Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushed requests must become JWTs

Justin Richer <jricher@mit.edu> Thu, 30 July 2020 11:27 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D33833A1094; Thu, 30 Jul 2020 04:27:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kFWqiuPi1Eq2; Thu, 30 Jul 2020 04:27:39 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E67793A108A; Thu, 30 Jul 2020 04:27:38 -0700 (PDT)
Received: from [192.168.1.6] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06UBRaNj020597 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 30 Jul 2020 07:27:37 -0400
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <3C919E79-C162-4B5D-A2BE-95825981CF3A@lodderstedt.net>
Date: Thu, 30 Jul 2020 07:27:36 -0400
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DD371DAF-9AF1-4F1D-8F62-C31E1309F0AF@mit.edu>
References: <869491B5-9AA5-4593-A307-46FAAF7E990D@mit.edu> <7B488048-896B-4F88-976C-909D0BFA16D3@lodderstedt.net> <CAGBSGjp+gudsyu9EsyEZ8-JsUKQQDHL+T15G7=PDa=f7hvBZhQ@mail.gmail.com> <3C919E79-C162-4B5D-A2BE-95825981CF3A@lodderstedt.net>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/d21p-c0RGvBORNybVcxEOydqXxw>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] Re: PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 11:27:41 -0000

Aaron,

The “request_uri” comes from OIDC originally, and is redefined in JAR. The original idea was to have a URL that the AS/IdP would be able to fetch to get a Request Object from, which is why JAR used to have language about “it MUST be fetchable and resolve to a JWT” (or something like that). JAR has backed off that requirement now (I believe), but those roots are still in the name. RAR opts to re-use that mechanism instead of inventing either a new parameter or returning a full Redirection URI.

 — Justin

> On Jul 24, 2020, at 3:12 AM, Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
> 
> Hi Aaron, 
> 
> that’s a very good point. I was also in favour of just providing the client with the URL it needs to send the user to (like XYZ and OAuth do). 
> 
> In the end, we decided to stay with the current approach since it fits with the rest of the existing ecosystem, namely JAR and authorization endpoint discovery. 
> 
> best regards,
> Torsten. 
> 
>> On 24. Jul 2020, at 00:49, Aaron Parecki <aaron@parecki.com> wrote:
>> 
>> I know this is a bit of an old thread to dig up, but as I'm working through this draft again, something is sticking out to me about this.
>> 
>> In every other instance of "*_uri" in OAuth and extensions, the value is a URI (usually https) which will be visited by the user's browser or be sent a POST request from a client. In the case of PAR, this "request_uri" is actually just an identifier that is *added* to an existing URL, the authorization endpoint, not a URL that will be visited itself. This discrepancy is bothering me.
>> 
>> I would have expected that either:
>> 
>> * The PAR response includes a "request_uri" which is the full URL that the client would redirect the user's browser to, OR
>> * The PAR response includes a "request_id" which it adds in the query string to the authorization endpoint and then redirects the browser to
>> 
>> For example:
>> 
>> POST /as/par HTTP/1.1
>> ...
>> response:
>> {
>>      "request_uri": "https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2",
>>      "expires_in": 60
>> }
>> 
>> then the user's browser is sent to whatever the value of "request_uri" is
>> 
>> OR
>> 
>> POST /as/par HTTP/1..1
>> ...
>> response:
>> {
>>      "request_id": "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2",
>>      "expires_in": 60
>> }
>> 
>> then the "request_id" is added to the authorization endpoint (as currently described by PAR)
>> 
>> https://as.example.com/auth?client_id=s6BhdRkqt3&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Abwc4JK-ESC0w8acc191e-Y1LTC2
>> 
>> My personal preference is the first option, keeping the term "request_uri" but having it actually be the full URI, to simplify the job of the client. In that model, the client doesn't have to mess with building URLs, and actually provides additional flexibility for the AS as well since that endpoint no longer needs to be the exact same URL as the authorization endpoint.. 
>> 
>> ---
>> Aaron Parecki
>> https://aaronparecki.com
>> 
>> 
>> On Thu, Jan 16, 2020 at 8:25 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>> I just thought about another option. What if we change PAR to not use the request_uri parameter but a new parameter, e.g. request_id?
>> 
>> That would decouple both specs. The reason why we use request_uri was to make the life of clients easier since they can use the standard library function for request objects to pass the PAR reference to the AS. Is this worth the trouble?
>> 
>>> Am 16.01.2020 um 16:48 schrieb Justin Richer <jricher@mit.edu>du>:
>>> 
>>> +1 to this approach, and it sounds like JAR might need to come back to go through another round anyway thanks to the breaking changes the IESG pushed into it after it left WGLC.
>>> 
>>> I’d rather see us get this right than publish something many of us think is broken. 
>>> 
>>> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs.
>>> 
>>> — Justin
>>> 
>>>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth