IETF Logo Mail Archive

Re: [OAUTH-WG] RAR 05 - Token response with sensitive data in draft-ietf-oauth-rar-05

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 04 September 2021 09:41 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CDAF3A0955 for <oauth@ietfa.amsl.com>; Sat, 4 Sep 2021 02:41:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZYRH-69QbFY for <oauth@ietfa.amsl.com>; Sat, 4 Sep 2021 02:41:13 -0700 (PDT)
Received: from mail-wr1-x433.google.com (mail-wr1-x433.google.com [IPv6:2a00:1450:4864:20::433]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 114C03A0953 for <oauth@ietf.org>; Sat, 4 Sep 2021 02:41:12 -0700 (PDT)
Received: by mail-wr1-x433.google.com with SMTP id n5so2057800wro.12 for <oauth@ietf.org>; Sat, 04 Sep 2021 02:41:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=MOZ/U4vJPy8yJo0b6dDyKcxPq9f/bgXd5PBg1/X9bY0=; b=dxHZFixNltlshtRdhfHqxjWzQMBUJ8WF0SuDNTKXngZLqJQi8xj/H2UppMQuZufQBi FYsChwh+cqTZSk2Op3EuaEuE9hVmunA+jSAB72nNotzXWfGxaXLMFFikSFAKyL1sAZb+ J00RgGs5MV2U1dDfSRjBu0q8xExdVygVwCLmFVi94hrykNtitkieTPGBQrwd9+icsh0k hU7BW6YCozrkwSDMXUcJOabsnfuTT3Ix3Sg5K/34gA8hb5IHn7efiU0InDQPtTMbMFxT DY5yPsmFwVGRd6bI5lEBd8JziATMPDTRBiHLgyoUJHVHqNh0hBM9yfve2erV2R3Y8b2s yOyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=MOZ/U4vJPy8yJo0b6dDyKcxPq9f/bgXd5PBg1/X9bY0=; b=f9PyLO6rgFlsDjT72OYs566Y0/mH/652gyDUSdmPvYYjKbsPWlqMRYZho/P/yePuMh /WkxHdTf0G4jdgzmxlk/FD8G9KST1zLk4NlrGOwipchXzaz7/iQHo4a/Sx9lfFK3PePi dTIYpnVGkEcUTKuK4q4RLdwiqQrTfePoyRZJQKf3+TYFlNAjRCjuMC6kqVVZsJ7lkOVu TJTB59bXMViyzj6gqxDsYno+Mx7u6KuhPpkA0ivwHxd2nobU4H1YGbkjYk9JhMwwrF4p P+uwG/sJ9XEfCl+VqN9pkESXmlVgKODtjNTVTuFjAL9+NelNIrgcW8zao1Abkh0DILgV NMGg==
X-Gm-Message-State: AOAM533Qp4bZHVmM0PU09qXKA/hf93vDdrY6WSY7gS7eor/lMwFuYTbm 6yoVEOm27C8Rkkp4hIXogiWFsSgSjdl4tA==
X-Google-Smtp-Source: ABdhPJziNDrTRw/Ve6wvZbg42LYxesvnuggqo9aVLPG1gYC2afg+f0gd9B1V4oTIHg+FsJEQxhMbeg==
X-Received: by 2002:adf:eb4c:: with SMTP id u12mr3232885wrn.111.1630748469119; Sat, 04 Sep 2021 02:41:09 -0700 (PDT)
Received: from smtpclient.apple (p4fc0815a.dip0.t-ipconnect.de. [79.192.129.90]) by smtp.gmail.com with ESMTPSA id t14sm1614913wmi.12.2021.09.04.02.41.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 04 Sep 2021 02:41:08 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail-2CEECCB1-59C4-48C9-A46F-3862996FAB7C"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Sat, 04 Sep 2021 11:41:06 +0200
Message-Id: <0C5C7579-2979-4B64-8163-BA254B07CFC1@lodderstedt.net>
References: <250c6a12d1ab42a4869a0a9689ad1625@oc11expo18.exchange.mit.edu>
Cc: oauth <oauth@ietf.org>, Justin Richer <jricher@mit.edu>
In-Reply-To: <250c6a12d1ab42a4869a0a9689ad1625@oc11expo18.exchange.mit.edu>
To: Jacob Ideskog <jacob.ideskog@curity.io>
X-Mailer: iPad Mail (18G82)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RmcPNVr8syHZ1CBF1UnT9jDOxnU>
Subject: Re: [OAUTH-WG] RAR 05 - Token response with sensitive data in draft-ietf-oauth-rar-05
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Sep 2021 09:41:19 -0000

The AS intentionally shares the list of accounts in the mentioned example with the client. The assumption is the client asks for access to some accounts and the user decides which accounts to grant the client access to. This means the AS is authorized by the user to share this data.

The privacy considerations section already has text about sharing data with resource servers. I suggest to add some text re data sharing with clients.

Would that work for you?

> Am 04.09.2021 um 03:12 schrieb Justin Richer <jricher@mit.edu>:
> 
> This is a fair point... The privacy and security considerations talk about this a bit as I recall, but likely need to in more depth and specificity. This is an intentional message channel to the client from the AS, but if the AS is blindly sending all information it might be saying more than it means to say to an entity that doesn't need that detail to function. Scopes have similar issues, but this structure adds more opportunities for mistakes just due to the possible increased complexity. 
> 
> -Justin
> ________________________________________
> From: OAuth [oauth-bounces@ietf.org] on behalf of Jacob Ideskog [jacob.ideskog@curity.io]
> Sent: Friday, September 3, 2021 10:42 AM
> To: oauth
> Subject: [OAUTH-WG] RAR 05 - Token response with sensitive data in draft-ietf-oauth-rar-05
> 
> Hi all,
> 
> I have a question about section 7.0 and 7.1 in draft-ietf-oauth-rar-05 that describes the token response.
> 
> The authorization_details values could be sensitive in their nature. The example in section 7.1 highlights this nicely. The accounts array is empty when the client requests it, but is enriched by the AS and returned to the client in the token response.
> 
> This means that the AS may leak potentially sensitive information to the client in a new place. Before this was only possible in the ID Token or UserInfo or if the AS returned a JWT as an access token which the client popped open (even though it shouldn't).
> 
> I understand that the spec considers this an option for the AS to enrich or not. I think the enrichment is good and necessary, but with the side-effect of it ending up in the token response it becomes an issue.
> 
> Is the token response a mirror of the authorization_details claim in the corresponding access token, or can it be a masked version?
> 
> Perhaps the security considerations section should be updated with a statement with regards to the fact that the client may see claim data only intended for the RS?
> 
> Regards
> Jacob Ideskog
> 
> 
> 
> --
> Jacob Ideskog
> CTO
> Curity AB
> -------------------------------------------------------------------
> Sankt Göransgatan 66, Stockholm, Sweden
> M: +46 70-2233664
> j<mailto:jacob@twobo.com>acob@curity.io<mailto:acob@curity.io>
> curity.io<https://www.google.com/url?q=http://curity.io&source=gmail-imap&ust=1631322760000000&usg=AOvVaw0O7NO5RiGVK6v1SxLCSz4k>
> -------------------------------------------------------------------
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/oauth&source=gmail-imap&ust=1631322760000000&usg=AOvVaw2Fa1GyOiE6a7mRCghwMI5J

v2.23.0 | Report a Bug | By Email