IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP with token exchange where the subject_token and / or actor_token is also DPoP bound

Brian Campbell <bcampbell@pingidentity.com> Fri, 22 July 2022 21:07 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C274C159492 for <oauth@ietfa.amsl.com>; Fri, 22 Jul 2022 14:07:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7UYQau40aBQA for <oauth@ietfa.amsl.com>; Fri, 22 Jul 2022 14:07:35 -0700 (PDT)
Received: from mail-yw1-x1136.google.com (mail-yw1-x1136.google.com [IPv6:2607:f8b0:4864:20::1136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12818C14F724 for <oauth@ietf.org>; Fri, 22 Jul 2022 14:07:35 -0700 (PDT)
Received: by mail-yw1-x1136.google.com with SMTP id 00721157ae682-31e623a4ff4so59909197b3.4 for <oauth@ietf.org>; Fri, 22 Jul 2022 14:07:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vqhHbbzXrQpbBpY33884A2hsNtZM42Z4QvzNSD8OBHA=; b=DTvFUrMu7Bu5uiJ00WBPsj9GSIFwAwTXlirJohLxrKhnFcajwckzmlbzcGP5qO+2rh H/E2Z4i4WGCtdYHfY1iJO/yp8t+9pOaxZQAoRJR1zIeNXdTPeKn5DOeONqeqMMR7StyD 3fWJOaMjSuD+dlfbKDD0TjCjR5F2NOZenqu7300wQtkpYtSVw6MdjbKPr4j1/OTNlzns edy2gtlZnrqTmMVCTOob0OIC34d9sdW6xY103SCbCW8sj6n96+CQBAlOtuTkT/LftsSZ zX6KKeo16paUhwh+4L4AHhkApwMW6H3Hh3ZUUUFoIqeRgW8uf0VmOJ+ZIuRH2sbInoCz k7YQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vqhHbbzXrQpbBpY33884A2hsNtZM42Z4QvzNSD8OBHA=; b=BBm/N+2HkkcyM6D1wIJp39n2Ey/qrsv6opUSfAMDN9MOrilcY3AfztfowORVgX1mLM YpTtxhUgbJATjThlqitswgD3Jku8grR2EK9KSLUU2wFyuoWJgCj8hxtZQLr1V73ZQ5Om ms9uMUQT5tFO3rR1R95Q9IRrjzM1H9BLw+ZUcDt867EbEeQpihIYZWO+hyj//707BpFt obc9hMWxplI94Nt4wU4ny9h7jY5UD1Pyah7XEm20srcSKBhuIIn9rw28eGDj5xSxmWrI kgewwu21E3W8F+NJFh9+V+/EkP1UP6up3i1adHvWoBchO5A/DlnaqFDuj66C+dezvczB OTbw==
X-Gm-Message-State: AJIora9C8foTtr30w/k1+fu0TE9SVqWYN5hKiDZHVIGsvKsIrnPWUcnN bcjWzFwwXUafpImzdszMsOa7Uf+Kd4cggHxHznReSHbTLs2VwGhKESMnNf4wafQsYWfHFkBlhng nNOXF5TsgJmzp9h3dQUjlqg==
X-Google-Smtp-Source: AGRyM1umFFQV3XFnGuEzG3h/wJkDOpPdKuuUqaGFTwLALoquskDN/YAf14FBLFZ6nBt0eAv8+56HFTPQ2o8n82eo89Q=
X-Received: by 2002:a81:a048:0:b0:31e:76eb:61c8 with SMTP id x69-20020a81a048000000b0031e76eb61c8mr1650135ywg.136.1658524053549; Fri, 22 Jul 2022 14:07:33 -0700 (PDT)
MIME-Version: 1.0
References: <14aa5cd3-ac9a-3189-1077-1e198bee3c5b@connect2id.com> <CAJot-L2L4=OiaRJhZ+9u1HmGRQGruWSdQRyhJQ1USvQwjmQ6Ng@mail.gmail.com> <193be267-467c-10a6-caa3-6dc87ad57ae9@connect2id.com> <c72189c5-fc93-497c-d05e-18279589c998@connect2id.com> <CAJot-L0zHUGQ8yhikm6CRt+U1X==4hxhCS9FUQ-+u+2KhXYD1g@mail.gmail.com> <21e37d7a-7fda-66b6-96ff-f463decc9681@connect2id.com> <CA+k3eCSJKJ8YaoNEKYW2RhUvupnn35tOtN2-7am_zpNtkFWrew@mail.gmail.com> <f0909067-dcd1-899d-380e-1a8bc916f45d@connect2id.com>
In-Reply-To: <f0909067-dcd1-899d-380e-1a8bc916f45d@connect2id.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 22 Jul 2022 15:06:56 -0600
Message-ID: <CA+k3eCR_5ao42qm7ZZX0h57W+GYzmxS5YEcBUbEsKHFGmo596Q@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000010545f05e46b3904"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/b1HFpbE3PKZXhGSmkoxyPeHBNCE>
Subject: Re: [OAUTH-WG] DPoP with token exchange where the subject_token and / or actor_token is also DPoP bound
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jul 2022 21:07:39 -0000

I'm not sure if a token type URI is needed, to be honest. But I think it
would be more in the realm of a URI defined for this particular purpose of
DPoP tokens in token exchange, which would be independent from the DPoP
document itself.

On Mon, Jul 18, 2022 at 10:35 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> Thanks Brian for your response.
>
> Do you think DPoP should have an own token type URI registered?
>
>
> https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#uri
>
> I did not think about the possibility of having the DPoP proof and the
> token value put together in the subject/actor_token parameter. It makes
> good sense because the proof and the token can be considered inseparable,
> i.e. the "complete token".
>
> The DPoP JWT has a well defined syntax, so I am now thinking of appending
> the token to the DPoP JWT with a dot (.) delimiter. This is sufficient to
> make the new string parseable and thus solve the case. Having a std DPoP
> token type URI would be nice for clients to hint to the AS that the
> subject/actor_token is a combination of DPoP proof and access token.
>
> Vladimir
>
> Vladimir Dzhuvinov
>
> On 18/07/2022 21:46, Brian Campbell wrote:
>
> While there are potentially more tokens involved in a RFC 8693 token
> exchange, it's still a single client and it's not evident (to me anyway at
> this point) that there's sufficient need to give it distinct DPoP treatment
> beyond other token endpoint interaction
> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request>s.
> Should the need arise more, I'd suggest maybe considering having the new
> token type define how the token and associated proof be conveyed together
> as the value of the subject/actor_token parameter rather than introducing
> new parameters.
>
> On Mon, Jul 18, 2022 at 9:34 AM Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> I find the token exchange RFC to be quite flexible, it allows the
>> subject_token, actor_token and the output token to be of any type, and
>> there is a mechanism to define (register) new
>> urn:ietf:params:oauth:token-type values. The only concrete need is to
>> define a way to pass the accompanying DPoP proof. I don't think that could
>> have been anticipated at the time when the exchange spec was devised. And
>> the token exchange spec is not explicit in prohibiting extensions.
>>
>> Vladimir
>>
>> Vladimir Dzhuvinov
>>
>> On 18/07/2022 17:03, Warren Parad wrote:
>>
>> I agree this is a problem, but as I see it as a problem for Token
>> Exchange, and the lack of flexibility in that standard, it does not make
>> sense to add to the DPoP spec.
>>
>> On Mon, Jul 18, 2022 at 3:33 PM Vladimir Dzhuvinov <
>> vladimir@connect2id.com> wrote:
>>
>>> I would like to resurrect this thread and propose a new section to the
>>> current DPoP draft which changes nothing in regard to DPoP itself, only
>>> adds new parameters to enable DPoP with OAuth 2.0 token exchange (RFC 8693):
>>>
>>> https://datatracker.ietf.org/doc/html/rfc8693
>>>
>>> Why?
>>>
>>> Token exchange lets a client submit a subject_token (and potentially
>>> actor_token) to obtain a new token from the AS.
>>>
>>> If the submitted token(s) and the minted token are DPoP bound there is a
>>> need to submit a DPoP proof for each one:
>>>
>>>    - A DPoP proof for the subject_token
>>>    - Potentially a DPoP proof for the actor_token (if there is one)
>>>    - A DPoP proof for the token that is going to be minted by the AS
>>>
>>> At present the DPoP spec defines the DPoP header in such a way that only
>>> one DPoP proof may be submitted.
>>>
>>>
>>> The proposal:
>>>
>>> A new section "DPoP with Token Exchange":
>>>
>>> Specifies the following new optional form request parameters for use in
>>> the token exchange grant, so that any DPoP proofs can be submitted together
>>> with the subject_token / actor_token as form parameters:
>>>
>>> subject_token_dpop - To pass the DPoP proof for a subject_token that is
>>> DPoP bound
>>>
>>> actor_token_dpop - To pass the DPoP proof for an actor_token that is
>>> DPoP bound
>>>
>>>
>>> (the existing std token exchange params can be seen here
>>> https://datatracker.ietf.org/doc/html/rfc8693#section-2.1 )
>>>
>>>
>>> Registration of a new token type identifier to indicate the token is a
>>> DPoP access token:
>>>
>>> https://datatracker.ietf.org/doc/html/rfc8693#section-3
>>>
>>>    urn:ietf:params:oauth:token-type:dpop_access_token
>>>       Indicates that the token is an OAuth 2.0 DPoP bound access token issued by the given authorization server.
>>>
>>>
>>> I hope it's not too late to include this addition to the DPoP spec. The
>>> token exchange grant is standard and is seeing use. With the introduction
>>> of DPoP it is likely such tokens will become involved in token exchanges.
>>> We tried a work around where the client uses a single DPoP proof for the
>>> submitted tokens and the one to be minted, but this has issues, including
>>> potential security issues. So I've come to the conclusion that a spec
>>> change of some sort is the proper way to solve this. The proposed solution
>>> has no effect on DPoP core and it preserves the existing token exchange
>>> semantics.
>>>
>>>
>>> Vladimir
>>>
>>> Vladimir Dzhuvinov
>>>
>>> On 25/06/2022 15:23, Vladimir Dzhuvinov wrote:
>>>
>>> Hi Warren,
>>>
>>> The case looks like this:
>>>
>>>    - An OAuth client registered with AS1 for code flow, with AS2 for
>>>    token exchange
>>>    - API1 secured by AS1, API2 secured by AS2
>>>    - For API1 the client obtains DPoP tokens from AS1
>>>    - For API2 the client presents DPoP token from AS1 as grant at AS2
>>>    to obtain its own DPoP token (AS2 trusts selected AS1 token scopes for this)
>>>
>>> So we have a case where the token endpoint at AS2 needs once a DPoP
>>> proof for the submitted access token (in the subject_token form parameter),
>>> and a second time to bind the token that is going to be issued. I.e. a
>>> situation where the token endpoint is also "addressed" as a DPoP aware
>>> protected resource.
>>>
>>> If only one DPoP HTTP header is permitted one work around I see is to
>>> insist on a single DPoP proof for both jobs, by including the "ath" claim
>>> in the proof to the AS2 token endpoint and requiring the client to use the
>>> same JWK with both ASes. Another possibility is to include the DPoP proof
>>> in the form parameters alongside the subject_token, but this will require a
>>> spec change.
>>>
>>> Vladimir Dzhuvinov
>>>
>>> On 25/06/2022 13:33, Warren Parad wrote:
>>>
>>> What's the flow here? Assuming we are talking about RFC 8693, what's the
>>> situation where you would need to do a token exchange, and you actually
>>> have access to the subject's DPoP key? If you have access to the subject's
>>> key, then you are the subject and can request a new token. Or am I missing
>>> something fundamental here?
>>>
>>> Also, according to the RFC, the request must be made with client
>>> authentication, you don't need DPoP, because if the client's credentials
>>> are compromised, you have a different problem. Unless the goal is to DPoP
>>> instead of client credentials, in which case, I think I'm back to the
>>> previous question.
>>>
>>> On Sat, Jun 25, 2022 at 12:19 PM Vladimir Dzhuvinov <
>>> vladimir@connect2id.com> wrote:
>>>
>>>> I have a question to the DPoP spec authors - do you have a suggestion
>>>> how to approach a token exchange case where the client requests a DPoP
>>>> token and the submitted subject(actor)_token is / are also DPoP bound?
>>>>
>>>> My first thought was to simply let the client send two DPoP JWTs, one
>>>> for the submitted token and another for the requested token, and then find
>>>> a way in the AS to figure out which is which, but then I found this in
>>>> section 4.3.1:
>>>>
>>>> To validate a DPoP proof, the receiving server MUST ensure that that
>>>> there is not more than one DPoP HTTP request header field,
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Vladimir
>>>>
>>>> --
>>>> Vladimir Dzhuvinov
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email