IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metadata

Filip Skokan <panva.ip@gmail.com> Mon, 06 January 2020 22:22 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB530120018 for <oauth@ietfa.amsl.com>; Mon, 6 Jan 2020 14:22:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lr6BW6kO1biP for <oauth@ietfa.amsl.com>; Mon, 6 Jan 2020 14:22:21 -0800 (PST)
Received: from mail-yw1-xc33.google.com (mail-yw1-xc33.google.com [IPv6:2607:f8b0:4864:20::c33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45EF612084C for <oauth@ietf.org>; Mon, 6 Jan 2020 14:22:21 -0800 (PST)
Received: by mail-yw1-xc33.google.com with SMTP id i190so22569247ywc.2 for <oauth@ietf.org>; Mon, 06 Jan 2020 14:22:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ISmWmBnjnP3e60Q32jKYiqCMch99wZnFXzu1TgkJ6mo=; b=m03yS4GnOmOtuzbpbIVcYksZSDULpL1TVeXyh+K8aeDH4h7coY95oD+YZhLldCqmaZ SzALz6VPLx1NjkBxUaginRMce+kPR4SaWe5r9TMyiT5WFVYriqO/QvHJALcAqsNNDSjo FE8L5lA/SFjeDj5krd2DLWwZHVCeS8yUEUO2x6/5C/cGjvWGXWA+1ELTMVeYUFI6yDnu kE1/VKTegY9jbSUWFk1wvJyicSx2oxhPVQQcrozXYgVUJ/PPr/4lTkQvcrc4oTuvBKX8 nJoU40IHjvlfR3MPSsvZHBFI114rJgns1bIuUXysggwuJXqgEQY0DP7B3IOuwzbC/LEj j2mQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ISmWmBnjnP3e60Q32jKYiqCMch99wZnFXzu1TgkJ6mo=; b=qOjA3V2p4FhV2gtK5T9VDZL7E49BbhutxsiCHvh/ReGsuLg5ezeetcS5qoVCmBid32 jCzMx0k6UjTlDyu6EtEyKRi20fhmgLHC/abEzFet9UhfXYUPUau3nc6WuVWi/H2mxr8/ q8w4TrbQFS2TkveLfzAnr0MWsD2UunuL/dnMTU6+f/Hw30VRo2iaGPQwxnd6rotsnrkD ZcgrLk1HjKzX3FBYIl9bWhGa1GMUBQmH+TZZARQXtbxjYIhVUhVA6N2sQl2lIwXhElN9 /WBIEycsmB8qlyMzpW9wWKU9Xm44KqrIKhhi0WcWJuZ3f/CR0CHtW8jj1/qJLne/pXEv rymg==
X-Gm-Message-State: APjAAAXgo6lqtLMfIgvSHPgny0hPxfIuqWKeBi6N+/7vwaCw4z0zwWW8 /tZKLBGwr6BwJ2vkbNG7r+EB2bNgke9AM+dakA==
X-Google-Smtp-Source: APXvYqzDwzPgc2TAADv4W+8d9Dm8T/1bYbWHGFBVNzBCYje99K2jRZldGQDQNMjG6aD2FQYh8eGbOQcbTkYE9b0+YEE=
X-Received: by 2002:a81:b604:: with SMTP id u4mr80402087ywh.301.1578349340297; Mon, 06 Jan 2020 14:22:20 -0800 (PST)
MIME-Version: 1.0
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net> <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com> <50191CC6-0A19-42B4-87C2-880F53FD3C4F@lodderstedt.net> <05AB19DB-FCD2-4FAA-A470-0978E7B65354@amazon.com> <CA+k3eCS6SdAKjOp67o_zUytnNGnpM4p5UO68CvZeEXg11PWrtg@mail.gmail.com> <801AFC59-B94A-4C9E-A44D-60F4EF6F4EC2@forgerock.com> <38C69B8C-905F-46F1-88BB-016CF7DE2952@amazon.com>
In-Reply-To: <38C69B8C-905F-46F1-88BB-016CF7DE2952@amazon.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Mon, 06 Jan 2020 23:22:09 +0100
Message-ID: <CALAqi_8tM4E0UgOt0Bq-DTx0d-putVWv-grt6=jXVES5GHfMZw@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Cc: Neil Madden <neil.madden@forgerock.com>, Brian Campbell <bcampbell@pingidentity.com>, Dave Tonge <dave.tonge@moneyhub.com>, oauth <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
Content-Type: multipart/alternative; boundary="000000000000c29085059b801774"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YakVVlnjDCP7mPtxhQrG_sAu7x8>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2020 22:22:24 -0000

We've been discussing making the following change to the language

The AS SHOULD validate the request in the same way as at the authorization
> endpoint. The AS MUST ensure that all parameters to the authorization
> request are still valid at the time when the request URI is used.
>

This would allow the PAR endpoint to simply stash the encrypted request
object instead of decrypting and validating it. All within the bounds of
"SHOULD - We’d like you to do this, but we can’t always require it". This
supports "light weight PAR" implementation rather than introducing the
unnecessary complexity in the form of a second JWKS.

Best,
*Filip*


On Mon, 6 Jan 2020 at 23:00, Richard Backman, Annabelle <richanna=
40amazon.com@dmarc.ietf.org> wrote:

> The issue isn’t that the PAR endpoint needs access to one specific request
> object decryption key that could reasonably be shared across AS endpoints,
> but that it actually needs access to the private keys for all encryption
> public keys in the JWK set pointed to by the AS’s jwks_uri metadata
> property. Since there is no way to designate one particular key as the one
> to use for encrypting request objects, clients may reasonably use any
> encryption public key in the JWK set to encrypt a request object. As one
> example of how this could expose sensitive data to the PAR endpoint, if the
> PAR endpoint has all the decryption keys for the keys in the AS’s JWK set,
> it would be able to decrypt ID Tokens sent in id_token_hint request
> parameters. As more and more use cases develop for encrypting blobs for the
> AS, this issue will only get worse.
>
>
>
> The PAR endpoint can’t simply stash the encrypted request object, as it is
> required to verify the request, according to §2.1:
>
>
>
> The AS MUST process the request as follows:
>
>
>
> ...
>
>
>
> 3.  The AS MUST validate the request in the same way as at the
>
>           authorization endpoint. ...
>
>
>
> This language needs to be more flexible, IMHO, to allow for lightweight
> PAR endpoints that may not have the information or authority needed to
> perform all the validation that happens at the authorization endpoint. I
> need to think about this more before I can say if it would adequately
> address my concerns, but it’d be a good start and makes sense in its own
> right.
>
>
>
> I think it’s pretty risky for us to base decision on an assumption that no
> one is going to need or want to encrypt pushed request objects,
> particularly when they’re JWTs, and JWTs have well established support for
> encryption, and encrypted JWTs are supported by pass-by-value in OIDC and
> draft-ietf-oauth-jwsreq. But if you insist, here are a few examples for why
> someone might want to do this:
>
>    1. The request object is passed by reference, and accessible on the
>    public Internet.
>    2. The request object contains sensitive transaction-related data in
>    RAR parameters that the client’s authN/authZ stack doesn’t need to have
>    access to.
>    3. The AS requires request object encryption to minimize exposure to
>    the hosted PAR endpoint service it uses.
>    4. #2, but the threat vector is gaps in end-to-end TLS.
>    5. Any of the above, but the concern is message integrity, and the AS
>    requires requested objects to be encrypted for confidentiality and
>    integrity protection and does not support signed request objects.
>
>
>
> –
>
> Annabelle Richard Backman
>
> AWS Identity
>
>
>
>
>
> *From: *Neil Madden <neil.madden@forgerock.com>
> *Date: *Monday, January 6, 2020 at 6:29 AM
> *To: *Brian Campbell <bcampbell@pingidentity.com>
> *Cc: *"Richard Backman, Annabelle" <richanna@amazon.com>, Nat Sakimura <
> nat@sakimura.org>, Dave Tonge <dave.tonge@moneyhub.com>, Torsten
> Lodderstedt <torsten@lodderstedt.net>, oauth <oauth@ietf.org>
> *Subject: *[UNVERIFIED SENDER] Re: [OAUTH-WG] PAR metadata
>
>
>
> Agreed.
>
>
>
> In addition, I'm not sure why the PAR endpoint would need access to the
> decryption keys at all. If you're using encrypted request objects then the
> PAR endpoint receives an encrypted JWT and then later makes the same (still
> encrypted) JWT available to the authorization endpoint. If the PAR endpoint
> is doing any kind of decryption or validation on behalf of the
> authorization endpoint then they are clearly not in separate trust
> boundaries.
>
>
>
> -- Neil
>
>
>
>
>
> On 6 Jan 2020, at 13:57, Brian Campbell <
> bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
>
>
> I really struggle to see the assumption that an entity be able to use the
> same key to decrypt the same type of message ultimately intended for the
> same purpose as an artificial limit. The same general assumption
> underlies everything else in OAuth/OIDC (Vladimir's post points to some but
> not all examples of such). There's no reason for PAR to make a one-off
> exception. And should there be some deployment specific reason that truly
> requires that kind of isolation, there are certainly implementation options
> that aren't compatibility-breaking. And having said all that, I'm honestly
> a little surprised anyone is thinking much about encrypted request objects
> with PAR as, at least with my limited imagination, there's not really a
> need for it.
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> On Fri, Jan 3, 2020 at 2:43 PM Richard Backman, Annabelle <richanna=
> 40amazon.com@dmarc.ietf.org> wrote:
>
> PAR introduces an added wrinkle for encrypted request objects: the PAR
> endpoint and authorization endpoint may not have access to the same
> cryptographic keys, even though they're both part of the "authorization
> server." Since they're different endpoints with different roles, it's
> reasonable to put them in separate trust boundaries. There is no way to
> support this isolation with just a single "jwks_uri" metadata property.
>
> The two options that I see are:
>
> 1. Define a new par_jwks_uri metadata property.
> 2. Explicitly state that this separation is not supported.
>
> I strongly perfer #1 as it has a very minor impact on deployments that
> don't care (i.e., they just set par_jwks_uri and jwks_uri to the same
> value) and failing to support this trust boundary creates an artificial
> limit on implementation architecture and could lead to
> compatibility-breaking workarounds.
>
> –
> Annabelle Richard Backman
> AWS Identity
>
>
> On 12/31/19, 8:07 AM, "OAuth on behalf of Torsten Lodderstedt" <
> oauth-bounces@ietf.org on behalf of torsten=
> 40lodderstedt.net@dmarc.ietf.org> wrote:
>
>     Hi Filip,
>
>     > On 31. Dec 2019, at 16:22, Filip Skokan <panva.ip@gmail.com> wrote:
>     >
>     > I don't think we need a *_auth_method_* metadata for every endpoint
> the client calls directly, none of the new specs defined these (e.g. device
> authorization endpoint or CIBA), meaning they also didn't follow the scheme
> from RFC 8414 where introspection and revocation got its own metadata. In
> most cases the unfortunately named `token_endpoint_auth_method` and its
> related metadata is what's used by clients for all direct calls anyway.
>     >
>     > The same principle could be applied to signing (and encryption)
> algorithms as well.
>     >
>     > This I do not follow, auth methods and their signing is dealt with
> by using `token_endpoint_auth_methods_supported` and
> `token_endpoint_auth_signing_alg_values_supported` - there's no encryption
> for the `_jwt` client auth methods.
>     > Unless it was meant to address the Request Object signing and
> encryption metadata, which is defined and IANA registered by OIDC. PAR only
> references JAR section 6.1 and 6.2 for decryption/signature validation and
> these do not mention the metadata (e.g. request_object_signing_alg) anymore
> since draft 07.
>
>     Dammed! You are so right. Sorry, I got confused somehow.
>
>     >
>     > PS: I also found this comment related to the same question about
> auth metadata but for CIBA.
>
>     Thanks for sharing.
>
>     >
>     > Best,
>     > Filip
>
>     thanks,
>     Torsten.
>
>     >
>     >
>     > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
>     > Hi all,
>     >
>     > Ronald just sent me an email asking whether we will define metadata
> for
>     >
>     > pushed_authorization_endpoint_auth_methods_supported and
>     > pushed_authorization_endpoint_auth_signing_alg_values_supported.
>     >
>     > The draft right now utilises the existing token endpoint
> authentication methods so there is basically no need to define another
> parameter. The same principle could be applied to signing (and encryption)
> algorithms as well.
>     >
>     > What’s your opinion?
>     >
>     > best regards,
>     > Torsten.
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email