Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object

Benjamin Kaduk <kaduk@mit.edu> Thu, 16 January 2020 04:53 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C119120A70 for <oauth@ietfa.amsl.com>; Wed, 15 Jan 2020 20:53:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id brMDV0NzgyyA for <oauth@ietfa.amsl.com>; Wed, 15 Jan 2020 20:53:12 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55AC7120A3F for <oauth@ietf.org>; Wed, 15 Jan 2020 20:53:12 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 00G4r3mr019346 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 15 Jan 2020 23:53:05 -0500
Date: Wed, 15 Jan 2020 20:53:02 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: Takahiko Kawasaki <taka@authlete.com>, IETF oauth WG <oauth@ietf.org>
Message-ID: <20200116045302.GG80030@kduck.mit.edu>
References: <79C4475C-FDEB-42C8-8A44-7BFE4DBF9453@gmail.com> <110a95d9-2981-6d2b-9cbf-9658be3585cc@connect2id.com> <CAANoGhK0-n6V_RogvVZ=8J8AQCEUUVJQn4_7wSWYixeQM8aZsw@mail.gmail.com> <CH2PR00MB0843D5044E11E0F4CE5F5D09F53B0@CH2PR00MB0843.namprd00.prod.outlook.com> <CAANoGhJB4mYSFiWKt3T=cObH7uCW0s3Zpv2m92+YaAY2Oy4mqw@mail.gmail.com> <2aca5c38-bb20-497e-14ed-f4a9245a9439@connect2id.com> <7baae999-47c1-f749-6c51-f45022ab1a3d@ve7jtb.com> <3d9ffc74-6c9c-48a1-0c98-65a7465e8dbc@connect2id.com> <CAHdPCmNHeUyDjrc32oQPZ5g3oars-XY3vq2p3qt2LzzkZMTw5w@mail.gmail.com> <89345e9b-8191-f01d-71a6-453ec197796f@connect2id.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <89345e9b-8191-f01d-71a6-453ec197796f@connect2id.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ceJfEQCxjB0XWWR0IWBWgec3w_c>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 04:53:17 -0000

On Wed, Jan 15, 2020 at 11:02:33PM +0200, Vladimir Dzhuvinov wrote:
> 
> On 14/01/2020 19:20, Takahiko Kawasaki wrote:
> > Well, embedding a client_id claim in the JWE header in order to
> > achieve "request parameters outside the request object should not be
> > referred to" is like "putting the cart before the horse". Why do we
> > have to avoid using the traditional client_id request parameter so
> > stubbornly?
> >
> > The last paragraph of Section 3.2.1
> > <https://tools.ietf.org/html/rfc6749#section-3.2.1> of RFC 6749 says
> > as follows.
> >
> >     /A client MAY use the "client_id" request parameter to identify
> >     itself when sending requests to the token endpoint.  In the
> >     "authorization_code" "grant_type" request to the token endpoint,
> >     *an unauthenticated client MUST send its "client_id" to prevent
> >     itself from inadvertently accepting a code intended for a client
> >     with a different "client_id".*  This protects the client from
> >     substitution of the authentication code.  (It provides no
> >     additional security for the protected resource.)/
> >
> >
> > If the same reasoning applies, a client_id must always be sent with
> > request / request_uri because client authentication is not performed
> > at the authorization endpoint. In other words, */an unauthenticated
> > client (every client is unauthenticated at the authorization endpoint)
> > MUST send its "client_id" to prevent itself from inadvertently
> > accepting a request object for a client with a different "client_id"./*
> >
> Identifying the client in JAR request_uri requests can be really useful
> so that an AS which requires request_uri registration to prevent DDoS
> attacks and other checks can do those without having to index all
> request_uris individually. I mentioned this before.
> 
> I really wonder what the reasoning of the IESG reviewers was to insist
> on no params outside the JAR JWT / request_uri.
> 
> I'm beginning to realise this step of the review process isn't
> particularly transparent to WG members.

Could you expand on that a bit more?  My understanding is that the IESG
ballot mail gets copied to the WG precisely so that there is transparency,
e.g., the thread starting at
https://mailarchive.ietf.org/arch/msg/oauth/lkOhwiDj_hCI55BQRdiR9R0JwgI
Which admittely is from almost three years ago, but that's the earliest
that I found that could be seen as the source of this behavior.

-Ben

P.S. some other discussion at
https://mailarchive.ietf.org/arch/msg/oauth/-tUrNY1X9eI_tQGI8T-IGx4xHy8 and
https://mailarchive.ietf.org/arch/msg/oauth/Uke1nxRlgx62EJLevZgpWCz_UwY and
so on.