[OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode
Brian Campbell <bcampbell@pingidentity.com> Fri, 27 December 2019 19:04 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 10622120B4C for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 11:04:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q_I379eoUKil for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 11:03:59 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B4271208E0 for <oauth@ietf.org>; Fri, 27 Dec 2019 11:03:59 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id v201so21243436lfa.11 for <oauth@ietf.org>; Fri, 27 Dec 2019 11:03:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:from:date:message-id:subject:to; bh=7H9590KM3lZB9tzgeW2WQcVLsyUJPsRYW0+62/27vms=; b=ZjRz7CSEeJpx/Bq/7V4+nShHUFkNjUj2tp6SGjphOkKxasE8minS4JbhMHJLiVOyIa zJuKesdzm+PkdoeHOvfj0TZsZg4pDe/xR+qTPZMYWqWfvBNOEXro1/+XXtvrHinMVgMH 4ZkctHMcYQaK52v8yG5Q2g6lP3jsRHxp2cosgzG4ROPYPiHK7uMMTkOrN73t/HAin+ik jzk8rbWEUud0lKl0QPZZa10/0miUHgtQioEe3x8QsH8yOdQ+GP+QvooNFca215CBD/Hm HR/PDTXMbAzHbnhvX0fzmUKEAmEp3RSJ7R6Cu+GOXwgZbcStJdlE/Oiq0TeZ8653OwOO H3qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=7H9590KM3lZB9tzgeW2WQcVLsyUJPsRYW0+62/27vms=; b=N+a085AUEAaSMoarlmd8hCMof+TqZjnQCx6h+t9yXw3hd4tn3ia6czYChdQ0Inv2bE +QhA6vmYFCFbbd9arOIexW9tskKOc2L09j9R4E9QAJCl49nO1y5c7am2X7Q4Fbn8dqdk TI2PBiqQriFHFZap2LA3qtyZpWguUsedqCtQuWc0Ru7hVOruQjn+ipA++JLF46DPPtxp eMIbvQKeMzEQbt1EvWCMHKwv/uBTu/+qa4+QIuPF3xw1ul4JDSkA6DTexkNjlKsqTbsq w7hyzHM3F8GLTSEPRb7bwLi0rt0kPsdFEiSkQRsNAruvcZvHVrbcEo5rRsNuP54M+jKB qFAg==
X-Gm-Message-State: APjAAAUYdlqmsuh7/MBkb5SreoIXnB7ptfGpL3Wanv9P+rNmmeAm5eqC hLGlBIl2O3ilnn8Ws6eSuOyezxgFmHC33wMKMRqu0NdNpacscX2YZphU85hA57bHBKPzT6OBwXI GQzu92tJ6P09BT19eC3c=
X-Google-Smtp-Source: APXvYqxr8B5BThbZDxGvULjp2yj6i27H9nSR7sMh21ogh1425voxQJPlIlcgkI1A7DtoY4M+zJXvtZi1UMe3hkFILZI=
X-Received: by 2002:ac2:4884:: with SMTP id x4mr29213148lfc.92.1577473437021; Fri, 27 Dec 2019 11:03:57 -0800 (PST)
MIME-Version: 1.0
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 27 Dec 2019 12:03:30 -0700
Message-ID: <CA+k3eCRCs3W9th9b01iCJ4c-wEzuovP=GZaTs+cZNyLkOWXLsA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000db4f1a059ab42770"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RucZHKuRf6HCsWUyJDK0XRwub3w>
Subject: [OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 19:04:02 -0000
We have a-sometimes used scenario where a client makes an authorization/authentication request with a "token id_token" response type and "form_post" response mode (nonce is also sent and exact redirect URI matching is done at the AS). The access token is never exposed in any URLs and access token injection is prevented by the at_hash claim in the id token. That seems to me like a legitimate and reasonable usage scenario. However, it would fall on the wrong side of the SHOULD NOT in Section 3.1.2 of the Security BCP-to-be <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.2>, which has: In order to avoid these issues, clients SHOULD NOT use the implicit grant (response type "token") or any other response type issuing access tokens in the authorization response, such as "token id_token" and "code token id_token", unless the issued access tokens are sender-constrained and access token injection in the authorization response is prevented. I know this particular text has been discussed over and over again so I hate to revisit it. But based on the aforementioned scenario I think maybe it still doesn't quite hit the mark. Access token injection is prevented. The token leakage scenarios mentioned in that section are all avoided. And while I know sender-constrained is recommended elsewhere in the draft, it's not really a realistic option for the majority of deployments. -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] -security-topics-13 and OIDC response … Brian Campbell
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Filip Skokan
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Brian Campbell
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Brian Campbell
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Richard Backman, Annabelle
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Torsten Lodderstedt
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Daniel Fett
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Daniel Fett
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Brian Campbell
- Re: [OAUTH-WG] -security-topics-13 and OIDC respo… Mike Jones
- Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and… Daniel Fett