IETF Logo Mail Archive

[OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode

Brian Campbell <bcampbell@pingidentity.com> Fri, 27 December 2019 19:04 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10622120B4C for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 11:04:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q_I379eoUKil for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 11:03:59 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B4271208E0 for <oauth@ietf.org>; Fri, 27 Dec 2019 11:03:59 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id v201so21243436lfa.11 for <oauth@ietf.org>; Fri, 27 Dec 2019 11:03:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=7H9590KM3lZB9tzgeW2WQcVLsyUJPsRYW0+62/27vms=; b=ZjRz7CSEeJpx/Bq/7V4+nShHUFkNjUj2tp6SGjphOkKxasE8minS4JbhMHJLiVOyIa zJuKesdzm+PkdoeHOvfj0TZsZg4pDe/xR+qTPZMYWqWfvBNOEXro1/+XXtvrHinMVgMH 4ZkctHMcYQaK52v8yG5Q2g6lP3jsRHxp2cosgzG4ROPYPiHK7uMMTkOrN73t/HAin+ik jzk8rbWEUud0lKl0QPZZa10/0miUHgtQioEe3x8QsH8yOdQ+GP+QvooNFca215CBD/Hm HR/PDTXMbAzHbnhvX0fzmUKEAmEp3RSJ7R6Cu+GOXwgZbcStJdlE/Oiq0TeZ8653OwOO H3qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=7H9590KM3lZB9tzgeW2WQcVLsyUJPsRYW0+62/27vms=; b=N+a085AUEAaSMoarlmd8hCMof+TqZjnQCx6h+t9yXw3hd4tn3ia6czYChdQ0Inv2bE +QhA6vmYFCFbbd9arOIexW9tskKOc2L09j9R4E9QAJCl49nO1y5c7am2X7Q4Fbn8dqdk TI2PBiqQriFHFZap2LA3qtyZpWguUsedqCtQuWc0Ru7hVOruQjn+ipA++JLF46DPPtxp eMIbvQKeMzEQbt1EvWCMHKwv/uBTu/+qa4+QIuPF3xw1ul4JDSkA6DTexkNjlKsqTbsq w7hyzHM3F8GLTSEPRb7bwLi0rt0kPsdFEiSkQRsNAruvcZvHVrbcEo5rRsNuP54M+jKB qFAg==
X-Gm-Message-State: APjAAAUYdlqmsuh7/MBkb5SreoIXnB7ptfGpL3Wanv9P+rNmmeAm5eqC hLGlBIl2O3ilnn8Ws6eSuOyezxgFmHC33wMKMRqu0NdNpacscX2YZphU85hA57bHBKPzT6OBwXI GQzu92tJ6P09BT19eC3c=
X-Google-Smtp-Source: APXvYqxr8B5BThbZDxGvULjp2yj6i27H9nSR7sMh21ogh1425voxQJPlIlcgkI1A7DtoY4M+zJXvtZi1UMe3hkFILZI=
X-Received: by 2002:ac2:4884:: with SMTP id x4mr29213148lfc.92.1577473437021; Fri, 27 Dec 2019 11:03:57 -0800 (PST)
MIME-Version: 1.0
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 27 Dec 2019 12:03:30 -0700
Message-ID: <CA+k3eCRCs3W9th9b01iCJ4c-wEzuovP=GZaTs+cZNyLkOWXLsA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000db4f1a059ab42770"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RucZHKuRf6HCsWUyJDK0XRwub3w>
Subject: [OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 19:04:02 -0000

We have a-sometimes used scenario where a client makes an
authorization/authentication request with a "token id_token" response type
and "form_post" response mode (nonce is also sent and exact redirect URI
matching is done at the AS). The access token is never exposed in any URLs
and access token injection is prevented by the at_hash claim in the id
token.

That seems to me like a legitimate and reasonable usage scenario. However,
it would fall on the wrong side of the SHOULD NOT in Section 3.1.2 of the
Security BCP-to-be
<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.2>,
which has:

   In order to avoid these issues, clients SHOULD NOT use the implicit
   grant (response type "token") or any other response type issuing
   access tokens in the authorization response, such as "token id_token"
   and "code token id_token", unless the issued access tokens are
   sender-constrained and access token injection in the authorization
   response is prevented.

I know this particular text has been discussed over and over again so I
hate to revisit it. But based on the aforementioned scenario I think maybe
it still doesn't quite hit the mark. Access token injection is prevented.
The token leakage scenarios mentioned in that section are all avoided. And
while I know sender-constrained is recommended elsewhere in the draft, it's
not really a realistic option for the majority of deployments.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email