Re: [OAUTH-WG] First Draft of OAuth 2.1

"Peck, Michael A" <mpeck@mitre.org> Thu, 12 March 2020 14:00 UTC

Return-Path: <mpeck@mitre.org>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B89DE3A0932 for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 07:00:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mitre.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QNCrY_l0PYSQ for <oauth@ietfa.amsl.com>; Thu, 12 Mar 2020 07:00:06 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (smtpvmsrv1.mitre.org [192.52.194.136]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75B5E3A092A for <oauth@ietf.org>; Thu, 12 Mar 2020 07:00:06 -0700 (PDT)
Received: from smtpvmsrv1.mitre.org (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 7E58A13A628; Thu, 12 Mar 2020 10:00:05 -0400 (EDT)
Received: from smtprhmv1.mitre.org (unknown [128.29.154.203]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtpvmsrv1.mitre.org (Postfix) with ESMTPS id 73A2613A63D; Thu, 12 Mar 2020 10:00:05 -0400 (EDT)
Received: from mwfesmtp-mgt.mitre.org (mwfesmtp-in.mitre.org [192.52.194.235]) by smtprhmv1.mitre.org (Postfix) with ESMTP id 560CA925E35; Thu, 12 Mar 2020 10:00:05 -0400 (EDT)
Received: by mwfesmtp-mgt.mitre.org (Postfix, from userid 600) id 48dVnx24F5z3DYvb; Thu, 12 Mar 2020 13:59:26 +0000 (UTC)
Received: from GCC02-BL0-obe.outbound.protection.outlook.com (mail-bl2gcc02lp2104.outbound.protection.outlook.com [104.47.64.104]) by mwfesmtp-mgt.mitre.org (Postfix) with ESMTPS id 48dVn432xsz3DYsT; Thu, 12 Mar 2020 13:59:19 +0000 (UTC)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; =?utf-8?q?b=3DNEdDcmdn3OTD2ZN8+lBR8ZeQwMPDUk/WZ1piwQkcaco4iTgRtX3ibCvbE3rg5?= =?utf-8?q?z9+GlgpuJnmiLrhA/bkh1C8/OmpIxoua2AffUpcVpMRnY66TILJzHDy7S+rVclfNG?= =?utf-8?q?jkG2gxg0/+FXm83FiSLYH92MdafrRETVkLfRbQGx8gi0B+A3maLi8z/mV4d41/kfo?= =?utf-8?q?H2MJZId7/khahmhAezkowXnH5vTAQGXPwb0JP9BABDLCL6/NkpqEAF3FaAj0i04Yo?= =?utf-8?q?9Lm84e3cdbhzn912FTtZOn/uXTI8v/qXkiFbZ6phDAXHSK3/vfwQ0FqZkT2uRKt2Z?= =?utf-8?q?5C60GMi0NXFxcunjS1Q/w=3D=3D?=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; =?utf-8?q?h=3DFrom=3ADate=3ASubject=3AMessage-ID=3ACont?= =?utf-8?q?ent-Type=3AMIME-Version=3AX-MS-Exchange-SenderADCheck=3B?= =?utf-8?q?bh=3DQkwUJbGEihxS/JSlJANZ83csSk0waM/nrV8Ac+7vMVM=3D=3B_b=3DQ/DXy5?= =?utf-8?q?OKrlu91yCq1FhECmwHEKeGAPAPhDHt3qd7n0Wdh4hN99OQ8fO29uYeFE5wPvqojfA?= =?utf-8?q?VWg1dzkogqnWPNdj3sUCGljvplGQnHuidx6dLx94SJDe+QzXb+qkMrZWyMvd7cK0V?= =?utf-8?q?IvB/LZItr02kvh12ehb/ZoEWUVSPjqgXDw7yLCpHs4/pUGuk1RXhohDIc4MXr+CTL?= =?utf-8?q?gdF9bg8nXbnnLT5i4JBKa2Tz2l/H2zM5KOEl8+9ogIIQxVGtApWXKs/h/o3/alo2G?= =?utf-8?q?3Ou7l//7SU1PL1NY2PSaPSgwFCMQBFXrLQd+SPNudAtR7O04hhuhVWClckg92jeuC?= =?utf-8?q?1WOXmx/XwIA=3D=3D?=
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mitre.org; dmarc=pass action=none header.from=mitre.org; dkim=pass header.d=mitre.org; arc=none
Received: from MN2PR09MB3630.namprd09.prod.outlook.com (2603:10b6:208:38::29) by MN2PR09MB5769.namprd09.prod.outlook.com (2603:10b6:208:21f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2793.17; Thu, 12 Mar 2020 13:59:17 +0000
Received: from MN2PR09MB3630.namprd09.prod.outlook.com ([fe80::7dbf:d54c:a32b:f9a4]) by MN2PR09MB3630.namprd09.prod.outlook.com ([fe80::7dbf:d54c:a32b:f9a4%7]) with mapi id 15.20.2814.007; Thu, 12 Mar 2020 13:59:17 +0000
From: "Peck, Michael A" <mpeck@mitre.org>
To: Aaron Parecki <aaron@parecki.com>, OAuth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] First Draft of OAuth 2.1
Thread-Index: AQHV+HZqEKi9F2u/xEys/5A5cObuFw==
Date: Thu, 12 Mar 2020 13:59:17 +0000
Message-ID: <355609CC-D224-4437-9735-E8B603A4FE3A@mitre.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.22.0.200209
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mpeck@mitre.org;
x-originating-ip: [192.160.51.87]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 86856bd7-668f-46d3-21c0-08d7c68d8e3d
x-ms-traffictypediagnostic: MN2PR09MB5769:
x-microsoft-antispam-prvs: =?utf-8?q?=3CMN2PR09MB5769AF93713B5AF8C5F4F015B9F?= =?utf-8?q?D0=40MN2PR09MB5769=2Enamprd09=2Eprod=2Eoutlook=2Ecom=3E?=
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0340850FCD
x-forefront-antispam-report: SFV:NSPM; =?utf-8?q?SFS=3A=2810001=29=281000902?= =?utf-8?b?MCkoMzk4NjA0MDAwMDIpKDM5NjAwMykoMzc2MDAyKSgzNDYwMDIpKDM2NjAwNCko?= =?utf-8?q?136003=29=28199004=29=288676002=29=2871200400001=29=288936002=29?= =?utf-8?b?KDQ3ODYwMDAwMSkoMzE2MDAyKSgzNjc1NjAwMykoNjQ4NjAwMikoNjUxMjAwNyko?= =?utf-8?b?MzM2NTYwMDIpKDY1MDYwMDcpKDI2MDA1KSgyOTA2MDAyKSg4MTE2NjAwNiko?= =?utf-8?q?5660300002=29=2866574012=29=2864756008=29=28966005=29=2866946007?= =?utf-8?b?KSg2NjU1NjAwOCkoODExNTYwMTQpKDE4NjAwMykoMTEwMTM2MDA1KSg3NjEx?= =?utf-8?b?NjAwNikoODYzNjIwMDEpKDY2NDc2MDA3KSg2NjQ0NjAwOCkoMjYxNjAwNSk7?= DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR09MB5769; H:MN2PR09MB3630.namprd09.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: mitre.org does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: =?utf-8?q?wfWp7YVbBpOIO7eeIKbTklkXRqc4DVO?= =?utf-8?q?0Ri02XYPqydyK2FAnWT1+Oceu2GEyaRO0+E+pt6MFKs2OuD3Od10mfhEWqoP4HP4n?= =?utf-8?q?UWm7gF/r4q1+IPsE645/2Ml2OjxsUHtf7KhfPJuhnZiBKlkXcmXLjdFJSNYxHFO1z?= =?utf-8?q?QYn52+jhZZxobto0KaMyWwvpmvij6y8fJ8unF/2DQMQ3X0+CYNTxi1g64MXuqBl3d?= =?utf-8?q?nOh1J25Wevjdq17HhY5Qx90fu2f5UeTFOn/fBJCmqsyRrPQrmL5vd/NS7DsqZZLGP?= =?utf-8?q?utDX8dV8Q9BeHa1SObOzqjxoXE2l54FuQRHFNqKDeuuW3Gixp6znNjAXz30O4aNS+?= =?utf-8?q?Xj4174tk1qGvAJXuZvDm28X56KfE8N4TovGpjpS76/oVNZH0vNFtDizghRglrhnGu?= =?utf-8?q?IkDR9zppUA20Gve2HERzOp943VEN2JTx9spfXt3WSD5hBQ9dXdYUKv/w8BSLpt9oj?= =?utf-8?q?Gl7Er8j6VARl6HdTjrBBU+uPihCteRH46ZOYuEeggZLMIxZj3cqT81We9Anj3gl5H?= =?utf-8?q?LUjQ=3D?=
x-ms-exchange-antispam-messagedata: =?utf-8?q?ZNrYJ54JTKapOs4ogGvpzAy118q5Sq?= =?utf-8?q?Wu9+697Zyyn2Bpvw3jUrHYOS7nJXdqkHGDKKg3b7haQ33lZejfkjtsHhzgebSZ5/f?= =?utf-8?q?YgmAWUX9sQT03rTck16gFRCggUur92AUv749+sG/Re/sbygwcfMo7Gg=3D=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <28685231C730654E8ED910B40F40FB03@namprd09.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: mitre.org
X-MS-Exchange-CrossTenant-Network-Message-Id: 86856bd7-668f-46d3-21c0-08d7c68d8e3d
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Mar 2020 13:59:17.3694 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: c620dc48-1d50-4952-8b39-df4d54d74d82
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: FjCW83Q30Ctct0Ms8FfVClznFt/XjQnXG5DqjtlLjkPye+uYACS6ecPtUapcjOsE
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR09MB5769
X-MITRE: 8GQsMWxq66rxk57w
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mitre.org; =?utf-8?q?h=3Dfrom=3Ato=3Asubject=3Adate=3Amessage-id=3Acontent-type=3Acont?= =?utf-8?q?ent-id=3Acontent-transfer-encoding=3Amime-version=3B?= s=selector1; =?utf-8?q?bh=3DQkwUJbGEihxS/JSlJANZ83csSk0waM/nrV8Ac+7vMVM=3D=3B_b=3DC1vcAy?= =?utf-8?q?tTFZ5dSOFScmuwMgyQ4/9EZlHw2ANTzgnKUW/cTMO8LG8oVIH63YTn42PT07lALsn?= =?utf-8?q?eitFtsfw3cOApXkCqONFQPuX9yErZpzy9CLT3ilwUk/nBOn/55dJbFsD1THpk4Uob?= =?utf-8?q?n4dmT9ln5NjCRHF8EDcb8xExdLOs+l3Jnyc=3D?=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eKEeUSEt4q4AsD_oA_yaz3VXjSs>
Subject: Re: [OAUTH-WG] First Draft of OAuth 2.1
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2020 14:00:09 -0000

This looks like a great initial draft, and I hope to see it move forward.

Some comments so far:

Section 1.6:
“At the time of this writing” is duplicated.
 
Section 3.1.2.1 (and possibly other sections such as 1.6 / 2.3.1 / 3.1 / 3.2 that mandate TLS):
Section 3.1.2.1 currently retains this language from RFC 6749: “The redirection endpoint SHOULD require the use of TLS… This specification does not mandate the use of TLS because at the time of this writing, requiring clients to deploy TLS is a significant hurdle…”
I suggest updating this text to mandate TLS, and/or a blanket statement should be made that TLS is required for all protocol interactions (rather than or in addition to the statements throughout the draft). I don't think "requiring clients to deploy TLS is a significant hurdle" is an accurate statement at the present time.
 
Section 1.7:
Consider incorporating new guidance on HTTP redirects as specified in draft-ietf-oauth-security-topics section 4.10.
 
Section 1.8 / 2 / 3.1 / 3.2:
Consider including informative references to RFC 7591 (Dynamic Client Registration) and RFC 8414 (OAuth 2.0 Authorization Server Metadata) as optional methods that may be useful for client registration, determining AS capabilities, and endpoint discovery.
 
Section 2.1:
“Authorization servers SHOULD consider the level of confidence in a client’s identity when deciding whether they allow such a client access to more critical functions, such as the client credentials grant type.”
The client credentials example possibly conflicts with the section 4.2 statement “The client credentials grant MUST only be used by confidential clients” and the statement earlier in section 2.1 “Clients requiring a higher level of confidence…use credentials to authenticate with the authorization server.”
 
Section 2.3.1:
(This text is in RFC 6749 too)
client_secret – “REQUIRED…The client MAY omit the parameter if the client secret is an empty string.”
Since this section describes authentication using a password by confidential clients, it doesn’t make sense that the client secret would be an empty string?
(Certainly there may be situations where a client_id but not a client_secret would be sent – e.g. public clients, or if the client authenticates another way --  but that’d be out of scope of what section 2.3.1 is describing?)
 
Section 2.3.2:
“MAY support any suitable HTTP authentication scheme” – should the word “HTTP” be removed as being too specific? I don’t think methods such as mTLS and private_key_jwt are HTTP authentication schemes?
 
Section 3.1.2.2:
“The authorization server SHOULD require the client to provide the complete redirection URI” -
Given the section 3.1.2 requirement to compare redirect URIs using “simple string comparison”, should that instead be a MUST?
 
Section 3.1.2.3:
Consider removing the second paragraph, it looks redundant given the new section 3.1.2 requirement for “simple string comparison”.
 
Section 3.2.1:
“an unauthenticated client MUST sent its “client_id”…[t]his protects the client from substitution of the authentication code.”:
 
“authentication code” should be “authorization code” (typo also present in RFC 6749), also I don’t think this is true anymore with the requirement to use PKCE? However it’s probably still a good requirement, since explicitly identifying the client may make it easier for the AS to look up whether the authorization code is valid?
 
Section 4.1:
“The client includes its … requested scope, local state …” Consider indicating that requested scope and local state are optional?
 
Section 4.1.1.1:
(I guess this is more of an RFC 7636 question since the text comes from there.)
Why is the entropy requirement for the PKCE code verifier only SHOULD / RECOMMENDED rather than MUST?

Section 9.7:
(Already pointed out by Pieter this morning.)
Typo: RFC8418 should be RFC8414.
 
Thanks,
Mike

On 3/11/20, 8:29 PM, "OAuth on behalf of Aaron Parecki" <oauth-bounces@ietf.org on behalf of aaron@parecki.com> wrote:

    I'm happy to share that Dick and Torsten and I have published a first
    draft of OAuth 2.1. We've taken the feedback from the discussions on
    the list and incorporated that into the draft.
    
    https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01
    
    A summary of the differences between this draft and OAuth 2.0 can be
    found in section 12, and I've copied them here below.
    
    > This draft consolidates the functionality in OAuth 2.0 (RFC6749),
    > OAuth 2.0 for Native Apps (RFC8252), Proof Key for Code Exchange
    > (RFC7636), OAuth 2.0 for Browser-Based Apps
    > (I-D.ietf-oauth-browser-based-apps), OAuth Security Best Current
    > Practice (I-D.ietf-oauth-security-topics), and Bearer Token Usage
    > (RFC6750).
    >
    >   Where a later draft updates or obsoletes functionality found in the
    >   original [RFC6749], that functionality in this draft is updated with
    >   the normative changes described in a later draft, or removed
    >   entirely.
    >
    >   A non-normative list of changes from OAuth 2.0 is listed below:
    >
    >   *  The authorization code grant is extended with the functionality
    >      from PKCE ([RFC7636]) such that the only method of using the
    >      authorization code grant according to this specification requires
    >      the addition of the PKCE mechanism
    >
    >   *  Redirect URIs must be compared using exact string matching as per
    >      Section 4.1.3 of [I-D.ietf-oauth-security-topics]
    >
    >   *  The Implicit grant ("response_type=token") is omitted from this
    >      specification as per Section 2.1.2 of
    >      [I-D.ietf-oauth-security-topics]
    >
    >   *  The Resource Owner Password Credentials grant is omitted from this
    >      specification as per Section 2.4 of
    >      [I-D.ietf-oauth-security-topics]
    >
    >   *  Bearer token usage omits the use of bearer tokens in the query
    >      string of URIs as per Section 4.3.2 of
    >      [I-D.ietf-oauth-security-topics]
    >
    >   *  Refresh tokens must either be sender-constrained or one-time use
    >      as per Section 4.12.2 of [I-D.ietf-oauth-security-topics]
    
    https://tools.ietf.org/html/draft-parecki-oauth-v2-1-01#section-12
    
    I'm excited for the direction this is taking, and it has been a
    pleasure working with Dick and Torsten on this so far. My hope is that
    this first draft can serve as a good starting point for our future
    discussions!
    
    ----
    Aaron Parecki
    aaronparecki.com
    @aaronpk
    
    P.S. This notice was also posted at
    https://aaronparecki.com/2020/03/11/14/oauth-2-1
    
    _______________________________________________
    OAuth mailing list
    OAuth@ietf.org
    https://www.ietf.org/mailman/listinfo/oauth