IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators

Sergey Beryozkin <sberyozkin@gmail.com> Tue, 29 November 2016 10:49 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E000129679 for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2016 02:49:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MzKwJw3eBBLC for <oauth@ietfa.amsl.com>; Tue, 29 Nov 2016 02:49:33 -0800 (PST)
Received: from mail-wj0-x232.google.com (mail-wj0-x232.google.com [IPv6:2a00:1450:400c:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD06D12946C for <oauth@ietf.org>; Tue, 29 Nov 2016 02:49:29 -0800 (PST)
Received: by mail-wj0-x232.google.com with SMTP id mp19so141562279wjc.1 for <oauth@ietf.org>; Tue, 29 Nov 2016 02:49:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=lnhmG+GhClq5YyN8uvFqPLybVIqjgORW9SbN1EEzT24=; b=ymh6lb00VgACd8aEUEFLu4NI3fHeA1xTEW1XjvXloMTHX0CcxATF2i1QAY7h6NP7jy vw22isHubppxD61T4HfBzFTox6x+sl9DcxoEqRa43SA8dvmpnBbQVGp17SCuskmU2qFY 1+5wyzMevB4eAQP1GFAgE6VjC7PlFj2QlDYzT7oP23khcJTXC0ME5TRsH0jHecRmdDlO 1KM8q4al5aqPVec6SUFb7HZcQB7WlpHdW11t/c/V1OTOwuGtmk1iluljwcEoJJ6eqLMc kNaP9hVXBKxcIEx0pI3aSpom563jScoEdy5N4FVUQH24cjbi/+8t9dPEJACxvH5l9huA wnIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=lnhmG+GhClq5YyN8uvFqPLybVIqjgORW9SbN1EEzT24=; b=h80xXHz5C/dCSv1G5YvN+gg9Bl1DGkQjigczRzB/CginSVSEzncp0IMgbXfnrm6Wvf mqbjFpOKrX0oPBpK2T+3eixA8zAz4l+NDlezJLYeWQE6aeLqs+Rikta+P10hyOhXM7vR uyT4R2ItpuRbUeN3asVg9qcYmvP1F7wl5ImkYT1rRHAs81IJwJX7bVNcCNa0XhiYcqju 60IieB4dRsd6UfBn9VyIHVyq5IQBRyiWUh3Ntg5vlsNqNavWU95sIcXDZO0kd0hYkpZ4 0ftYSt3nC7mK6wcRJCRoI+zcIVWi1x01cV3+lEOwWqdwU5mGUV8PUqJBqeoUNVmhHziG e6LA==
X-Gm-Message-State: AKaTC01HJEwlMgZF5ZMUBGcDSO4XLUx99qXJU+T5ad674mYJRv+qXtCa0mRpFHUZiz5rVw==
X-Received: by 10.194.235.98 with SMTP id ul2mr22400976wjc.229.1480416568101; Tue, 29 Nov 2016 02:49:28 -0800 (PST)
Received: from [10.36.226.98] ([80.169.137.53]) by smtp.googlemail.com with ESMTPSA id b15sm2165411wma.5.2016.11.29.02.49.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 29 Nov 2016 02:49:27 -0800 (PST)
To: John Bradley <ve7jtb@ve7jtb.com>, Justin Richer <jricher@mit.edu>
References: <c607334a-edcd-2be6-1796-7b31e070bad0@gmail.com> <BFE837C1-C2A8-4393-A6E1-3F56E45AC12C@mit.edu> <CD883FC7-531B-4BDF-91FF-33F0FBC102BD@ve7jtb.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <6c46d3a4-ad0d-3b49-7a15-7532634702e9@gmail.com>
Date: Tue, 29 Nov 2016 10:49:26 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CD883FC7-531B-4BDF-91FF-33F0FBC102BD@ve7jtb.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dVdJRGjfyqHBOIZ-49WuYHoZrfE>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 10:49:35 -0000

Hi John, All

I've been alway thinking that the reason an audience can be an array (as 
indicated for ex by the JWT spec, etc) is because a client application 
may need to talk to more than one RS in order to complete a single 
action for the current user (ex, the client will not talk to either RS1 
or RS2 but first to RS1 and then will complete the action by talking to 
RS2).

Why else would a JWT access token have an array of audience values ?
https://tools.ietf.org/html/rfc7519#section-4.1.3

I agree the resource indicators can help on its own - in case no 
audiences for a given client have been pre-registered or as you 
suggested - to point to a specific resource at the runtime, with this 
(resource) URI being validated against the pre-registered values.

But also, pre-registering a single audience during the client 
registration (dynamic or static) can minimize the need to use the 
resource indicators at the runtime.

I did not quite understand what you were explaining about registering 
RSs with the client - I guess that client will know in advance which 
RS(s) it will need to talk to do its work,

Many thanks, Sergey




On 28/11/16 22:58, John Bradley wrote:
> To make something like this work with a loose coupling between the RS and AS the format of the AT would also need to be specified.
>
> To this point the WG has avoided standardizing AT.
>
> Most AS probably believe they know what RS the token is going to be used at based on scopes.
> Taking those tokens and using them at other RS is arguably at-least out of scope or arguably not allowed by the current specs.
>
> People are perhaps abusing the specs and sending AT to RS that are not properly audienced and can be replayed between RS.
> This is really bad from a security perspective with bearer tokens.
>
> I do however see a valid use case.
>
> Registering RS with the client is not a bad idea, however if you register more than one without the client saying at runtime what RS the token is for they can still be replayed.
> The client depending on design could still be tricked by a RS or something else to get a token audienced to a different RS if the AS dosen't know where the client is sending the token.
>
> I don’t think registering RS gets around the need for the resource indicator draft https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators
>
> Typically we have thought about a tight coupling between the RS and AS,  but now it seems people are putting more of the intelligence/burden on the the client.
>
> in a more dynamic system the RS might provide a list of AS that it accepts tokens form and the client might dynamically register with one of them.
>
> I suspect Sergey’s AS is doing something in between.
>
> I am hesitant to pick off just dynamic registration as there are a number of interrelated issues that need to be thought through to prevent security issues.
>
> John B.
>
>
>
>
>
>
>> On Nov 28, 2016, at 3:47 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>> I would consider that a totally reasonable extension. You will need to define what the behavior is if the client doesn’t provide a value for that field: is there a default? Are there no resources available to the client?
>>
>> — Justin
>>
>>> On Nov 28, 2016, at 12:21 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>>>
>>> Hi All
>>>
>>> Our AS allows for the manual client registration with the UI offering an option to assign the audience/resource URIs to a given Client registration with all the associated future access tokens inheriting them.
>>>
>>> The client will not have to follow the resource indicator registration as recommended at [1] - the administrator who registers the clients sets the audiences.
>>>
>>> We'd like to achieve the same with the dynamic client registration but my colleague noted the client metadata in the dynamic registration request has no 'audience' property.
>>>
>>> We will consider supporting either an 'audience' or 'resource' property - does it sound reasonable ?
>>>
>>> By the way, as far as [1] is concerned, should a 'resource' property support an array of audiences ? (To support a case a client needed to talk to several RSs to complete a given action)
>>>
>>> Thanks, Sergey
>>>
>>> [1] https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email