IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metadata

Brian Campbell <bcampbell@pingidentity.com> Tue, 07 January 2020 22:54 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D77BC1200B3 for <oauth@ietfa.amsl.com>; Tue, 7 Jan 2020 14:54:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3jsTd03Zd9G for <oauth@ietfa.amsl.com>; Tue, 7 Jan 2020 14:54:23 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFDD3120025 for <oauth@ietf.org>; Tue, 7 Jan 2020 14:54:22 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id w1so1312789ljh.5 for <oauth@ietf.org>; Tue, 07 Jan 2020 14:54:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QnIKO9B36gtS37QQKieC6dLXUBTbLVnChtG5/EIYSBs=; b=AEX4i8oFeFztYCNOcP8Gwu5E5KiELqwfMVdJ0I1Wc8ve3JXaGkanQm81FvKx7WJ/YQ wYXxBC3ttWrgyPH6rpOOR3XUycMi+04n8T7xnBH27xd2bAU333Bp0DpBYm/s1sykhHXW /T4F1e8W28XIfz0QtRFoE63QXMsxbtVYKRvubDEGIIXM+v6QiDckbxjWER5c4Za40NXm 8+nzCDtBrIoISV4stv5wfVXj54z8aWpNlvgp2IYg6IzSMGrIRDlg5LrXOUt6RpSUnMAB mGssB6X72j34wfxlvH2qkYEp833/evpy6CPa+igaH1Iyw9ALG7NZ4TI0Mfpsd1M89y7A pPbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QnIKO9B36gtS37QQKieC6dLXUBTbLVnChtG5/EIYSBs=; b=sPULt+fTM3AqLom+FKGc6z8D4/FoBjrM5siSO7xsrwOEbQl/7GgUqyo5EdYpmYxGO8 vo/EFb23WTaFYQO5WtLluTt0bwpoqZSqlByaLqQWUfcp6ObeKasp8flFvDIhSypt0J/S sk1lUT1zQmXRw3JZ/AuvaG++3owdhKmOAaA3kwGiX0QwgmUAsGkS49xA6pow7Oy5O8RV gazXeDDWlapXyfzHUvZjdLxs3eeM0dRvSWY503SSfDh/ppr4BLxlupIdpDT8nJ+9+T8m LC6dXj1/mhg5YfsrvpeJeQjtSeZHf4+/xBeSDP0ki99PJBQ9R00zL8hLw9yxxPAKnQid 1YXw==
X-Gm-Message-State: APjAAAW7FI2Tmx+lGMuE0acLHIzeAWH2kGzwSQaBF2fjTWRCHBKzxv+6 aOV0zPrQ1UvF7oIRoq9JFhmOCSJ5Klr8t6uFdsAspPS/OpVt5Jq75WVdhdwLJSK0UCIIRQeFss0 qVVpKSi2+VodnqiU8
X-Google-Smtp-Source: APXvYqxyAyZLbeBx27oCWAYEnhD/pCxgzfs7elezvnBbjUgpSiG6Q+uWfMlYYvgshTlG58yFR3a7BaLAIPq9veDZIac=
X-Received: by 2002:a2e:9592:: with SMTP id w18mr1052076ljh.98.1578437660949; Tue, 07 Jan 2020 14:54:20 -0800 (PST)
MIME-Version: 1.0
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net> <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com> <50191CC6-0A19-42B4-87C2-880F53FD3C4F@lodderstedt.net> <05AB19DB-FCD2-4FAA-A470-0978E7B65354@amazon.com> <CA+k3eCS6SdAKjOp67o_zUytnNGnpM4p5UO68CvZeEXg11PWrtg@mail.gmail.com> <801AFC59-B94A-4C9E-A44D-60F4EF6F4EC2@forgerock.com> <38C69B8C-905F-46F1-88BB-016CF7DE2952@amazon.com> <CALAqi_8tM4E0UgOt0Bq-DTx0d-putVWv-grt6=jXVES5GHfMZw@mail.gmail.com> <3c24a635-3d48-7b86-de31-fbf8595cf15f@connect2id.com>
In-Reply-To: <3c24a635-3d48-7b86-de31-fbf8595cf15f@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 07 Jan 2020 15:53:53 -0700
Message-ID: <CA+k3eCS0b+KAzvyHor1BPzkUbWAEwMw2KJw5uGGd68BM2gDefQ@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: Filip Skokan <panva.ip@gmail.com>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, Dave Tonge <dave.tonge@moneyhub.com>, oauth <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
Content-Type: multipart/alternative; boundary="00000000000014e3fa059b94a8fb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_c_qUBpTseu9TEnlsueev6kRBk4>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jan 2020 22:54:27 -0000

A little more context about that proposed wording is in a github issue at
https://github.com/oauthstuff/draft-oauth-par/issues/38, which is different
driver than allowing a PAR endpoint to stash the encrypted request object
rather than decrypting/validating it. But it's kind of the same concept at
some level too - that there are some things that can't or won't be
validated at the PAR endpoint and those then have to be validated at the
authorization endpoint.

I rather like your suggested text, Vladimir, and have mentioned it in a
comment on the aforementioned issue.


On Tue, Jan 7, 2020 at 6:58 AM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> On 07/01/2020 00:22, Filip Skokan wrote:
>
> We've been discussing making the following change to the language
>
> The AS SHOULD validate the request in the same way as at the authorization
>> endpoint. The AS MUST ensure that all parameters to the authorization
>> request are still valid at the time when the request URI is used.
>>
> Could you expand a bit on the second sentence?
>
> Alternative suggestion:
>
> The AS MUST validate the request in the same way as at the authorization
> endpoint, or complete the request validation at the authorization endpoint.
>
> Vladimir
>
>
> This would allow the PAR endpoint to simply stash the encrypted request
> object instead of decrypting and validating it. All within the bounds of
> "SHOULD - We’d like you to do this, but we can’t always require it". This
> supports "light weight PAR" implementation rather than introducing the
> unnecessary complexity in the form of a second JWKS.
>
> Best,
> *Filip*
>
>
> On Mon, 6 Jan 2020 at 23:00, Richard Backman, Annabelle <richanna=
> 40amazon.com@dmarc.ietf.org> wrote:
>
>> The issue isn’t that the PAR endpoint needs access to one specific
>> request object decryption key that could reasonably be shared across AS
>> endpoints, but that it actually needs access to the private keys for all
>> encryption public keys in the JWK set pointed to by the AS’s jwks_uri
>> metadata property. Since there is no way to designate one particular key as
>> the one to use for encrypting request objects, clients may reasonably use
>> any encryption public key in the JWK set to encrypt a request object. As
>> one example of how this could expose sensitive data to the PAR endpoint, if
>> the PAR endpoint has all the decryption keys for the keys in the AS’s JWK
>> set, it would be able to decrypt ID Tokens sent in id_token_hint request
>> parameters. As more and more use cases develop for encrypting blobs for the
>> AS, this issue will only get worse.
>>
>>
>>
>> The PAR endpoint can’t simply stash the encrypted request object, as it
>> is required to verify the request, according to §2.1:
>>
>>
>>
>> The AS MUST process the request as follows:
>>
>>
>>
>> ...
>>
>>
>>
>> 3.  The AS MUST validate the request in the same way as at the
>>
>>           authorization endpoint. ...
>>
>>
>>
>> This language needs to be more flexible, IMHO, to allow for lightweight
>> PAR endpoints that may not have the information or authority needed to
>> perform all the validation that happens at the authorization endpoint. I
>> need to think about this more before I can say if it would adequately
>> address my concerns, but it’d be a good start and makes sense in its own
>> right.
>>
>>
>>
>> I think it’s pretty risky for us to base decision on an assumption that
>> no one is going to need or want to encrypt pushed request objects,
>> particularly when they’re JWTs, and JWTs have well established support for
>> encryption, and encrypted JWTs are supported by pass-by-value in OIDC and
>> draft-ietf-oauth-jwsreq. But if you insist, here are a few examples for why
>> someone might want to do this:
>>
>>    1. The request object is passed by reference, and accessible on the
>>    public Internet.
>>    2. The request object contains sensitive transaction-related data in
>>    RAR parameters that the client’s authN/authZ stack doesn’t need to have
>>    access to.
>>    3. The AS requires request object encryption to minimize exposure to
>>    the hosted PAR endpoint service it uses.
>>    4. #2, but the threat vector is gaps in end-to-end TLS.
>>    5. Any of the above, but the concern is message integrity, and the AS
>>    requires requested objects to be encrypted for confidentiality and
>>    integrity protection and does not support signed request objects.
>>
>>
>>
>> –
>>
>> Annabelle Richard Backman
>>
>> AWS Identity
>>
>>
>>
>>
>>
>> *From: *Neil Madden <neil.madden@forgerock.com>
>> *Date: *Monday, January 6, 2020 at 6:29 AM
>> *To: *Brian Campbell <bcampbell@pingidentity.com>
>> *Cc: *"Richard Backman, Annabelle" <richanna@amazon.com>, Nat Sakimura <
>> nat@sakimura.org>, Dave Tonge <dave.tonge@moneyhub.com>, Torsten
>> Lodderstedt <torsten@lodderstedt..net <torsten@lodderstedt.net>>, oauth <
>> oauth@ietf.org>
>> *Subject: *[UNVERIFIED SENDER] Re: [OAUTH-WG] PAR metadata
>>
>>
>>
>> Agreed.
>>
>>
>>
>> In addition, I'm not sure why the PAR endpoint would need access to the
>> decryption keys at all. If you're using encrypted request objects then the
>> PAR endpoint receives an encrypted JWT and then later makes the same (still
>> encrypted) JWT available to the authorization endpoint. If the PAR endpoint
>> is doing any kind of decryption or validation on behalf of the
>> authorization endpoint then they are clearly not in separate trust
>> boundaries.
>>
>>
>>
>> -- Neil
>>
>>
>>
>>
>>
>> On 6 Jan 2020, at 13:57, Brian Campbell <
>> bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>>
>>
>>
>> I really struggle to see the assumption that an entity be able to use the
>> same key to decrypt the same type of message ultimately intended for the
>> same purpose as an artificial limit. The same general assumption
>> underlies everything else in OAuth/OIDC (Vladimir's post points to some but
>> not all examples of such). There's no reason for PAR to make a one-off
>> exception. And should there be some deployment specific reason that truly
>> requires that kind of isolation, there are certainly implementation options
>> that aren't compatibility-breaking. And having said all that, I'm honestly
>> a little surprised anyone is thinking much about encrypted request objects
>> with PAR as, at least with my limited imagination, there's not really a
>> need for it.
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Fri, Jan 3, 2020 at 2:43 PM Richard Backman, Annabelle <richanna=
>> 40amazon.com@dmarc.ietf.org> wrote:
>>
>> PAR introduces an added wrinkle for encrypted request objects: the PAR
>> endpoint and authorization endpoint may not have access to the same
>> cryptographic keys, even though they're both part of the "authorization
>> server." Since they're different endpoints with different roles, it's
>> reasonable to put them in separate trust boundaries. There is no way to
>> support this isolation with just a single "jwks_uri" metadata property.
>>
>> The two options that I see are:
>>
>> 1. Define a new par_jwks_uri metadata property.
>> 2. Explicitly state that this separation is not supported.
>>
>> I strongly perfer #1 as it has a very minor impact on deployments that
>> don't care (i.e., they just set par_jwks_uri and jwks_uri to the same
>> value) and failing to support this trust boundary creates an artificial
>> limit on implementation architecture and could lead to
>> compatibility-breaking workarounds.
>>
>> –
>> Annabelle Richard Backman
>> AWS Identity
>>
>>
>> On 12/31/19, 8:07 AM, "OAuth on behalf of Torsten Lodderstedt" <
>> oauth-bounces@ietf.org on behalf of torsten=
>> 40lodderstedt.net@dmarc.ietf.org> wrote:
>>
>>     Hi Filip,
>>
>>     > On 31. Dec 2019, at 16:22, Filip Skokan <panva.ip@gmail.com> wrote:
>>     >
>>     > I don't think we need a *_auth_method_* metadata for every endpoint
>> the client calls directly, none of the new specs defined these (e.g. device
>> authorization endpoint or CIBA), meaning they also didn't follow the scheme
>> from RFC 8414 where introspection and revocation got its own metadata. In
>> most cases the unfortunately named `token_endpoint_auth_method` and its
>> related metadata is what's used by clients for all direct calls anyway.
>>     >
>>     > The same principle could be applied to signing (and encryption)
>> algorithms as well.
>>     >
>>     > This I do not follow, auth methods and their signing is dealt with
>> by using `token_endpoint_auth_methods_supported` and
>> `token_endpoint_auth_signing_alg_values_supported` - there's no encryption
>> for the `_jwt` client auth methods.
>>     > Unless it was meant to address the Request Object signing and
>> encryption metadata, which is defined and IANA registered by OIDC. PAR only
>> references JAR section 6.1 and 6.2 for decryption/signature validation and
>> these do not mention the metadata (e.g. request_object_signing_alg) anymore
>> since draft 07.
>>
>>     Dammed! You are so right. Sorry, I got confused somehow.
>>
>>     >
>>     > PS: I also found this comment related to the same question about
>> auth metadata but for CIBA.
>>
>>     Thanks for sharing.
>>
>>     >
>>     > Best,
>>     > Filip
>>
>>     thanks,
>>     Torsten.
>>
>>     >
>>     >
>>     > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <
>> torsten@lodderstedt.net> wrote:
>>     > Hi all,
>>     >
>>     > Ronald just sent me an email asking whether we will define metadata
>> for
>>     >
>>     > pushed_authorization_endpoint_auth_methods_supported and
>>     > pushed_authorization_endpoint_auth_signing_alg_values_supported.
>>     >
>>     > The draft right now utilises the existing token endpoint
>> authentication methods so there is basically no need to define another
>> parameter. The same principle could be applied to signing (and encryption)
>> algorithms as well.
>>     >
>>     > What’s your opinion?
>>     >
>>     > best regards,
>>     > Torsten.
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email