Re: [OAUTH-WG] Client assertions to endpoints other than the token endpoint
Brian Campbell <bcampbell@pingidentity.com> Fri, 31 May 2019 19:55 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD5F61200EA for <oauth@ietfa.amsl.com>; Fri, 31 May 2019 12:55:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1OxxNg9Sw-QD for <oauth@ietfa.amsl.com>; Fri, 31 May 2019 12:55:02 -0700 (PDT)
Received: from mail-it1-x132.google.com (mail-it1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB45B120046 for <oauth@ietf.org>; Fri, 31 May 2019 12:55:01 -0700 (PDT)
Received: by mail-it1-x132.google.com with SMTP id m3so17797225itl.1 for <oauth@ietf.org>; Fri, 31 May 2019 12:55:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=SYHp3cwEq7WW/fCnUs2EYObcfwIVostidszosbavUks=; b=UlQAsnWirHHXIioEXJ/msBRCzED/rh09ii/ZknnjLuIj6xJSnwv5tIDV7GQkdpezG/ oYS+AbK7m1Xv9ImfJT1cA+z8ZFOUQdJqkKIM+HceKb1W5PzBfpzfFJF1siDBvZS0bfLl lftWu0eY3rmZSe9eZVeag+XcVMch/JB/fE/GI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=SYHp3cwEq7WW/fCnUs2EYObcfwIVostidszosbavUks=; b=rVO2HT5O4e9KMVA6cz4+LEbrL2uEu3+N1SnO2DhSHKr1eRbhwbF866j2g1/WHf8ueS +Iaik90XcYT+eGVexz77xHXh6FIVwBzGUfz2CqVnDzCpAvM4SxgAEE8nfyra1F0o75/f Dmrpvuv8H44TMVuyloGoEmVgWxTmwHR15dDN65W5OeG/mF1hDIEpMT2PEtsWM2aaxTBP yJ9mGZrWFedzabVwJY6W7WoXTLHkJ+jxGy5s5sSzuKNM3lGtDEu2uCYkQIoIw1MbQbmK R9Xfiv283ruQpbhvjYuzZSIOmRooTr78ROd2VJxf+Da39OUEaFJANzEXl1Lnsa8oX4Oq nu9A==
X-Gm-Message-State: APjAAAWShNewik6z574Fj2GgTpUFcXxhdFJ26F/XIxauN/iYcXj1Tf4g Ro0DtYKEtHgvdIrsTR9/Oc7QIguI2J3BUdCo9q7HuujIme9RYTw/JRNdld3R/KpDi2rJTNREq1S JbVVWCP+20HeAEQ==
X-Google-Smtp-Source: APXvYqzSdsLFLflKFA1wDbs1WmtjyqytHybuQ+DHx4qjH8hxKtu1voXSq4DvpLJHQZJZBWhVON/bXeYMw4eYkjCmJW0=
X-Received: by 2002:a24:378b:: with SMTP id r133mr7980427itr.154.1559332501068; Fri, 31 May 2019 12:55:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAP-T6TRfq1Bo5L3MoNKKTLQ+M9aTSb-z0-j=y0GaXabEW+s6Lg@mail.gmail.com> <fdc06fa2-19ee-0cd6-9968-c7ece4aa5c30@aol.com>
In-Reply-To: <fdc06fa2-19ee-0cd6-9968-c7ece4aa5c30@aol.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 31 May 2019 13:54:34 -0600
Message-ID: <CA+k3eCR3OkuB+ju1w3vVphXtDsAQnEpK6DW5hrKTWbqsQ6eLtg@mail.gmail.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Cc: Dave Tonge <dave.tonge@momentumft.co.uk>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d043ab058a34630c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YSIGsyBjtvOkCHJkmvs_AHp9Y9U>
Subject: Re: [OAUTH-WG] Client assertions to endpoints other than the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2019 19:55:05 -0000
Yeah, the discussion was/is definitely about "other endpoints at the AS" like revocation, introspection, device authorization, etc. On Fri, May 31, 2019 at 12:47 PM George Fletcher <gffletch= 40aol.com@dmarc.ietf.org> wrote: > So if by "other endpoints" we mean "other endpoints at the AS" then I > think issuer makes a lot of sense and could be recommended value. > > However, if the client assertion is being sent to an endpoint not managed > by the AS, then it should use a value that identifies that "audience". In > this case, something more akin to the "resource identifier" of the endpoint > is probably best. Abeit, that is still a very fuzzy definition :) > > On 5/28/19 11:28 AM, Dave Tonge wrote: > > Dear OAuth WG > > We have an issue that we are discussing in the OIDF MODRNA work group > relating to the Client Initiated Back Authentication spec (which is an > OAuth 2 extension). As the issue affects the wider OAuth ecosystem we > wanted to post it here and gain feedback from the OAuth Working Group. > > Full details of the issue are here:?? > https://bitbucket.org/openid/mobile/issues/155/aud-to-use-in-client_assertion-passed-to??(including > a helpful context setting by Brian), but the summary is: > > *What audience value should a Client use when using a client assertion > (RFC7521) to authenticate at an endpoint other than the token endpoint?* > > The three options we have are: > 1.??the token endpoint (as RFC7521 says) > 2. the endpoint the assertion is being sent to (e.g. revocation, > backchannel) > 3. the issuer > > We are leaning towards requiring the Authorization Server to accept any of > the above values, but recommending that the Client use the issuer value. > > The reasons for this are: > 1. All of the above values are arguably valid, so in the interest of > interoperability the AS should accept them all. > 2. We see no clear security benefit to requiring the audience to be the > value of the endpoint the assertion is being sent to, and therefore think > that the issuer value is the one we should recommend that clients use.?? > > We would be grateful for your feedback on this issue and believe it would > be in the best interest of the ecosystem for there to be a consistent > approach to this across OAuth 2 extensions and profiles. > > Thanks > > Dave Tonge > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Client assertions to endpoints other t… Dave Tonge
- Re: [OAUTH-WG] Client assertions to endpoints oth… George Fletcher
- Re: [OAUTH-WG] Client assertions to endpoints oth… Brian Campbell