IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Filip Skokan <panva.ip@gmail.com> Tue, 15 January 2019 09:30 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A25F0130E2B for <oauth@ietfa.amsl.com>; Tue, 15 Jan 2019 01:30:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JSS9gDr7BNK8 for <oauth@ietfa.amsl.com>; Tue, 15 Jan 2019 01:30:47 -0800 (PST)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com [IPv6:2607:f8b0:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE028130DEA for <oauth@ietf.org>; Tue, 15 Jan 2019 01:30:46 -0800 (PST)
Received: by mail-ot1-x32f.google.com with SMTP id i20so1920284otl.0 for <oauth@ietf.org>; Tue, 15 Jan 2019 01:30:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ge4iKDCSq5twaJcX4qiO8uhPpAug9w1KZrKd8vXndog=; b=rDV+6xRgRUa3gkgp1Eu8oaVhG+beTaDRulIkMxClx4rVFxGh5D0+F+JnNsq2XBKssd zDVTuhXamQDOswx3DRmWteNCY+Tu5vkPrDn9eUFeHSFB/pXoSkgR7WXKNspKZ/mk0SUZ Sng0F4IsbXQLxaJ2KnB+P1q9FBMuXgwNpn2qvSj6OZFLZFbpeEW1ni2GqsLNAIz8txGZ 6Tjv91uQh8qslXRoODU+DK+Tfy4M/Xb0tHLBv5y6D4Yhrf1hpXJGSQCH083+XJ3uqeb5 a8SNzxzgxOMrF/xOqJj5GC+mzho84hxHfl01cH2jpYUv4gWTEancrOUC4w7Jf4mNZH5i 71UA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ge4iKDCSq5twaJcX4qiO8uhPpAug9w1KZrKd8vXndog=; b=ZZUuhCILRuWuolGA7fINdxQBVFiI4aHUresQ+AXjPOSKuQRJdEltw18Ah28EZDPa7n D/zjSujWc0vgXHowTd4Sogu83t/pvs5shgbK0hiQnEv8IuK4j4ecOMGU/x7AtEHwl+GH xO1lPV4CYVbjuNYctUFRLKiOhvrqI+e0c/te9yvy/dR4DXn8j1DwYgTYZxtSbVZtGSgx VP6uK1OPrsqGFtzkjTT3DHAQAvx/aa0LWpVdywtyM47xztLMQIwz+N4zfDk8GDesaRrE MMV2FSmWTWT5k1ruSkJEwp8i1P5z0cTjPUNvNQCJRQGrxJgDmdcHueJj6UKbt32tywnP 1coA==
X-Gm-Message-State: AJcUukcfZ+oM9hr0auH4AD6mJuwwj7ffSHWUNitLB/ycMmyCCPRczy2F g8WZwupMyc0uYUNmWTdLFnll1UudQsu9ABR5ZnEojuw=
X-Google-Smtp-Source: ALg8bN5W+z+UVTV880USNP23M4p5RKyugSU4kBHeNq8wE6RSZyLeVdcboebjrSJSMT9qg0wjixyWK8MWjxEoFOVwu6M=
X-Received: by 2002:a9d:1c97:: with SMTP id l23mr1841343ota.276.1547544645944; Tue, 15 Jan 2019 01:30:45 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <548FF68E-7775-4FE0-829F-1E9CC6EA8E3F@alkaline-solutions.com> <1119DDAE-8044-43C9-A6D4-6032B3BB62B8@forgerock.com> <9D007408-3BCC-4165-BCA4-083BD7602E7D@alkaline-solutions.com> <CA+k3eCQi1sz2bDOMEATpN9ZvXd+VJydQXG03WKuLczG5kz2z+Q@mail.gmail.com> <CAP-T6TTD-nLGoPHqJ042SzotLorb2mzoWgLxsausWHhRPZr8xA@mail.gmail.com>
In-Reply-To: <CAP-T6TTD-nLGoPHqJ042SzotLorb2mzoWgLxsausWHhRPZr8xA@mail.gmail.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Tue, 15 Jan 2019 10:30:34 +0100
Message-ID: <CALAqi_8CoYiy04eEKnWD=mjhRoB+y8nN8qeKre3Zcp5rAHxpMA@mail.gmail.com>
To: Dave Tonge <dave.tonge@momentumft.co.uk>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e54ba8057f7bd0f1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R5by-aA7fSNg87jYWRWJOROyv0c>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jan 2019 09:30:53 -0000

I'm in favour of both 307 and metadata.

   - case 307 - I don't recall ever encountering an http client software
   that wouldn't have an option for following redirects, same for a server
   side frameworks not having the option to do a 307 response with a location
   header.
   - case 307 - Relying purely on a new metadata doesn't help in the
   scenario David put forth earlier about clients not being aware of using
   mtls, a device policy of sorts.
   - case metadata - no second request if the client knows there's an mtls
   endpoint it should use.

Maybe we should specify both as optional for an AS to deploy and a client
to be ready for?

S pozdravem,
*Filip Skokan*


On Tue, Jan 15, 2019 at 10:05 AM Dave Tonge <dave.tonge@momentumft.co.uk>
wrote:

> I'm in favour of the `mtls_endpoints` metadata parameter - although it
> should be optional.
> While a 307 redirect seems kind of elegant I worry, like you,  that not
> all clients would handle it appropriately.
> There would probably need to be an error defined for clients who attempt
> to use `tls_client_auth` at the regular endpoint.
>
> Dave
>
> On Mon, 14 Jan 2019 at 22:29, Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> Trying to summarize things somewhat here and focus in hopefully towards
>> some decision. There's basically an idea on the table to add an AS metadata
>> parameter to the draft-ietf-oauth-mtls doc that would be a JSON object
>> which contains endpoints that a client doing MTLS would use rather than the
>> regular endpoints. A straw-man example might look like this (with
>> mtls_endpoints being that new parameter).
>>
>> {
>>   "issuer":"https://server.example.com",
>>   "authorization_endpoint":"https://server.example.com/authz",
>>   "token_endpoint":"https://server.example.com/token",
>>   "token_endpoint_auth_methods_supported":[
>> "client_secret_basic","tls_client_auth", "none"],
>>   "userinfo_endpoint":"https://server.example.com/userinfo",
>>   "revocation_endpoint":"https://server.example.com/revo",
>>   "jwks_uri":"https://server.example.com/jwks.json",
>>
>>
>>
>>
>> *  "mtls_endpoints":{
>> "token_endpoint":"https://mtls.example.com/token
>> <https://mtls.example.com/token>",    "userinfo_endpoint":"https://mtls
>> <https://server.example.com/token>.example.com/userinfo
>> <http://example.com/userinfo>",    "revocation_endpoint":"https://mtls
>> <https://server.example.com/token>..example.com/revo
>> <http://example.com/revo>"  }*
>> }
>>
>> The idea behind this is that "regular" clients (those not doing MTLS)
>> will use the regular endpoints. And only the host/port of the endpoints
>> listed in mtls_endpoints will be set up to request TLS client certificates
>> during handshake.. Thus any potential impact of the CertificateRequest
>> message being sent in the TLS handshake can be avoided for all the other
>> regular clients that are not going to do MTLS - including and most
>> importantly in-browser javascript clients where there can be less than
>> desirable UI presented to the end-user.
>>
>> The arguments in favor of that seem to be basically that it allows for AS
>> deployments to support MTLS while still allowing for a "not broken" UX for
>> end-users of clients (in-browser javascript clients) that aren't doing
>> MTLS. And that it's not much in terms of adding to the spec and complexity
>> of implementations.
>>
>> The arguments against it seem to be 1) the bad UX isn't really that bad
>> and/or will only happen to a subset of users 2) there are other things that
>> can be done, such as 307ing or renegotiation/post-handshake client auth, to
>> avoid the bad UX.
>>
>> Speaking for myself, I'm kinda torn on it.
>>
>> I will say that, in addition to the folks that have pointed out that
>> renegotiation just isn't possible in some cases, my experience trying to do
>> something like that in the past was not particularly successful or
>> encouraging. That could have been my fault, of course, but still seems a
>> relevant data point. I also have my doubts about the actual difficulty of
>> getting an AS to issue a 307 like response for requests based on the
>> calling client and the likelihood that some/all OAuth client software would
>> handle it appropriately.
>>
>>
>> On Fri, Jan 11, 2019 at 12:32 PM David Waite <
>> david@alkaline-solutions.com> wrote:
>>
>>>
>>>
>>> > On Jan 11, 2019, at 3:32 AM, Neil Madden <neil.madden@forgerock.com>
>>> wrote:
>>> >
>>> > On 9 Jan 2019, at 05:54, David Waite <david@alkaline-solutions.com>
>>> wrote:
>>> >>
>>> >>> On Dec 28, 2018, at 3:55 PM, Brian Campbell <bcampbell=
>>> 40pingidentity.com@dmarc.ietf.org> wrote:
>>> >>>
>>> >> <snip>
>>> >>
>>> >>> All of that is meant as an explanation of sorts to say that I think
>>> that things are actually okay enough as is and that I'd like to retract the
>>> proposal I'd previously made about the MTLS draft introducing a new AS
>>> metadata parameter. It is admittedly interesting (ironic?) that Neil sent a
>>> message in support of the proposal as I was writing this. It did give me
>>> pause but ultimately didn't change my opinion that it's not worth it to add
>>> this new AS metadata parameter.
>>> >>
>>> >> Note that the AS could make a decision based on the token endpoint
>>> request - such as a policy associated with the “client_id”, or via a
>>> parameter in the ilk of “client_assertion_type” indicating MTLS was desired
>>> by this public client installation. The AS could then to TLS 1.2
>>> renegotiation, 1.3 post-handshake client authentication, or even use 307
>>> temporary redirects to another token endpoint to perform mutual
>>> authentication.
>>> >
>>> > Renegotiation is an intriguing option, but it has some practical
>>> difficulties. Our AS product runs in a Java servlet container, where it is
>>> pretty much impossible to dynamically trigger renegotiation without
>>> accessing private internal APIs of the container. I also don’t know how you
>>> could coordinate this in the common scenario where TLS is terminated at a
>>> load balancer/reverse proxy?
>>> >
>>> > A 307 redirect could work though as the server will know if the client
>>> either uses mTLS for client authentication or has indicated that it wants
>>> certificate-bound access tokens, so it can redirect to a mTLS-specific
>>> endpoint in those cases.
>>>
>>> Agreed. There are trade-offs for both. As you say, I don’t know a way to
>>> have say a custom error code or WWW-Authenticate challenge to trigger
>>> renegotiation on the reverse proxy - usually this is just a static,
>>> location-based directive.
>>>
>>> >
>>> >> Both the separate metadata url and a “client_assertion_type”-like
>>> indicator imply that the client has multiple forms of authentication and is
>>> choosing to use MTLS. The URL in particular I’m reluctant to add support
>>> for, because I see it more likely a client would use MTLS without knowing
>>> it (via a device-level policy being applied to a public web or native app)
>>> than the reverse, where a single client (represented by a single client_id)
>>> is dynamically picking between forms of authentication.
>>> >
>>> > That’s an interesting observation. Can you elaborate on the sorts of
>>> device policy you are talking about? I am aware of e.g. mobile device
>>> management being used to push client certificates to iOS devices, but I
>>> think these are only available in Safari.
>>>
>>> The primary use is to set policy to rely on device level management in
>>> controlled environments like enterprises when available. So an AS may try
>>> to detect a client certificate as an indicator of a managed device, use
>>> that to assume a device with certain device-level authentication, single
>>> user usage, remote wipe, etc. characteristics, and decide that it can
>>> reduce user authentication requirements and/or expose additional scopes.
>>>
>>> On more thought, this is typically done as part of the user agent
>>> hitting the authorization endpoint, as a separate native application may be
>>> interacting with the token endpoint, and in some operating systems the
>>> application’s network connections do not utilize (and may not have access
>>> to) the system certificate store.
>>>
>>> In terms of user agents, I believe you can perform similar behavior
>>> (managed systems using client certificates on user agents transparently) on
>>> macOS, Windows, Chrome, and Android devices, Chrome (outside iOS) typically
>>> inherits device level policy. Firefox on desktop I assume you can do that
>>> in limited fashion as well.
>>>
>>> -DW
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly
>> prohibited...  If you have received this communication in error, please
>> notify the sender immediately by e-mail and delete the message and any file
>> attachments from your computer. Thank you.*
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email