Re: [OAUTH-WG] [EXTERNAL] Re: OAuth 2.0 DPoP for the Implicit Flow

Mike Jones <Michael.Jones@microsoft.com> Tue, 10 March 2020 16:03 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Aaron Parecki <aaron@parecki.com>, Justin Richer <jricher@mit.edu>
CC: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 10 Mar 2020 16:03:43 +0000
Message-ID: <MN2PR00MB068682FC0F307BE5AAFAD40EF5FF0@MN2PR00MB0686.namprd00.prod.outlook.com>
References: <CH2PR00MB06784BE1BB83918ABC652C7AF5FF0@CH2PR00MB0678.namprd00.prod.outlook.com> <CAGL6ep+tgKaW=-rXCMk_8HXXNGWYT3sN7GRqY=x4VUW=Qzc+sg@mail.gmail.com> <CC7A1291-553D-4487-BA33-442C482A5D21@mit.edu> <CAGBSGjpupNnLdOHNO_SLrBL6a_PUe=vTpZgN7Lv1QY03H1q6jA@mail.gmail.com>
In-Reply-To: <CAGBSGjpupNnLdOHNO_SLrBL6a_PUe=vTpZgN7Lv1QY03H1q6jA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TIvs-q4qTN0X3bBEyaKySMNsqII>

Answering Rifaat’s question, per Brian’s comment https://github.com/danielfett/draft-dpop/issues/37#issuecomment-534192398, at IETF 105 there was consensus to at least initially do this work in a separate draft.

                                                       -- Mike

From: Aaron Parecki <aaron@parecki.com>
Sent: Tuesday, March 10, 2020 6:47 AM
To: Justin Richer <jricher@mit.edu>
Cc: Mike Jones <Michael.Jones@microsoft.com>; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>; oauth@ietf.org
Subject: [EXTERNAL] Re: [OAUTH-WG] OAuth 2.0 DPoP for the Implicit Flow

This is my sentiment as well, I would not support this text being added to the DPoP draft.

Aaron



On Tue, Mar 10, 2020 at 6:35 AM Justin Richer <jricher@mit.edu> wrote:
I for one appreciate it being a separate draft as I don’t agree with this solution but do think we should move forward with DPoP.

 — Justin


On Mar 10, 2020, at 6:40 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote:

Mike,

What was the reason for creating a separate draft for this?
Why cannot this be folded into the existing DPoP draft?

Regards,
 Rifaat


On Mon, Mar 9, 2020 at 8:12 PM Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
As I previously described (https://self-issued.info/?p=1967), members of the OAuth working group have developed a simplified approach to providing application-level proof-of-possession protections for OAuth 2.0 access tokens and refresh tokens.  This approach is called OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP).  Among other benefits, it does not require a complicated and error-prone procedure for signing HTTP requests, as some past approaches have.

However, the DPoP specification to date has assumed that the client is using the OAuth authorization code flow.  As promised at the last IETF meeting, we’ve now published a simple companion specification that describes how DPoP can be used with the OAuth implicit flow – in which access tokens are returned directly from the authorization endpoint.  The specification is mercifully brief because very little had to be added to supplement the existing DPoP spec to enable use of DPoP with the implicit flow.  Thanks to Brian Campbell and John Bradley for whiteboarding this solution with me.

Finally, in a related development, it was decided during the OAuth virtual interim meeting today to call for working group adoption of the core DPoP draft.  That’s an important step on the journey towards making it a standard.

The specification is available at:

  *   https://tools.ietf.org/html/draft-jones-oauth-dpop-implicit-00

An HTML-formatted version is also available at:

  *   https://self-issued.info/docs/draft-jones-oauth-dpop-implicit-00.html

                                                       -- Mike

P.S.  This notice was also posted at https://self-issued.info/?p=2063 and as @selfissued (https://twitter.com/selfissued).

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
--
----
Aaron Parecki
aaronparecki.com (http://aaronparecki.com)
@aaronpk (http://twitter.com/aaronpk)