IETF Logo Mail Archive

Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review

Anthony Nadalin <tonynad@microsoft.com> Thu, 24 January 2013 17:21 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA7C421F8706 for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 09:21:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.533
X-Spam-Level:
X-Spam-Status: No, score=0.533 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SBRm0HjfdCXl for <oauth@ietfa.amsl.com>; Thu, 24 Jan 2013 09:21:30 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (na01-bl2-obe.ptr.protection.outlook.com [65.55.169.28]) by ietfa.amsl.com (Postfix) with ESMTP id AEB9321F86D9 for <oauth@ietf.org>; Thu, 24 Jan 2013 09:21:24 -0800 (PST)
Received: from BL2FFO11FD003.protection.gbl (10.173.161.202) by BL2FFO11HUB036.protection.gbl (10.173.161.116) with Microsoft SMTP Server (TLS) id 15.0.596.13; Thu, 24 Jan 2013 17:21:15 +0000
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD003.mail.protection.outlook.com (10.173.160.103) with Microsoft SMTP Server (TLS) id 15.0.596.13 via Frontend Transport; Thu, 24 Jan 2013 17:21:15 +0000
Received: from va3outboundpool.messaging.microsoft.com (157.54.51.80) by mail.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.2.318.3; Thu, 24 Jan 2013 17:20:38 +0000
Received: from mail63-va3-R.bigfish.com (10.7.14.239) by VA3EHSOBE004.bigfish.com (10.7.40.24) with Microsoft SMTP Server id 14.1.225.23; Thu, 24 Jan 2013 17:17:12 +0000
Received: from mail63-va3 (localhost [127.0.0.1]) by mail63-va3-R.bigfish.com (Postfix) with ESMTP id 9631C4A011F for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 24 Jan 2013 17:17:12 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.21; KIP:(null); UIP:(null); (null); H:BL2PRD0310HT005.namprd03.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -20
X-BigFish: PS-20(zzbb2dI98dI9371Id6eahc85fh146fI542Izz1ee6h1de0h1202h1e76h1d1ah1d2ah1082kzz1033IL17326ah8275dh18c673h8275bhz31h2a8h668h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h9a9j1155h)
Received-SPF: softfail (mail63-va3: transitioning domain of microsoft.com does not designate 157.56.240.21 as permitted sender) client-ip=157.56.240.21; envelope-from=tonynad@microsoft.com; helo=BL2PRD0310HT005.namprd03.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BY2PR03MB044; H:BY2PR03MB041.namprd03.prod.outlook.com; LANG:en;
Received: from mail63-va3 (localhost.localdomain [127.0.0.1]) by mail63-va3 (MessageSwitch) id 1359047829445618_2153; Thu, 24 Jan 2013 17:17:09 +0000 (UTC)
Received: from VA3EHSMHS006.bigfish.com (unknown [10.7.14.237]) by mail63-va3.bigfish.com (Postfix) with ESMTP id 5A03730059B; Thu, 24 Jan 2013 17:17:09 +0000 (UTC)
Received: from BL2PRD0310HT005.namprd03.prod.outlook.com (157.56.240.21) by VA3EHSMHS006.bigfish.com (10.7.99.16) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 24 Jan 2013 17:17:07 +0000
Received: from BY2PR03MB044.namprd03.prod.outlook.com (10.255.241.148) by BL2PRD0310HT005.namprd03.prod.outlook.com (10.255.97.40) with Microsoft SMTP Server (TLS) id 14.16.257.4; Thu, 24 Jan 2013 17:17:06 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com (10.255.241.145) by BY2PR03MB044.namprd03.prod.outlook.com (10.255.241.148) with Microsoft SMTP Server (TLS) id 15.0.601.3; Thu, 24 Jan 2013 17:17:04 +0000
Received: from BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) by BY2PR03MB041.namprd03.prod.outlook.com ([169.254.9.209]) with mapi id 15.00.0601.000; Thu, 24 Jan 2013 17:16:52 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mitre.org>
Thread-Topic: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
Thread-Index: Ac35p+wOnP9UzK9BQMG59YbBjTobdAAHPkAQAB4kyAAAA1FVAAAAudqAAAAhbLAAAVn2gAAAe9Ow
Date: Thu, 24 Jan 2013 17:16:51 +0000
Message-ID: <5c414d08c1ac4db3aaf2b8eee9adc1c6@BY2PR03MB041.namprd03.prod.outlook.com>
References: <a7b55ec383284cee83ff199f0057acbb@BY2PR03MB041.namprd03.prod.outlook.com> <5101425A.6080905@mitre.org> <269c48631ede4fc59c949b9f43f91c05@BY2PR03MB041.namprd03.prod.outlook.com> <51015D7D.3010600@mitre.org> <2d27b0f214104811a659c12336ce7865@BY2PR03MB041.namprd03.prod.outlook.com> <5101676F.40006@mitre.org>
In-Reply-To: <5101676F.40006@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.192.168]
Content-Type: multipart/alternative; boundary="_000_5c414d08c1ac4db3aaf2b8eee9adc1c6BY2PR03MB041namprd03pro_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: BY2PR03MB044.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%MITRE.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-CrossPremisesHeadersPromoted: TK5EX14HUBC102.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC102.redmond.corp.microsoft.com
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(479174001)(199002)(189002)(24454001)(13464002)(52314002)(56776001)(31966008)(76482001)(44976002)(63696002)(59766001)(56816002)(74502001)(5343655001)(15202345001)(512954001)(33646001)(54356001)(74662001)(47446002)(53806001)(4396001)(5343635001)(49866001)(54316002)(550184003)(6806001)(47736001)(16236675001)(47976001)(51856001)(79102001)(50986001)(77982001)(46102001)(16676001)(455564002)(42262001)(24736002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB036; H:TK5EX14HUBC102.redmond.corp.microsoft.com; RD:; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 073631BD3D
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jan 2013 17:21:38 -0000

Basically the spec has a lot of underspecified behaviors which will lead to issues, in security and in expectations of the client.

3. no, as I can't do anything with an auth_code except get a access_token
5. The client does not know what to throw out as it does not know the server's policy
7." no, you've got it backwards. Revoking an access token doesn't revoke the refresh token (that wouldn't make much sense), but revoking a refresh token SHOULD revoke all associated access tokens."  Don't agree, the specification is not clear, currently it's a policy choice in the specification  and thus the issues that this creates. Basically revocation is not well defined in this specification which leads to many issues

From: Justin Richer [mailto:jricher@mitre.org]
Sent: Thursday, January 24, 2013 8:55 AM
To: Anthony Nadalin
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review




1. We have WebFinger lets use that as we have already been through the discovery issues, point being there are security issues at stake here w/o proper knowledge, next thing we know some rouge sever has signed up as a revocation sever.
Tony, I think you're misunderstanding what I'm saying. I completely agree that we should solve discovery and that we should use webfinger -- but this is a bigger problem than just revocation. Let's solve discovery for all of OAuth consistently. How would your rogue server "sign up" as it is? Get its URL into the documentation for a service? I think it's just as big of a problem for someone to say "hey I'm the token endpoint" and get clients to believe it, isn't it? And it's an even bigger problem, especially with bearer tokens, for someone to show up and say "I'm a protected resource!". Which is exactly why I say this needs to be solved for everything together, not just for revocation. Would you like to volunteer to draft a webfinger profile for all extant OAuth endpoints?



3. you can still have one if you have not used it and want to revoke it, I may not want to redeem the auth_code to get a token to revoke it, I may just not want to send the token
What you describe here is no longer token revocation, that's auth code revocation. That's a different operation and shouldn't be enabled by this endpoint. The auth code is supposed to eventually expire anyway, and that after a fairly short period of time. If you haven't gotten a token, you have to no token to revoke so you don't need to call the token revocation endpoint. If you just don't want to send your token, you just don't get to revoke it. What are you actually trying to accomplish by this added complexity?

In any case, it's impractical to implement. It's a big -- and novel -- burden for servers to keep around auth codes and tie them to the tokens that they represent anyway. I know our implementation doesn't track that link, and I doubt that many others do either. The auth codes are meant to be ephemeral.



5. That is just the point, how does one know that the token id revoked
The server will return if it's revoked the token. The effects of that revocation may take time to propagate to all PR's, so calling it "immediate" here could be misleading. As far as the client's concerned, it's immediate as soon as the server returns. This is why the client must throw the token out.





6. very poor choice, as no one know what is going on

7. No I'm not conflating things here at all, please read the text. If I send a access_token and the server's policy says that the refresh_token associated with the access_token is also to be revoked then I have no way to know that "The client MUST NOT use this token again after revocation". What is "this" mean in the sentence, only the token I sent or any revoked token. Also how do I know when the token is actually revoked, could take a week or more given policy?
... no, you've got it backwards. Revoking an access token doesn't revoke the refresh token (that wouldn't make much sense), but revoking a refresh token SHOULD revoke all associated access tokens. That's the what the implementor's note (section 3) says. As far as the client is concerned, that token is dead the moment it gets back a positive response from the revocation endpoint. The "this token" in that sentence above is the token that was sent in with the request, there's no guarantee of what happens with "related" tokens. However, it's a good idea for the server to also throw out active access tokens associated with a refresh token, thus the implementor's note.

Sure, the token could be good for another week, but the client won't care because it's thrown things out. It's not the client's problem anymore. An immediacy requirement at the server is unimplementable in distributed systems. Any related tokens that happened to be revoked that the client tries to use (such as an access token tied to a refresh token that the client just revoked) might fail if the client uses them again.

But the thing is, failed token requests aren't a big deal, because you just start doing OAuth again. The code path is very simple and straightforward and is exactly the same whether or not you're using the revocation endpoint.

 -- Justin







-----Original Message-----

From: Justin Richer [mailto:jricher@mitre.org]

Sent: Thursday, January 24, 2013 8:13 AM

To: Anthony Nadalin

Cc: oauth@ietf.org<mailto:oauth@ietf.org>

Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review





On 01/24/2013 10:58 AM, Anthony Nadalin wrote:

1. we keep punting on discovery, this has an impact on security of

where I send my credentials and token, can't see punting yet again

here

It doesn't make any sense to solve discovery *just* for revocation, which you seem to be advocating. Of course it has an impact on security

-- this is a security protocol we're talking about, that goes without saying. It also impacts security where I send the user for authorization, and everything else that you do.



I would rather see discovery solved properly for all of OAuth including all of its endpoints. UMA has taken a crack at this, there's a draft defining XRD link types, OIDC has a solution for this as well (in the provider configuration .well-known doc).



2. OK, make this explicit in specification

Fair enough. Got specific language to suggest?



3. if you have an auth_code you should be able to use it, agree not

all will have it but some will

You shouldn't have an auth code anymore -- you're supposed to throw it away since it's single use (per 10.5 of RFC6749). Why wouldn't you just use the token? You're guaranteed to have the token in all cases. I see no value in sometimes sending an auth code and sometimes sending a token when I am guaranteed to always have the token.



4. MAY seems a better choice

Possibly -- I think SHOULD is fine here but I'm curious what others say.



5. Make it explicit in the spec one way or the other, too vague now

Explicit how? It can explicitly go either way. From the client's perspective, it's supposed to be immediate. From the server's perspective, it could take a while to actually enforce that.



6. How does one find the policy, as this has an impact on #7

How does one find any other implementation specific policy? There was already a big discussion about this a while ago. It used to be a MUST to cascade, then as I recall, Google objected to it because their access tokens in the wild can't be revoked at all, so revoking a refresh token revokes only that token. The current language allows the server to decide what it has to do.



7. There is a big difference here in enforcement, the client should

not have to enforce this rule, the client may not know due to policy

that revoking 1 token revokes other tokens thus the client would have

to know the servers policy. This should be a SHOULD not MUST

You're conflating things here. If the client revokes the refresh token, they must not use that refresh token again. They can try to use any access or other tokens if they want to, but that refresh token is off the table. The server is allowed to also nuke any access tokens that it wants to, but if the client wants to be really, really sure, it can revoke all of its access tokens separately.



  -- Justin



-----Original Message-----

From: Justin Richer [mailto:jricher@mitre.org]

Sent: Thursday, January 24, 2013 6:17 AM

To: Anthony Nadalin

Cc: oauth@ietf.org<mailto:oauth@ietf.org>

Subject: Re: [OAUTH-WG] draft-ietf-oauth-revocation-04 Review



Not to jump in and answer for Torsten, but I thought I'd  offer at least my understanding of the document:



On 01/23/2013 06:54 PM, Anthony Nadalin wrote:

1.       Since not stated I assume that the Revocation Endpoint can exist on a different server from the Authorization server (or is it assumed that they are 1), if so how is the Revocation Endpoint found?

It could be separate if your architecture can support that. It gets found the same way other OAuth endpoints get found -- configuration documents, some kind of discovery mechanism, or magic. Which is to say, that's not currently OAuth's problem.



2.       Any token type that is supported can be revoked, including refresh token ?

That's the idea. We've implemented this on our OIDC server so that you can also revoke ID Tokens for session management purposes.



3.       Why does one have to send the token, can't this just be an auth_code ?

You don't always use an auth code to get a token (think implicit, client credentials, assertion, or resource owner credentials flows), and auth codes are supposed to be thrown away after use anyway.



4.       Says CORS SHOULD be supported, I think a MAY be better here since a site may have issues supporting CORS

If they have issues, which is to say "A good reason not to", then they don't have to support it. That's the semantics behind "SHOULD", and so it is fine here.



5.       Does not say but is the revocation to be immediate upon the return of the request ?

This is implementation dependent. Large scale distributed implementations could have trouble making this "immediate", but small systems are more likely to be quick. From the client's perspective, if they get back a success response, they shouldn't count on that token being good anymore (see section 2 note about client behavior).



6.       Does the revocation of the access token also revoke the refresh token (if it was provided) ? Or is this a revocation policy decision ?

That's a policy decision.



7.       Section 2 says "the client MUST NOT use this token again", well that seems odd, not sure this should be here as the client could try to use it gain, there is no need to put support in client to prevent this.

Why would a client want to use a token that they just revoked? This is prescribing the desired correct behavior to a client so that client developers will do the right thing when they implement it. Isn't that the point of the spec?



   -- Justin

v2.23.0 | Report a Bug | By Email