Re: [OAUTH-WG] DPoP introspection not including verification

Justin Richer <jricher@mit.edu> Fri, 15 March 2024 04:57 UTC

From: Justin Richer <jricher@mit.edu>
To: "Dick.Hardt@gmail.com" <Dick.Hardt@gmail.com>
CC: "rfc9449@ietf.org" <rfc9449@ietf.org>, Daniel Fett <fett@danielfett.de>, Brian Campbell <bcampbell@pingidentity.com>, "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 15 Mar 2024 04:57:12 +0000
Message-ID: <36D69C8F-1947-4A1B-81AB-778465E6CEF7@mit.edu>
References: <CAD9ie-u5cuo_=Rrfez2k1SJ6mSSAJiN61SL44ktEaqj+_wKRMA@mail.gmail.com>
In-Reply-To: <CAD9ie-u5cuo_=Rrfez2k1SJ6mSSAJiN61SL44ktEaqj+_wKRMA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SBvf5AD1ysodAm-EiPu7XKFIn3w>

While I don’t have an answer for the question asked, I do want to note that in order to do a proper validation, the introspection request would have to include not only the values of the DPoP proof but also the expected HTM and HTU values from the RS, as the AS would not know these directly.

— Justin

On Mar 10, 2024, at 4:05 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

Hey

I was reading over RFC 9449 and was surprised that introspection did not take the DPoP header so that the introspection endpoint could do the check on the DPoP proof rather than forcing the Resource Server to do it.

https://datatracker.ietf.org/doc/html/rfc9449#name-jwk-thumbprint-confirmation-

Curious what the reasoning behind this was?

/Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
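The two messages above turn on one division of labour: the AS knows which key a token is bound to (and reports it as `cnf.jkt` in an introspection response), while only the RS knows the HTTP method and URI the proof must cover. The following is an added example written for this thread, not code from the RFC, the working group, or either author, and it uses nothing beyond the Go standard library (Go 1.20 or later is assumed so that `ecdsa.Verify` rejects off-curve points). It builds a DPoP proof on the client side and performs the RFC 9449 section 4.3 checks on the RS side, taking `htm`/`htu` from the RS's own request and `cnf.jkt` from a constructed introspection result. The host `rs.example`, the token string and the introspection object are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// publicJWK renders a P-256 public key as the JWK the client embeds in the proof header.
func publicJWK(pub *ecdsa.PublicKey) map[string]string {
	x, y := pub.X.FillBytes(make([]byte, 32)), pub.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64.EncodeToString(x), "y": b64.EncodeToString(y)}
}

// thumbprint is the RFC 7638 JWK thumbprint the AS reports as cnf.jkt: only the required
// members, lexicographically ordered, no whitespace. json.Marshal of a map sorts its keys.
func thumbprint(jwk map[string]string) string {
	canon, _ := json.Marshal(map[string]string{"crv": jwk["crv"], "kty": jwk["kty"], "x": jwk["x"], "y": jwk["y"]})
	sum := sha256.Sum256(canon)
	return b64.EncodeToString(sum[:])
}

// newProof is the client side: an ES256 JWS (typ "dpop+jwt") over htm, htu, iat, a fresh jti and ath.
func newProof(priv *ecdsa.PrivateKey, htm, htu, token string, iat time.Time) (string, error) {
	jti := make([]byte, 16)
	rand.Read(jti)
	ath := sha256.Sum256([]byte(token)) // binds the proof to the access token it accompanies
	hdr, _ := json.Marshal(map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)})
	body, _ := json.Marshal(map[string]any{"jti": b64.EncodeToString(jti), "htm": htm, "htu": htu, "iat": iat.Unix(), "ath": b64.EncodeToString(ath[:])})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw r || s (32 bytes each), not DER
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyProof is the resource-server side. wantHTM/wantHTU are the request the RS actually received
// (the AS never sees them); cnfJKT is the cnf.jkt the AS returned for the token. No jti replay cache here.
func verifyProof(proof, wantHTM, wantHTU, token, cnfJKT string, now time.Time) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return fmt.Errorf("proof is not a compact JWS")
	}
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	var c struct{ JTI, HTM, HTU, ATH string; IAT int64 }
	for i, v := range []any{&hdr, &c} { // encoding/json matches field names case-insensitively
		if raw, err := b64.DecodeString(parts[i]); err != nil || json.Unmarshal(raw, v) != nil {
			return fmt.Errorf("segment %d is not base64url JSON", i)
		}
	}
	if hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" || hdr.JWK["kty"] != "EC" || hdr.JWK["crv"] != "P-256" {
		return fmt.Errorf("unexpected typ, alg or key type") // never let the proof pick the algorithm
	}
	xb, errX := b64.DecodeString(hdr.JWK["x"])
	yb, errY := b64.DecodeString(hdr.JWK["y"])
	sig, errS := b64.DecodeString(parts[2])
	if errX != nil || errY != nil || errS != nil || len(xb) != 32 || len(yb) != 32 || len(sig) != 64 {
		return fmt.Errorf("bad jwk coordinates or signature encoding")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("signature does not verify under the embedded jwk")
	}
	if c.JTI == "" || c.HTM != wantHTM || c.HTU != wantHTU { // the values only the RS holds
		return fmt.Errorf("proof is for %q %q, request was %q %q", c.HTM, c.HTU, wantHTM, wantHTU)
	}
	ath := sha256.Sum256([]byte(token))
	if d := now.Unix() - c.IAT; d > 60 || d < -60 || c.ATH != b64.EncodeToString(ath[:]) {
		return fmt.Errorf("proof is stale or its ath does not match the presented token")
	}
	if thumbprint(hdr.JWK) != cnfJKT { // the value only the AS holds, hence cnf.jkt in introspection
		return fmt.Errorf("proof key does not match the key bound to the token")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	token, htu, now := "constructed-opaque-access-token", "https://rs.example/resource", time.Now()
	jkt := thumbprint(publicJWK(&priv.PublicKey)) // what a constructed introspection response would carry as cnf.jkt
	proof, _ := newProof(priv, "GET", htu, token, now)
	fmt.Println("matching request:", verifyProof(proof, "GET", htu, token, jkt, now))
	fmt.Println("same proof on POST:", verifyProof(proof, "POST", htu, token, jkt, now))
}
```

The `main` shows the consequence of the thread's point: the same proof verifies for the GET it was minted for and fails when presented with a different method, a decision the AS could only make if the RS forwarded `htm` and `htu` alongside the proof. A production RS would additionally normalise `htu` (the RFC compares it without query and fragment), keep a short-lived `jti` cache against replay, and handle the optional server-provided `nonce`; none of that changes where the `htm`/`htu` knowledge lives.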