Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

Mike Jones <Michael.Jones@microsoft.com> Fri, 27 December 2019 20:28 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Date: Fri, 27 Dec 2019 20:28:20 +0000
Message-ID: <DM6PR00MB08478D98FE0A4A2AADAF479AF52A0@DM6PR00MB0847.namprd00.prod.outlook.com>
In-Reply-To: <CA+k3eCRCs3W9th9b01iCJ4c-wEzuovP=GZaTs+cZNyLkOWXLsA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UgAUi04UAZ2PH9PFZYZWBUjiyrg>
List-Id: OAUTH WG <oauth.ietf.org>

I agree with Brian. Please update the text to describe this already safe usage.

-- Mike

________________________________
From: OAuth <oauth-bounces@ietf.org> on behalf of Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Sent: Friday, December 27, 2019 11:03:30 AM
To: oauth <oauth@ietf.org>
Subject: [EXTERNAL] [OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode

We have a sometimes-used scenario where a client makes an authorization/authentication request with a "token id_token" response type and "form_post" response mode (nonce is also sent and exact redirect URI matching is done at the AS). The access token is never exposed in any URLs and access token injection is prevented by the at_hash claim in the id token.

That seems to me like a legitimate and reasonable usage scenario. However, it would fall on the wrong side of the SHOULD NOT in Section 3.1.2 of the Security BCP-to-be <https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.1.2>, which has:

   In order to avoid these issues, clients SHOULD NOT use the implicit
   grant (response type "token") or any other response type issuing
   access tokens in the authorization response, such as "token id_token"
   and "code token id_token", unless the issued access tokens are
   sender-constrained and access token injection in the authorization
   response is prevented.

I know this particular text has been discussed over and over again so I hate to revisit it. But based on the aforementioned scenario I think maybe it still doesn't quite hit the mark. Access token injection is prevented. The token leakage scenarios mentioned in that section are all avoided. And while I know sender-constrained is recommended elsewhere in the draft, it's not really a realistic option for the majority of deployments.
