Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns
Filip Skokan <panva.ip@gmail.com> Thu, 16 April 2020 08:06 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 447BA3A115B for <oauth@ietfa.amsl.com>; Thu, 16 Apr 2020 01:06:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W7Oj6RA1EF02 for <oauth@ietfa.amsl.com>; Thu, 16 Apr 2020 01:06:06 -0700 (PDT)
Received: from mail-yb1-xb32.google.com (mail-yb1-xb32.google.com [IPv6:2607:f8b0:4864:20::b32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBC633A1157 for <oauth@ietf.org>; Thu, 16 Apr 2020 01:06:05 -0700 (PDT)
Received: by mail-yb1-xb32.google.com with SMTP id e17so1572341ybq.0 for <oauth@ietf.org>; Thu, 16 Apr 2020 01:06:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3OYcN2kTb4cEy+jXmkiLyfYlyHvtONEQD8DCM1Gvl0g=; b=kBpY8ULD20QA+Tt0qsKDvc54M3K2THgQkdeA8Lm7W72C+6WGHAwF4Z03wIaPHKWvTH 3r0HbbXZR/hHdXlhnn3uJAI+RdaACGWQkzEX3lXRJ9cpAOqvKuiq/LkU5ECK9jsYiC8z x/isVXKKh1LBLXehIG7perXsgJKjD+vSCrZ19/H5NM2blJjLpheqS2FhTaeCS+Fa7HJF lBp+d5zl7YPREdVgGFyPdhVQGgibX4I3jtxkkhde2V/gfj1U3uR4awqCtxXjtXmxVMZJ qCHb8WRJlWt/GpglGVgzVhtLlX341ctvr5Fnv/ZsHDwf+9Bp40xnJ+kcTLVlToONrCIT cV0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3OYcN2kTb4cEy+jXmkiLyfYlyHvtONEQD8DCM1Gvl0g=; b=JpqHZFIYslFCRy9EBEEA6hZ+z61f8qa0HTqnWirm59gpMW3aVHtlL8/uqKL0UUssin nBMi7yLRZkim4vqrNVCnJKg/KOzi2ZF8rUuUuDWnzMr1DeaLUrGpDoFKg0BiZfFht/eV 1clNtVkAa0UCDhxLKaIcJp2joI+Use9yUSpBSEIoc8GhJH3bKEw2yUpRFr1K6go631E0 mEGoSWkuNC5Lez5aM54rSDODwaikgSue/aP8p/RMx8YCmlrqz55w7v6N9ZOSYbF1zBs4 fKklpe/RlJjNA8xVu5GKKybqhavUUQoUPwxsJI+kcxupdoBaZNXDyqTVgfJwbvOQfLBK 0w2w==
X-Gm-Message-State: AGi0PuZ39nh/pxDwi3nb9Fulsgzxli31n7Gub3NGoyyj8/e9lxT9TA3B ceaSrZVMDT53eVmgFFm+uC+RKjClpLUrHOpcSg==
X-Google-Smtp-Source: APiQypLp6fO77CFtZs44kN/q1YuoLaNcQY9Ki0q+h8mBW+ZJi0RI/9D0VylPTWRWo1tOKmDpvRHZaKBr699KBo90XII=
X-Received: by 2002:a25:aa69:: with SMTP id s96mr14648061ybi.85.1587024364892; Thu, 16 Apr 2020 01:06:04 -0700 (PDT)
MIME-Version: 1.0
References: <CALAqi_-9+JYBMSSBnX9PUZkvrPrGTtS8wrJduoPCxMs9+FguPQ@mail.gmail.com> <CA+k3eCRsvETUJUZ=+n2CvQ=y_Lgn+cKgmaAoXBW8WyVJu6yzzg@mail.gmail.com>
In-Reply-To: <CA+k3eCRsvETUJUZ=+n2CvQ=y_Lgn+cKgmaAoXBW8WyVJu6yzzg@mail.gmail.com>
From: Filip Skokan <panva.ip@gmail.com>
Date: Thu, 16 Apr 2020 10:05:28 +0200
Message-ID: <CALAqi_9C3ndhWX8Th_ow_Jp-3wM-m=ED-B22bmJyD-KULLDXug@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000084fcc905a363e757"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aGokLbrtNmK8n39N6-zw0lO0LWA>
Subject: Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Apr 2020 08:06:15 -0000
> > I'm still somewhat on the fence as to the pros and cons of using a new > token type and authorization scheme. But the draft has gone with a new one. > Would it have really helped this situation, if it'd stuck with "bearer"? Or > would it just be less obvious? > If we had stuck "bearer" than i wouldn't have raised this topic, since existing RS would most likely ignore the cnf claim and the resource server calls would continue to work, obviously without taking advantage of the available sender check. As I wrote the preceding rambling paragraph I am starting to think that > more should be said in the draft about working with RSs that don't support > DPoP. Which isn't really what you were asking about. But maybe would cover > some of the same ground. I agree. The AS is the one that does the binding (which includes checking the > proof) so I don't see how sending two proofs would really work or help the > situation? :facepalm: indeed, sorry. S pozdravem, *Filip Skokan* On Tue, 14 Apr 2020 at 23:39, Brian Campbell <bcampbell@pingidentity.com> wrote: > Hi Filip, > > My attempts at responses to your questions/comments are inline: > > On Tue, Apr 14, 2020 at 2:14 AM Filip Skokan <panva.ip@gmail.com> wrote: > >> I've wondered about the decision to use a new scheme before >> <https://github.com/danielfett/draft-dpop/issues/41#issuecomment-490096716> but >> this time i'd like to challenge the immediate usability of the future spec >> for one specific case - sender constraining public client Refresh Tokens. >> > > I'm still somewhat on the fence as to the pros and cons of using a new > token type and authorization scheme. But the draft has gone with a new one. > Would it have really helped this situation, if it'd stuck with "bearer"? Or > would it just be less obvious? > > >> >> If at all, it is going to take time for RS implementations to recognize >> the new `DPoP` authorization scheme, let alone process it properly. In the >> meantime, i'd still like to have the option to bind issued public client >> refresh tokens using DPoP without affecting the access tokens. In doing so >> i get an immediate win in sender constraining the refresh tokens but not >> introducing a breaking change for the RS. >> >> >> - Do you see this as something an AS implementation is just free to >> do since it's both the issuer and recipient of a refresh token? >> >> That's my first thought, yes. > > >> >> - Should this be somehow baked in the draft? >> >> I'm not sure. Do you think it needs to be? I'm not sure what it would say > though. > > In such a case the AS could bind the RT to the given dpop proof and either > not bind the AT while returning token_type=Bearer or bind the AT while > returning token_type value DPoP. In the latter case the AT would almost > certainly still work as a bearer token at the RS and the client that knew > the RS's needs could send it as such with an `Authorization: Bearer <at>`. > Or if it didn't know the RS's needs, it could start with `Authorization: > DPoP <at>` which would get a 401 with `WWW-Authenticate: Bearer` at which > point it could send `Authorization: Bearer <at>`. > > As I wrote the preceding rambling paragraph I am starting to think that > more should be said in the draft about working with RSs that don't support > DPoP. Which isn't really what you were asking about. But maybe would cover > some of the same ground. > > > >> >> - Do you think client registration metadata could be used to signal >> such intent? >> >> I think it certainly could. But it seems maybe too specific to warrant > metadata. > > >> >> - Do you think the protocol should have signals in the messages >> themselves to say what the client wants to apply DPoP to? >> >> My initial thought here is no. Take the case of a client working with an > AS that supports DPoP and one RS that does and one RS that doesn't. I can't > really even think what signaling might look like there or how it could be > made to be generally useful. > > >> >> - What if AS and RS don't have a shared support DPoP JWS Algorithm? >> Do we disqualify such cases or allow for sending two proofs, one for the AS >> to bind refresh tokens to, one for the RS to bind access tokens to? >> >> The AS is the one that does the binding (which includes checking the > proof) so I don't see how sending two proofs would really work or help the > situation? > > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
- [OAUTH-WG] DPoP - new authorization scheme / imme… Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Brian Campbell
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Brian Campbell
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Justin Richer
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … George Fletcher
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP - new authorization scheme / … John Bradley
- [OAUTH-WG] DPoP draft-ietf-oauth-dpop-0 Client co… Denis
- Re: [OAUTH-WG] DPoP draft-ietf-oauth-dpop-0 Clien… Benjamin Kaduk