IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP - Document Shepherd Review

Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> Thu, 28 July 2022 01:23 UTC

Return-Path: <rifaat.s.ietf@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25176C157B4F for <oauth@ietfa.amsl.com>; Wed, 27 Jul 2022 18:23:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gbbEaYXYj4oB for <oauth@ietfa.amsl.com>; Wed, 27 Jul 2022 18:23:28 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB9DBC14CF00 for <oauth@ietf.org>; Wed, 27 Jul 2022 18:23:27 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id u5so360796wrm.4 for <oauth@ietf.org>; Wed, 27 Jul 2022 18:23:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XSpOdG3HZ+wp4ZxOp2slpqBI9LC38hMMmoBDw0ogX8w=; b=Sr2byM7XQBfR6wcXDFC23bbonrB21R5Xg2U5PVM/vraSExhdpccrad+Gqf8ldyydZY dpbRVTKestbF9XfCASUq1DLKoYfZpHFngWASmynemi6uohb5+i48ruQ39JE1iu4f0lya ra4YKyCgk8sj4xjymp95mj1UsBndlyqV0ToiDRc2Hbzagv5aS7k4UCpMThs2RSEDJMdG NmqaVjWeF5kkRk8RYiAWiLZeHoFWC/ELcBo0VRCbq1/b3qyUezUC7hT5d7Sa14QPlepk rLF6EHj3WgXsDwv/oQbV7VMlNqz8Fxt2RVhfnEdOzwO1kOv+0/qEcTUbBKy1htWkoidW vQ9g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XSpOdG3HZ+wp4ZxOp2slpqBI9LC38hMMmoBDw0ogX8w=; b=F67lwcze5E5MytgBiwE/RcdcGhDAVcKMWmS4vnBmc6rts0ql80HYy+RqzbiAb5H00W ijc/V+uW1bpehjloyLBxAIpRNRaYAh22JvpmgnBnxr0WGZXVPvYDFHTsTW6W/Wh/El4D omne8jSCpctXSQwOeh2UTo9PcQMDfJw1rGj3Y4vL4OtbjjcRavvipWtAS6IrSHO6HTPf bCjvZttTbEUai4kMWJCcbRibZfkxsWcdi9FH8yX9NAuX8kCGaFWg/5TMHDM+kqNqSfxr e62g5j46msC9uiQWwXnt/L6wJVcvbqcDzmEX+KMGtsjHMFXlJgD7u4bUMwS3CwVs9+pd GuPg==
X-Gm-Message-State: AJIora/rmtxzcQWMoEptdgdaz1hR0swZ4E81jgPeHO32vTP9nY87Nk5t G2BZCiwy80VLtzTu8rYyeBbGowPIaqUI3R0evrU=
X-Google-Smtp-Source: AGRyM1tmf/Zh0nfN1lpVqXHFUCe69vU00eTF8iUcOyNf2JKXEVg2tVNjLD3hDjyw9vtBKB0PH2MIfLCupnAFwkydI4g=
X-Received: by 2002:a5d:6d84:0:b0:21e:824d:59bf with SMTP id l4-20020a5d6d84000000b0021e824d59bfmr13363106wrs.291.1658971405446; Wed, 27 Jul 2022 18:23:25 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP_0LLLmwdPa2sjsp8mmjOO2woQbdLf3XyPzUsJ_CuogXQ@mail.gmail.com> <CA+k3eCRyoncwUGu3cpnsXut6t8u2UUD9ZmBYYTCf7J9e3tpfzQ@mail.gmail.com> <CADNypP-nrgPHHbmxUZke=9UdpHWhv9wnd-v5vdC-36jgSSNBUw@mail.gmail.com> <CA+k3eCR5uZwGnnqN13WpPOeE0TseCACi=K3NDwu5k4NWtfex8A@mail.gmail.com> <CA+k3eCS4WjaW3A7VUnkb+Wtq3HTogqi2uG6EQppcKOkC9r7d2w@mail.gmail.com>
In-Reply-To: <CA+k3eCS4WjaW3A7VUnkb+Wtq3HTogqi2uG6EQppcKOkC9r7d2w@mail.gmail.com>
From: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Date: Wed, 27 Jul 2022 21:23:14 -0400
Message-ID: <CADNypP_PDCdeW3P2-02H7AjWXXGspz+sJnX6RQs1MQLiWLUxNQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005071d205e4d36194"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SKdRY1c0N-6JFFTYcvTZsYmA0o8>
Subject: Re: [OAUTH-WG] DPoP - Document Shepherd Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 01:23:32 -0000

Brian,

Thanks for all the hard work that you put into this important document.
We do not mind it when you are vibrant; we know that you always have good
intentions 😀

Regards,
 Rifaat



On Wed, Jul 27, 2022 at 6:44 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Thanks Rifaat and others for the vibrant* discussions about the DPoP draft
> in the side meeting yesterday.
>
> I thought it'd be appropriate to share/reiterate the three action items
> we'd agreed on during the meeting (as I remember anyway):
>
>    1. Justin to review the text about why we have the AT hash and either
>    create a PR adding additional motivations or say that what we have is
>    already sufficient
>    2. Danial to add some text to further explain decisions with respect
>    to PAR
>    3. Brian (aka me) to add a parenthetical remark to the Signature
>    Algorithms subsection listing 'ES256'
>
> PR's for the latter two are here
> <https://github.com/danielfett/draft-dpop/pull/165> and here
> <https://github.com/danielfett/draft-dpop/pull/166> respectively.  And
> yes, this message is, at least in part, a passive-aggressive reminder to
> Justin about #1.
>
> The slides that I used to try and help guide the discussions are attached.
> They are admittedly rather suboptimal but I'm including them for the sake
> of transparency (and because they have a couple of photos).
>
>
> * my apologies for being overly vibrant at times
>
>
>
>
> On Wed, Jul 6, 2022 at 4:32 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> Thanks Rifaat!
>> I will make those changes in the document source and come to Philly
>> prepared to discuss the other items. One of the side meetings seems like a
>> good forum for that, good idea.
>>
>> On Tue, Jul 5, 2022 at 11:14 AM Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com> wrote:
>>
>>> Thanks Brian!
>>> See my replies inline below.
>>>
>>>
>>> On Thu, Jun 30, 2022 at 6:52 PM Brian Campbell <
>>> bcampbell@pingidentity.com> wrote:
>>>
>>>> Thanks for shepherding Rifaat. And apologies for the slow reply. My
>>>> attempts at answering questions and responding to comments are inline
>>>> below.
>>>>
>>>>
>>>> On Fri, Jun 3, 2022 at 11:55 AM Rifaat Shekh-Yusef <
>>>> rifaat.s.ietf@gmail.com> wrote:
>>>>
>>>>> The following is my review as a document shepherd:
>>>>>
>>>>> Section 4.3
>>>>>
>>>>> Last sentence
>>>>>
>>>>> Since the document uses “SHOULD”, this implies that there are some
>>>>> valid cases where this is not needed.
>>>>>
>>>>> Should a text be added to explain when this is not needed?
>>>>>
>>>>
>>>>
>>>> What about giving a bit more context about why they should? Changing
>>>> that sentence to say, "To reduce the likelihood of false negatives, servers
>>>> SHOULD employ Syntax-Based Normalization (Section 6.2.2
>>>> <https://rfc-editor.org/rfc/rfc3986> of [RFC3986]) and Scheme-Based
>>>> Normalization (Section 6.2.2 <https://rfc-editor.org/rfc/rfc3986> of [
>>>> RFC3986]) before comparing the htu claim." And also maybe changing it
>>>> to a little "should".
>>>>
>>>> Yes, that works.
>>> I suggest keeping it as "SHOULD" to encourage implementers to use this,
>>> unless they have a really good reason not to.
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 6.1
>>>>>
>>>>>    1.
>>>>>
>>>>>    First sentence - what is the reason for using “SHOULD”, instead of
>>>>>    “MUST” in this case?
>>>>>
>>>>>
>>>>
>>>> Good question. I think it was a bit of carryover from OAuth in general
>>>> not strictly defining access token format or content. And wanting to not
>>>> encroach on that. But that's kinda covered/allowed for in general by
>>>> Section 6 already. And Section 6.2 is effectively the same as 6.1 but for
>>>> introspection and it doesn't use "SHOULD". I think the “SHOULD” in the first
>>>> sentence of 6.1 should be removed thereby making it an implicit must - like
>>>> "when using JWT, this is how it is". That would align with the way it's
>>>> described for introspection. Also leaves some room for hash algorithm
>>>> agility via a new confirmation method member (described in
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#name-access-token-and-public-key)
>>>> without going against a "MUST"
>>>>
>>>>
>>> I am fine with removing the "SHOULD" to make it an implicit must.
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>>    1.
>>>>>
>>>>>    The DPoP Proof contains a hash of the Access Token, and the Access
>>>>>    Token contains a hash of the public key in the DPoP Proof.
>>>>>
>>>>> Why do you need both? Would one of these be sufficient?
>>>>>
>>>>
>>>>
>>>> The latter (AT containing a hash of the public key in the DPoP Proof)
>>>> is needed and largely sufficient for the main goals of binding the AT to a
>>>> key held by the client. The former (DPoP Proof containing a hash of
>>>> the AT) was added later via very rough WG consensus - it can prevent some
>>>> esoteric swapping of tokens that I never really understood to be honest and
>>>> also limits the impact of using maliciously precomputed and exfiltrated
>>>> proofs (
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-2-6
>>>> talks about it a bit). Use of the nonce mechanism, which was added to
>>>> the draft even later, also (and better) protects against precomputed
>>>> and exfiltrated proofs. The value of the AT hash in the proof seems
>>>> somewhat questionable. To me anyway. But removing it at this point is
>>>> potentially problematic due to inertia, existing
>>>> implementations/deployments, rough WG consensus, and more.
>>>>
>>>>
>>> I think that at least a text is needed to justify this, and explain the "
>>> it can prevent some esoteric swapping of tokens" issue.
>>> Maybe we can discuss this during one of the side meetings in Philly.
>>>
>>>
>>>
>>>>
>>>>
>>>
>>>>> Section 7.1
>>>>>
>>>>>    1.
>>>>>
>>>>>    “if the request does not include valid credentials or does not
>>>>>    contain an access token sufficient for access, the server can
>>>>>    respond with a challenge to the client to provide DPoP authentication
>>>>>    information.”
>>>>>
>>>>>
>>>>> Should the “can” be replaced with a “SHOULD”?
>>>>>
>>>>
>>>>
>>>> FWIW, there was some discussion around that sentence that included some
>>>> pushback on dropping the "can".
>>>> https://github.com/danielfett/draft-dpop/issues/119 and
>>>> https://github.com/danielfett/draft-dpop/pull/122 have the
>>>> conversation. I'm rather hesitant to try and change it after all that.
>>>>
>>>>
>>>>
>>> Ok
>>>
>>>
>>>
>>>>
>>>>>
>>>>>    1.
>>>>>
>>>>>    Also, I think it would be clearer if you can explicitly state what
>>>>>    the authorization server should do when it does not challenge the client,
>>>>>    which I am assuming will be something along the lines of: “the
>>>>>    authorization server issues an error response per Section 5.2 of RFC6749“
>>>>>
>>>>>
>>>>
>>>> The section in question is about protected resource access so anything
>>>> about the authorization server wouldn't be appropriate there. The protected
>>>> resource / RS always has the option to simply fail the request and can do
>>>> that however it sees fit. I'm not sure how to state that in the document
>>>> text. Or if anything should be stated, honestly.
>>>>
>>>> Ok
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 7.2
>>>>>
>>>>>    1.
>>>>>
>>>>>    “Specifically, such a protected resource MUST reject a DPoP-bound
>>>>>    access token received as a bearer token per [RFC6750
>>>>>    <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>
>>>>>    ].”
>>>>>
>>>>>
>>>>> I think that I understand what you are trying to say with this
>>>>> sentence, but the way the sentence reads is confusing to me.
>>>>>
>>>>> I am assuming what you are trying to say is something along the lines
>>>>> of “a dpop protected resource must reject a request that provides a bearer
>>>>> token”. Is that correct? If so, can you please rephrase the sentence to
>>>>> make it clearer?
>>>>>
>>>>
>>>>
>>>> That's not quite correct. That paragraph
>>>> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#section-7.2-1>
>>>> (copied below) is attempting say that a protected resource that will
>>>> accept either "Authorization: Bearer <bearer token>" or "Authorization:
>>>> DPoP <dpop-bound token>" is required to reject a request that uses the
>>>> Bearer scheme with a DPoP-bound access token. This is to prevent
>>>> downgraded usage of a bound access token without demonstrating possession
>>>> of the key to which it is bound.
>>>>
>>>> "Protected resources simultaneously supporting both the DPoP and Bearer
>>>> schemes need to update how evaluation of bearer tokens is performed to
>>>> prevent downgraded usage of a DPoP-bound access token. Specifically, such a
>>>> protected resource MUST reject a DPoP-bound access token received as a
>>>> bearer token per [RFC6750
>>>> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-09.html#RFC6750>
>>>> ]."
>>>>
>>>> Got it.
>>>
>>>
>>>>
>>>>
>>>>>
>>>>>
>>>>>    1.
>>>>>
>>>>>    “A protected resource that supports only [RFC6750
>>>>>    <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-08.html#RFC6750>]
>>>>>    and is unaware of DPoP would most presumably accept a DPoP-bound access
>>>>>    token as a bearer token”
>>>>>
>>>>>
>>>>> Wouldn't such a resource server check the value of the
>>>>> WWW-Authenticate header to make sure it contains the Bearer scheme, which
>>>>> means that the request is most likely to be declined?
>>>>>
>>>>
>>>>
>>>> What that is trying to say is that a protected resource that only does
>>>> or knows about the RFC6750 Bearer scheme ("Authorization: Bearer <token>")
>>>> will almost certainly accept a bound access token sent via the Bearer
>>>> scheme.
>>>>
>>>> Ok
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 10.1
>>>>>
>>>>> Why define two different mechanisms to achieve the same thing?
>>>>>
>>>>> This seems to add complexity without an obvious benefit.
>>>>>
>>>>
>>>>
>>>> This is a bit of a tricky area. The benefit with PAR is the direct
>>>> request from client to AS, which allows for an actual DPoP proof to be used
>>>> for the eventual binding of the authorization code to the key. Also the
>>>> client doesn't have to do the JWK hash in that case. Whereas the normal
>>>> authorization request is indirect via the browser and just a hash of the
>>>> key is given for the code binding with the dpop_jkt parameter. And the
>>>> client has to compute the hash. But PAR is just an alternative way to pass
>>>> the authorization parameters (like dpop_jkt) so it's kinda awkward to use
>>>> things together like this.
>>>> https://github.com/danielfett/draft-dpop/issues/103 and
>>>> https://github.com/danielfett/draft-dpop/pull/111 have some discussion
>>>> around this but there was some in person talk too so that's not complete.
>>>>
>>>> I don't love that there's two different mechanisms here. But it's what
>>>> we were able to come up with given all the factors. Certainly open to
>>>> considering improvements but am pretty much at a loss of what that might
>>>> be.
>>>>
>>>> Let's discuss this during one of the side meetings in Philly
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 11.6
>>>>>
>>>>> Should the algorithms be explicitly called out? Or at least reference
>>>>> a document that calls out such algorithms?
>>>>>
>>>>
>>>>
>>>> There isn't a single such document and it's not necessarily a static
>>>> list of algorithms. I was about to say we could point to the JOSE alg
>>>> registry but glancing again at it
>>>> https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms
>>>> and I suspect that'd confuse more than help. We could perhaps list
>>>> some/many of the algs with the qualification that it's not an exclusive or
>>>> complete list? But I'm not sure how useful that would be, to be honest.
>>>>
>>>> If you do not specify any algorithm, how do you ensure interop?
>>> I think this is worth a discussion in Philly
>>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>> Section 11.7
>>>>>
>>>>> Why is OAuth Token Binding included?
>>>>>
>>>>
>>>>
>>>> Yeah, that doesn't make sense to encourage its use because it's not a
>>>> viable thing to use. OAuth Token Binding should be removed from Section
>>>> 11.7. Was that what you were getting at? That particular text in the
>>>> paragraph that mentions token binding has been in the draft for a long time
>>>> and honestly never made a lot of sense to me. So I could envision removing
>>>> more. But that's maybe more than you were aiming for.
>>>>
>>>> I am actually in favor of removing it
>>>
>>>
>>>
>>>>
>>>>>
>>>>> Section 11.8
>>>>>
>>>>> Why not include algorithm agility to make sure the mechanism is ready
>>>>> to allow for more secure algorithms in the future?
>>>>>
>>>>
>>>> Algorithm agility is a whole can of worms that can be accomplished in
>>>> different ways with different amounts of added complexity and potential
>>>> vulnerabilities and issues of interop and MTI. Section 11.8 describes how
>>>> DPoP allows for algorithm agility (without using the exact words) by
>>>> suggesting that new dpop binding cnf method and/or AT hash claim be
>>>> defined using a "better" hash algorithm if/when the need arises (OAuth
>>>> 2.0 Mutual-TLS takes a similar approach FWIW). The intent of doing it
>>>> that way was to keep things as simple as possible in the spec right now
>>>> without completely closing the door on future needs. .
>>>>
>>>> This is another topic that is worth a discussion in Philly.
>>>
>>> Regards,
>>>  Rifaat
>>>
>>>
>>>
>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>
>>>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*

v2.23.0 | Report a Bug | By Email