Re: [OAUTH-WG] DPoP Binding JWT proposal
Dick Hardt <dick.hardt@gmail.com> Mon, 30 November 2020 16:29 UTC
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 30 Nov 2020 08:28:45 -0800
Message-ID: <CAD9ie-umWM6uCoyE6198L9EbQQBzL7TB2+90Ofz0-t0=mbRscw@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bn7XFf1QCspAcVzsj-OmreBYR5E>
Pushing this to the top of the stack in case there is interest in separating the binding mechanism from the RT / AT so that existing RTs / ATs can be used.

On Fri, Nov 6, 2020 at 2:12 PM Dick Hardt <dick.hardt@gmail.com> wrote:
> Hello
>
> After reviewing the DPoP spec, and reflecting on implementations I have
> worked with, I wanted to see if there was interest in a DPoP Binding JWT.
>
> The use case is to enable existing deployments to add support for DPoP
> without having to replace their existing refresh tokens and access tokens,
> and the processing of them, as the DPoP Binding JWT processing can be added
> as an independent software layer.
>
> The processing overhead is minimized as the DPoP Binding JWT
> verification can be cached for an access token,
> adding only one JWT verification for the lifetime of the access token.
>
> DPoP Binding JWTs using asymmetric cryptographic algorithms provide the
> increased security of public / private key for existing deployments using
> access tokens signed with shared secrets such as HMAC.
>
> /Dick
>
>
> *X. DPoP Binding JWT*
> Deployments that do not want to modify their existing access tokens or
> resource tokens to contain the DPoP thumbprint can include DPoP Binding
> JWTs in the response from the AS and present them in calls to the RS.
> A DPoP Binding JWT contains the DPoP thumbprint and a hash of the access
> token or refresh token, and is signed by the AS.
>
> The use of DPoP Binding JWTs enables existing deployments to add
> proof-of-possession assurance to existing deployments by adding a middle
> layer service or software without modifying the processing of refresh
> tokens or access tokens.
>
>
> *X.1 DPoP Binding JWT Syntax*
> * "typ": type header, value "dpop-binding+jwt"
>
> * "jti": unique id
> * "iat": time created
> * "jkt": JWK SHA-256 Thumbprint of the DPoP public key
>
> If binding an access token
> * "ath": SHA-256 hash of the access token
>
> If binding a refresh token
> * "rth": SHA-256 hash of the refresh token
>
> Example DPoP Binding JWT for an access token:
>
> {
>   "typ":"dpop-binding+jwt",
>   "alg":"ES256",
>   "jwk": {
>     "kty":"EC",
>     "x":"l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
>     "y":"9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
>     "crv":"P-256"
>   }
> }.{
>   "jti":"-BwC3ESc6acc2lTc",
>   "iat":1562262616,
>   "jkt":"0ZcOCORZNYy-DWpqq30jZyJGHTN0d2HglBV3uiguA4I",
>   "ath":"N0d2HglBV3uiguA4I0ZcOCORZNYy-DWpqq30jZyJGHT"
> }
>
>
> *X.2 Checking DPoP Bindings*
> Check the DPoP Binding JWT is valid
> Check the DPoP Binding JWT "jkt" value matches the thumbprint of the
> DPoP public key
> Check the DPoP Binding JWT "ath" value matches the SHA-256 hash of the
> access token
> or
> Check the DPoP Binding JWT "rth" value matches the SHA-256 hash of the
> refresh token
>
>
> *X.3 Token Response*
> The AS sets the "token_type" parameter to "DPoP-Binding".
> The AS returns the DPoP Binding JWT for the access token in the
> "access_token_binding" parameter, and the DPoP Binding JWT for the
> refresh token in the "refresh_token_binding" parameter.
>
> HTTP/1.1 200 OK
> Content-Type: application/json;charset=UTF-8
> Cache-Control: no-store
> Pragma: no-cache
>
> {
>   "access_token":"2YotnFZFEjr1zCsicMWpAA",
>   "access_token_binding":"eyJ0eXAiOiJkcG9w....",
>   "token_type":"DPoP-Binding",
>   "expires_in":3600,
>   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
>   "refresh_token_binding":"eyJ0eXAiOiJkcG9w.....",
>   "example_parameter":"example_value"
> }
>
>
> *X.4 Resource access*
> The client presents the access token DPoP Binding JWT in the
> "DPoP-Binding" HTTP header.
>
> GET /protectedresource HTTP/1.1
> Host: resource.example.org
> Authorization: DPoP eyJhbGciOiJFUzI1NiIsImtpZCI6IkJlQUxrYiJ9.eyJzdWI
>  iOiJzb21lb25lQGV4YW1wbGUuY29tIiwiaXNzIjoiaHR0cHM6Ly9zZXJ2ZXIuZXhhbX
>  BsZS5jb20iLCJhdWQiOiJodHRwczovL3Jlc291cmNlLmV4YW1wbGUub3JnIiwibmJmI
>  joxNTYyMjYyNjExLCJleHAiOjE1NjIyNjYyMTYsImNuZiI6eyJqa3QiOiIwWmNPQ09S
>  Wk5ZeS1EV3BxcTMwalp5SkdIVE4wZDJIZ2xCVjN1aWd1QTRJIn19.vsFiVqHCyIkBYu
>  50c69bmPJsj8qYlsXfuC6nZcLl8YYRNOhqMuRXu6oSZHe2dGZY0ODNaGg1cg-kVigzY
>  hF1MQ
> DPoP: eyJ0eXAiOiJkcG9wK2p3dCIsImFsZyI6IkVTMjU2IiwiandrIjp7Imt0eSI6Ik
>  VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR
>  nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE
>  QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiJlMWozVl9iS2ljOC1MQUVCIiwiaHRtIj
>  oiR0VUIiwiaHR1IjoiaHR0cHM6Ly9yZXNvdXJjZS5leGFtcGxlLm9yZy9wcm90ZWN0Z
>  WRyZXNvdXJjZSIsImlhdCI6MTU2MjI2MjYxOH0.lNhmpAX1WwmpBvwhok4E74kWCiGB
>  NdavjLAeevGy32H3dbF0Jbri69Nm2ukkwb-uyUI4AUg1JSskfWIyo4UCbQ
> DPoP-Binding: eyJ_an_example_DPoP_binding_JWT_0eXAiOiJkcG9wK2p3dCIsI
>  VDIiwieCI6Imw4dEZyaHgtMzR0VjNoUklDUkRZOXpDa0RscEJoRjQyVVFVZldWQVdCR
>  nMiLCJ5IjoiOVZFNGpmX09rX282NHpiVFRsY3VOSmFqSG10NnY5VERWclUwQ2R2R1JE
>  QSIsImNydiI6IlAtMjU2In19.eyJqdGkiOiJlMWozVl9iS2ljOC1MQUVCIiwiaHRtIj
>  oiR0VUIiwiaHR1IjoiaHR0cHM6Ly9yZXNvdXJjZS5leGFtcGxlLm9yZy9wcm90ZWN0Z
>  WRyZXNvdXJjZSIsImlhdCI6MTU2MjI2MjYxOH0.lNhmpAX1WwmpBvwhok4E74kWCiGB
>  NdavjLAeevGy32H3dbF0Jbri69Nm2ukkwb-uyUI4AUg1JSskfWIyo4UCbQ
>
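The X.1 claim construction and the X.2 checks in the quoted proposal, as an added Python example that is not part of the original message or of any DPoP implementation. It computes "jkt" as the RFC 7638 JWK thumbprint and "ath"/"rth" as base64url(SHA-256(token)); the AS signature is stood in by HS256 with a constructed shared secret so the example runs with the standard library only, whereas the proposal intends an asymmetric AS signature such as the ES256 in its example, and the DPoP JWK is the one from the proposal's example.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the example: an AS signing secret (HS256 stand-in for
# the AS's asymmetric key) and the DPoP public key from the proposal's example.
AS_KEY = b"constructed-as-signing-secret"
DPOP_JWK = {"kty": "EC", "crv": "P-256",
            "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
            "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required EC members only, lexicographic order, no whitespace.
    canon = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                       sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode("ascii")).digest())

def token_hash(token: str) -> str:
    # "ath"/"rth": base64url-encoded SHA-256 of the token's ASCII bytes.
    return b64url(hashlib.sha256(token.encode("ascii")).digest())

def make_binding_jwt(key: bytes, dpop_jwk: dict, access_token=None,
                     refresh_token=None, jti="constructed-jti") -> str:
    header = {"typ": "dpop-binding+jwt", "alg": "HS256"}
    claims = {"jti": jti, "iat": int(time.time()), "jkt": jwk_thumbprint(dpop_jwk)}
    if access_token is not None:
        claims["ath"] = token_hash(access_token)
    if refresh_token is not None:
        claims["rth"] = token_hash(refresh_token)
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    return signing_input + "." + b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def check_binding(key: bytes, binding_jwt: str, dpop_jwk: dict,
                  access_token=None, refresh_token=None) -> bool:
    """X.2: signature and typ valid, jkt matches the DPoP key, ath/rth match the token(s)."""
    try:
        h, c, s = binding_jwt.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False
    if header.get("typ") != "dpop-binding+jwt" or header.get("alg") != "HS256":
        return False
    if not isinstance(claims.get("iat"), int) or not claims.get("jti"):
        return False
    if not hmac.compare_digest(str(claims.get("jkt", "")), jwk_thumbprint(dpop_jwk)):
        return False
    if access_token is not None and not hmac.compare_digest(str(claims.get("ath", "")), token_hash(access_token)):
        return False  # binding JWT was not issued for this access token
    if refresh_token is not None and not hmac.compare_digest(str(claims.get("rth", "")), token_hash(refresh_token)):
        return False  # binding JWT carries no (or a different) refresh token hash
    return True
```

An RS would run check_binding once per access token and cache the result for the token's lifetime, as the proposal describes, with the per-request DPoP proof still verified against the same jkt.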