IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth 2.1 - recalling ROPC

Francis Pouatcha <fpo@adorsys.de> Wed, 13 May 2020 03:16 UTC

Return-Path: <fpo@adorsys.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 596363A07B6 for <oauth@ietfa.amsl.com>; Tue, 12 May 2020 20:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y-2WEjt0IPpJ for <oauth@ietfa.amsl.com>; Tue, 12 May 2020 20:15:58 -0700 (PDT)
Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B79C63A0484 for <oauth@ietf.org>; Tue, 12 May 2020 20:15:57 -0700 (PDT)
Received: by mail-wm1-x331.google.com with SMTP id d207so7820029wmd.0 for <oauth@ietf.org>; Tue, 12 May 2020 20:15:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eAScNggKAIM6iwkhgY8la76TAuUgyWF2kuPT9BqPlyI=; b=e360xwIknfj2rgYRjGqzMUQF3UVZvB47gmO1H6tVM4Ev794/qqn1UchQuOYDg0Wqhb ZutpwK0YlNYmvbjySN1RMWW/+laHwTXkV3IYxxchK1LHlnnW6DCH49nXcdjLmOvo055W hwDdmUpUl6LfDIWdqNZmoeRHY6HUZKAZxMzTc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eAScNggKAIM6iwkhgY8la76TAuUgyWF2kuPT9BqPlyI=; b=ESPOHIaYzrGrf2ibZQgTa53cmPOtOS/AthHN4vQKqrJ5tVtf5YE3N5kXMNCuLzjefI 63J4tFKiOozYCxu1N6YnStrdqR5eVHuoS8TQVFd3i8LZwtpuF9KdkKhoy3u1pTbcB3zL Pzdc1QkcdtB/1aHe/1eBjFCSWY+TW9r0dQZSFBZddocONG+EIJVvXWn7q/JFbRkHVAOy G2TY0XIO5WdE0mD55P65DKS5ZOz+X/QJAlNPs9RjtttIQBiGvwBTsQ8zjLh7YF5PwLjS HZueCsYUfqw7lFDhiiaNm93UdsQgwFjSZL2mjp4VDUb8pavjddIZY1tRmAHzXLTVktnk 082A==
X-Gm-Message-State: AOAM5331Phcc4Megs6oTtttnrqd1DKm0ecBy6FLSJpgyXzsoGL0q84uS 22BC/88YpEhXilWopcucIB/zEMarPhtcIfxohS/ZpLLa2F67yw==
X-Google-Smtp-Source: ABdhPJxCPnc5jP5yJUnJavalQ/NWj34RVnmKT30a8+20AKgtNrOwH5W6DnedSS4+MIaaSTU2JmtNP+SgVkrbyZLzRdo=
X-Received: by 2002:a1c:5985:: with SMTP id n127mr684436wmb.64.1589339755782; Tue, 12 May 2020 20:15:55 -0700 (PDT)
MIME-Version: 1.0
References: <CAOW4vyNY768vqFtxxHXNd2u+VXFoiW=+BG+AJNW0Ee9H13V3zQ@mail.gmail.com> <77C31557-E3C3-4A02-9579-DEFB2CD5A683@manicode.com> <CAOW4vyM3Vi4eHCCn1x5-0K0S8pP5qtpTByNYS4DP8EaSqiWn5Q@mail.gmail.com> <CAGBSGjrhRpKaG9UdLy+OphSYwPAK7d=kVJNRkkdDV=HHjKMynQ@mail.gmail.com> <94617b561b934791933f171f5baa51cb@novatec-gmbh.de>
In-Reply-To: <94617b561b934791933f171f5baa51cb@novatec-gmbh.de>
From: Francis Pouatcha <fpo@adorsys.de>
Date: Tue, 12 May 2020 23:15:44 -0400
Message-ID: <CAOW4vyOQM5QutZScJ619pYLV3bKhtu1zT55QXgtNmA4drAUJwQ@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000923c0305a57eff3a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RgAvJrNG8KuFK-ccD33La3lpD6g>
Subject: Re: [OAUTH-WG] OAuth 2.1 - recalling ROPC
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2020 03:16:00 -0000

The draft  draft-parecki-oauth-v2-1-02 mentions in the abstract:
"This specification replaces and obsoletes the OAuth 2.0
Authorization Framework described in RFC 6749."  Believe me we will witness
a lot of client calls asking for the replacement of ROPC  flows.

There is no way we can omit ROPC without providing an equivalent
alternative (From the perspective of simplicity). Even with the exact match
of redirect-uri included in oAuth-2.1, there is still a lot of hazard
associated with redirection on a user controlled device. The security BCP
(draft-ietf-oauth-security-topics-15) is still far from covering all use
cases as there are too many parameters involved in the redirection thread
models, as redirect-uri travel  through client devices, as client device
operating system decides which url get forwarded to which user agent, as
user default web browser might change in the course of a redirection flow,
...

The only really secure relationship between a user agent and a server is a
one  time established connection in which the user (RO) in control of
that user agent instance can prove ownership of some credentials without
leaving the context of the loaded application loaded by that user agent. In
oAuth2.0 this behavior is only guaranteed by the ROPC flow (Client
credential flow not being considered an end user flow). Each flow requiring
redirection leads to offloading and reloading of the application context of
the resource owner in the target user agent. User device configuration
might lead to reload in a different user agent leading to more confusion.

RFC8628 does not solve the problem. Once again, it is essential to
distinguish between an oAuth Client and a resource owner (RO). Resource
owner authorization flows can not be replaced by oAuth client
authorizations flows. Even if the oAuth Client runs on the user devices. It
is essential from AS to distinguish between client credentials  and
resource owner credentials, else we will break a lot of authorization
models out there.

As we do not have an equivalent alternative for ROPC, we have to raise the
attention of  implementers by mentioning that ROPC  must only be used if
AS / oAuth Client can guarantee security of the RO credentials exposed to
the oAuth Client. Without this, oAuth2.1 can not be a replacement of
oAuth2.0 but just a security BCP.

Related Topic:
We can have a better theoretical analysis of redirection thread models, if
oAuth2.1 includes draft-ietf-oauth-par-01. As this will solidify
redirection based approaches by limiting the quantity of information pushed
by oAuth Client over client devices to AS.

The oAuth2.1 as presented now is still not secure enough to replace
oAuth2.0-ROPX and not secure enough to be accepted in some critical
environments. In order to increase acceptance:
- Include ROPC  with provision/warning on sharing RO password with oAuth
Client.
- Include PAR to solidify redirection based flow.

On Tue, May 12, 2020 at 3:50 PM Falk Andreas <Andreas.Falk@novatec-gmbh.de>
wrote:

> > Keep in mind that while the Security BCP explicitly forbids the use of
> the Password grant in OAuth 2.0, technically OAuth 2.1 just never includes
> it in the first place. Subtle difference.
>
>
> As RFC 6749 clearly targets third-party applications, ROPC never has been
> a good fit.  It always felt like a bad workaround just for legacy
> applications.
>
>
> I am primarily looking at OAuth 2.1 from a developer's perspective.
> Unfortunately, developers often look for a shortcut and the easiest way to
> implement a required use case.
>
> You can find many entries on StackOverflow directing developers to use
> ROPC instead of a "complicated" redirection flow.
>
> Frameworks like Spring Security or Angular clearly follow a "secure by
> default" approach, this may also be a good direction to follow in future
> specifications.
>
>
> As Jim already pointed out, I also consider the ROPC being an
> authentication flow (for trusted first-party applications) and this use
> case is covered by OIDC.
>
>
> Same as for PKCE an AS may still provide ROPC in an OAuth 2.0
> compatibility mode to not break existing apps.
>
>
> That is why I support OAuth 2.1 omitting ROPC.
>
>
> Andreas Falk
>
> ------------------------------
> *From:* OAuth <oauth-bounces@ietf.org> on behalf of Aaron Parecki <
> aaron@parecki.com>
> *Sent:* 12 May 2020 20:19
> *To:* Francis Pouatcha
> *Cc:* OAuth WG
> *Subject:* Re: [OAUTH-WG] OAuth 2.1 - recalling ROPC
>
> > We are not talking about ROPC mandating  OAuth2, but about OAuth-2.1
> forbidding the user of ROPC.
>
> Keep in mind that while the Security BCP explicitly forbids the use of the
> Password grant in OAuth 2.0, technically OAuth 2.1 just never includes it
> in the first place. Subtle difference.
>
> Aaron Parecki
>
>
> On Tue, May 12, 2020 at 10:23 AM Francis Pouatcha <fpo=
> 40adorsys.de@dmarc.ietf.org> wrote:
>
>>
>>
>> On Tue, May 12, 2020 at 9:50 AM Jim Manico <jim@manicode.com> wrote:
>>
>>> Forgive me if this question is late or poor context, but wouldn’t OIDC
>>> be a better replacement for ROPC since it’s essentially a authentication
>>> flow?
>>>
>>> What use case for ROPC mandates OAuth2 over OIDC?
>>>
>> We are not talking about ROPC mandating  OAuth2, but about OAuth-2.1
>> forbidding the user of ROPC.
>>
>>
>>> --
>>> Jim Manico
>>> @Manicode
>>>
>>> On May 11, 2020, at 11:00 PM, Francis Pouatcha <fpo=
>>> 40adorsys.de@dmarc.ietf.org> wrote:
>>>
>>> 
>>> I am against OAuth 2.1 discarding the use of ROPC (Resource Owner
>>> Password Credentials) with the following reasoning:
>>>
>>> Auth Code Grant:
>>> There are  many use cases on the market where redirection based flows do
>>> not work.. As  we see in the "OAuth 2.1 - require PKCE?" thread, the
>>> complexity of user agents on non controllable client devices still make
>>> user agent redirection a challenge.
>>>
>>> Client Credentials Grant:
>>> Requires the registration of an oAuth client.
>>> - Citing the iot device use cases Beena which do not have a comfortable
>>> way to have iot devices register with AS.
>>> - This is a registration flow for the oAuth client role  and for the RO
>>> (Resource Owner). Remember resource owner credentials might be sourced from
>>> system external to the AS  like company's LDAP. oAuth Client Credentials
>>> are generally managed by the AS.
>>> For these reasons, we shall not use Client Credential Grant to manage RO
>>> authorization.
>>>
>>> ROPC:
>>> Having an oAuth Client proxy the auth request of the RO to the AS only
>>> presents a security risk if the oAuth Client is a third party application.
>>> Therefore, the decision on whether to accept ROPC for a specified client
>>> shall be left to the AS. Discarding this use case will take a lot of
>>> business from oAuth servers back to the old market.
>>>
>>> Beside this, I mentioned in my previous post that there are use cases in
>>> the market where permanent passwords are replaced with one time passwords.
>>>
>>> A lot of work is also being done in the direction of having the RO send
>>> signed proof of ownership to the AS through the ROPC  flow using the
>>> password field.
>>>
>>> Therefore, I am ok with raising the attention of  implementers the same
>>> way we are doing with PKCE,  mentioning that ROPC  must only be used if  AS
>>> / oAuth Client can guarantee security of the RO credentials exposed to the
>>> oAuth Client.
>>>
>>> /Francis
>>> --
>>> Francis Pouatcha
>>> Co-Founder and Technical Lead at adorys
>>> https://adorsys-platform.de/solutions/
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>> --
>> Francis Pouatcha
>> Co-Founder and Technical Lead at adorys
>> https://adorsys-platform.de/solutions/
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

-- 
Francis Pouatcha
Co-Founder and Technical Lead at adorys
https://adorsys-platform.de/solutions/

v2.23.0 | Report a Bug | By Email