Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-04.txt
Neil Madden <neil.madden@forgerock.com> Wed, 06 October 2021 19:54 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AF8F3A084F for <oauth@ietfa.amsl.com>; Wed, 6 Oct 2021 12:54:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w2-CmWVskXip for <oauth@ietfa.amsl.com>; Wed, 6 Oct 2021 12:54:01 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 296043A085D for <oauth@ietf.org>; Wed, 6 Oct 2021 12:54:01 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id r10so12140438wra.12 for <oauth@ietf.org>; Wed, 06 Oct 2021 12:54:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:date:message-id:references:cc:in-reply-to :to:content-transfer-encoding; bh=KjiMUpK+b7cqvzJ9X3SzsoGHV69ZM4R3JkZE320HTGo=; b=NIVqAw+TMAdPVw2tSfY/cbTDaDsTiNh/NGXjioRPjkrLlhbU7tuOenScMo35WtjGR6 RYKUe9MhslXD/VlrrKWAP81OoxDat7EFVmS/grJbaeXKaCZsFoWoPGL1906VluXr5pue GySTNx4DGVGhLE93pr6r7TqMMrhGFxMHlPgBY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to:content-transfer-encoding; bh=KjiMUpK+b7cqvzJ9X3SzsoGHV69ZM4R3JkZE320HTGo=; b=haF7DDyNpqxokhxtTGqx70FuveoApfG3n/0IWue0IJuXk9h6HSZxWZw1k6GrIzzKSI phq1U16oo7OJQYIHaRmnYV9ZxpZFeLj6kAM1pGq7owH5JvutujSI+BEWgzs6YKRrjOBf 25tyt/lpIVoYPeg5S54KNJibNxK7Dz/j83BvwEMxt+T2ZzCs7HFvzsBeawSf/8cxEUog 7oUBTnQ2Oij2RdOSFTOro/ux6wmPQD0goa/9z2hLg9dxc8ZYIIywxBV5gIrioRLuWZ9Y AAwyc8e99l162+HZA2d2xqTW42CtjIwaKRhtRs6IzAQ3kJNUwmCS+/KEBLZvQ5D98S/j VneQ==
X-Gm-Message-State: AOAM531tiN0gUzDrnqXv0RYOcsD8M4+NXw5yjzKxcyEh+TdmcBPdZ2XY jAIOJYYkG675u+0AEVq1RyJLafzjCHXhx4QmIEFy2yxXSZZyRymShmNhoblGuphHqbRdtrJxDEj tn5+IOw==
X-Google-Smtp-Source: ABdhPJyhYBIgV97dJrckUxUfEyHQWiAtMe5Pg+ZdQLOT3NCdNWPD+67X9IOVLeaHMbP3j40KXZeuQw==
X-Received: by 2002:a05:600c:4109:: with SMTP id j9mr153792wmi.179.1633550039146; Wed, 06 Oct 2021 12:53:59 -0700 (PDT)
Received: from smtpclient.apple (152.249.143.150.dyn.plus.net. [150.143.249.152]) by smtp.gmail.com with ESMTPSA id b190sm12089wmd.25.2021.10.06.12.53.58 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 06 Oct 2021 12:53:58 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 06 Oct 2021 20:53:56 +0100
Message-Id: <BB556582-2CEC-4A73-ABF3-BFB9EB12B0D0@forgerock.com>
References: <PH0PR00MB09970FB8EB1884B8BF5A090CF5B09@PH0PR00MB0997.namprd00.prod.outlook.com>
Cc: oauth@ietf.org
In-Reply-To: <PH0PR00MB09970FB8EB1884B8BF5A090CF5B09@PH0PR00MB0997.namprd00.prod.outlook.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (18H17)
Content-Type: multipart/alternative; boundary="Apple-Mail-97033086-2E8B-40EE-A61D-B28D4F2243FB"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Vllc3XQ0p_4eVFfrtN8B8-TqyZY>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Oct 2021 19:54:07 -0000
Overall I think thus is good, but I have a few comments/suggestions: I think the stateful handling of server-supplied nonces (ie the client reuses the same nonce until the server sends a new one) perhaps needs to be clarified with respect to clients making concurrent requests. Especially clients using multiple access tokens and/or DPoP keys (eg for different users). Is the nonce specific to a particular access token? And we also need to consider a client that is itself a cluster of servers - does such a client need to synchronise nonces across instances? Does the AS/RS need to? (I can imagine this getting quite complex with different requests from different client machines hitting different AS/RS servers). I think probably any use of the DPoP-Nonce response header should also be accompanied by Cache-Control: private (or no-store) and this should be a MUST. I think we’ve also missed that the DPoP header on requests should also have Cache-Control: no-store added, at least when not sending the access token in an Authorization header. It seems slightly odd that the WWW-Authenticate challenge for RS server-supplied nonces isn’t self-contained, but I don’t see anything that says it should be so that is probably ok. (And I can see the consistency argument for using the header). It does seem a shame to pay the cost of a challenge-response roundtrip and not to do a key exchange to speed up subsequent requests, but never mind. — Neil > On 6 Oct 2021, at 17:37, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote: > > > FYI, I wrote about the nonce support at https://self-issued.info/?p=2194 and https://twitter.com/selfissued/status/1445789505902899206. > > -- Mike > > From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell > Sent: Monday, October 4, 2021 3:11 PM > To: oauth <oauth@ietf.org> > Subject: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-04.txt > > > WG, > > The collective DPoP co-authors are pleased to announce that a new -04 revision of DPoP has been published. The doc history snippet is copied below for quick/easy reference. The main change here is the addition of an option for a server-provided nonce in the DPoP proof. > > -04 > * Added the option for a server-provided nonce in the DPoP proof. > * Registered the invalid_dpop_proof and use_dpop_nonce error codes. > * Removed fictitious uses of realm from the examples, as they added > no value. > * State that if the introspection response has a token_type, it has > to be DPoP. > * Mention that RFC7235 allows multiple authentication schemes in > WWW-Authenticate with a 401. > * Editorial fixes. > > > ---------- Forwarded message --------- > From: <internet-drafts@ietf.org> > Date: Mon, Oct 4, 2021 at 4:05 PM > Subject: New Version Notification for draft-ietf-oauth-dpop-04.txt > To: ... > > > > A new version of I-D, draft-ietf-oauth-dpop-04.txt > has been successfully submitted by Brian Campbell and posted to the > IETF repository. > > Name: draft-ietf-oauth-dpop > Revision: 04 > Title: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) > Document date: 2021-10-04 > Group: oauth > Pages: 37 > URL: https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.txt > Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ > Html: https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html > Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop > Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-04 > > Abstract: > This document describes a mechanism for sender-constraining OAuth 2.0 > tokens via a proof-of-possession mechanism on the application level. > This mechanism allows for the detection of replay attacks with access > and refresh tokens. > > > > > The IETF Secretariat > > > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth -- Manage My Preferences <https://preferences.forgerock.com/>, Unsubscribe <https://preferences.forgerock.com/>
- [OAUTH-WG] Fwd: New Version Notification for draf… Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Mike Jones
- Re: [OAUTH-WG] Fwd: New Version Notification for … Neil Madden
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell