Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments

Neil Madden <neil.madden@forgerock.com> Sun, 07 June 2020 12:26 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D90DC3A0794 for <oauth@ietfa.amsl.com>; Sun, 7 Jun 2020 05:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xbac19FLHric for <oauth@ietfa.amsl.com>; Sun, 7 Jun 2020 05:26:44 -0700 (PDT)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AE473A078F for <oauth@ietf.org>; Sun, 7 Jun 2020 05:26:44 -0700 (PDT)
Received: by mail-wm1-x32d.google.com with SMTP id u13so12668426wml.1 for <oauth@ietf.org>; Sun, 07 Jun 2020 05:26:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=heTS95f0epuub2KXWcRoshcllVSNoBA2Ne103T5ck2Y=; b=T2TjNEwm3TL0BaPcvAr/KyAw9+qAPxI5C+WRQX9OpOmq0peOvd+hM1xIYDehnxdqOi iwmw7yMSsLq1uOqr4odw4tgHmZ6ZySChZwRwGGM7RMoeu85tNq+6w+uaM0LPflKrFzsG s095V4cQln307pcriBJnvg/rWVCZ2hxj96CHs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=heTS95f0epuub2KXWcRoshcllVSNoBA2Ne103T5ck2Y=; b=qha4V7XUg//L4M0HNgjZlGaUeJ/1uU2tQIbnvP4RqG8KvBNx56jLA3SlpeYhfeMORI Ys4ixPXd05T/xOSZtxBIiuYSf2KxvDIrdV1q696hDILfv1U3MMCJy8qWPq4mUD91n2rm bnOQ5c7Lps8yy9I1M5y3JmyeZZg0Es//qPpFF8AukNqeuWvwo+NBU+42iabI1iKEqnoq NE/1/u1fRhMaCqcm+nwSZbWupotjtI4O3XougJ+SQNn6PkjJPywJYcCk3dzjtEzG0Nur xKCSuD9HvovLE6X3WHoqR+kt1vM3InVIj/8Gj3+IJoz//StGs9G1hiketS3iT/6Uuljs Kz/Q==
X-Gm-Message-State: AOAM530fxAP7aTlBfFghZEf0TJRhKrfc1L3gCkZoIlkP6pOibp0OL99Q AO7EGAazGpUjODiPyqJ+sbiepQ==
X-Google-Smtp-Source: ABdhPJx8V7lYky4BEUdGzNwg4ce3ADHdTgDI+0axc0ja5SWpJ/1WPCAr1UMBznvj4oBYxRt+RwDOUw==
X-Received: by 2002:a1c:2045:: with SMTP id g66mr10241272wmg.53.1591532802509; Sun, 07 Jun 2020 05:26:42 -0700 (PDT)
Received: from [10.0.0.3] (214.249.143.150.dyn.plus.net. [150.143.249.214]) by smtp.gmail.com with ESMTPSA id o10sm18388033wrq.40.2020.06.07.05.26.41 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 07 Jun 2020 05:26:42 -0700 (PDT)
Content-Type: multipart/alternative; boundary=Apple-Mail-B928F2DC-EF16-4E8E-8632-418F36BB66F6
Content-Transfer-Encoding: 7bit
From: Neil Madden <neil.madden@forgerock.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 7 Jun 2020 13:26:41 +0100
Message-Id: <375FA230-5700-42A5-B933-2A37D296BCDF@forgerock.com>
References: <4CAC2CCD-E776-455D-914C-7BBBA1912B32@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
In-Reply-To: <4CAC2CCD-E776-455D-914C-7BBBA1912B32@gmail.com>
To: Nov Matake <matake@gmail.com>
X-Mailer: iPhone Mail (17E262)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/WDaexkwXrK9-GbyN9n5LemJaFH8>
Subject: Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jun 2020 12:26:48 -0000

Answers inline: 

> On 7 Jun 2020, at 13:07, Nov Matake <matake@gmail.com> wrote:
> 
> So, you mean…
> 
> If a frontend client want to use
> * sender-constrained code, bearer access token and sender-constrained refresh token, use DynReg.

I’m not really sure what a sender-constrained code would be, but I suspect the right answer here is PKCE + DPoP. PKCE basically is PoP for auth codes. 

> * sender-constrained code, sender-constrained access token and sender-constrained refresh token, use DynReg + DPoP.

PKCE + DPoP

> * bearer code, sender-constrained access token and sender-constrained refresh token, use DPoP only.

Sure, but you should always use PKCE, so PKCE + DPoP. 

> * bearer code, bearer access token and bearer refresh token, use neither.
> 
> is my understanding correct??

Just use PKCE + DPoP. (Or a different PoP mechanism, eg mTLS cert-bound tokens, or etc). 

> 
>> 2020/06/07 20:49、Neil Madden <neil.madden@forgerock.com>のメールt;のメール:
>> 
>> There are multiple issues with using dynamic client registration for this. If a user uninstalls and later reinstalls an app then they can end up with multiple registrations for the same client, which makes it harder for them to manage access. Additionally, client registrations typically don’t expire so the AS doesn’t know when it can remove unused clients.
>> 
>> Besides, this ship already sailed with mTLS cert-bound refresh tokens. 
>> 
>> Neil
>> 
>>>> On 7 Jun 2020, at 12:34, Nov Matake <matake@gmail.com> wrote:
>>>> 
>>> Confidential clients can also use DPoP.
>>> 
>>>> 2020/06/07 20:25、Torsten Lodderstedt <torsten@lodderstedt.net>のメールt;のメール:
>>>> 
>>>> If the client would register for every transaction.
>>>> 
>>>> And don’t forget, DPoP also supports sender constrained access to resource servers, which dyn registration does not.
>>>> 
>>>>>> Am 07.06.2020 um 13:04 schrieb Nov Matake <matake@gmail.com>om>:
>>>>>> 
>>>>> Since each client instance has at least one key, those are same level of state management.
>>>>> 
>>>>>> 2020/06/07 16:24、Torsten Lodderstedt <torsten@lodderstedt.net>のメールt;のメール:
>>>>>> 
>>>>>> There are similarities in this particular use case but I would argue DPoP is more light weight than dynamic client registration, less state management in particular.
>>>>>> 
>>>>>>>> Am 07.06.2020 um 05:41 schrieb Nov Matake <matake@gmail.com>om>:
>>>>>>>> 
>>>>>>> DPoP-bound refresh token seems feature duplication with dynamic client registration.
>>>>>>> 
>>>>>>>> 2020/06/07 7:57、Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>のメールt;のメール:
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> > Am 05.06.2020 um 22:17 schrieb George Fletcher <gffletch=40aol.com@dmarc..ietf.org>:
>>>>>>>>> > 
>>>>>>>>> > Secondly, I do think we need a way to allow for the refresh_token to be bound while leaving the access_tokens as bearer tokens. This adds useful security without impacting existing RS deployments.
>>>>>>>>> 
>>>>>>>>> +1 that’s a very useful feature_______________________________________________
>>>>>>>> AFAIK a refresh_token is always bound. What am I missing here?
>>>>>>>> -- 
>>>>>>>> Francis Pouatcha
>>>>>>>> Co-Founder and Technical Lead at adorys
>>>>>>>> https://adorsys-platform.de/solutions/
>>>>>>>> _______________________________________________
>>>>>>>> OAuth mailing list
>>>>>>>> OAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>> 
>>>>> 
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>