Re: [OAUTH-WG] MTLS token endoint & discovery
George Fletcher <gffletch@aol.com> Tue, 12 February 2019 21:00 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CD1A128B36 for <oauth@ietfa.amsl.com>; Tue, 12 Feb 2019 13:00:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TB6NrV5JOBCZ for <oauth@ietfa.amsl.com>; Tue, 12 Feb 2019 13:00:34 -0800 (PST)
Received: from sonic312-21.consmr.mail.bf2.yahoo.com (sonic312-21.consmr.mail.bf2.yahoo.com [74.6.128.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 126C2130E98 for <oauth@ietf.org>; Tue, 12 Feb 2019 13:00:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1550005232; bh=p5rIR4uXbagLUNWdKqa+l0GRuPXv7melVGwaEa7yrx0=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=jT0I2/h2BtTW9qopzEETbh0ZLg+f6/GrPIXhks3Q5ZqBih7ufQbTnLaHXDBl16ZIbHVDutL+dQGkDg+axKpPCg8QjoRr6fqBAG6TbblcQpZt5KZCsXD2k9caazMBNFs/F0pEuOfTvEP3v/+0CjYETOtvPouZ4v2CuMmyh7fhn286VbSkpUAluTd0CS1XePLx8nNWdcdwfWTtJSQmnTnx8vykg30ezJKXFYwIqVr5M/svFLw9Yr5VR4SOD5TFTTklly/YeYMDACEqk0z65c8MlyhaktiGCSoE/die9YenVjmebO1ruFSo1k9S8AHG8W77dSCSllLlYr68BZVwGP43Pw==
X-YMail-OSG: Mt6anpkVM1mSiSmENhaFi8KFRq27Gbf6H8bFv7rRNeZmyaOSTMz_VsggwPMgexj aX72.DFtfRayghnW.qsoWP7KLp2Ni2ePNI6OjB3lAKAw6G20bVLdW5HB8KRfQHOsSCgrlZO4_nOu .0YwG0hMzWBNqKAko1Jl0AHseWAOF0WWzyrVScBnX7w9wigXcchOrCO_33X.QF0E89XS4yT56N96 JrDxJOcvQ6bgwzDhcyd6Sw3MHR3UxWueSh.IdGJOaGXK8BMeKctHSCaOKEC94QN7VuE2fumjK9zW furxund4_OQA967A7ysxYr8TLFLCmn0RSnfT9tUNFvkiayJFnTn5UNvei1xNOidtPs4MgET31GBv C1vVSJK3V5vAB2EVQDd1Lh5nYbprAJWXTuTvik_BMAsdPCflKAzNMkQyqGsfZPJJYaXIVWcwNYi9 DgjY0oeKh1Q1Kn0rir9CRdf.h2kliEXi_mbY2QxvNlOh28DYSNTOHBerKj5fiMXj9G9ASDC4Q7R1 yAERVto1oQNP33ZRF.szGvpwa8y3lcpsePLmFVUdEuDz03DrQSVVuJHoz6WbDwOS3YE2tVQT7Atp 6ALyJHOXoo0xulIZeCuyg_Zg98gmPJZat9xB9TM8iitFOZ1ATX_8eU5T44yubxsCdQJsjCD09D.E scikx.dmvm9SoX5XuFcHXMg5IOhpCapfZ_Yp6DM5KVVfKrwpgcMMJt9FFFJdOtRLanBWsjpw18qO N1ZQ7V5THlRy2WEtg8lEN7ljhr67Ruy5qFNqwkLU7n7AflfCxr908K8Bd75ml2IOwmsi0U6xqq9y PluwGIln9GP9mNrz2p1q3hmxMxL9SVhkMPbejLS9kzvbmNqdoGBA8PmtJrE_bGGTv5erQJB4meJ. O4WhGlsdFjpA6t9S8May4SDjbqddIYlh41KQHOb6deS0wvei11ar1e34vbzt1VKdaLJEgm2Ojxza WXllGjlweLh9zu_Yy4LMD9RS6MWLp9Bz_VQAWGv30L8FcjiWpPM5HY29NHAeYBjuAPuKcBDhXqXc fTGha1ZPrG79e3yQOvm1Mx1.BwItZQSmg6Zodm5fMYfsz2mh4kcwEtS0GslEncFlc
Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.bf2.yahoo.com with HTTP; Tue, 12 Feb 2019 21:00:32 +0000
Received: from nat-wireless-users3.cfw-a-gci.net.dulles.office.oath (EHLO [172.130.136.180]) ([184.165.3.238]) by smtp408.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 370830ca2d5f2b5d09f90a0a9d7714ed; Tue, 12 Feb 2019 21:00:31 +0000 (UTC)
To: Justin Richer <jricher@mit.edu>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, Brian Campbell <bcampbell@pingidentity.com>, Dominick Baier <dbaier@leastprivilege.com>, oauth <oauth@ietf.org>
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <CC05C965-3308-4449-A1E2-EDA0119BE5D2@amazon.com> <CA+k3eCTXLJuQAjSgskfv95_cqnepmBDSzbidLSZsOS33SkLFEA@mail.gmail.com> <54A2B8BD-2794-45B6-969B-E6155A1B7EBE@amazon.com> <CA+k3eCRCxPnHNDpPugNaETqdogMun259Vzru4QPn0qBVuxckpA@mail.gmail.com> <CA+k3eCSYPR2TSFQc_Unbc-sexN8SFmp7PD4qjUFUo3Ju7hg7fQ@mail.gmail.com> <CA+k3eCT6s+zFsK0E1aXf3jMhJyPOQ=GpgnFYJNH7X13WuAR6qA@mail.gmail.com> <18CD2B6D-5FA9-45B1-9334-EB785F40A6A9@amazon.com> <CA+k3eCT+pF_aya_9OWB7e_XsSF1KdYz7ys+KjYX6QVEZi84n_Q@mail.gmail.com> <CAO7Ng+tR1OiwbSTokF8KNaP0KM7pyaLwTOUdor-dnGv4Rk4yng@mail.gmail.com> <CA+k3eCQK=+Bk9pUok7kPOs-DtGMgcgYOqsVQ=ejXQ6KEp7ZGpA@mail.gmail.com> <CAO7Ng+tGnf1fvWjsewexUidiJo06ZdQZbFthTrJZRqSYVB+t0g@mail.gmail.com> <CA+k3eCQy7G9AVMAsKUwGdVUGtGDNdV1A39571jNXoctPE+fEHA@mail.gmail.com> <DDDC7C84-60FF-43CD-BC1F-E13CD6937655@amazon.com> <46105936-5ab5-af0f-764e-c9a1a2b6a66f@aol.com> <542035A2-06B8-43E5-94FD-06FD398E7B60@mit.edu>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <3b1eaea7-59e8-88f9-dad9-43fac049e9b5@aol.com>
Date: Tue, 12 Feb 2019 16:00:30 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <542035A2-06B8-43E5-94FD-06FD398E7B60@mit.edu>
Content-Type: multipart/alternative; boundary="------------50D23FAB62D4DEFAE19F0960"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZBeWiQ2GHBdT-AxVWqVw8OBzom0>
Subject: Re: [OAUTH-WG] MTLS token endoint & discovery
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Feb 2019 21:00:42 -0000
Unfortunately, even the concept of "signed_metadata" in RFC 8414 isn't very specific and allows for arbitrary claims to be signed forcing a client to merge values giving the signed claims precedence in the merged output (if the client supports signed_metadata). I agree with your concerns about arbitrarily specifying some endpoints as MTLS only and others as not. It just seems cleaner to say "this is the metadata for the AS with MTLS required" and "this is the metadata for the AS without MTLS required". The mixing seems like its almost assured to be implemented incorrectly. Thanks, George On 2/12/19 3:36 PM, Justin Richer wrote: > The problem with this idea is that there’s not a single canonical > place for OAuth2 stuff under .well-known, according to the discovery > document. OIDC has one, UMA2 has one, and I’m sure there are other > flavors as well. It would not make sense for there to be a new one > just for MTLS-enabling all of these OAuth-powered protocols. > > — Justin > >> On Feb 12, 2019, at 3:27 PM, George Fletcher >> <gffletch=40aol.com@dmarc.ietf.org >> <mailto:gffletch=40aol.com@dmarc.ietf.org>> wrote: >> >> I prefer this approach to an embedded JSON object. Possibly even just >> making the MTLS version its own directly referencable config under >> .well-known. >> >> Thanks, >> George >> >> On 2/12/19 2:47 PM, Richard Backman, Annabelle wrote: >>> I’m not opposed to introducing a metadata change, if the scenario is >>> relevant and other approaches can’t adequately address it – and I’ll >>> readily grant that we probably don’t want to depend on consistency >>> of browser behavior at the intersection of client certificates and >>> Access-Control-Allow-Credentials. But care needs to be taken in >>> designing that metadata to avoid violating or otherwise negatively >>> impacting usage of RFC8414. >>> Along those lines, instead of adding an “mtls_endpoints” metadata >>> parameter, we could add an “mtls_alternate_metadata” parameter whose >>> value is the URL of an alternate metadata document intended for >>> clients using mTLS. An mTLS-optional AS could have two different >>> metadata documents for mTLS and non-mTLS clients, reducing the >>> mTLS-optional scenario to the mTLS-only scenario. This sidesteps the >>> challenges of aligning the “either/or” semantics of mTLS-optional >>> with some of the rigid parameter definitions in RFC8414 (see: >>> token_endpoint, token_endpoint_auth_methods_supported). >>> -- >>> Annabelle Richard Backman >>> AWS Identity >>> *From:*OAuth<oauth-bounces@ietf.org>on behalf of Brian >>> Campbell<bcampbell=40pingidentity.com@dmarc.ietf.org> >>> *Date:*Tuesday, February 12, 2019 at 10:58 AM >>> *To:*Dominick Baier<dbaier@leastprivilege.com> >>> *Cc:*oauth<oauth@ietf.org> >>> *Subject:*Re: [OAUTH-WG] MTLS token endoint & discovery >>> Thanks for the input, Dominick. >>> I'd said previously that I was having trouble adequately gauging >>> whether or not there's sufficient consensus to go ahead with the >>> update. I was even thinking of asking the chairs about a consensus >>> call during the office hours meeting yesterday. But it got canceled. >>> And looking again back over the discussion, I don't believe a >>> consensus call is necessary. There's been a lot of general >>> discussion over the last several weeks during which several folks >>> have stated support for the proposal while there's been only one >>> voice of direct dissent. That seems like rough enough consensus and, >>> as such, I plan to make the change in the next revision of the >>> document (which should be done soon). Chairs, please let me know, if >>> you believe the situation warrants a different course of action. >>> On Mon, Feb 11, 2019 at 11:01 PM Dominick Baier >>> <dbaier@leastprivilege.com <mailto:dbaier@leastprivilege.com>> wrote: >>> >>> IMHO that’s a reasonable and pragmatic option. >>> Thanks >>> ——— >>> Dominick >>> >>> On 11. February 2019 at 13:26:37, Brian Campbell >>> (bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>) >>> wrote: >>> >>> It's been pointed out that the potential issue is not >>> isolated to the just token endpoint but that revocation, >>> introspection, etc. could be impacted as well. So, at this >>> point, the proposal on the table is to add a new optional AS >>> metadata parameter named 'mtls_endpoints' that's value we be >>> a JSON object which itself contains endpoints that, when >>> present, a client doing MTLS would use rather than the >>> regular endpoints. A straw-man example might look like this >>> >>> { >>> "issuer":"https://server.example.com >>> <https://server.example.com/>", >>> "authorization_endpoint":"https://server.example.com/authz", >>> "token_endpoint":"https://server.example.com/token", >>> "token_endpoint_auth_methods_supported":[ >>> "client_secret_basic","tls_client_auth", "none"], >>> "userinfo_endpoint":"https://server.example.com/userinfo", >>> "revocation_endpoint":"https://server.example.com/revo", >>> "jwks_uri":"https://server.example.com/jwks.json", >>> *"mtls_endpoints":{ >>> "token_endpoint":"https://mtls.example.com/token", >>> "userinfo_endpoint":"https://mtls.example.com/userinfo", >>> "revocation_endpoint":"https://mtls.example.com/revo >>> <https://mtls..example.com/revo>" >>> }* >>> } >>> >>> A client doing MTLS would look for and give precedence to an >>> endpoint under "mtls_endpoints" while falling back to use >>> the normal endpoint from the top level of metadata when/if >>> its not in "mtls_endpoints". >>> >>> The idea being that "regular" clients (those not doing MTLS) >>> will use the regular endpoints. And only the host/port of >>> the endpoints listed in mtls_endpoints will be set up to >>> request TLS client certificates during handshake. Thus any >>> potential impact of the CertificateRequest message being >>> sent in the TLS handshake can be avoided for all the other >>> regular clients that are not going to do MTLS - including >>> and most importantly in-browser javascript clients where >>> there can be less than desirable UI presented to the end-user. >>> I'm struggling, however, to adequately gauge whether or not >>> there's sufficient consensus to go ahead with the update. >>> There's been some support for it voiced. As well as talk of >>> other approaches that could be alternatives or additional >>> measures. And also some vocal opposition to it. >>> On Sat, Feb 9, 2019 at 3:09 AM Dominick Baier >>> <dbaier@leastprivilege.com >>> <mailto:dbaier@leastprivilege.com>> wrote: >>> >>> We are currently implementing MTLS in IdentityServer. >>> Our approach will be that we’ll offer a separate token >>> endpoint that supports client certs. Are you planning on >>> adding an official endpoint name for discovery? Right >>> now we are using “mtls_token_endpoint”. >>> Thanks >>> ——— >>> Dominick >>> >>> On 7. February 2019 at 22:36:55, Brian Campbell >>> (bcampbell=40pingidentity.com@dmarc.ietf.org >>> <mailto:bcampbell=40pingidentity.com@dmarc.ietf.org>) wrote: >>> >>> Ah yes, that makes sense. Thanks for clarifying. And >>> it is indeed a good reminder that even a seemingly >>> innocuous change that should be backwards compatible >>> can break things unexpectedly.. >>> On Thu, Feb 7, 2019 at 8:57 AM Richard Backman, >>> Annabelle <richanna@amazon.com >>> <mailto:richanna@amazon.com>> wrote: >>> >>> The case I’m referencing didn’t specifically >>> involve AS metadata. We had clients in the wild >>> that assumed that all the properties in the JSON >>> object returned from our userinfo endpoint were >>> scalar strings. This broke when we introduced a >>> new property whose value was a JSON object. It >>> was a good reminder that even a seemingly >>> innocuous change that should be backwards >>> compatible can force more work on clients than >>> we expect. >>> -- >>> Annabelle Richard Backman >>> AWS Identity >>> *From:*Brian Campbell >>> <bcampbell@pingidentity.com >>> <mailto:bcampbell@pingidentity.com>> >>> *Date:*Wednesday, February 6, 2019 at 11:30 AM >>> *To:*"Richard Backman, Annabelle" >>> <richanna=40amazon.com@dmarc.ietf.org >>> <mailto:40amazon.com@dmarc.ietf.org>> >>> *Cc:*"Richard Backman, Annabelle" >>> <richanna@amazon.com >>> <mailto:richanna@amazon.com>>, oauth >>> <oauth@ietf.org <mailto:oauth@ietf.org>> >>> *Subject:*Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: >>> MTLS and in-browser clients using the token endpoint >>> And I'm honestly really struggling to see what >>> could have gone wrong with or how >>> token_endpoint_auth_methods broke something with >>> the user info endpoint. If you have the time >>> and/or it'd be informative to this here little >>> discussion, please explain that one a bit more. >>> On Wed, Feb 6, 2019 at 12:15 PM Brian Campbell >>> <bcampbell@pingidentity.com >>> <mailto:bcampbell@pingidentity.com>> wrote: >>> >>> "far" should have said "fair" in the >>> previous message >>> On Tue, Feb 5, 2019 at 4:35 PM Brian >>> Campbell <bcampbell@pingidentity.com >>> <mailto:bcampbell@pingidentity.com>> wrote: >>> >>> It may well be due to my own >>> intellectual shortcomings but these >>> issues/questions/confusion-points are >>> not resonating for me as being problematic. >>> The more general stance of "this isn't >>> needed or worth it in this document" (I >>> think that's far?) is being heard though. >>> On Tue, Feb 5, 2019 at 1:42 PM Richard >>> Backman, Annabelle >>> <richanna=40amazon.com@dmarc.ietf.org >>> <mailto:40amazon.com@dmarc.ietf...org>> >>> wrote: >>> >>> (TL;DR: punt AS metadata to a >>> separate draft) >>> >>> AS points #1-3 are all questions I >>> would have as an implementer: >>> >>> 1. Section 2 of RFC8414 >>> <https://tools.ietf.org/html/rfc8414#section-2>says >>> token_endpoint “is REQUIRED >>> unless only the implicit grant >>> type is supported.” So what does >>> the mTLS-only AS put here? >>> 2. The claims for these other >>> endpoints are OPTIONAL, >>> potentially leading to >>> inconsistency depending on how >>> #1 gets decided. >>> 3. The example usage of the >>> token_endpoint_auth_methods >>> property given earlier is >>> incompatible with RFC8414, since >>> some of its contents are only >>> valid for the non-mTLS >>> endpoints, and others are only >>> valid for the mTLS endpoints. >>> Hence this question. >>> 4. This introduces a new metadata >>> property that could impact how >>> other specs should extend AS >>> metadata. That needs to be >>> addressed. >>> >>> I could go on for client points but >>> you already get the point. Though >>> I’ll share that #3 is real and once >>> forced me to roll back an update to >>> the Login with Amazon userinfo >>> endpoint…good times.😃 >>> I don’t necessarily think an AS >>> metadata property is wrong per se, >>> but understand that you’re bolting a >>> layer of flexibility onto a standard >>> that wasn’t designed for that, and I >>> don’t think the metadata proposal as >>> it’s been discussed here >>> sufficiently deals with the fallout >>> from that. In my view this is a >>> complex enough issue and it’s for a >>> nuanced enough use case (as far as I >>> can tell from discussion? Please >>> correct me if I’m wrong) that we >>> should punt it to a separate draft >>> (e.g., “Authorization Server >>> Metadata Extensions for mTLS >>> Hybrids”) and get mTLS out the door. >>> -- >>> Annabelle Richard Backman >>> AWS Identity >>> *From:*OAuth <oauth-bounces@ietf.org >>> <mailto:oauth-bounces@ietf.org>> on >>> behalf of Brian Campbell >>> <bcampbell=40pingidentity.com@dmarc.ietf.org >>> <mailto:40pingidentity.com@dmarc.ietf.org>> >>> *Date:*Monday, February 4, 2019 at >>> 5:28 AM >>> *To:*"Richard Backman, Annabelle" >>> <richanna=40amazon.com@dmarc.ietf.org >>> <mailto:40amazon.com@dmarc.ietf.org>> >>> *Cc:*oauth <oauth@ietf.org >>> <mailto:oauth@ietf.org>> >>> *Subject:*Re: [OAUTH-WG] [UNVERIFIED >>> SENDER] Re: MTLS and in-browser >>> clients using the token endpoint >>> Those points of confusion strike me >>> as somewhat hypothetical or >>> hyperbolic. But your general point >>> is taken and your position of being >>> anti additional metadata on this >>> issue is noted. >>> All of which leaves me a bit >>> uncertain about how to proceed. >>> There seem to be a range of opinions >>> on this point and gauging consensus >>> is proving elusive for me. That's >>> confounded by my own opinion on it >>> being somewhat fluid. >>> And I'd really like to post an >>> update to this draft about a month >>> or two ago. >>> On Fri, Feb 1, 2019 at 5:03 PM >>> Richard Backman, Annabelle >>> <richanna=40amazon.com@dmarc.ietf.org >>> <mailto:40amazon.com@dmarc.ietf...org>> >>> wrote: >>> >>> Confusion from the AS’s perspective: >>> >>> 1. If I only support mTLS, do I >>> need to include both >>> token_endpoint_uri and >>> mtls_endpoints? Should I >>> omit token_endpoint_uri? Or >>> set it to the empty string? >>> 2. What if I only support mTLS >>> for the token endpoint, but >>> not revocation or user info? >>> 3. How do I specify >>> authentication methods for >>> the mTLS token endpoint? >>> Does >>> token_endpoint_auth_methods >>> apply to both the mTLS and >>> non-mTLS endpoints? >>> 4. I’m using the OAuth 2.0 >>> Device Flow. Do I include a >>> mTLS-enabled >>> device_authorization_endpoint >>> under mtls_endpoints? >>> >>> Confusion from the client’s >>> perspective: >>> >>> 1. As far as I know, I’m a >>> public client, and don’t >>> know anything about mTLS, >>> but the IT admins installed >>> client certs in their users’ >>> browsers and the AS expects >>> to use that to authenticate me. >>> 2. My AS metadata parser >>> crashed because the >>> mTLS-only AS omitted >>> token_endpoint_uri. >>> 3. My AS metadata parser >>> crashed because it didn’t >>> expect to encounter a JSON >>> object as a parameter value. >>> 4. The mTLS-only AS didn’t >>> provide a value for >>> mtls_endpoints, what do I do? >>> 5. I don’t know what that “m” >>> means, but they told me to >>> use HTTPS, so I should use >>> the one with “tls” in its >>> name, right? >>> >>> Yes, you can write normative >>> text that answers most of these. >>> But you’ll have to clearly cover >>> a lot of >>> similar-but-slightly-different >>> scenarios and be very explicit. >>> And implementers will still get >>> it wrong. The metadata change >>> introduces opportunities for >>> confusion and failure that do >>> not exist now, and forces them >>> on everyone who supports mTLS. >>> In contrast, the 307 redirect is >>> only required when an AS wants >>> to support both, and is >>> unambiguous in its behavior and >>> meaning. >>> -- >>> Annabelle Richard Backman >>> AWS Identity >>> *From:*Brian Campbell >>> <bcampbell=40pingidentity.com@dmarc.ietf.org >>> <mailto:40pingidentity.com@dmarc.ietf.org>> >>> *Date:*Friday, February 1, 2019 >>> at 3:17 PM >>> *To:*"Richard Backman, >>> Annabelle" <richanna@amazon.com >>> <mailto:richanna@amazon.com>> >>> *Cc:*George Fletcher >>> <gffletch@aol.com >>> <mailto:gffletch@aol.com>>, >>> oauth <oauth@ietf.org >>> <mailto:oauth@ietf.org>> >>> *Subject:*[UNVERIFIED SENDER] >>> Re: [OAUTH-WG] MTLS and >>> in-browser clients using the >>> token endpoint >>> It doesn't seem like that >>> confusing or large of a change >>> to me - if the client is doing >>> MTLS and the given endpoint is >>> present in `mtls_endpoints`, >>> then it uses that one. Otherwise >>> it uses the regular endpoint. It >>> gives an AS a lot of flexibility >>> in deployment options. I >>> personally think getting a 307 >>> approach deployed and working >>> would be more complicated and >>> error prone. >>> It is a minority use case at the >>> moment but there are forces in >>> play, like the push for >>> increased security in general >>> and to have javascript clients >>> use the code flow, that suggest >>> it won't be terribly unusual to >>> see an AS that wants to support >>> MTLS clients and javascript/spa >>> clients at the same time. >>> I've personally wavered back and >>> forth in this thread on whether >>> or not to add the new metadata >>> (or something like it). With my >>> reasoning each way kinda >>> explained somewhere back in the >>> 40 or so messages that make up >>> this thread. But it seems like >>> the rough consensus of the group >>> here is in favor of it. >>> On Fri, Feb 1, 2019 at 3:18 PM >>> Richard Backman, Annabelle >>> <richanna=40amazon.com@dmarc.ietf.org >>> <mailto:40amazon.com@dmarc.ietf...org>> >>> wrote: >>> >>> This strikes me as a very >>> prominent and confusing >>> change to support what seems >>> to be a minority use case. >>> I’m getting a headache just >>> thinking about the text >>> needed to clarify when the >>> AS should provide >>> `mtls_endpoints` and when >>> the client should use that >>> versus using >>> `token_endpoint.` Why is the >>> 307 status code insufficient >>> to cover the case where a >>> single AS supports both mTLS >>> and non-mTLS? >>> -- >>> Annabelle Richard Backman >>> AWS Identity >>> *From:*OAuth >>> <oauth-bounces@ietf.org >>> <mailto:oauth-bounces@ietf.org>> >>> on behalf of Brian Campbell >>> <bcampbell=40pingidentity.com@dmarc.ietf.org >>> <mailto:40pingidentity.com@dmarc.ietf.org>> >>> *Date:*Friday, February 1, >>> 2019 at 1:31 PM >>> *To:*George Fletcher >>> <gffletch=40aol.com@dmarc.ietf.org >>> <mailto:40aol.com@dmarc......ietf.org>> >>> *Cc:*oauth <oauth@ietf.org >>> <mailto:oauth@ietf.org>> >>> *Subject:*Re: [OAUTH-WG] >>> MTLS and in-browser clients >>> using the token endpoint >>> Yes, that would work. >>> On Fri, Feb 1, 2019 at 2:28 >>> PM George Fletcher >>> <gffletch=40aol.com@dmarc.ietf.org >>> <mailto:40aol.com@dmarc.ietf.org>> >>> wrote: >>> >>> What if the AS wants to >>> ONLY support MTLS >>> connections. Does it not >>> specify the optional >>> "mtls_endpoints" and >>> just use the normal >>> metadata values? >>> >>> On 1/15/19 8:48 AM, >>> Brian Campbell wrote: >>> >>> It would definitely >>> be optional, >>> apologies if that >>> wasn't made clear. >>> It'd be something to >>> the effect of >>> optional for the AS >>> to include and >>> clients doing MTLS >>> would use it when >>> present in AS metadata. >>> On Tue, Jan 15, 2019 >>> at 2:04 AM Dave >>> Tonge >>> <dave.tonge@momentumft.co.uk >>> <mailto:dave.tonge@momentumft.co.uk>> >>> wrote: >>> >>> I'm in favour of >>> the >>> `mtls_endpoints` >>> metadata >>> parameter - >>> although it >>> should be optional. >>> >>> >>> /CONFIDENTIALITY >>> NOTICE: This email >>> may contain >>> confidential and >>> privileged material >>> for the sole use of >>> the intended >>> recipient(s). Any >>> review, use, >>> distribution or >>> disclosure by others >>> is strictly >>> prohibited.. If you >>> have received this >>> communication in >>> error, please notify >>> the sender >>> immediately by >>> e-mail and delete >>> the message and any >>> file attachments >>> from your computer. >>> Thank you./ >>> >>> _______________________________________________ >>> >>> OAuth mailing list >>> >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> >>> https://www.ietf..org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> */CONFIDENTIALITY NOTICE: >>> This email may contain >>> confidential and privileged >>> material for the sole use of >>> the intended recipient(s). >>> Any review, use, >>> distribution or disclosure >>> by others is strictly >>> prohibited.. If you have >>> received this communication >>> in error, please notify the >>> sender immediately by e-mail >>> and delete the message and >>> any file attachments from >>> your computer. Thank you./* >>> >>> >>> */CONFIDENTIALITY NOTICE: This >>> email may contain confidential >>> and privileged material for the >>> sole use of the intended >>> recipient(s). Any review, use, >>> distribution or disclosure by >>> others is strictly prohibited.. >>> If you have received this >>> communication in error, please >>> notify the sender immediately by >>> e-mail and delete the message >>> and any file attachments from >>> your computer. Thank you./* >>> >>> >>> */CONFIDENTIALITY NOTICE: This email >>> may contain confidential and >>> privileged material for the sole use >>> of the intended recipient(s). Any >>> review, use, distribution or >>> disclosure by others is strictly >>> prohibited.. If you have received >>> this communication in error, please >>> notify the sender immediately by >>> e-mail and delete the message and >>> any file attachments from your >>> computer. Thank you./* >>> >>> >>> */CONFIDENTIALITY NOTICE: This email may contain >>> confidential and privileged material for the >>> sole use of the intended recipient(s). Any >>> review, use, distribution or disclosure by >>> others is strictly prohibited. If you have >>> received this communication in error, please >>> notify the sender immediately by e-mail and >>> delete the message and any file attachments from >>> your computer. Thank you./* >>> >>> >>> */CONFIDENTIALITY NOTICE: This email may contain >>> confidential and privileged material for the sole >>> use of the intended recipient(s). Any review, use, >>> distribution or disclosure by others is strictly >>> prohibited.. If you have received this communication >>> in error, please notify the sender immediately by >>> e-mail and delete the message and any file >>> attachments from your computer. Thank >>> you./*_______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> */CONFIDENTIALITY NOTICE: This email may contain >>> confidential and privileged material for the sole use of the >>> intended recipient(s). Any review, use, distribution or >>> disclosure by others is strictly prohibited. If you have >>> received this communication in error, please notify the >>> sender immediately by e-mail and delete the message and any >>> file attachments from your computer. Thank you./* >>> >>> >>> */CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). >>> Any review, use, distribution or disclosure by others is strictly >>> prohibited.. If you have received this communication in error, >>> please notify the sender immediately by e-mail and delete the >>> message and any file attachments from your computer. Thank you./* >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] MTLS and in-browser clients using the … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … John Bradley
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … Neil Madden
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … David Waite
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Benjamin Kaduk
- Re: [OAUTH-WG] MTLS and in-browser clients using … Dave Tonge
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Filip Skokan
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … George Fletcher
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] MTLS and in-browser clients using … Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS and in-browser clients using … Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Justin Richer
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS and i… Brian Campbell
- [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Brian Campbell
- Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
- Re: [OAUTH-WG] MTLS token endoint & discovery Justin Richer
- Re: [OAUTH-WG] MTLS token endoint & discovery George Fletcher
- Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
- Re: [OAUTH-WG] MTLS token endoint & discovery Richard Backman, Annabelle
- Re: [OAUTH-WG] MTLS token endoint & discovery Filip Skokan
- Re: [OAUTH-WG] MTLS token endoint & discovery Dominick Baier
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Dominick Baier
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Phil Hunt
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Filip Skokan
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… George Fletcher
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Neil Madden
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… David Waite
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Richard Backman, Annabelle
- Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: MTLS token… Brian Campbell