IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)

Warren Parad <wparad@rhosys.ch> Tue, 24 August 2021 10:14 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 446943A1EC3 for <oauth@ietfa.amsl.com>; Tue, 24 Aug 2021 03:14:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yg6BT9vBvOwM for <oauth@ietfa.amsl.com>; Tue, 24 Aug 2021 03:14:31 -0700 (PDT)
Received: from mail-yb1-xb33.google.com (mail-yb1-xb33.google.com [IPv6:2607:f8b0:4864:20::b33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C08933A1EC7 for <oauth@ietf.org>; Tue, 24 Aug 2021 03:14:30 -0700 (PDT)
Received: by mail-yb1-xb33.google.com with SMTP id j13so18805854ybj.9 for <oauth@ietf.org>; Tue, 24 Aug 2021 03:14:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cHDON6NOpMtASwDysgFtFgBYhHFcVNHoTgXNOGpCc7U=; b=gIFsCgnCLz0OYZ0/vGqbH7umFfzzkGvPIJxAekIiMhCUDop9i/dmdKYdjf4uxM9Yhl ffdHm2aM0OdOTCKlYjEbOx+cPY0jq8PhvZPsYsr51LmtYf+LfYWw7h/1gf+J8i6vx4l2 uHct5v0/t7HyzdgULC+YKPbCspwI2FG26G898KOs40K61hHNB8mE2gl8N7Yt9jRI4pLZ haqruHDx2lU94r9lVuyW829S2nm5saXw79C33632BDhudt8ODEBtaU47ugvL4KDMPh+V ItTnZRakUoTgbSJ2Iv7evDX/5bkATy2mR82CvfslpKyKmmlxk3QeJPx6xBiOyalJSn5b ya4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cHDON6NOpMtASwDysgFtFgBYhHFcVNHoTgXNOGpCc7U=; b=NLtMY0bfFytB6C4h7MpZ/1x91fV5jou5nznW2bz9zOgbn/bMDlSm2X+pCT11WiaeB0 AK23nlYZH1cjFnsQfJ7q775FMXmYbRwm3KWMRZda02KskkMaSAF2aYkOrL0q0HMFGf4j TaWvS41YSHCIoIIIavn+1ncGVLVxPlCKCZdOfIq3xOrNnvJg15aFt1Ld9eD/jSZ9mQEL hOTlOvGsQcHGvqjZSr5gELBSr35wPzMoof5fuzK3RXAwuEvZyw2rrysgot749jzop18a B8nnwkPquJVTAqARlsYyCXXQFnEmUG8zMuKe+UYRsGV1OlDY1qSsL4toqXzeYqmG7jB1 nMzA==
X-Gm-Message-State: AOAM531/XJiYcr/pxkSy104JEoDa0DrrZ1OZSnPeRojC96vKdO6+9cf+ b+tL2cRbgHkVV3LNMdnF4zeDPemU2b7wHqT4SgPo
X-Google-Smtp-Source: ABdhPJwbCAx28+HZpDngT5Zzv2DJpYRqDbwwxbE/Jb6dGEhmWUU8yLeqH7q5Qy/fJ2yK4Mtu4BuNX8jiajcgdpKjtL4=
X-Received: by 2002:a25:440b:: with SMTP id r11mr47685278yba.44.1629800068646; Tue, 24 Aug 2021 03:14:28 -0700 (PDT)
MIME-Version: 1.0
References: <20210822091434.93EFCF40723@rfc-editor.org> <80CE09CD-E462-4CB6-B4CC-EF4A7BE9F854@mit.edu> <CAGXsc+bDeg3RDFgP449YX-LYZOaa8JXn4Ea3jJfjA-HHJxmrwg@mail.gmail.com>
In-Reply-To: <CAGXsc+bDeg3RDFgP449YX-LYZOaa8JXn4Ea3jJfjA-HHJxmrwg@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Tue, 24 Aug 2021 12:14:17 +0200
Message-ID: <CAJot-L2zsiX4XhZ5ymjQh-Sakneo-=A3pTMAiMWk--zJe2Jc8A@mail.gmail.com>
To: Emond Papegaaij <emond.papegaaij@gmail.com>
Cc: IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000259c8105ca4b6669"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/dj1XPzB8GFL5nS-P-MD6mvnAr78>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC7009 (6663)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Aug 2021 10:14:37 -0000

I think it is worth pointing out, if we were to agree with the errata, that
this particular use case probably isn't relevant:

Our client in this case was a command line tool, which only requests the
> client credentials on login. It then fetches an access token and stores
> this locally. The client credentials are not stored by default.


Unless I misunderstand, I'll take "client credentials" to mean client Id
and client credentials via a client credentials grant. And therefore, is
not the correct flow to be used in a command line tool. Client credentials
are used in private when there are many user agents that could connect
through it, I would not recommend this as the solution here, and even if it
were, you would indeed have access to the client id and secret, so it would
not be a problem to use them to revoke the token.

However, I believe there is something fundamentally broke here, because
there are two use cases which are in conflict with each other:

   - I as a user, at any time want to revoke one of, access token, refresh
   token, or granted scopes associated with my identity by directly
   communicating with an AS. I never want to make this request through a
   client, and more specifically, I never want a client to determine whether
   or not I'm allowed to revoke these.
   - I as a user, at no time want to allow a client, for whom I did not
   give permission to revoke my refresh token nor revoke granted scopes. It
   should not be the case that one client sharing the token with another
   client (either intentionally or accidentally) would be allowed to change
   the requested scopes nor make decisions about the validity of my current
   access token or delegated refresh token.

Given the latter we see that it must be the case that refresh tokens,
access tokens, and associated grants MUST NOT be allowed to be revoked
without client authentication. This means that the original RFC is indeed
correct, and that the errata is not. But, this does not enable the former
case nor encourage a solution that works in scope of retaining control over
resources that the user agent owns. However, it is worth mentioning that it
doesn't prevent, as it still allows an AS to implement additional
mechanisms for direct user revocation, if desired.

That being said I would be in favor of enumerating a *flow* to safely
instruct the AS to revoke directly by the user, but it cannot be done by
amending the revocation endpoint.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Tue, Aug 24, 2021 at 9:44 AM Emond Papegaaij <emond.papegaaij@gmail.com>
wrote:

> On Mon, Aug 23, 2021 at 9:42 PM Justin Richer <jricher@mit.edu> wrote:
>
>> I personally don’t agree with this errata. Token Revocation was never
>> meant to act as a protected resource, but rather as a function of the AS.
>> The client is known to the AS and so authentication is expected here.
>>
>
> We ran into this very issue some time ago. Our client in this case was a
> command line tool, which only requests the client credentials on login. It
> then fetches an access token and stores this locally. The client
> credentials are not stored by default. The current spec required us to
> request the client credentials to revoke the access token on logout.
> Personally, I see no point in requiring the the client to authenticate, it
> already possesses an access token, which it can use for whatever it wants
> to and the possession of the token should be enough evidence that the
> client previously authenticated. Revoking the token seems to be the least
> harmful one can do with a token.
>
> For more information see:
> https://mailarchive.ietf.org/arch/msg/oauth/7qxGcptE-uzA5WQaxnzGMdSqb2I/
>
> Best regards,
> Emond Papegaaij
>
>
>
>> > On Aug 22, 2021, at 5:14 AM, RFC Errata System <
>> rfc-editor@rfc-editor.org> wrote:
>> >
>> > The following errata report has been submitted for RFC7009,
>> > "OAuth 2.0 Token Revocation".
>> >
>> > --------------------------------------
>> > You may review the report below and at:
>> > https://www.rfc-editor.org/errata/eid6663
>> >
>> > --------------------------------------
>> > Type: Technical
>> > Reported by: Ashvin Narayanan <ashvinnarayanan@gmail.com>
>> >
>> > Section: 2.1
>> >
>> > Original Text
>> > -------------
>> > The client constructs the request by including the following
>> >   parameters using the "application/x-www-form-urlencoded" format in
>> >   the HTTP request entity-body:
>> >
>> >   token   REQUIRED.  The token that the client wants to get revoked.
>> >
>> >   token_type_hint  OPTIONAL.  A hint about the type of the token
>> >           submitted for revocation.  Clients MAY pass this parameter in
>> >           order to help the authorization server to optimize the token
>> >           lookup.  If the server is unable to locate the token using
>> >           the given hint, it MUST extend its search across all of its
>> >           supported token types.  An authorization server MAY ignore
>> >           this parameter, particularly if it is able to detect the
>> >           token type automatically.  This specification defines two
>> >           such values:
>> >
>> >           * access_token: An access token as defined in [RFC6749],
>> >             Section 1.4
>> >
>> >           * refresh_token: A refresh token as defined in [RFC6749],
>> >             Section 1.5
>> >
>> >           Specific implementations, profiles, and extensions of this
>> >           specification MAY define other values for this parameter
>> >           using the registry defined in Section 4.1.2.
>> >
>> >   The client also includes its authentication credentials as described
>> >   in Section 2.3. of [RFC6749].
>> >
>> >   For example, a client may request the revocation of a refresh token
>> >   with the following request:
>> >
>> >     POST /revoke HTTP/1.1
>> >     Host: server.example.com
>> >     Content-Type: application/x-www-form-urlencoded
>> >     Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
>> >
>> >     token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
>> >
>> >   The authorization server first validates the client credentials (in
>> >   case of a confidential client) and then verifies whether the token
>> >   was issued to the client making the revocation request.  If this
>> >   validation fails, the request is refused and the client is informed
>> >   of the error by the authorization server as described below.
>> >
>> > Corrected Text
>> > --------------
>> > The client calls the revocation endpoint using an HTTP
>> >   POST [RFC7231] request with the following parameters sent as
>> >   "application/x-www-form-urlencoded" data in the request body:
>> >
>> >   token   REQUIRED.  The token that the client wants to get revoked.
>> >
>> >   token_type_hint  OPTIONAL.  A hint about the type of the token
>> >           submitted for revocation.  Clients MAY pass this parameter in
>> >           order to help the authorization server to optimize the token
>> >           lookup.  If the server is unable to locate the token using
>> >           the given hint, it MUST extend its search across all of its
>> >           supported token types.  An authorization server MAY ignore
>> >           this parameter, particularly if it is able to detect the
>> >           token type automatically.  This specification defines two
>> >           such values:
>> >
>> >           * access_token: An access token as defined in [RFC6749],
>> >             Section 1.4
>> >
>> >           * refresh_token: A refresh token as defined in [RFC6749],
>> >             Section 1.5
>> >
>> >           Specific implementations, profiles, and extensions of this
>> >           specification MAY define other values for this parameter
>> >           using the registry defined in Section 4.1.2.
>> >
>> >   The client MUST also include in the request, the access token it
>> received
>> >   from the authorization server. It must do so in the same way as it
>> would
>> >   when accessing a protected resource, as describe in [RFC6749],
>> Section 7.
>> >
>> >   The following is a non-normative example request in which the client
>> uses
>> >   its access token to revoke the associated refresh token:
>> >
>> >     POST /revoke HTTP/1.1
>> >     Host: server.example.com
>> >     Content-Type: application/x-www-form-urlencoded
>> >     Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
>> >
>> >     token=45ghiukldjahdnhzdauz&token_type_hint=refresh_token
>> >
>> >   The following is a non-normative example request in which the client
>> uses
>> >   its access token to revoke the same access token:
>> >
>> >     POST /revoke HTTP/1.1
>> >     Host: server.example.com
>> >     Content-Type: application/x-www-form-urlencoded
>> >     Authorization: Bearer czZCaGRSa3F0MzpnWDFmQmF0M2JW
>> >
>> >     token=czZCaGRSa3F0MzpnWDFmQmF0M2JW&token_type_hint=access_token
>> >
>> >   The authorization server MUST validate the access token used by the
>>
>> >   client to authorize its call to the revocation endpoint, including
>> >   ensuring that it is not expired or revoked.
>> >   Additionally, the authorization server MUST also validate whether the
>> >   access token used for authorization is part of the same grant  as the
>> >   token being revoked. If validation fails, the request is  refused and
>> >   the client is informed of the error by the authorization server.
>> >   In the case of a bearer token, the authorization server SHOULD
>> respond
>> >   with an HTTP 401 code as described in OAuth 2.0 Bearer Token Usage
>> >   [RFC6750], Section 3.
>> >   Errors based on other types of tokens are beyond the scope of this
>> >   specification.
>> >
>> >
>> > Notes
>> > -----
>> > It appears as though the authors of RFC7009 have failed to consider
>> that requests to revoke are likely to come from non-confidential clients
>> and such, would lack authentication credentials. Regardless of the type of
>> client however, authentication should not be required. The OAuth 2.0
>> specification (RFC6749) does not specify verifying that the access token
>> belongs to the client accessing protected resources, of which revocation is
>> one. It is the role of the access token alone to signify authorization
>> required to make requests to protected resources. If this is an issue for
>> revocation, then it is an issue for all protected resources and counter
>> measures may be proposed in a separate RFC rather than broadening the scope
>> of this particular RFC. As per the original text itself, "This
>> specification in general does not intend to provide countermeasures against
>> token theft and abuse." Additionally, "If an attacker is able to
>> successfully guess a public client's client_id and one of their tok
>> > ens, or a private client's credentials and one of their tokens, they
>> could do much worse damage by using the token elsewhere than by revoking
>> it.  If they chose to revoke the token, the legitimate client will lose its
>> authorization grant and will need to prompt the user again.  No further
>> damage is done and the guessed token is now worthless."
>> > Note that the client_id is not meant to be private information to begin
>> with, so relying on an attacker "guessing" it should not be seen as a
>> security countermeasure. This section of RFC7009 will be referenced in a
>> subsequent errata.
>> >
>> > Instructions:
>> > -------------
>> > This erratum is currently posted as "Reported". If necessary, please
>> > use "Reply All" to discuss whether it should be verified or
>> > rejected. When a decision is reached, the verifying party
>> > can log in to change the status and edit the report, if necessary.
>> >
>> > --------------------------------------
>> > RFC7009 (draft-ietf-oauth-revocation-11)
>> > --------------------------------------
>> > Title               : OAuth 2.0 Token Revocation
>> > Publication Date    : August 2013
>> > Author(s)           : T. Lodderstedt, Ed., S. Dronia, M. Scurtescu
>> > Category            : PROPOSED STANDARD
>> > Source              : Web Authorization Protocol
>> > Area                : Security
>> > Stream              : IETF
>> > Verifying Party     : IESG
>> >
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email