IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

Daniel Fett <fett@danielfett.de> Thu, 23 January 2020 12:25 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3266812004C for <oauth@ietfa.amsl.com>; Thu, 23 Jan 2020 04:25:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KJELAaWH6Eni for <oauth@ietfa.amsl.com>; Thu, 23 Jan 2020 04:25:55 -0800 (PST)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5AD2120074 for <oauth@ietf.org>; Thu, 23 Jan 2020 04:25:54 -0800 (PST)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id F06D619D61 for <oauth@ietf.org>; Thu, 23 Jan 2020 12:25:51 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1579782352; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SgHoElvVX42K4XEhXM+pV6EnOo+hGCxOCRzLgxE00ws=; b=lBlHe7B8ojDjvjBbT8/Py7CK8fLoJfTsan81vENN/6fJYM8vYa3EkKEu2wOhuA2Lv41YrV HKTBhGuV+BwS/a6KGRjEP/wJdkbaYUU9xlo8sQHNCOeOk+Dpr6yEzd+z7rJ9x3ZbpYyvEw F7j/k005xt/n6urFsq/L2zkfh1o2+j4=
To: oauth@ietf.org
References: <CA+k3eCTnzX7M1XgduH_Wa2y1pMVY7_AigNTrhBmL214by5z_Ew@mail.gmail.com> <ACFB6963-EBA4-4351-B3F4-D659513E6AA5@lodderstedt.net> <CA+k3eCQwXuR0Wm43c4RY9z5MLHQLv+C8z8AX6APRqZu+SRXRXA@mail.gmail.com> <BL0PR00MB0836155876E1356943AA669AF5250@BL0PR00MB0836.namprd00.prod.outlook.com> <CC357459-1DEA-4EBB-B603-A399457DAB90@amazon.com> <CA+k3eCTZVmgv82UDzDP-VLD+TXVWnvmWQH9va5p8A5MkrA=5DQ@mail.gmail.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <8c67db9b-4d14-b2f2-2b64-8852653e81e5@danielfett.de>
Date: Thu, 23 Jan 2020 13:25:51 +0100
MIME-Version: 1.0
In-Reply-To: <CA+k3eCTZVmgv82UDzDP-VLD+TXVWnvmWQH9va5p8A5MkrA=5DQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------D28DF7BD52933056F7262DA0"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1579782352; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=SgHoElvVX42K4XEhXM+pV6EnOo+hGCxOCRzLgxE00ws=; b=HaNnguYOK+435cQRHBa70AT+JdGiYI1f4tSYjaT56foAXKWRKH8Kh5cLlemrQq+xOLDMe9 9nqs9yI5RIzVAYD6TE2cNqCSU5Yx3Ohye501nEeCfXh70gBtUamB9j79sKO+Zr2JyhPbxP 76BqxJkG08mMEX38rxhhlaT77NotGEo=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1579782352; a=rsa-sha256; cv=none; b=axyLH68IskE1fW3Dw/7XOR4ZxtZNPaois2jtICSWrPFs/bLUoTKKq9Noz+L2hk366ebot/BLatnGYXbFF+NYKvwoln0zgvgMDJZJjo8bEdf5BLfRZRVDbHeOmZMpwQzaVjl7thYK9HvQZyyl3L5X/Wia80zkKZSW6IGPatlPgfQ=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bheSRPZAg5gnn4LdM1rsNe9gVkg>
Subject: Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 12:25:59 -0000

After thinking about this a bit more, I think Brian's proposal makes
sense. Reading closely, it actually makes the advice stronger.
Sender-constrained tokens are a SHOULD somewhere else, so that still
applies. I will adopt the wording into the BCP (unless I hear protests).

-Daniel

Am 09.01.20 um 23:37 schrieb Brian Campbell:
> The scenario I described in the beginning of this thread
> (response_type=token+id_token and response_mode=form_post) started out
> a bit more humbly as a way to facilitate a simple and efficient
> cross-domain sign-on with id_token response type and form_post
> response mode. Somewhat analogous to SAML SSO using the POST binding.
> All the transactional data flows through the browser in the front
> channel so no additional calls from the client/RP to the AS/OP are
> needed. And no short-lived-transactional data has to be shared amongst
> AS nodes (or between geographic locations).  There are some nice
> aspects to front channel flows.
>
> Then along came the desire to have the ability to periodically refresh
> the user attributes associated with the session created off of SSO at
> the client/RP so as to have fresh data on which to base access control
> decisions. That was done by adding an access token into the mix, hence
> the response_type=token+id_token with response_mode=form_post, and the
> RP using it to periodically call the user info endpoint. Of course
> this isn't the same as an ID-token-only-front-channel SSO but it still
> retains some of the same benefits being a mostly front channel flow.
>
> I don't know how niche these cases are or even how often they are
> actually put into use in actual deployments. But the token+id_token
> and form_post flow was fresh in my mind for unrelated reasons when I
> was re-reviewing the security BCP draft, which made me think again
> about the SHOULD NOT wording in Section 3.1.2. And that led me to this
> thread and my proposed text that would let the SHOULD for using
> sender-constrained access tokens stand on its own and adjust the
> qualification on the SHOULD NOT for implicit style access tokens to
> focus on the issues that are particular to those flows. This doesn't
> actually change the underlying meaning of the draft because
> sender-constrained access tokens are still a SHOULD. But I think it
> would make the draft more cohesive in terms of where and why certain
> recommendations are made.
>
>
>
>
>
>
>
> On Thu, Jan 2, 2020 at 2:53 PM Richard Backman, Annabelle
> <richanna@amazon.com <mailto:richanna@amazon..com>> wrote:
>
>     Brian and others with similar use cases (Filip?):
>
>      
>
>     The current text does not prohibit your approach, provided you’ve
>     done the due diligence required by BCP 14 to go against a SHOULD
>     NOT. Could you provide more detail on the scenarios where you have
>     opted to use these implicit-based solutions? Is it impractical or
>     infeasible to use an authorization code-based approach in these
>     scenarios? If this is a particularly niche use case, then it may
>     not be worth including in the BCP (that’s basically what SHOULD
>     NOT is for). But if it’s more broadly applicable, then it may be
>     worth tweaking the “unless…” clause of that paragraph.
>
>      
>
>     – 
>
>     Annabelle Richard Backman
>
>     AWS Identity
>
>      
>
>      
>
>     *From: *OAuth <oauth-bounces@ietf.org
>     <mailto:oauth-bounces@ietf.org>> on behalf of Mike Jones
>     <Michael.Jones=40microsoft.com@dmarc.ietf.org
>     <mailto:40microsoft.com@dmarc.ietf.org>>
>     *Date: *Saturday, December 28, 2019 at 9:47 AM
>     *To: *Brian Campbell <bcampbell@pingidentity.com
>     <mailto:bcampbell@pingidentity.com>>, Torsten Lodderstedt
>     <torsten=40lodderstedt.net@dmarc.ietf.org
>     <mailto:40lodderstedt.net@dmarc.ietf.org>>
>     *Cc: *oauth <oauth@ietf.org <mailto:oauth@ietf.org>>
>     *Subject: *Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC
>     response types + form_post response mode
>
>      
>
>     I agree with Brian's suggested text changes.
>
>     -- Mike
>
>     ------------------------------------------------------------------------
>
>     *From:*Brian Campbell <bcampbell@pingidentity.com
>     <mailto:bcampbell@pingidentity.com>>
>     *Sent:* Saturday, December 28, 2019 5:33:24 AM
>     *To:* Torsten Lodderstedt
>     <torsten=40lodderstedt.net@dmarc.ietf.org
>     <mailto:40lodderstedt.net@dmarc.ietf.org>>
>     *Cc:* Mike Jones <Michael.Jones@microsoft.com
>     <mailto:Michael.Jones@microsoft.com>>; oauth <oauth@ietf.org
>     <mailto:oauth@ietf.org>>
>     *Subject:* Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC
>     response types + form_post response mode
>
>      
>
>     The requirement for replay/injection prevention at resource
>     servers is still there in section 3.2. This change only drops it
>     as a specific qualification on that SHOULD NOT for flows that send
>     access tokens in the authorization response. And instead focuses
>     that qualification on the additional risks that come with sending
>     access tokens in the authorization response. To me, this feels
>     more consistent. 
>
>      
>
>     Looking again at section 3, I'd suggest also moving the fourth
>     paragraph of section 3.1.2 into section 3.2 so that the
>     description of sender-constrained is in the subsection that is
>     about sender-constraining. 
>
>      
>
>     On Fri, Dec 27, 2019, 5:00 PM Torsten Lodderstedt
>     <torsten=40lodderstedt.net@dmarc.ietf.org
>     <mailto:40lodderstedt.net@dmarc.ietf.org>> wrote:
>
>         Your proposal sounds reasonable on first sight. But thinking
>         again, it would mean to keep token injection prevention in
>         authorization responses a requirement while dropping the
>         requirement for replay/injection prevention at resource
>         servers. To me this feels inconsistent.
>
>
>
>             Am 28..12.2019 um 00:02 schrieb Brian Campbell
>             <bcampbell=40pingidentity.com@dmarc.ietf.org
>             <mailto:40pingidentity.com@dmarc.ietf.org>>:
>
>             I'm not suggesting that it should be a recommended flow.
>             But recommending against it, as the text does now, seems
>             overreaching and unnecessary. I know *consensus* was
>             previously found on the text in -13 but best I can recall
>             that discussion was mostly around Nat advocating to allow
>             room for some future self-issued IDP type case and the
>             conversation kind of got hung up on that.
>
>              
>
>             Here's some proposed text, which I think still largely
>             captures the intent of the BCP while not explicitly
>             recommending against legitimate cases like the one I
>             brought here or Nat's or something like JARM.
>
>              
>
>                In order to avoid these issues, clients SHOULD NOT use
>             the implicit
>                grant (response type "token") or other response types
>             issuing
>                access tokens in the authorization response, unless
>             access token injection
>
>                in the authorization response is prevented and the
>             aforementioned token leakage
>
>                vectors are mitigated.
>
>              
>
>             The draft already recommends sender-constrained access
>             tokens elsewhere in the document. It doesn't need to be
>             repeated as a qualifying condition around this SHOULD NOT.
>
>              
>
>             I am a proponent of PoP/HoK/sender-constrained access
>             tokens (as hopefully is evident from several attempts at
>             bringing/doing related work here) but I do worry that the
>             recommendation in the draft is sufficiently unachievable
>             to the vast majority that it might undermine the
>             credibility of the document. But I get the aspirational
>             aspect of it and, other than some suggested tweaks
>             <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailarchive.ietf.org%2Farch%2Fmsg%2Foauth%2FRKujONej-92dT5lr9cLu6hHnw8I&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cfc28d513b04f489b371d08d78b9a9488%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637131368342096923&sdata=3fCGjTOAD43xXLzFaw3d6VC1kY43QvBfzNwdNfDckE0%3D&reserved=0>,
>             am resigned to see it stay in the document. But let's let
>             that recommendation stand on its own in the document and
>             not also tie it to other considerations. 
>
>              
>
>              
>
>             On Fri, Dec 27, 2019 at 1:41 PM Torsten Lodderstedt
>             <torsten=40lodderstedt.net@dmarc.ietf.org
>             <mailto:40lodderstedt.net@dmarc.ietf.org>> wrote:
>
>                 As Brian said, we have discussed this several times
>                 and this text found consensus.
>
>                  
>
>                 Using post reduces the attack surface but does not
>                 allow to bind the access token to the legitimate
>                 client. We are recommending sender constrained access
>                 tokens in the BCP. So recommending a flow that does
>                 not support sender constrained access tokens is a
>                 contradiction.
>
>                  
>
>                 What do other WG members think?
>
>
>
>                     Am 27.12.2019 um 21:28 schrieb Mike Jones
>                     <Michael.Jones=40microsoft.com@dmarc.ietf.org
>                     <mailto:40microsoft.com@dmarc.ietf.org>>:
>
>                     I agree with Brian. Please update the text to
>                     describe this already safe usage.
>
>                     -- Mike
>
>                     ------------------------------------------------------------------------
>
>                     *From:*OAuth <oauth-bounces@ietf.org
>                     <mailto:oauth-bounces@ietf.org>> on behalf of
>                     Brian Campbell
>                     <bcampbell=40pingidentity.com@dmarc.ietf.org
>                     <mailto:40pingidentity.com@dmarc.ietf.org>>
>                     *Sent:* Friday, December 27, 2019 11:03:30 AM
>                     *To:* oauth <oauth@ietf.org <mailto:oauth@ietf.org>>
>                     *Subject:* [EXTERNAL] [OAUTH-WG]
>                     -security-topics-13 and OIDC response types +
>                     form_post response mode
>
>                      
>
>                     We have a-sometimes used scenario where a client
>                     makes an authorization/authentication request with
>                     a "token id_token" response type and "form_post"
>                     response mode (nonce is also sent and exact
>                     redirect URI matching is done at the AS). The
>                     access token is never exposed in any URLs and
>                     access token injection is prevented by the at_hash
>                     claim in the id token.
>
>                      
>
>                     That seems to me like a legitimate and reasonable
>                     usage scenario. However, it would fall on the
>                     wrong side of the SHOULD NOT in Section 3.1.2 of
>                     the Security BCP-to-be
>                     <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-security-topics-13%23section-3....1..2&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cfc28d513b04f489b371d08d78b9a9488%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637131368342096923&sdata=mfnQwsGUZgz0PgEZoqOl%2BsszPYxncmFbgBaJs4qex38%3D&reserved=0>,
>                     which has:
>
>                      
>
>                        In order to avoid these issues, clients SHOULD
>                     NOT use the implicit
>                        grant (response type "token") or any other
>                     response type issuing
>                        access tokens in the authorization response,
>                     such as "token id_token"
>                        and "code token id_token", unless the issued
>                     access tokens are
>                        sender-constrained and access token injection
>                     in the authorization
>                        response is prevented.
>
>                      
>
>                     I know this particular text has been discussed
>                     over and over again so I hate to revisit it. But
>                     based on the aforementioned scenario I think maybe
>                     it still doesn't quite hit the mark. Access token
>                     injection is prevented. The token leakage
>                     scenarios mentioned in that section are all
>                     avoided. And while I know sender-constrained is
>                     recommended elsewhere in the draft, it's not
>                     really a realistic option for the majority of
>                     deployments.
>
>
>                     */CONFIDENTIALITY NOTICE: This email may contain
>                     confidential and privileged material for the sole
>                     use of the intended recipient(s).. Any review,
>                     use, distribution or disclosure by others is
>                     strictly prohibited..  If you have received this
>                     communication in error, please notify the sender
>                     immediately by e-mail and delete the message and
>                     any file attachments from your computer. Thank you./*
>
>                     _______________________________________________
>                     OAuth mailing list
>                     OAuth@ietf.org <mailto:OAuth@ietf.org>
>                     https://www.ietf.org/mailman/listinfo/oauth
>                     <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cfc28d513b04f489b371d08d78b9a9488%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637131368342106891&sdata=qO6%2BY%2FMoef0lyx4HwNLV8ID5DguAe3XjCQyxtvoFrPo%3D&reserved=0>
>
>
>             */CONFIDENTIALITY NOTICE: This email may contain
>             confidential and privileged material for the sole use of
>             the intended recipient(s).. Any review, use, distribution
>             or disclosure by others is strictly prohibited..  If you
>             have received this communication in error, please notify
>             the sender immediately by e-mail and delete the message
>             and any file attachments from your computer. Thank you./*
>
>
>     */CONFIDENTIALITY NOTICE: This email may contain confidential and
>     privileged material for the sole use of the intended
>     recipient(s).. Any review, use, distribution or disclosure by
>     others is strictly prohibited.  If you have received this
>     communication in error, please notify the sender immediately by
>     e-mail and delete the message and any file attachments from your
>     computer. Thank you./*
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly
> prohibited..  If you have received this communication in error, please
> notify the sender immediately by e-mail and delete the message and any
> file attachments from your computer. Thank you./
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email