Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns
George Fletcher <gffletch@aol.com> Fri, 17 April 2020 15:37 UTC
Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDAB73A0E77 for <oauth@ietfa.amsl.com>; Fri, 17 Apr 2020 08:37:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2GfGdyd3FN_y for <oauth@ietfa.amsl.com>; Fri, 17 Apr 2020 08:37:41 -0700 (PDT)
Received: from sonic302-48.consmr.mail.ne1.yahoo.com (sonic302-48.consmr.mail.ne1.yahoo.com [66.163.186.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D4793A0E75 for <oauth@ietf.org>; Fri, 17 Apr 2020 08:37:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aol.com; s=a2048; t=1587137860; bh=Yw5eNIV3M0nXEtGYaQVtHGYecWZeKdhwWHb/ay7IfmA=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From:Subject; b=uPWZInlHyuL8Wbm+K2y+wvIaBdOfyeXXl2dgoJMlDug2tKAIM5skadxhz+3uE06XJiwgVcg/ehT71b7Agk0+nzXwBjsKvLHox++Xi88YjaGZh8XeTSyieLBZyUOjxV7DDkfEiiOBHjZccWoDn91H2xpQ/1HJ2MwLLky3eboNMIa9+xqtj1RkO2/PTov5QLjiv9Qr82osbsVDrCfjuafwI68fBldRUS/mT+9I2wYyndnfpPTz+s/NIbokMKJIhioKyaafFFKsz8cIO2JQq7PS0WzPvaUpoBH7VM4FD2V9pt11pa1Tuoz1LRn93ij6MtRZB5xJvW17XuDqInx5vKsXZw==
X-YMail-OSG: zh_FAJAVM1nFZqYB1YtY70Y4PW8eONqktqteHegzL19oclsYxwiFiYmnSKVMG64 0HjJyVTZQAJXVeox5PXGXOFRCOcesfDf_Z9HHcipm164CJVqlHrKsl2NljNzGaADw83SMelWtiXl Ecbo6W5gwcK5EyCYvtn0_9GxgJICJup.MjV_u5BRrsqLZpu0keNTzKQQx3cYE6CTlqywa1bJL9fc cDgj4vMf1ZHKfX_5gAH6W.ohPfqF85jdGotRrvM.IVxPKhqxS3N5l3Bp8oMmD_mXpUYrXv1A9VfW aWaFQl_3CYu9T6mhVFoXujaba_Qs0K7y9dd5p6.Gl_vkSi7j7X9bbRzH7TbZGNXnuQqNJkyOtFoZ E_0iDiRhoVuSDyNdhws.0m0h5hW6C2EMky5fUjZEP1BvCuxK2jdbyxtnyntCZE.I1ZBbgPd.bwSP KGSwbJjbJXHXQHEroprjuj1EqPoAOzaTS7XP5p87zpTbYcexBX4wiYIygNHb0RK2TXYbE4RePOIx aI_394FIzqdeR3fs3aKSPrISdoGYPX.TaXCcvq4_goOi7hMPEfp4CYgSTh7LaKUd49_qrthsB9qz L2fw76hhk7oAIsA7ZQsG5MfO69P217ITsBj02Auhev2JUBT1QlxofFnl1hfTkrR2.hd2.6.2EDOw TYzOvhWnD08FlY0yJ6Zs5.0U8026L4mOW7.oW.RrNorUlHSfChpVm7WEHfduUjtFXThLZ2O8IQ86 AaS_MyNWvp3EEBKsbrT2exyv5rT_ILBsllj0LMtRujw3O6aKPeBCyOB8Gnmu.1WCWNNp3Dce0y7M as5XQm25G.bW6Phn3.y1XZyWTjgP0.RwVb.G3YtZ43sz6scvoDH76GiIF6DkJklbxXLGyWFMIsSR _XH2mRxsZiWl7Ue8yCzLiUB6mwfQ50CT_74GE7nR9GNWHFDUsZ9ov.ZH4gFaqgkJqx.WxPZPMhVJ Z5STLgeNHTCbiTtsolsYQi9.BY8SSQNOgIv.skUxMXXULQAbk9YyIVEgiUdKpKWePPxn75DmJOJF ZuM9TDBme2ietCm8qYAilR7tSD4EWNg3Fkd0hgElzMkTaly13peWTq7Kxammw2f6t1SBBMi0t3n. 3qRkUlMKwQiR2K2wZC5oMjnRAt2uY5wL3AwcOn0y.jf079JevgM9kjzioNZxWrOsJxByqFb1Yf3C 9lzjPnRRSw0zf8NndZlIlVkDE.BiOKjkt0wY01gtfd_iD_FmAXx__WpFnrnfdH_EFVCTZeqnH7Qd munedAoBRIPIl8K8TfiP0flptG4Jwmo5Jzt7aSHHZGeByb9.GdurbjnQ3EOXeP9kX4sDHy4D7dBW vyf81mQl_DflUH3W2Q3RnyTORaju0DbH1JlD3_6LC.SjZoJxNgTO60qGGxgG54si18Pcn9Uiu6zz k5U8t4XKUDzOXlF.UM5upR2jYHTMOpbNA2FZ7pPjzEY_1.TswQTGnszDCL.cknHJKgISNSY1uO8N 4.V8w2ccGX06oXmqhJ1C53L_yg7uDHCBVxhZag8nE3wa2
Received: from sonic.gate.mail.ne1.yahoo.com by sonic302.consmr.mail.ne1.yahoo.com with HTTP; Fri, 17 Apr 2020 15:37:40 +0000
Received: by smtp414.mail.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID e71b54af3802725e12f272aff28f38cd; Fri, 17 Apr 2020 15:35:38 +0000 (UTC)
To: Filip Skokan <panva.ip@gmail.com>, Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
References: <CALAqi_-9+JYBMSSBnX9PUZkvrPrGTtS8wrJduoPCxMs9+FguPQ@mail.gmail.com> <CA+k3eCRsvETUJUZ=+n2CvQ=y_Lgn+cKgmaAoXBW8WyVJu6yzzg@mail.gmail.com> <CALAqi_9C3ndhWX8Th_ow_Jp-3wM-m=ED-B22bmJyD-KULLDXug@mail.gmail.com> <1E6724FE-9EBE-4A1F-BE24-099771FACEFD@mit.edu> <CALAqi_9=5ea99VO1xwmU61CiixrNQ_EN2S1UMbU09fM4DmWKkg@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <1d6fb3d7-cd3d-9e46-972c-4c30633a6657@aol.com>
Date: Fri, 17 Apr 2020 11:35:30 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <CALAqi_9=5ea99VO1xwmU61CiixrNQ_EN2S1UMbU09fM4DmWKkg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------6443A878E968421F18845B5D"
Content-Language: en-US
X-Mailer: WebService/1.1.15651 hermes Apache-HttpAsyncClient/4.1.4 (Java/11.0.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/aQ4_o1dM0VorghlIyfIpEMD167k>
Subject: Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 15:37:44 -0000
This brings up interesting rollout questions. Protecting just the refresh_token is easy and a useful security measure (especially if access tokens are short lived). However, once you start issuing DPoP bound access tokens to a client, it means ALL the endpoints that client invokes MUST understand DPoP and know what to do with the header. Depending on how many endpoints that is, spread across N teams (or even companies) this can be problematic. As much as I agree with Justin in regards to the security issues, it may not be possible to force all RPs to update at the same time. This is of course potentially solvable if the client uses unique access tokens per API endpoint AND the AS knows which endpoints support DPoP and which don't. The problem here is that this creates a tight-coupling between RP and AS (at least for the rollout period). On 4/17/20 11:25 AM, Filip Skokan wrote: > I completely agree Justin, as mentioned - i wondered a year ago, I don't > anymore. But i'd like it to be clear that sending a DPoP proof does not > necessarily mean the AS MUST issue a DPoP access token. Depending on the > AS/RS relationship and configuration a regular Bearer may be still be > issued and only the public client's refresh token would be constrained. > > Best, > *Filip* > > > On Fri, 17 Apr 2020 at 17:16, Justin Richer <jricher@mit.edu> wrote: > >> The idea of “Continuing to work without taking advantage of sender >> constraints” is, I would argue, a security hole. Systems are allowed to >> fail security checks but still offer functionality. This is exactly the >> pattern behind allowing an unsigned JWT because you checked the “alg" >> header and it was “none” and so you’re OK with that. Yes, you shouldn’t do >> that, but maybe we could’ve also made this more explicit within JOSE. By >> using the ‘DPoP’ auth scheme, we’re making a clear syntactic change that >> says to the RS “either you know to look for this or you don’t know what it >> is”. >> >> It’s one of the problems I have with how the OAuth MTLS spec was written. >> By re-using the “Bearer” scheme there, I believe we’ve made a mistake that >> allows things to fall through in an insecure fashion. The same argument >> against it — ease of porting existing deployments — was raised there as >> well, and it won in the end. I hope we can do better this time. >> >> — Justin >> >> On Apr 16, 2020, at 4:05 AM, Filip Skokan <panva.ip@gmail.com> wrote: >> >> I'm still somewhat on the fence as to the pros and cons of using a new >>> token type and authorization scheme. But the draft has gone with a new one. >>> Would it have really helped this situation, if it'd stuck with "bearer"? Or >>> would it just be less obvious? >>> >> If we had stuck "bearer" than i wouldn't have raised this topic, since >> existing RS would most likely ignore the cnf claim and the resource server >> calls would continue to work, obviously without taking advantage of the >> available sender check. >> >> As I wrote the preceding rambling paragraph I am starting to think that >>> more should be said in the draft about working with RSs that don't support >>> DPoP. Which isn't really what you were asking about. But maybe would cover >>> some of the same ground. >> >> I agree. >> >> The AS is the one that does the binding (which includes checking the >>> proof) so I don't see how sending two proofs would really work or help the >>> situation? >> >> :facepalm: indeed, sorry. >> >> S pozdravem, >> *Filip Skokan* >> >> >> On Tue, 14 Apr 2020 at 23:39, Brian Campbell <bcampbell@pingidentity.com> >> wrote: >> >>> Hi Filip, >>> >>> My attempts at responses to your questions/comments are inline: >>> >>> On Tue, Apr 14, 2020 at 2:14 AM Filip Skokan <panva.ip@gmail.com> wrote: >>> >>>> I've wondered about the decision to use a new scheme before >>>> <https://github.com/danielfett/draft-dpop/issues/41#issuecomment-490096716> but >>>> this time i'd like to challenge the immediate usability of the future spec >>>> for one specific case - sender constraining public client Refresh Tokens. >>>> >>> I'm still somewhat on the fence as to the pros and cons of using a new >>> token type and authorization scheme. But the draft has gone with a new one. >>> Would it have really helped this situation, if it'd stuck with "bearer"? Or >>> would it just be less obvious? >>> >>> >>>> If at all, it is going to take time for RS implementations to recognize >>>> the new `DPoP` authorization scheme, let alone process it properly. In the >>>> meantime, i'd still like to have the option to bind issued public client >>>> refresh tokens using DPoP without affecting the access tokens. In doing so >>>> i get an immediate win in sender constraining the refresh tokens but not >>>> introducing a breaking change for the RS. >>>> >>>> >>>> - Do you see this as something an AS implementation is just free to >>>> do since it's both the issuer and recipient of a refresh token? >>>> >>>> That's my first thought, yes. >>> >>>> - Should this be somehow baked in the draft? >>>> >>>> I'm not sure. Do you think it needs to be? I'm not sure what it would >>> say though. >>> >>> In such a case the AS could bind the RT to the given dpop proof and >>> either not bind the AT while returning token_type=Bearer or bind the AT >>> while returning token_type value DPoP. In the latter case the AT would >>> almost certainly still work as a bearer token at the RS and the client that >>> knew the RS's needs could send it as such with an `Authorization: Bearer >>> <at>`. Or if it didn't know the RS's needs, it could start with >>> `Authorization: DPoP <at>` which would get a 401 with `WWW-Authenticate: >>> Bearer` at which point it could send `Authorization: Bearer <at>`. >>> >>> As I wrote the preceding rambling paragraph I am starting to think that >>> more should be said in the draft about working with RSs that don't support >>> DPoP. Which isn't really what you were asking about. But maybe would cover >>> some of the same ground. >>> >>> >>> >>>> - Do you think client registration metadata could be used to signal >>>> such intent? >>>> >>>> I think it certainly could. But it seems maybe too specific to warrant >>> metadata. >>> >>> >>>> - Do you think the protocol should have signals in the messages >>>> themselves to say what the client wants to apply DPoP to? >>>> >>>> My initial thought here is no. Take the case of a client working with an >>> AS that supports DPoP and one RS that does and one RS that doesn't. I can't >>> really even think what signaling might look like there or how it could be >>> made to be generally useful. >>> >>> >>>> - What if AS and RS don't have a shared support DPoP JWS Algorithm? >>>> Do we disqualify such cases or allow for sending two proofs, one for the AS >>>> to bind refresh tokens to, one for the RS to bind access tokens to? >>>> >>>> The AS is the one that does the binding (which includes checking the >>> proof) so I don't see how sending two proofs would really work or help the >>> situation? >>> >>> >>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). Any >>> review, use, distribution or disclosure by others is strictly prohibited... >>> If you have received this communication in error, please notify the sender >>> immediately by e-mail and delete the message and any file attachments from >>> your computer. Thank you.* >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] DPoP - new authorization scheme / imme… Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Brian Campbell
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Brian Campbell
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Justin Richer
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … George Fletcher
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP - new authorization scheme / … John Bradley
- [OAUTH-WG] DPoP draft-ietf-oauth-dpop-0 Client co… Denis
- Re: [OAUTH-WG] DPoP draft-ietf-oauth-dpop-0 Clien… Benjamin Kaduk