Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 02 December 2014 12:39 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EC781A1B12 for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 04:39:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yhMEWiiT1O8u for <oauth@ietfa.amsl.com>; Tue, 2 Dec 2014 04:39:20 -0800 (PST)
Received: from mail-wi0-x231.google.com (mail-wi0-x231.google.com [IPv6:2a00:1450:400c:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BED0B1A1A65 for <oauth@ietf.org>; Tue, 2 Dec 2014 04:39:19 -0800 (PST)
Received: by mail-wi0-f177.google.com with SMTP id l15so20800052wiw.4 for <oauth@ietf.org>; Tue, 02 Dec 2014 04:39:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=ZyMzeaSqvEH3nVCVExCyQodRXFoNu1G33kz0YsTuwLk=; b=x3uTini7+s1Z+1CfLcCW5XTIYJZjmHmD/Q90hFLpBgO1afcP4lE8Xu2LSFqY3eNzKg JNEZEWconNW7avLDgakT6UxlYkttDku8QU+o643ECA26XTwQB1ItfXeV07TLqcyOSDgf ykgE8iUV6NDt0Wj6wBPAENR76SnNY93s0Cx3ugRhyI8G4kF6+I8GOZ6f3HZKBKV4j4oe Taxs4OsqR3xmlcNFrP7VDQkStTt7+rCz+6HyIawQ0nYqYlh6f36SHRtzW6EHFHm/1qk/ Sff0Pr5tVjIXPdx3UwRtwIZZR0VFfwPfY9u9Yb4kJCO8Mq1lUfyFEH1nlvsh0jr1Use/ GIUA==
X-Received: by 10.180.95.8 with SMTP id dg8mr19259312wib.33.1417523958517; Tue, 02 Dec 2014 04:39:18 -0800 (PST)
Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id s9sm32607353wiz.12.2014.12.02.04.39.17 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Dec 2014 04:39:17 -0800 (PST)
Message-ID: <547DB2F4.2040407@gmail.com>
Date: Tue, 02 Dec 2014 12:39:16 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, oauth@ietf.org
References: <547DA128.9090606@gmx.net> <547DA2DE.4050400@gmail.com> <547DAA6B.2020602@gmx.net>
In-Reply-To: <547DAA6B.2020602@gmx.net>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/UxNVLHPwnF-WBKyA5dNnAVzB66c
Subject: Re: [OAUTH-WG] Review of draft-ietf-oauth-introspection-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 12:39:22 -0000

Hi Hannes

Thanks for the clarifications, comments below...
On 02/12/14 12:02, Hannes Tschofenig wrote:
> Hi Sergey,
>
> On 12/02/2014 12:30 PM, Sergey Beryozkin wrote:
>>>
>>> * Scope
>>>
>>> I think the document needs to be very clear that is only applicable to
>>> bearer tokens (and not to PoP tokens). This issue was raised at the last
>>> IETF meeting as well.
>>>
>> Interesting, I was reading the doc yesterday and thought it was good it
>> was not talking about specific access token types :-)
>>
>> I wonder why a pop token can not be introspected in the interoperable
>> way as per the text for the resource server to tale the authorization
>> decision ?
>>
>
> The problem is that the AS needs to have the same context as the RS. In
> the bearer token case, the RS really only needs to pass the the access
> token along but in the PoP case one could imagine a couple of different
> solutions.
>
> A possible solution is that the AS sends the RS the necessary key so
> that the RS is able to verify the MAC or digital signature covering the
> request.
>
> The story would again be different if the PoP solution involves TLS.
>
> Yet another solution would be to also forward the entire request to the
> AS (which I wouldn't do).
>
> This is not specified in the current version of token introspection and,
> from the responses Justin gave at the last IETF meeting, he does not
> want to wait till the PoP work is finished to actually work out the
> details.
>
> Finally, from a security point of view it would be extremely important
> that the AS only provides a key to the RS if the RS is (a) authenticated
> and (b) the audience field from the token matches the RS since otherwise
> the PoP security degrades to a bearer token.

I see the draft specifying an optional resource_id hint (which I read 
being an actual request URI) which is the primary signing material in 
the pop case, the extra parameters like the nonce/timestamp can be 
forwarded along.

I agree it does not make sense to forward the actual body but that is 
probably going to be a very rare case where a body hash is also provided.

Explicitly disallowing the support for the pop tokens in the 
introspection text might the interoperability reach of either pop tokens 
or token introspections in cases where a given RS integrates with a 3rd 
party AS. May be it is a Security Considerations draft issue which would 
make it more open for pop tokens

Thanks, Sergey

>
> Ciao
> Hannes
>
>> Thanks, Sergey
>