Re: [OAUTH-WG] Dynamic Client Registration - client_secret_expires_at
Travis Spencer <travis.spencer@curity.io> Fri, 30 November 2018 19:45 UTC
Return-Path: <travis.spencer@curity.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FD7E130F96 for <oauth@ietfa.amsl.com>; Fri, 30 Nov 2018 11:45:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.359
X-Spam-Level:
X-Spam-Status: No, score=-3.359 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hAyNBSnGramw for <oauth@ietfa.amsl.com>; Fri, 30 Nov 2018 11:45:01 -0800 (PST)
Received: from mail-ot1-x32a.google.com (mail-ot1-x32a.google.com [IPv6:2607:f8b0:4864:20::32a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E461130F81 for <oauth@ietf.org>; Fri, 30 Nov 2018 11:45:00 -0800 (PST)
Received: by mail-ot1-x32a.google.com with SMTP id n8so2317846otl.6 for <oauth@ietf.org>; Fri, 30 Nov 2018 11:45:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nLVyF4J3emTnLZ7ShNjN91gCLr3OIRN4S5Lg53rI1RI=; b=Z8YZI46DZA5SeO1+u8pn33dAIcp1NIl40HsEJwyFFPBA5iXl/3wVZY1DTKAdeugRDg RmRHMK28uhSiJWGqn2GBnLKwJ2IId8AyryhcMWFNYE5xYxtyqGLGWmRHrsLCCN55ocZ9 NXdIghVrIvonTLf6crwqNlZqelUiZPrylcf570aPqQkjhgp41WeaWveLFhorI+L5szkJ xZGq91cNf0mHOA5kygZvPC1teTk/li65rezsy6asue0mmBSMZbj89DDiCiUlLdwvvivd W5INcc1eeXBNmw1062CQlTTXmcKx7x++VCRddjTt4TXfrPmF/K/cEQm8637XwNH/qckN fw/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nLVyF4J3emTnLZ7ShNjN91gCLr3OIRN4S5Lg53rI1RI=; b=htEOASgxHlo8Nki8hT52eGdBAn7AudPEiUM6LIWfG4K00V8ryNHSKFgNMWYTLkRFej qDBZiQIoVIGHxt89mAyIXeukDHvbtELzETbEVWwXx6DUOtrKEl5N3wdUJa4WRjjSLVaz 8XMHnUWFJyGHU3a5+v9mL7Ltm3E6pFQ/0RlPIyAb9IT6QBJ28ddEWYqKGpKaKU2flBOI GKqeP/rRZIAOZ4FV9CiTnmuc2reqNVhbCibFmW4k7rNM0jQXB9zHl3fqdgipdabnNcD6 KYKd1oIfIewOTai95gcyYiTj8E13k3UP2kN1PHugd1X2q3SOLIduNROMXpW8ciwqqLjQ wZqQ==
X-Gm-Message-State: AA+aEWbDeRsR7F7n6xXoqrCIngfOtUixXDxuSYO+AMYVx7jEF8tdZd/0 2ryFVNh2Ozq+F8Qy9zWmfVD03g3RUqkZnmhDBBgEOQ==
X-Google-Smtp-Source: AFSGD/UPppjT3AAAoxYk1JhZoDODPJiJUGLwHDWsaAURw3CSxRPWUmi/wWgIlR1sQ3vLlg86DIfrXo0rr6MzmLfE05o=
X-Received: by 2002:a9d:60b:: with SMTP id 11mr4155996otn.200.1543607100324; Fri, 30 Nov 2018 11:45:00 -0800 (PST)
MIME-Version: 1.0
References: <CALAqi_91zXPaD91kzj4ZNE55XPwoaqGa_Ks5NAN0kkEQvMRTLg@mail.gmail.com>
In-Reply-To: <CALAqi_91zXPaD91kzj4ZNE55XPwoaqGa_Ks5NAN0kkEQvMRTLg@mail.gmail.com>
From: Travis Spencer <travis.spencer@curity.io>
Date: Fri, 30 Nov 2018 20:44:48 +0100
Message-ID: <CAEKOcs0KSaj7PqQTZ2J7FkEq+ihNcXMhxO-DCusoWNGr0KyUuQ@mail.gmail.com>
To: panva.ip@gmail.com
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e34da9057be70858"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/btwuj7cb5Uixyg-nLcVvX3gvS3E>
Subject: Re: [OAUTH-WG] Dynamic Client Registration - client_secret_expires_at
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 19:45:03 -0000
On Tue, Nov 20, 2018 at 12:45 PM Filip Skokan <panva.ip@gmail.com> wrote: > This is my best shot at an implementable policy when it comes to clients > with expired client secrets: *"all operations requiring a secret will be > rejected when an expired one is presented"* > This is a good list and hopefully something that would find its way into a spec and not be buried in an email archive. With this info, its a lot easier to make use of this feature of the spec. Thanks for sharing it, Filip. it is not valid for client secret based endpoint auth (basic, post, client > secret jwt), the AS will reject with 401 invalid_client in those cases > Or instead of invalid_client, need_info. it will not be used for validating symmetrically signed request object > (JAR), the AS will reject the authorization request with ...? > 400 invalid_request_object it will not be used by the AS to symmetrically sign id tokens, userinfo, > introspection or authorization responses (JARM), the AS will reject the > requests with ...? > 403 need_info. In the case of introspection, a client secret can't be used to sign the JWT if application/jwt was requested because access will be denied will be denied before that point. So, that's 401 (first point above) anything else? > Revoke -- 401
- [OAUTH-WG] Dynamic Client Registration - client_s… Filip Skokan
- Re: [OAUTH-WG] Dynamic Client Registration - clie… Travis Spencer