Re: [OAUTH-WG] FYI per a request on the last conference call, this is a method for making client registration stateless.

John Bradley <ve7jtb@ve7jtb.com> Tue, 15 October 2013 10:43 UTC


It is intended for confidential clients.

In 2 it states that you may encrypt the JWT.   

If asymmetric authentication using the assertion profile is used, the registration endpoint would put the client's public key in the JWT and would not need to encrypt it.

I expect that encrypting the JWT with integrity AES+HMAC would be a good solution for clients using symmetric secrets.  

The exact method for doing this can be determined by the AS. As it is a token from the AS to the AS, there are no interoperability issues with the symmetric case.

In the case of a client using asymmetric assertion profile authentication, it is possible that the registration endpoint is not tightly coupled to the registration endpoint.
A single registration endpoint could issue stateless client_ids that are accepted and verified by multiple AS. In this case the format of the JWT needs standardization for interoperability.

John B.



On 2013-10-15, at 6:06 AM, Pedro Felix <pmhsfelix@gmail.com> wrote:

> Hi,
> 
> Is this applicable to public (non-confidential) clients only? For confidential clients, the verification of the client_secret doesn't seem to be addressed by this proposal (token endpoint interactions).
> We could however extend it to address this scenario, namely by using encrypted JWTs with client_secret verification information.
> 
> Thanks
> Pedro
> 
> 
> 
> On Tue, Oct 15, 2013 at 1:01 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
> A new version of I-D, draft-bradley-stateless-oauth-client-00.txt
> has been successfully submitted by John Bradley and posted to the
> IETF repository.
> 
> Filename:	 draft-bradley-stateless-oauth-client
> Revision:	 00
> Title:		 Stateless Client Identifier for OAuth 2
> Creation date:	 2013-10-15
> Group:		 Individual Submission
> Number of pages: 4
> URL:             http://www.ietf.org/internet-drafts/draft-bradley-stateless-oauth-client-00.txt
> Status:          http://datatracker.ietf.org/doc/draft-bradley-stateless-oauth-client
> Htmlized:        http://tools.ietf.org/html/draft-bradley-stateless-oauth-client-00
> 
> 
> Abstract:
>   This draft provides a method for communicating information about an
>   OAuth client through its client identifier allowing for fully
>   stateless operation.
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
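
An added example, not taken from the draft or from either poster: one way an AS could apply the "AES+HMAC" suggestion in the reply above and carry client_secret verification information inside the client_id, written in Ruby as a compact JWE with direct encryption and A128CBC-HS256 (the construction later standardized in RFC 7518). The claim names, function names and the demo key are assumptions.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Demo key generated at load; a real AS would load it from its key store.
# Bytes 0-15 are the HMAC key, bytes 16-31 the AES key (A128CBC-HS256 layout).
AS_KEY = OpenSSL::Random.random_bytes(32)

def b64(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Tag: first 16 bytes of HMAC-SHA256 over AAD || IV || ciphertext || AAD bit length.
def auth_tag(mac_key, aad, iv, ct)
  data = aad.b + iv + ct + [aad.bytesize * 8].pack('Q>')
  OpenSSL::HMAC.digest('SHA256', mac_key, data)[0, 16]
end

# Registration endpoint: seal the client's metadata and secret into its client_id.
def issue_client_id(key, claims)
  header = b64(JSON.generate({ alg: 'dir', enc: 'A128CBC-HS256' }))
  cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  cipher.key = key[16, 16]
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(claims)) + cipher.final
  [header, '', b64(iv), b64(ct), b64(auth_tag(key[0, 16], header, iv, ct))].join('.')
end

# Token endpoint: verify the tag before decrypting, then compare the presented
# secret in constant time. The algorithm is fixed by the AS; the header never
# selects it. Returns the claims hash, or nil on any failure.
def authenticate_client(key, client_id, presented_secret)
  header, cek, *rest = client_id.split('.', -1)
  return nil unless rest.size == 3 && cek.empty?
  iv, ct, tag = rest.map { |part| Base64.urlsafe_decode64(part) }
  return nil unless iv.bytesize == 16
  return nil unless OpenSSL.secure_compare(tag, auth_tag(key[0, 16], header, iv, ct))
  cipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  cipher.key = key[16, 16]
  cipher.iv = iv
  claims = JSON.parse(cipher.update(ct) + cipher.final)
  return nil unless OpenSSL.secure_compare(claims['client_secret'].to_s, presented_secret)
  claims
rescue ArgumentError, OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end
```

Because only the AS holds the key, the registration and token endpoints need no shared database, but a client_id issued this way cannot be revoked individually without rotating the key or adding state.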