Re: [OAUTH-WG] OAuth and OpenID Connect enterprise profiles

"Peck, Michael A" <> Wed, 04 March 2020 20:55 UTC

From: "Peck, Michael A" <>
To: Daniel Fett <>, "" <>
CC: OAuthOIDCProfiles <>
Date: Wed, 04 Mar 2020 20:54:38 +0000


Thank you for your feedback!

We’re definitely interested in aligning with FAPI and with the proposed OAuth 2.1, as that could greatly simplify what we need to specify in our enterprise profiles if we can point to one or both as a baseline, and help provide a common set of requirements for implementations.  We’ll compare with the FAPI 2.0 Baseline profile and bring any specific comments over to its mailing list.

Generally we stated requirements as mandatory that we believe many current implementations already can meet, and stated requirements as recommended that we want to encourage implementations to meet. For example PKCE seems to be widely implemented by authorization servers but not yet by many clients. Certainly we’re open to input, and I’m glad to see the strict requirements that are in the current version of the FAPI 2.0 Baseline profile.

By “front-end web server” we mean a user-facing (user connects to it from their browser) web server (running on a separate endpoint from the user agent/browser). The web server is acting as an OAuth client to call a backend protected resource (such as a database) on behalf of the user and generally presenting the results back to the user agent/browser.  We will try to clarify our terminology. This use case is described in our profile’s section 1.5.1. (Part of the motivation of our use case text is to describe how OAuth can address enterprise needs to those who may be unfamiliar with OAuth.)

We’ll fix section 3.7, thanks!

That’s a good point about Section 6 of our profile and the Security BCP. We already took the contents of the Security BCP into account throughout the profile. One thought is to just remove our Section 6, as the TLS requirement is already stated elsewhere, and the blanket statements to comply with RFC6749 and RFC6819 appear redundant and could complicate compliance testing.


From: Daniel Fett <>
Date: Tuesday, March 3, 2020 at 9:17 AM
To: Michael Peck <>, "" <>
Cc: OAuthOIDCProfiles <>
Subject: [EXT] Re: [OAUTH-WG] OAuth and OpenID Connect enterprise profiles

Hi Michael et al., 

Thanks for the document, it is an interesting read! I like the "Security Rationale" section in particular. Very useful!

In general, this seems to go into a similar direction as the FAPI 2.0 Baseline profile we are currently developing in the FAPI WG [1]. It might be worthwhile to compare the two.

Some other points from a first read:
(All page numbers as printed, not the PDF page count.)

- Why is PKCE not mandatory for confidential clients? It provides a strong second layer of defense when authorization codes are stolen.
- I found the description "front-end web server application" somewhat confusing (Section 2.1.1, p. 9) - The client runs on the server's backend, I assume? On the front-end (browser), it should be a public client.
- In Section 3.7 (p. 22), the first and second paragraph seem to contradict each other. First one says "RECOMMENDED lifetimes", second one says "MUST have a valid lifetime no greater than one hour".
- I was surprised that the Security BCP does not show up in Section 6.



Am 02.03.20 um 20:53 schrieb Peck, Michael A:
Hello all,

For anyone who may be interested: MITRE, in support of the U.S. Government, has developed tailored OAuth and OpenID Connect profiles for use in enterprise environments. We have leveraged previous standards efforts (e.g. work in the IETF and in the OpenID Foundation) and have detailed requirements to use the standards in a secure and interoperable manner to address enterprise environment use cases.

These profiles should be considered informational as we seek feedback from subject matter experts. We’re interested in working with standards bodies and others to move these concepts forward. We welcome any comments and suggestions at .

The profiles can be found at:

Michael Peck
The MITRE Corporation

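The PKCE point raised in this thread (a second layer of defense for a confidential client when an authorization code is stolen), shown as an added example. This code is not from the MITRE profile, the FAPI 2.0 Baseline draft, or either correspondent; it is a self-contained, in-memory toy authorization server and server-side web client (the "front-end web server" case), and the client id "web-app", its secret and the session ids are constructed test data. It demonstrates the RFC 7636 S256 derivation, the binding of the code to the challenge at the authorization server, and why a stolen code injected into another browser session at the legitimate confidential client still fails even though the client authenticates correctly.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """RFC 7636 4.1: high-entropy string of 43..128 chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy AS: the authorization endpoint binds each code to a challenge, the token endpoint checks it."""

    def __init__(self, clients: dict):
        self.clients = clients  # client_id -> client_secret (constructed data)
        self.codes = {}         # code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        if client_id not in self.clients or method != "S256":
            raise ValueError("unsupported client or code_challenge_method")
        code = b64url(secrets.token_bytes(32))
        self.codes[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, client_secret: str, code: str, code_verifier: str) -> dict:
        # Layer 1: client authentication. Stops an attacker who holds only the code.
        secret = self.clients.get(client_id)
        if secret is None or not hmac.compare_digest(secret, client_secret):
            return {"error": "invalid_client"}
        # Codes are single use; this toy AS consumes the code on any redemption attempt.
        bound = self.codes.pop(code, None)
        if bound is None or bound[0] != client_id:
            return {"error": "invalid_grant"}
        # Layer 2: PKCE. Only the session that generated the verifier can redeem the code,
        # even when the request arrives from the legitimate, authenticated client.
        if not hmac.compare_digest(make_code_challenge(code_verifier), bound[1]):
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(32)), "token_type": "Bearer"}


class ConfidentialWebClient:
    """Server-side web app: the verifier is kept in the user's server-side session."""

    def __init__(self, auth_server: AuthorizationServer, client_id: str, client_secret: str):
        self.auth_server, self.client_id, self.client_secret = auth_server, client_id, client_secret
        self.sessions = {}  # session_id -> code_verifier

    def start_login(self, session_id: str) -> str:
        verifier = make_code_verifier()
        self.sessions[session_id] = verifier
        return make_code_challenge(verifier)  # goes into the authorization request

    def redirect_endpoint(self, session_id: str, code: str) -> dict:
        verifier = self.sessions.pop(session_id, None)
        if verifier is None:
            return {"error": "no_pending_login"}
        return self.auth_server.token(self.client_id, self.client_secret, code, verifier)


def run_scenarios() -> dict:
    """Honest login, code replay, direct redemption by the thief, and code injection via the client."""
    auth_server = AuthorizationServer({"web-app": "s3cret"})
    client = ConfidentialWebClient(auth_server, "web-app", "s3cret")

    # 1. Honest flow in the victim's browser session "A".
    code_a = auth_server.authorize("web-app", client.start_login("session-A"))
    honest = client.redirect_endpoint("session-A", code_a)
    # 2. Replay of the consumed code, verifier irrelevant.
    replay = auth_server.token("web-app", "s3cret", code_a, "")

    # 3. A second victim session "C" whose code leaks to the attacker before redemption.
    code_c = auth_server.authorize("web-app", client.start_login("session-C"))
    # 3a. Thief goes straight to the token endpoint: no client secret, layer 1 stops it.
    direct = auth_server.token("web-app", "guess", code_c, make_code_verifier())
    # 3b. Thief starts their own session "B" at the legitimate client and injects the
    #     stolen code there. The client authenticates fine, but session B's verifier
    #     does not hash to the challenge bound to code_c: layer 2 stops it.
    client.start_login("session-B")
    injected = client.redirect_endpoint("session-B", code_c)

    return {"honest": honest, "replay": replay, "direct": direct, "injected": injected}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:9s} -> {result}")
```

The injection case (3b) is the one that client authentication alone cannot catch, which is the argument for requiring PKCE from confidential clients as well: the token request is made by the real client with its real credentials, and only the verifier binding reveals that the code belongs to a different browser session.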