Re: [OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)
John Bradley <ve7jtb@ve7jtb.com> Fri, 12 September 2014 15:32 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D56621A6F6D for <oauth@ietfa.amsl.com>; Fri, 12 Sep 2014 08:32:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OfDcQd1PMxk9 for <oauth@ietfa.amsl.com>; Fri, 12 Sep 2014 08:32:18 -0700 (PDT)
Received: from mail-qa0-f53.google.com (mail-qa0-f53.google.com [209.85.216.53]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 88F9D1A6F17 for <oauth@ietf.org>; Fri, 12 Sep 2014 08:32:18 -0700 (PDT)
Received: by mail-qa0-f53.google.com with SMTP id n8so887529qaq.40 for <oauth@ietf.org>; Fri, 12 Sep 2014 08:32:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=Wf5dT3wXexyZ1xLtEjPjaBRDjNFtk+nPgV3nbrdR9Rk=; b=LhxReRuPzoTy0lomsW2Ek0AEom7yTKBmVK2ojgM2N7O29o3rjhfjc9R9FrSdzmy1YW /YoE31obNqDhpMRlpUa/MtU2z8FhRSFvGmYH5XOucKVVukFZzSh524mtAB/eyEMjQyI0 945bE2q2pzRLCL0SrHQnpscX7j6y3ag+2J80sXBUIBTc+Lduc45N4TSzRlCsnND4UF9a 579QfGutiq+NnX7R4IYSHCmAZcBJEuEKy/JFn29Spt6eaXWDolDC05hDOlVp3o7H6r1j 34q61kDRapqvpBmpibPG1ZIT2/CC2hHvUsEW7euRw6RmYdF6+7iXSGN4dpNMnHLkIUZt fLpQ==
X-Gm-Message-State: ALoCoQk0BX8mqq/XptPDbHR23uBTDhkf/iD9CB9PZvpC2Y/OjzA+3GpH6Gq7JiCJPvmxT/NqhDOJ
X-Received: by 10.140.30.227 with SMTP id d90mr3913469qgd.55.1410535935088; Fri, 12 Sep 2014 08:32:15 -0700 (PDT)
Received: from [192.168.1.37] (181-163-122-71.baf.movistar.cl. [181.163.122.71]) by mx.google.com with ESMTPSA id i17sm3199389qay.47.2014.09.12.08.32.08 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 12 Sep 2014 08:32:14 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_58F1FC55-DB71-4CC6-98EB-192036AB68F0"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <AC1D34BF-6EDD-4EFE-A0FD-AE4C2B43B2D4@mitre.org>
Date: Fri, 12 Sep 2014 12:32:02 -0300
Message-Id: <DAA0D24D-538D-4928-8B52-E227CBBB1CD3@ve7jtb.com>
References: <CA+k3eCT4u1h9zDa_6z9jx9RpQQvVCyRAO4+NmJPN6FpKWRYWAw@mail.gmail.com> <AC1D34BF-6EDD-4EFE-A0FD-AE4C2B43B2D4@mitre.org>
To: "Justin P. Richer" <jricher@mitre.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/XeZCeDEaBj6sUxyvZ6iLWiT5Hzs
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] client_secret_expires_at redux again (was Re: Dynamic Client Registration Sent to the IESG)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Sep 2014 15:32:21 -0000
Yes the JWKS expiry is logically controlled by the client. If it is going to roll those keys it should be using a jwks_uri if there is no management API to push a new JWKS. In general symmetric client secrets create key management problems. My preference is to move to asymmetric keys. John B. On Sep 12, 2014, at 11:08 AM, Richer, Justin P. <jricher@mitre.org> wrote: > It used to be simply "expires_at" but after discussion on the list it was changed to "client_secret_expires_at", since the client's secret is the most likely part to expire and need to be refreshed. Of course this refresh makes the most sense if you're implementing the management spec where you can actually do something other than re-register, but it's still handy for the client to know that its server-issued credentials won't be good anymore at a certain point. > > Since the JWKS is provided by the client and not by the server, the server doesn't really need to tell the client when it expires. > > The parameter is not passed back if there is no client_secret, such as a public or implicit client. There's text in the security considerations about expiring those kinds of clients* but after discussion on the list it was decided that it's too specific to a server policy to try to signal. Plus, nobody seems to do that today. Client secrets *do* expire in some setups, but client IDs don't, in my personal experience. > > -- Justin > > > * And I just noticed that this paragraph still mentions the "delete action", so we need to clean that part up in the next revision. > > On Sep 11, 2014, at 6:19 PM, Brian Campbell <bcampbell@pingidentity.com> wrote: > >> Why does expiration only apply to the client secret[1]? If there's a need for the AS to set an expiration, isn't it broader than that and apply to the whole client or the client id? If there's a need to signal an expiration time on the client secret, doesn't it follow that the client's JSON Web Key Set (the jwks parameter) might also need to be expired? And what about strictly implicit clients or other public clients, is there no case that an AS would want to expire them? >> >> I realize I've asked this before (more than once) but I've never gotten an answer. To me, whats in this draft that's on its way to the IESG is awkward and/or incomplete. >> >> I believe that either the client_secret_expires_at should be removed from draft-ietf-oauth-dyn-reg or it should be changed to something that isn't specific to the client secret - something like client_expires_at or client_id_expires_at. >> >> [1] client_secret_expires_at in https://tools.ietf.org/html/draft-ietf-oauth-dyn-reg-20#section-4.1 >> >> On Wed, Sep 10, 2014 at 5:50 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: >> Hi all, >> >> I have just sent the Dynamic Client Registration document to the IESG. >> The final shepherd write-up for the document can be found here: >> http://datatracker.ietf.org/doc/draft-ietf-oauth-dyn-reg/shepherdwriteup/ >> >> Ciao >> Hannes >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] client_secret_expires_at redux again (… Brian Campbell
- Re: [OAUTH-WG] client_secret_expires_at redux aga… Richer, Justin P.
- Re: [OAUTH-WG] client_secret_expires_at redux aga… John Bradley
- Re: [OAUTH-WG] client_secret_expires_at redux aga… Brian Campbell