Re: [OAUTH-WG] [Technical Errata Reported] RFC8693 (7511)

Aaron Parecki <aaron@parecki.com> Mon, 08 May 2023 16:00 UTC

References: <20230508155739.B14AFAEAE@rfcpa.amsl.com>
In-Reply-To: <20230508155739.B14AFAEAE@rfcpa.amsl.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 08 May 2023 09:00:27 -0700
Message-ID: <CAGBSGjqO9UDhG4bmmYm4nWX_Xx_0xU-fbrubY4xvmrAZZDdXtw@mail.gmail.com>
To: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: mbj@microsoft.com, tonynad@microsoft.com, brian.d.campbell@gmail.com, ve7jtb@ve7jtb.com, chuck.mortimore@visa.com, rdd@cert.org, paul.wouters@aiven.io, hannes.tschofenig@arm.com, rifaat.s.ietf@gmail.com, jesse.estum@gmail.com, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bYBf_ke_NHxjHMBoQ_NZ8u2lTao>

This erratum is incorrect and should be rejected. RFC7523 defines two
separate uses of JWTs, one is client authentication and the other is an
authorization grant. When using RFC7523 as client authentication, you can
use any type of authorization grant, including the token exchange grant.
See https://datatracker.ietf.org/doc/html/rfc7523#section-2.2

Aaron

On Mon, May 8, 2023 at 8:57 AM RFC Errata System <rfc-editor@rfc-editor.org> wrote:

> The following errata report has been submitted for RFC8693,
> "OAuth 2.0 Token Exchange".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7511
>
> --------------------------------------
> Type: Technical
> Reported by: Jesse Estum <jesse.estum@gmail.com>
>
> Section: 2.1
>
> Original Text
> -------------
> Client authentication to the authorization server is done using the
> normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749]
> defines password-based authentication of the client, however, client
> authentication is extensible and other mechanisms are possible. For
> example, [RFC7523] defines client authentication using bearer JSON Web
> Tokens (JWTs) [JWT]. The supported methods of client authentication and
> whether or not to allow unauthenticated or unidentified clients are
> deployment decisions that are at the discretion of the authorization
> server.
>
> Corrected Text
> --------------
> Client authentication to the authorization server is done using the
> normal mechanisms provided by OAuth 2.0. Section 2.3.1 of [RFC6749]
> defines password-based authentication of the client, however, client
> authentication is extensible and other mechanisms are possible. The
> supported methods of client authentication and whether or not to allow
> unauthenticated or unidentified clients are deployment decisions that
> are at the discretion of the authorization server.
>
> Notes
> -----
> The specific example of authentication with RFC7523 would require
> "grant_type" value of "urn:ietf:params:oauth:grant-type:jwt-bearer",
> however this directly conflicts with RFC8693 as it requires "grant_type"
> value of "urn:ietf:params:oauth:grant-type:token-exchange".
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". If necessary, please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> can log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC8693 (draft-ietf-oauth-token-exchange-19)
> --------------------------------------
> Title               : OAuth 2.0 Token Exchange
> Publication Date    : January 2020
> Author(s)           : M. Jones, A. Nadalin, B. Campbell, Ed., J. Bradley,
> C. Mortimore
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>