>  - new "client lifecycle" section that describes how different 
>>>>>> kinds of clients can use the dynamic registration protocol, how a 
>>>>>> client's credentials get refreshed, and the relationship between 
>>>>>> the Client Identifier and the Client software
>>>>>>  - new "registration tokens and credentials" section describing 
>>>>>> the different kinds of tokens and credentials used in the 
>>>>>> registration process, what they're for, and why they're all
>> separate
>>>>>>  - clarified the definitions of several fields like policy_uri
>> and 
>>>>>> tos_uri
>>>>>> 
>>>>>> Thanks for all the great feedback, and please keep the
>> constructive 
>>>>>> commentary coming!
>>>>>>  -- Justin
>>>>>> 
>>>>>> On May 24, 2013, at 4:36 PM, <internet-drafts@ietf.org>
>>>>>>  wrote:
>>>>>> 
>>>>>>> A New Internet-Draft is available from the on-line
>> Internet-Drafts 
>>>>>>> directories.
>>>>>>> This draft is a work item of the Web Authorization Protocol 
>>>>>>> Working Group of the IETF.
>>>>>>> 
>>>>>>>    Title           : OAuth 2.0 Dynamic Client Registration
>> Protocol
>>>>>>>    Author(s)       : Justin Richer
>>>>>>>                          John Bradley
>>>>>>>                          Michael B. Jones
>>>>>>>                          Maciej Machulak
>>>>>>>    Filename        : draft-ietf-oauth-dyn-reg-11.txt
>>>>>>>    Pages           : 34
>>>>>>>    Date            : 2013-05-24
>>>>>>> 
>>>>>>> Abstract:
>>>>>>>   This specification defines an endpoint and protocol for
>> dynamic
>>>>>>>   registration of OAuth 2.0 Clients at an Authorization Server
>> and
>>>>>>>   methods for the dynamically registered client to manage its
>>>>>>>   registration.
>>>>>>> 
>>>>>>> 
>>>>>>> The IETF datatracker status page for this draft is:
>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg
>>>>>>> 
>>>>>>> There's also a htmlized version available at:
>>>>>>> http://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-11
>>>>>>> 
>>>>>>> A diff from the previous version is available at:
>>>>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dyn-reg-11
>>>>>>> 
>>>>>>> 
>>>>>>> Internet-Drafts are also available by anonymous FTP at:
>>>>>>> ftp://ftp.ietf.org/internet-drafts/
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>> _______________________________________________
>>>>>> OAuth mailing list
>>>>>> OAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> 
>>>> 
>>> 
>

v2.23.0 | Report a Bug | By Email