Re: [OAUTH-WG] Client authentication on token revocation

Emond Papegaaij <emond.papegaaij@gmail.com> Thu, 20 August 2020 12:18 UTC

References: <CAGXsc+Z6rYsktb+bokg6i2myG_FB4cWHrfX5+d6bQW+LcWg=ig@mail.gmail.com> <46A7D36F-C999-4CA5-AA7F-F955316C4855@lodderstedt.net>
In-Reply-To: <46A7D36F-C999-4CA5-AA7F-F955316C4855@lodderstedt.net>
From: Emond Papegaaij <emond.papegaaij@gmail.com>
Date: Thu, 20 Aug 2020 14:18:11 +0200
Message-ID: <CAGXsc+YCiLmHBj1Wa7nWCmrCXt4Bg+QLuByLddt+6ZUHyW0JfA@mail.gmail.com>
To: oauth <OAuth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XPRCSodPBiioqZK5t2fqupAu4Pk>

Hi Torsten,

Thanks for your insight. I agree, a sender-constrained token, such as
when using certificate-bound tokens from RFC 8705, cannot be used by
an attacker. It makes sense to only allow the owner to revoke them,
probably using the same mechanism by which they are bound to the
client. For bearer tokens, we will simply skip the validation of the
client credentials.

Best regards,
Emond Papegaaij

On Thu, Aug 20, 2020 at 12:52 PM Torsten Lodderstedt
<torsten@lodderstedt.net> wrote:
>
> Hi Emond,
>
> I tend to agree with your assessment. Revoking bearer tokens without client authentication seems to be better than leaving the attacker the option to use them to invoke resources.
>
> However, if the attacker cannot use the access tokens (e.g. because they are sender constrained), the attacker could revoke tokens issued to a confidential client as a kind of DoS attack.
>
> best regards,
> Torsten.
>
> > On 20. Aug 2020, at 11:02, Emond Papegaaij <emond.papegaaij@gmail.com> wrote:
> >
> > Hi all,
> >
> > We are currently implementing the token revocation endpoint (RFC 7009)
> > on our authorization server and do not understand why it requires
> > client authentication. When a party (a valid client or not) gets hold
> > of a valid access token in whatever way, the least damaging thing it
> > could do with it is to revoke it. The current spec allows an attacker to
> > misuse this token for access to the resource server, but forbids it
> > from revoking it. This seems strange to me.
> >
> > Section 5 of RFC 7009 does not help in this either. It starts to
> > explain that this authentication is needed to prevent malicious
> > clients from guessing tokens, but ends with the fact that if this were
> > possible, much worse damage could be done by using the guessed token
> > on the resource server. We plan to skip the authentication
> > altogether and simply revoke any valid token presented. How would you
> > recommend we deal with this?
> >
> > Best regards,
> > Emond Papegaaij
> > Topicus KeyHub
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
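As an added example (not code from this thread or from Topicus KeyHub), here is a minimal revocation decision that follows the policy the thread converges on: a bearer token is revoked without client authentication, since whoever holds it could also use it, while a certificate-bound token (RFC 8705 `cnf`/`x5t#S256`) is revoked only when the presenting TLS client certificate matches the binding, which closes the DoS case Torsten raises. The token store, the certificate bytes and the client ids are constructed placeholders; `presented_cert` is assumed to be the DER of the certificate the TLS layer authenticated.

```python
import base64
import hashlib
from typing import Optional


def thumbprint(cert_der: bytes) -> str:
    """x5t#S256 as used by RFC 8705: base64url(SHA-256(DER)) without padding."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode()


# Constructed placeholders standing in for DER-encoded client certificates.
CLIENT_A_CERT = b"constructed-der-bytes-client-a"
CLIENT_B_CERT = b"constructed-der-bytes-client-b"


def new_store() -> dict:
    """Constructed token store: one bearer token and one certificate-bound token."""
    return {
        "bearer-1": {"client_id": "app-a", "active": True},
        "mtls-1": {"client_id": "app-a", "active": True,
                   "cnf": {"x5t#S256": thumbprint(CLIENT_A_CERT)}},
    }


def revoke(token: str, presented_cert: Optional[bytes], store: dict) -> str:
    """Decide a revocation request (RFC 7009) under the thread's policy.

    Returns "revoked", "ignored" (unknown or already inactive token; RFC 7009 2.2
    says the server still answers 200, as the goal is already achieved), or
    "rejected" (sender-constrained token presented without the matching binding;
    the server would answer 401 invalid_client)."""
    rec = store.get(token)
    if rec is None or not rec["active"]:
        return "ignored"
    cnf = rec.get("cnf")
    if cnf is None:
        # Bearer token: the holder could use it anyway, so revoking is the least harmful outcome.
        rec["active"] = False
        return "revoked"
    # Sender-constrained token: only the party holding the bound certificate may revoke it.
    if presented_cert is None or thumbprint(presented_cert) != cnf["x5t#S256"]:
        return "rejected"
    rec["active"] = False
    return "revoked"
```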