IETF Logo Mail Archive

Re: [OAUTH-WG] draft-fett-oauth-dpop-00

Filip Skokan <panva.ip@gmail.com> Fri, 29 March 2019 16:39 UTC

Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48EC61200CC for <oauth@ietfa.amsl.com>; Fri, 29 Mar 2019 09:39:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ryevp1f-mjry for <oauth@ietfa.amsl.com>; Fri, 29 Mar 2019 09:39:13 -0700 (PDT)
Received: from mail-oi1-x22e.google.com (mail-oi1-x22e.google.com [IPv6:2607:f8b0:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9D0ED12004C for <oauth@ietf.org>; Fri, 29 Mar 2019 09:39:13 -0700 (PDT)
Received: by mail-oi1-x22e.google.com with SMTP id w139so2140481oie.9 for <oauth@ietf.org>; Fri, 29 Mar 2019 09:39:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Bm9Ubhm9o+wh9A62V6dK1lvyBG0Tpgy812mr9ivboaM=; b=F1dT+KdmjWzWnHOm68oULS/Ll7pdz5gmqNjzHwV2JWfbIGM3WhAI+SChPNt0DOfN3r ODJdU1iaH9BBJvUIGHuJowPgDOVY9ihEFGQBdA3laViAR9tDhXZvVGlgvWxYsu+8WoXm Jz9uHadg/ESj+GYQ299ZPtjE6IdKBGFAHpEt9+zpXtn8O8Rdfp0r2OeTiOqQ2YRIf164 nqDfTj4FYhHOpUBut04j9cNARgWSl1ZwtQ7J2xDP+yV7aepv6GQxkCimTWazY49a2qpP FnltorqoRXPqz4C1FNphSFYSa8hAACNQOPqBFDjqlnh0rF9Usho8R/5KwBGk0l9PO5EO 0IrQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Bm9Ubhm9o+wh9A62V6dK1lvyBG0Tpgy812mr9ivboaM=; b=rzjh7AuFvlz2N17wtaMYAxBHVnPFIGVdcTpW3SjRYtGO9M6rLO02QTOK9JHPNFSn5c SITUDehZBfM2l8J2Jzoz38LCRbLBmZxwUHIfGPVYuBHyZVVaDsnMMQUErDlba5x4MyCT Kc9oeVbNWVbN6nlu9GWugXhVwT5ZRVJ5wLxMwQsUONYyjAS91ETViRB6VjiS9rS+WgTT 1RHSqMyOEWHgFdv14sJ46SnK7rDHKcYvMr1xus82hV8OZXqe11L0gxHbZ6KLiALEeS/e 06VCHfhyHS/NlM7mwEVnsTO9oPcb6zRurfeKfLzss4cWvLQAkvgEvrkYKItxJLHVh0Wa +oWQ==
X-Gm-Message-State: APjAAAXSJAOmIIFFLzVbyWZFMky6zlPw2yoLTQxMkyVM3vYK71KMzrsZ d9Klh+LNWa6ESRTTf4NyaPVGd24xxPXOg1HdwQ==
X-Google-Smtp-Source: APXvYqzb0irP3yqkI3HjyUhey7eslmqekGIX5fXTOXSG/87ltTAUZliaHsfzrvV5wUb0MU9HE5vAiQs10XEy04N/PUc=
X-Received: by 2002:aca:aa91:: with SMTP id t139mr4389880oie.174.1553877552690; Fri, 29 Mar 2019 09:39:12 -0700 (PDT)
MIME-Version: 1.0
References: <0a9af6f6-1b5d-244d-06af-9d14461b1d69@yes.com> <CALAqi__ZkiuJyvsY9yo3bc8yvMSBdZx+otaNGoYYPxevO8B_yg@mail.gmail.com>
In-Reply-To: <CALAqi__ZkiuJyvsY9yo3bc8yvMSBdZx+otaNGoYYPxevO8B_yg@mail.gmail.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Fri, 29 Mar 2019 17:39:01 +0100
Message-ID: <CALAqi_8Vk8sMkGmb+fK5fcCYW9xo8F6F9OZbr5EKju2fGU=W9A@mail.gmail.com>
To: Daniel Fett <danielf+oauth@yes.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008d7f6c05853e4ffb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZwOJqiQFTs42XUrNF4ZMQWfayhQ>
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 16:39:16 -0000

And here's a real simple client-side implementation using

- Webcrypto API
- IndexedDB API
- fetch

https://boiling-escarpment-16732.herokuapp.com/

It's not really a SPA but uses the same browser APIs and no backend other
than a web server hosting the html.

Best,
*Filip Skokan*


On Thu, 28 Mar 2019 at 19:48, Filip Skokan <panva.ip@gmail.com> wrote:

> Hello Daniel, everyone,
>
> I've hacked together an AS implementation to enable client-side
> experimentation using this draft.
>
> You can find this hosted at https://draft-fett-oauth-dpop-00.herokuapp.com (it's
> also the issuer identifier). There's a default client registered and
> dynamic registration is also open, so hack away. It's using the draft
> version with dpop_binding expecting "jwk": { ...jwk } rather then "cnf": {
> "dpop+jwk": { ... jwk } } as the payload claim as suggested by Ludwig.
>
> There are more notes on the index page itself.
>
> Aaron kindly accepted to work on the SPA client-side demonstration, I'm
> not a SPA guru mastermind like Aaron and it would take me ages to deliver
> that particular piece. That being said I did test this with a regular web
> app as well as a CLI client using both code+pkce and dynamic port binding
> as well as device authorization grant client. Works.
>
> Feeding back to the draft
>
>    - i think we should mention the client to provide reasonable
>    expiration value of the dpop JWTs (max minutes). Altho not critical since
>    we require a jti, as an AS i don't wanna cache the used jti values forever
>    :)
>    - the AS should error when the dpop JWT contains private key material
>    - altho implied by the use of "public" and "private" key i think it
>    wouldn't hurt explicitly forbidding "oct" JWKs
>    - i don't see a point in dpop_proof containing the JWK again unless
>    the AS is supposed to do something new with it
>    - it wouldn't hurt mentioning that, kinda following 6750, when
>    dpop_proof is sent it's in a query for GET, in the request body for a POST.
>    my provider for instance will ignore query parameters during a POST. With
>    that said, what about RS endpoints using other methods? Maybe placing the
>    proof in a header isn't a terrible idea afterall.
>
>
> Kind Regards,
> *Filip Skokan*
>
>
> On Thu, 28 Mar 2019 at 11:19, Daniel Fett <danielf+oauth@yes.com> wrote:
>
>> Hi all,
>>
>> I published the first version of the DPoP draft at
>> https://tools.ietf.org/html/draft-fett-oauth-dpop-00
>>
>> Abstract
>>
>>    This document defines a sender-constraint mechanism for OAuth 2.0
>>    access tokens and refresh tokens utilizing an application-level
>>    proof-of-possession mechanism based on public/private key pairs.
>>
>>
>> Thanks for the feedback I received so far from John, Mike, Torsten, and
>> others during today's session or before!
>>
>> If you find any errors I would welcome if you open an issue in the GitHub
>> repository at https://github.com/webhamster/draft-dpop
>>
>> - Daniel
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email