Re: [OAUTH-WG] swapping a jwsreq/JAR JWT for a client authentication JWT

Brian Campbell <bcampbell@pingidentity.com> Wed, 22 July 2020 21:55 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Jul 2020 15:54:52 -0600
Message-ID: <CA+k3eCSQTkp1gBnuXJv-1i_-9gLkVBGzeSx_XYyhnnF_=bg68g@mail.gmail.com>
To: Dominick Baier <dbaier@leastprivilege.com>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VXB_cJnvLvzU9_b8dckp-mmWgas>

Because it wouldn't actually prevent it in this case due to JWT assertion
client authentication (a.k.a. private_key_jwt) having come about well
before the JWT BCP and the established concept of using the 'typ' header to
prevent cross-JWT confusion. Thus there's no validation rule regarding the
'typ' header defined in RFC 7523 for JWT client authentication. Explicitly
typing the request object JWT doesn't do anything to prevent it from being
used in the context of previously existing JWT applications like client
auth.

On Wed, Jul 22, 2020 at 10:32 AM Dominick Baier <dbaier@leastprivilege.com>
wrote:

> Why not use a typ header as suggested by the JWT BCP?
>
> ———
> Dominick Baier
>
> On 22. July 2020 at 17:37:41, Brian Campbell (
> bcampbell=40pingidentity.com@dmarc.ietf.org) wrote:
>
> The TL;DR here is a somewhat tentative suggestion that a brief security
> consideration be added to
> https://datatracker.ietf.org/doc/draft-ietf-oauth-jwsreq/ that
> prohibits the inclusion of a 'sub' claim containing the client id value in
> the request object JWT so as to prevent the request object JWT (which is
> exposed to the user agent) from being erroneously accepted as a valid JWT
> for client authentication.
>
> Some more details and the discussion that led to this here email can be
> found at https://github.com/oauthstuff/draft-oauth-par/issues/41
>

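An added example (not from the thread or from either draft) that puts the confusion discussed above into claim-validation code: the RFC 7523 client-assertion checks have no 'typ' rule, so an explicitly typed request object that carries `sub` = client_id satisfies them, while the proposed JAR consideration rejects such a request object outright. The client id, AS URLs, the HS256 stand-in for the client's asymmetric key, and the assumption that this AS accepts its issuer identifier as well as its token endpoint as `aud` for client authentication are all constructed here.

```python
import base64, hashlib, hmac, json

# Constructed demo values (not from the thread).
CLIENT_ID = "s6BhdRkqt3"
AS_ISSUER = "https://as.example.com"
TOKEN_ENDPOINT = "https://as.example.com/token"
KEY = b"demo-key"  # HS256 stands in for the client's asymmetric key pair

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(header: dict, claims: dict) -> str:
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64u(sig)

def verify_jwt(token: str) -> dict:
    h, p, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64u_dec(s)):
        raise ValueError("bad signature")
    return json.loads(b64u_dec(p))  # header ignored: RFC 7523 defines no 'typ' check

def validate_client_assertion(token: str, now: int) -> bool:
    """RFC 7523 section 3 checks for private_key_jwt. No 'typ' rule exists, and
    (assumption) this AS accepts its issuer identifier or token endpoint as 'aud'."""
    c = verify_jwt(token)
    aud = c.get("aud") if isinstance(c.get("aud"), list) else [c.get("aud")]
    return (c.get("iss") == CLIENT_ID and c.get("sub") == CLIENT_ID
            and any(a in (AS_ISSUER, TOKEN_ENDPOINT) for a in aud)
            and isinstance(c.get("exp"), int) and c["exp"] > now)

def validate_request_object(token: str) -> bool:
    """JAR request object checks plus the proposed consideration: reject 'sub' == client_id."""
    c = verify_jwt(token)
    return (c.get("iss") == CLIENT_ID and c.get("client_id") == CLIENT_ID
            and c.get("aud") == AS_ISSUER and c.get("sub") != CLIENT_ID)

def request_object(now: int, with_sub: bool) -> str:
    # Constructed request object as a client would send it through the user agent.
    claims = {"iss": CLIENT_ID, "client_id": CLIENT_ID, "aud": AS_ISSUER, "exp": now + 300,
              "response_type": "code", "redirect_uri": "https://client.example.org/cb"}
    if with_sub:
        claims["sub"] = CLIENT_ID  # the claim the proposed consideration would prohibit
    return sign_jwt({"alg": "HS256", "typ": "oauth-authz-req+jwt"}, claims)
```

With `with_sub=True` the front-channel request object passes `validate_client_assertion` despite its explicit 'typ', which is why the thread proposes the `sub` prohibition rather than relying on typing alone.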