Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt

Neil Madden <> Fri, 22 November 2019 10:23 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id CE93A120822 for <>; Fri, 22 Nov 2019 02:23:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oA0gOFRF7L6l for <>; Fri, 22 Nov 2019 02:23:31 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0E7D61207FD for <>; Fri, 22 Nov 2019 02:23:30 -0800 (PST)
Received: by with SMTP id 8so6985095wmo.0 for <>; Fri, 22 Nov 2019 02:23:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=MD4YNH3bske2KLjGsswKrFeJikR4PNVBGCD19qVxXPA=; b=OxMVPIPMKLk2uzajDsKveAtCs9bTGAgR0UFbJLa9aimNUkxK2qGgFIEzgwjxay7Udc 3lsMNTciN0zX2GUv22J6FlaBnD1g8/BmeTGrrESB0ep+bQWHzrQx0p9OLWZrAuGqBVlz jp4wffi24RykTYHG0UEeAUT8vQrjUfauZADWI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=MD4YNH3bske2KLjGsswKrFeJikR4PNVBGCD19qVxXPA=; b=mYUJXBCQBXbeKElDlU8ufzYY2nNGcMKg630Jb7tO8qgwY+wCV7Fot1iDARuo9ZvKZ9 aaUBDTgbucBdn6nj5IbrDfWXrp77GcvcLrUQTqXPgWJcZ6fhYc46GILJumRpSHIINpaj AjuzwhQOoVYUULOORExhMK6coq9NoXqCun1Xpb2tOdaTdi8qpZnTy6/ClePRkC5oO6EO q9xIa98cctbKfKxj9iypY16MxKosvwumgj3/i9KrOwoGlFnEK6a3gkSWaMsA3Ete4QMX uFhL0VjtircuuqqHvdcDprdWGquz4FdKzEHgonjTyF3hxyQXuaQ/eFNgz1uDUN6kOgfl qk/w==
X-Gm-Message-State: APjAAAVvSuDnZhvoalBU5Qt5ZLBIx7c0wRIjWAB+sPDvD0UAiIvvkzp7 QzX6pwNp9/fKFNIC9DQNW1PGrA==
X-Google-Smtp-Source: APXvYqybNzNZzyHVBYijcCAI2lzX+Tk/+PnhrNQnH6K716RC+RNFNx7jAVGFU2gFbSdUM69WC+Bb4A==
X-Received: by 2002:a1c:23c1:: with SMTP id j184mr15134810wmj.83.1574418209398; Fri, 22 Nov 2019 02:23:29 -0800 (PST)
Received: from [] ( []) by with ESMTPSA id x7sm7071616wrq.41.2019. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Nov 2019 02:23:28 -0800 (PST)
From: Neil Madden <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3F0BA50E-DD75-48F4-ADF3-40244582E78F"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.10\))
Date: Fri, 22 Nov 2019 10:23:26 +0000
In-Reply-To: <>
Cc: Torsten Lodderstedt <>, oauth <>
To: Aaron Parecki <>
References: <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3601.0.10)
Archived-At: <>
Subject: Re: [OAUTH-WG] New Version Notification for draft-fett-oauth-dpop-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 22 Nov 2019 10:23:34 -0000

It's not a different threat profile. This is the same assumption people made when introducing HttpOnly cookies, which just led to attackers switching to proxy everything through the browser as per things like <> . (This is actually nicer for the attacker as their requests then appear to come from the legitimate user, masking their true origin and allowing them to carry out attacks bypassing the corporate firewall). DPoP is not a protection against XSS and shouldn't be sold as such.

-- Neil

> On 22 Nov 2019, at 10:19, Aaron Parecki <> wrote:
> The main concern about token replay in a SPA is that the access token may be extracted from the app, such as via XSS. Using the Web Crypto API has the advantage of being able to generate a public private key pair where the JS code can't access the private key at all, it can only be used to sign things, making it impossible for an attacker to extract an access token and use it for anything. You might then say that if a JS app is vulnerable to XSS then the attacker could just call the signing API anyway, which is a concern, but that's a different threat profile. 
> Aaron
> On Fri, Nov 22, 2019 at 6:08 PM Neil Madden < <>> wrote:
> On 22 Nov 2019, at 07:53, Torsten Lodderstedt < <>> wrote:
> > 
> > 
> > 
> >> On 22. Nov 2019, at 15:24, Justin Richer < <>> wrote:
> >> 
> >> I’m going to +1 Dick and Annabelle’s question about the scope here. That was the one major thing that struck me during the DPoP discussions in Singapore yesterday: we don’t seem to agree on what DPoP is for. Some (including the authors, it seems) see it as a quick point-solution to a specific use case. Others see it as a general PoP mechanism. 
> >> 
> >> If it’s the former, then it should be explicitly tied to one specific set of things. If it’s the latter, then it needs to be expanded. 
> > 
> > as a co-author of the DPoP draft I state again what I said yesterday: DPoP is a mechanism for sender-constraining access tokens sent from SPAs only. The threat to be prevented is token replay.
> I think the phrase "token replay" is ambiguous. Traditionally it refers to an attacker being able to capture a token (or whole requests) in use and then replay it against the same RS. This is already protected against by the use of normal TLS on the connection between the client and the RS. I think instead you are referring to a malicious/compromised RS replaying the token to a different RS - which has more of the flavour of a man in the middle attack (of the phishing kind).
> But if that's the case then there are much simpler defences than those proposed in the current draft:
> 1. Get separate access tokens for each RS with correct audience and scopes. The consensus appears to be that this is hard to do in some cases, hence the draft.
> 2. Make the DPoP token be a simple JWT with an "iat" and the origin of the RS. This stops the token being reused elsewhere but the client can reuse it (replay it) for many requests.
> 3. Issue a macaroon-based access token and the client can add a correct audience and scope restrictions at the point of use.
> Protecting against the first kind of replay attacks only becomes an issue if we assume the protections in TLS have failed. But if DPoP is only intended for cases where mTLS can't be used, it shouldn't have to protect against a stronger threat model in which we assume that TLS security has been lost.
> -- Neil
> _______________________________________________
> OAuth mailing list
> <>
> <>
> -- 
> ----
> Aaron Parecki
> <>
> @aaronpk <>