IETF Logo Mail Archive

[OAUTH-WG] Re: OAuth Client ID Metadata Document

David Waite <david@alkaline-solutions.com> Thu, 11 July 2024 19:36 UTC

Return-Path: <david@alkaline-solutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C66DCC169411 for <oauth@ietfa.amsl.com>; Thu, 11 Jul 2024 12:36:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Z9XQkVJmBv8 for <oauth@ietfa.amsl.com>; Thu, 11 Jul 2024 12:36:45 -0700 (PDT)
Received: from caesium6.alkaline.solutions (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4816C15199A for <oauth@ietf.org>; Thu, 11 Jul 2024 12:36:14 -0700 (PDT)
From: David Waite <david@alkaline-solutions.com>
Authentication-Results: caesium6.alkaline.solutions; auth=pass smtp.mailfrom=david@alkaline-solutions.com
Message-Id: <5E96F0B7-C808-43EB-9D06-DF81F602760A@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B5D1C42F-C75D-4815-9E60-F3EDEDEC8F5E"
Mime-Version: 1.0
Date: Thu, 11 Jul 2024 13:36:01 -0600
In-Reply-To: <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com>
To: Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>
References: <CAD9ie-uNbO-fJA9XObCQm5+HWiLVxbKVPbL77fVfDSOHqOJfCQ@mail.gmail.com> <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com>
X-Spamd-Bar: -
Message-ID-Hash: 6ESNIO537PYAKARVSZJF6WXGTWZX7PJ7
X-Message-ID-Hash: 6ESNIO537PYAKARVSZJF6WXGTWZX7PJ7
X-MailFrom: david@alkaline-solutions.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Dick.Hardt@gmail.com, emelia@brandedcode.com, oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: OAuth Client ID Metadata Document
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Yfm_aDGOaOLfuIyJ4L_jFf1LCoo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>


> On Jul 8, 2024, at 10:06 AM, Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org> wrote:
> 
> Thanks Dick, I hadn't gotten to post this to the list yet, but thanks for kicking off the discussion!
> 
> FYI there are already a few live implementations of this, and some additional in-progress implementations. There is also some overlap between this and an application of FedCM, which is where some of the initial implementation work has begun. I'll share more details on this and the FedCM work at IETF 120.
> 
> > 1. If an AS supports both registered, and unregistered clients, is there any guidance or requirements on differentiating between them such as NOT issuing other identifiers that start with 'https"? 
> 
> This is probably a good call-out. I am unsure about how many AS's would actually support both types of clients in practice though.

There are multiple resolution methods; consider locally administered metadata, dynamic client registration, this, and OpenID federation to be four such examples. OpenID4VP has several additional examples.

One wants to make sure that the four cannot conflict, such as someone overriding Client ID metadata via OpenID Federation metadata, or attempting to override statically configured metadata via any dynamic mechanism. In OpenID4VP, this is done by adding an additional  client_id_scheme - the client is then known by the pair of scheme and identifier, and two identifiers with the same scheme are considered unrelated.  Solves the issue of how to distinguish several different dynamic schemes with possibly expensive resolution processes.

> > 2. From a security perspective, I worry about the redirect URIs being any arbitrary URL -- perhaps that they need to start with the client_id? Is localhost supported as a redirect URI.
> 
> There will likely be some special handling for localhost client IDs and redirect URIs, particularly for development clients. There is some discussion about this happening on GitHub here: https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/issues/12 
> 
> For the non-development use cases, I think we should further discuss whether the limitation of the redirect URI starting with the client ID is helpful or not. Another set of use cases is native apps using custom URI schemes or even app-claimed HTTPS URLs which might have some more edge cases to consider.

Would this be any different from considerations around using OAuth DCR?

All the metadata is self-asserted - you have to assume that from the standpoint of phishing user access, every value is potentially malicious. You do not want to display the given client name, or given logo, or have links to the TOS or other content which may link to the legitimate party to provide an air of legitimacy..

<snip>

-DW

v2.34.0 | Report a Bug | By Email | System Status