Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)

Brian Campbell <bcampbell@pingidentity.com> Thu, 05 September 2019 00:18 UTC

MIME-Version: 1.0
References: <156763159047.22689.9306520600745069059.idtracker@ietfa.amsl.com> <CA+k3eCTu91h3X7BjJgjQ6QQU1oWXnRPM3X0EjRbi6ri=a5tSew@mail.gmail.com> <20190904235531.GE78802@kduck.mit.edu>
In-Reply-To: <20190904235531.GE78802@kduck.mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 04 Sep 2019 18:17:32 -0600
Message-ID: <CA+k3eCQ0bShTn4cbzeP7hs-g+wbfP6JzUsA=xmtjyhaehmAL0Q@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-oauth-resource-indicators@ietf.org, oauth <oauth@ietf.org>, oauth-chairs@ietf.org
Content-Type: multipart/alternative; boundary="00000000000007b6fc0591c341ec"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XvrfYCXjEtbBUBVC-S51DLJirKk>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-resource-indicators-05: (with COMMENT)
Precedence: list

On Wed, Sep 4, 2019 at 5:55 PM Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Wed, Sep 04, 2019 at 05:19:27PM -0600, Brian Campbell wrote:
> > Thanks Ben, for the review and non-objectional ballot.
> >
> > On Wed, Sep 4, 2019 at 3:13 PM Benjamin Kaduk via Datatracker <
> > noreply@ietf.org> wrote:
> >
> > > Benjamin Kaduk has entered the following ballot position for
> > > draft-ietf-oauth-resource-indicators-05: No Objection
> > >
> > > Section 3
> > >
> > >    An access token that is audience restricted to a protected resource
> > >    that obtains that token legitimately cannot be used to access
> > >    resources on behalf of the resource owner at other protected
> > >    resources.  The "resource" parameter enables a client to indicate
> the
> > >
> > > nit: This sentence has a pretty strange construction.  I think the
> > > intent is to say that that a token, legitimately presented to a
> > > resource, cannot then be taken by that resource server and
> > > illegitimately present it somewhere else for access to other resources.
> > > But with the current wording we seem to be missing part of the part
> > > where some entity obtains the token with intent for illegitimate
> access.
> > >
> >
> > Yes, despite the pretty strange construction, you have the correct
> intent.
> > I'll work on improving that sentence (borrowing heavily from your words
> > there).
> >
> >
> >
> > >    Some servers may host user content or be multi-tenant.  In order to
> > >    avoid attacks that might confuse a client into sending an access
> > >    token to a resource that is user controlled or is owned by a
> > >    different tenant, it is important to use a specific resource URI
> > >    including a path component.  This will cause any access token issued
> > >    for accessing the user controlled resource to have an invalid
> > >    audience if replayed against the legitimate resource API.
> > >
> > > I'm not entirely sure what this is trying to say.  What is the
> > > "legitimate resource API"?  Why would a token be issued for accessing a
> > > user-controlled resource if that's something we're trying to avoid
> > > having confused clients access?
> > >
> >
> > Um... so on rereading that I might say that it's also "pretty strange".
> >
> > What it was trying to somehow say is similar to the previous nit about
> > audience-restricted not being usable at the resource for whom the weren't
> > intended. But saying so in the context of a multi-tenant environment.
> > Basically it's trying to say that, in a multi-tenant environment, the
> > resource URI and subsequent token audience need to have something that
> > identifies the tenant so as to prevent the token from being used by one
> > tenant to illegitimately access resources at a different tenant. I'll
> work
> > on trying to improve that text to better explain all that.
>
> Ah, yes, that's a very good point to make.  I'm happy to look at some draft
> text if you want.
>

Thanks, here's what I've got now for this and the previous item in sec 3.
Suggestions welcome.

3.  Security Considerations

   An audience-restricted access token, legitimately presented to a
   resource, cannot then be taken by that resource to present it
   elsewhere for illegitimate access to other resources.  The "resource"
   parameter enables a client to indicate the protected resources where
   the requested access token will be used, which in turn enables the
   authorization server to apply the appropriate audience restrictions
   to the token.

   Some servers may host user content or be multi-tenant.  In order to
   avoid attacks where one tenant uses an access token to illegitimately
   access resources owned by a different tenant, it is important to use
   a specific resource URI including any portion of the URI that
   identifies the tenant, such as a path component.  This will allow
   access tokens to be audience-restricted in a way that identifies the
   tenant and prevent their use, due to an invalid audience, at
   resources owned by a different tenant.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

[OAUTH-WG] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk via Datatracker
Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Brian Campbell
Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Benjamin Kaduk
Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Brian Campbell
Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Benjamin Kaduk
Re: [OAUTH-WG] Benjamin Kaduk's No Objection on d… Brian Campbell