Re: [OAUTH-WG] explicit/implicit signaling to reveal TB ID
Justin Richer <jricher@mit.edu> Sat, 01 October 2016 11:44 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C17912B1C7; Sat, 1 Oct 2016 04:44:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.516
X-Spam-Level:
X-Spam-Status: No, score=-6.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wX0GlKiEH1VN; Sat, 1 Oct 2016 04:44:23 -0700 (PDT)
Received: from dmz-mailsec-scanner-4.mit.edu (dmz-mailsec-scanner-4.mit.edu [18.9.25.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0255612B0C1; Sat, 1 Oct 2016 04:44:22 -0700 (PDT)
X-AuditID: 1209190f-6e7ff70000004040-12-57efa194bfbe
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id E9.7C.16448.491AFE75; Sat, 1 Oct 2016 07:44:21 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u91BiJR0016885; Sat, 1 Oct 2016 07:44:20 -0400
Received: from [192.168.128.57] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u91BiIKf016833 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 1 Oct 2016 07:44:19 -0400
To: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>, IETF Tokbind WG <unbearable@ietf.org>
References: <CA+k3eCRqKNk2hex1xRR3oR-nZSb1uvGi7Uj2g13f1W6FcqLsow@mail.gmail.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <07fa6f54-1ea3-7877-b624-981e5cdc754b@mit.edu>
Date: Sat, 01 Oct 2016 07:44:16 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CA+k3eCRqKNk2hex1xRR3oR-nZSb1uvGi7Uj2g13f1W6FcqLsow@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------98687EFF35F97A20E6C72B2F"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupgleLIzCtJLcpLzFFi42IRYrdT15268H24we5buhar/99ktDj59hWb xbnHC5kcmD2WLPnJ5HH36EWWAKYoLpuU1JzMstQifbsEroxNZ26zFVxzrVjy/xxzA+NPwy5G Dg4JAROJjV0OXYxcHEICbUwSb6c8YoFwNjBKdBx5xgTh3GKSWNQ+lbWLkZNDWMBZ4tXXt+wg tohAuUTHlS8sIJOEBAIkVm7iAAmzCahKTF/TwgRi8wpYSezv7wCzWQRUJN6uOMgCYosKxEjs nzWTGaJGUOLkzCdgcU6BQIk3fy+A2cwCYRKNN9oYJzDyzUJSNgtJCsK2lbgzdzczhC0vsf3t HChbV2LRthXsMPHmrbOZFzCyrWKUTcmt0s1NzMwpTk3WLU5OzMtLLdI10cvNLNFLTSndxAgK ZE5J/h2Mcxq8DzEKcDAq8fCeiHoXLsSaWFZcmXuIUZKDSUmU16jofbgQX1J+SmVGYnFGfFFp TmrxIUYJDmYlEV73BUA53pTEyqrUonyYlDQHi5I4b9eMA+FCAumJJanZqakFqUUwWRkODiUJ 3kkgjYJFqempFWmZOSUIaSYOTpDhPEDDb4ANLy5IzC3OTIfIn2LU5Tg298ZaJiGWvPy8VClx 3kXzgYoEQIoySvPg5oASUMLbw6avGMWB3hLmNQOmIyEeYPKCm/QKaAkT0JL8o29AlpQkIqSk GhhnFH7Lu/jU6PEvU5MXix6YGjoHmU7aMmk5m8jr+bJdB6TtraIE+p2MOtUu+Ss3RP/OvBfw 3+7Lu80L7i58pDFnaeL1Fa5ntpyZ18HP8Sv89Cum0qQ2qedv1zku3h0Q19d6g0spa/th943h asfLhMvNDK4tNLxXvtkoK2nO633KDwV/zPebrhmkxFKckWioxVxUnAgA1+fqrRsDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Yv_eEgf7dyvG8cY8mPv7AhuKqhg>
Subject: Re: [OAUTH-WG] explicit/implicit signaling to reveal TB ID
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Oct 2016 11:44:25 -0000
+1 to this. I think we also need to keep in mind that it's incredibly common for an OAuth client to talk to multiple resource servers with a single token from a single authorization server that's been configured (and agreed upon, out of band) to protect those resource servers. The client doesn't know or care about the details of the deployment, it just knows that it can get a token to work across various parts of the API. -- Justin On 9/30/2016 4:03 PM, Brian Campbell wrote: > Sending this to both the Tokbind and OAuth lists. > > There is text now in HTTPSTB that says that a TB ID must only be > conveyed to a different server, if the associated server explicitly > singles to do so. Specifically these two snippets, > > https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-5 > <https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-5> has > > However, such applications MUST only convey Token Binding IDs to > other servers if the server associated with a Token Binding ID > explicitly signals to do so, e.g., by returning an Include-Referred- > Token-Binding-ID HTTP response header field. > > > and > https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-7.3 > <https://tools.ietf.org/html/draft-ietf-tokbind-https-06#section-7.3> has > > Also, applications must take care to only reveal Token Binding IDs to > other endpoints if the server associated with a Token Binding ID > explicitly signals to do so, see Section 5 > "Implementation Considerations". > > > This seems like it might be problematic for token binding of OAuth > access tokens. Many/most OAuth flows don't begin at the resource sever > (token consumer) but at the authorization server (token provider) so > there's not an opportunity for such an explicit signal. And even when > a request is made to the resource sever (token consumer) without a > token or with a bad token, there isn't a redirect but rather a 40x is > returned (see https://tools.ietf.org/html/rfc6750#section-3 > <https://tools.ietf.org/html/rfc6750#section-3>). > > The relationship between OAuth servers is much more of an implicit > thing in how the OAuth client application (different than a browser > client) interacts with those severs. And there's correlatable info > already flowing between the two so revealing a referred TB doesn't > make the privacy situation any different. But it can greatly improve > the security of the access tokens. > > Can the text in HTTPSTB be reworked slightly to allow for an implicit > okay or a prearrangement to reveal referred Token Binding IDs for > applications which are not web browsers? Otherwise OAuth clients will > have to ignore that MUST or a token (pun intended) but really > meaningless signal will have to be invented for OAuth (like maybe a > new auth-param with the WWW-Authenticate Response Header Field from > RFC 6750. > > > > > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] explicit/implicit signaling to reveal … Brian Campbell
- Re: [OAUTH-WG] explicit/implicit signaling to rev… Justin Richer