IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode

Torsten Lodderstedt <torsten@lodderstedt.net> Fri, 27 December 2019 20:41 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B1A112006F for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 12:41:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C26OgfTd7rHH for <oauth@ietfa.amsl.com>; Fri, 27 Dec 2019 12:41:42 -0800 (PST)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAEA31200A1 for <oauth@ietf.org>; Fri, 27 Dec 2019 12:41:41 -0800 (PST)
Received: by mail-wr1-x435.google.com with SMTP id c9so27167715wrw.8 for <oauth@ietf.org>; Fri, 27 Dec 2019 12:41:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=bdXmJciefwk53Fye1Oi8FeOYravyWoRxLF853/Qgyxg=; b=By59F22zEm5PC5rqrrWxM+ucnkjrdC4H3ZsmA3iaLJOu0Pn6ZtyzJcJ53+L4IB/cET aTX8eerIV5/i1pYnHoWtlXT5DZMlG9HpFf4OZK1ZjL94C5RAhUzNmRHb1YAuhsgR59rn svHjV2ZG9GtxMwu9k+peJDYNNyMTmY5Y1Jr1RPaFpSHS6CLIMT6x9+o3Mfs4nANQj/cd a9k7DX6/Qw/xR0ZFVXEYM9foa5GbS4Sjh8zeJF25CjZf/yhGJ2+OcbXUWo5AbUETLIJ5 n13mv/W4ODZYmDb9q2lw/ry9lYH+odQ4qzRzqOW1CB9cDMkT/ZMrMOleu3JCduoR5S9I BVGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=bdXmJciefwk53Fye1Oi8FeOYravyWoRxLF853/Qgyxg=; b=sI7pzPumgg7S+Nxe8mRzfJZCKdHpEthFuoskQeQitwDnSHmj8pOezEv4sycNv0+mnp cn9zIkPkPnR1B9+jvPyiOZtigODSxWCgrWMvG7FxvY1ve2V4lE0lS4ETtVTYSRwEalss IqqunYfJn6P7INRiuFQKSyAoQ/v+dhuxXpHX/Va0W1WK+J4dIkzXe+KPPud7AsmWlSxo 2pOvii4ZkMHJyuyZpOXuq0mgm/uFqunE43EeC2xC993wHVJaR/96yx2zb5EQPX980q8i PJvIDeQWdsUauhQsUgv32GIO1upQqt3PG5blYh6scbATt7836EKGjrALj6LOhxg07wze CWAA==
X-Gm-Message-State: APjAAAW2T4MUODxYzU7B/a29fzFOy6IqjrZC141OU5M57B1c4URz7nZP ub1RFKUtk9wwWXpv0uy2s6vN1Q==
X-Google-Smtp-Source: APXvYqzAo3plk6GyjBrPWnHC+ORRPj/IFb6r5cbwvJ2JEkuKB3RItd+Wz9t+gtFJkCEMLiXwkGm2wA==
X-Received: by 2002:a5d:46d0:: with SMTP id g16mr55022327wrs.287.1577479300378; Fri, 27 Dec 2019 12:41:40 -0800 (PST)
Received: from ?IPv6:2a01:598:818b:b98e:e918:9ad0:f05c:d5d2? ([2a01:598:818b:b98e:e918:9ad0:f05c:d5d2]) by smtp.gmail.com with ESMTPSA id n14sm12101067wmi.26.2019.12.27.12.41.38 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 27 Dec 2019 12:41:38 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail-C58CF7C4-9F86-492E-B256-DDC7339FEB03"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Fri, 27 Dec 2019 21:41:36 +0100
Message-Id: <0D6C9677-D8B5-4005-95FE-4F783EB28961@lodderstedt.net>
References: <DM6PR00MB08478D98FE0A4A2AADAF479AF52A0@DM6PR00MB0847.namprd00.prod.outlook.com>
Cc: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
In-Reply-To: <DM6PR00MB08478D98FE0A4A2AADAF479AF52A0@DM6PR00MB0847.namprd00.prod.outlook.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (17C54)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cbreFteM4dHga3Xcjd7NNL3afUs>
Subject: Re: [OAUTH-WG] [EXTERNAL] -security-topics-13 and OIDC response types + form_post response mode
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Dec 2019 20:41:44 -0000

As Brian said, we have discussed this several times and this text found consensus.

Using post reduces the attack surface but does not allow to bind the access token to the legitimate client. We are recommending sender constrained access tokens in the BCP. So recommending a flow that does not support sender constrained access tokens is a contradiction.

What do other WG members think?

> Am 27.12.2019 um 21:28 schrieb Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>:
> 
> 
> I agree with Brian. Please update the text to describe this already safe usage.
> 
> -- Mike
> 
> From: OAuth <oauth-bounces@ietf.org> on behalf of Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
> Sent: Friday, December 27, 2019 11:03:30 AM
> To: oauth <oauth@ietf.org>
> Subject: [EXTERNAL] [OAUTH-WG] -security-topics-13 and OIDC response types + form_post response mode
>  
> We have a-sometimes used scenario where a client makes an authorization/authentication request with a "token id_token" response type and "form_post" response mode (nonce is also sent and exact redirect URI matching is done at the AS). The access token is never exposed in any URLs and access token injection is prevented by the at_hash claim in the id token. 
> 
> That seems to me like a legitimate and reasonable usage scenario. However, it would fall on the wrong side of the SHOULD NOT in Section 3.1.2 of the Security BCP-to-be, which has:
> 
>    In order to avoid these issues, clients SHOULD NOT use the implicit
>    grant (response type "token") or any other response type issuing
>    access tokens in the authorization response, such as "token id_token"
>    and "code token id_token", unless the issued access tokens are
>    sender-constrained and access token injection in the authorization
>    response is prevented.
> 
> I know this particular text has been discussed over and over again so I hate to revisit it. But based on the aforementioned scenario I think maybe it still doesn't quite hit the mark. Access token injection is prevented. The token leakage scenarios mentioned in that section are all avoided. And while I know sender-constrained is recommended elsewhere in the draft, it's not really a realistic option for the majority of deployments. 
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email