Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Brian Campbell <> Fri, 14 May 2021 22:35 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 557BA3A428C for <>; Fri, 14 May 2021 15:35:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.087
X-Spam-Status: No, score=-2.087 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pYZNEZoDMDiz for <>; Fri, 14 May 2021 15:35:34 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 012AE3A4289 for <>; Fri, 14 May 2021 15:35:33 -0700 (PDT)
Received: by with SMTP id m11so514568lfg.3 for <>; Fri, 14 May 2021 15:35:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=0aMSnQGmFzDeldFasfgneUaHRnd9OQbbBRZfMCkNmmw=; b=K3GYazVlMYiToqE53BXqmjQ40EMdtK5TE2YxI9SUrf/YAllwvK6UPfBiVEgq/e1bHI rALMEA4a4mzZRF6uS/iFoqlQBmYvgKl/Tvrlr7RvYvpNVIExZwHTi7jCmkEvDZ3O6JkZ RsLcxrG5tQciFjNnEbtWnKKNS/DFkZcMfAcbcMt5+ghqh49BCSDTgWGDGJgTOImmoLv2 vKlmVGJke8Ht3/AtMfiCsjHzstzf4wZCkXErpgaXsox2X7eLTD1Cgp2BU5gEnIrheFbk jt4JHAcfCk4eGhrJx9PGZbBkoypOiZH49DvzsCVAqvXICMsXPWxUKxXdka+CmHLPxDQt EHlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=0aMSnQGmFzDeldFasfgneUaHRnd9OQbbBRZfMCkNmmw=; b=fhhC9gmrEInZnMYXXbBQ/VUc97Nv+1wJ2SEaoxyJbWBUt1OAeOAURFq4WM5mnn7ZW9 JM9sm9UPeA6GFrVXsT8zK6RpZaJj3HSSsZZkHlx+C3SDfLbxoyeOSoy8DddeaqPOJ+4F RigIORPVlkSn0t6IdJyhVLbmthKp66BgBmQv13KIE7yyJZ6C02+pCSPhs5O9hRkHERAC 1QXmImXSybURegSib03dJfE6hFFfZMlq1s4VIcJ4x+PsKR58PmAbmyekFvQIV+B7Faqx b0+vEDoFQX3E3YHpdHxLtA/+Ov+nJswdVmLVXVRM5UrDDL/6LS0kJKPp1uqxX44VDbFN obXA==
X-Gm-Message-State: AOAM532ZB/M4SWzqZtezghYxxr4gKObdDqI6e6h0ttElKZQoE42vSlf/ ZCQETn9MCq2WUYRNSMtgUzmRc7KZfuveSND9SaMS6ugskv+DpaxeItmUMGnQcox+okIPi6UuS+S Ag91rduMq5wP1VQ==
X-Google-Smtp-Source: ABdhPJxom8aRxiwnmo0Ojcljpbo+EnfYNPD8wY9Jd9nw9Fjm2PvIP6WzXnAn2+xr4BTanHU5zmDb4Kuiiw5Z9aw4nVk=
X-Received: by 2002:a05:6512:3387:: with SMTP id h7mr25894169lfg.77.1621031726963; Fri, 14 May 2021 15:35:26 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Fri, 14 May 2021 16:35:00 -0600
Message-ID: <>
To: Rifaat Shekh-Yusef <>
Cc: Karsten Meyer zu Selhausen <>, oauth <>
Content-Type: multipart/alternative; boundary="000000000000417bb405c251dc6e"
Archived-At: <>
Subject: Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 May 2021 22:35:41 -0000

Overall it looks pretty good to me.
One little nit is that I don't love this text from the end of sec 2.4 that
talks about JARM:

'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)"
[JARM] forbids the use of additional parameters in the authorization
response. Therefore, the iss parameter MUST NOT be used when JARM is used.
However, JARM responses contain an iss claim that provides the same
protection if it is validated as described in Section 2.4.'

JARM doesn't exactly forbid additional parameters but rather just wraps up
all the authorization response parameters as claims in a JWT which is
itself sent as a single form/query/fragment parameter. So really the iss
authorization response parameter of this draft is still sent as a claim of
the JARM JWT. It just happens to be the same as the iss claim value that
JARM is already including.

On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef <>

> All,
> We have not seen any comments on this document.
> Can you please review the document and provide feedback, or indicate that
> you have reviewed the document and have no concerns.
> Regards,
>  Rifaat & Hannes
> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <
>> wrote:
>> Hi all,
>> the latest version of the security BCP references
>> draft-ietf-oauth-iss-auth-resp-00 as a countermeasures to mix-up attacks.
>> There have not been any concerns with the first WG draft version so far:
>> I would like to ask the WG if there are any comments on or concerns with
>> the current draft version.
>> Otherwise I hope we can move forward with the next steps and hopefully
>> finish the draft before/with the security BCP.
>> Best regards,
>> Karsten
>> --
>> Karsten Meyer zu Selhausen
>> Senior IT Security Consultant
>> Phone:	+49 (0)234 / 54456499
>> Web: | IT Security Consulting, Penetration Testing, Security Training
>> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of mix-up attacks? Learn how to protect your client in our latest blog post on single sign-on:
>> Hackmanit GmbH
>> Universitätsstraße 60 (Exzenterhaus)
>> 44789 Bochum
>> Registergericht: Amtsgericht Bochum, HRB 14896
>> Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>> _______________________________________________
>> OAuth mailing list
> _______________________________________________
> OAuth mailing list

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._