Re: [OAUTH-WG] draft-fett-oauth-dpop-00
rich levinson <rich.levinson@oracle.com> Sat, 30 March 2019 23:39 UTC
Return-Path: <rich.levinson@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7946120340 for <oauth@ietfa.amsl.com>; Sat, 30 Mar 2019 16:39:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.04
X-Spam-Level:
X-Spam-Status: No, score=-4.04 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 462gd4T2vxq8 for <oauth@ietfa.amsl.com>; Sat, 30 Mar 2019 16:39:11 -0700 (PDT)
Received: from userp2120.oracle.com (userp2120.oracle.com [156.151.31.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C54A12033D for <oauth@ietf.org>; Sat, 30 Mar 2019 16:39:11 -0700 (PDT)
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x2UNYZhC172324 for <oauth@ietf.org>; Sat, 30 Mar 2019 23:39:09 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : subject : to : message-id : date : mime-version : content-type; s=corp-2018-07-02; bh=39U1MNQpR+9ZfUkB1tU7J1qMp+1VpM4jly+DS9SH1ZY=; b=cXsGYh37W8Z+4Rki6r+8e5YcQJvILUIh18ptLhH66GvL//dtqpJuouPCcI1frgEjR6sA 6zYjW9iG8BZuDfOZkPte31y5gAJ7gW000nDy3hpsmrJtfkMl1Vn+Vf+2YylzBnqllxyq 7lJimHtXqHADPAGVFkLlHmyTDjW4aPJClbP/heJ1Qymcws7e1YmNZAVmeVnWojChdsum xnXJZOjNZS4uV7VP8Zfpvxnqb8FNCvrJhh2nh63/vgxa+PD82xUJvZlbhAA7GJfnMyls ZWm/D8ur+HqUDN9HEy2eBTanOYca/j1gXwhCdtiBnLBNhDteIChq26jxN1Ry2rTeNOJr dg==
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp2120.oracle.com with ESMTP id 2rj13psqbq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <oauth@ietf.org>; Sat, 30 Mar 2019 23:39:08 +0000
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id x2UNd7oA029008 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for <oauth@ietf.org>; Sat, 30 Mar 2019 23:39:07 GMT
Received: from abhmp0017.oracle.com (abhmp0017.oracle.com [141.146.116.23]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x2UNd6Px024098 for <oauth@ietf.org>; Sat, 30 Mar 2019 23:39:07 GMT
Received: from [10.39.212.164] (/10.39.212.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sat, 30 Mar 2019 16:39:06 -0700
From: rich levinson <rich.levinson@oracle.com>
Organization: Oracle Corporation
To: oauth@ietf.org
Message-ID: <2979ec5a-195c-21db-48a6-46a627833a9f@oracle.com>
Date: Sat, 30 Mar 2019 19:39:05 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------46E49D4BA1A3851FC79DC78D"
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9212 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903300173
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eOAjipnaTLbF0a7Cek_KHN_FwiU>
Subject: Re: [OAUTH-WG] draft-fett-oauth-dpop-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2019 23:39:15 -0000
Speaking for myself, as a long time user of OAuth 2.0, I am very enthusiastic about the new proposal: "OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer" https://tools.ietf.org/html/draft-fett-oauth-dpop-00 I believe it represents a real milestone for OAuth in that it appears to me to be the first proposal that is capable of offering true end-to-end integrity by using the OAuth 2.0 protocol at the application layer. In addition to the basic proof of possession capability, it inherently contains the mechanism for the client to completely protect any request that can be decomposed into a set of key:value pairs, which can then be signed within a JWT. The additional key:value pairs can be included in a Resource Access POST request, as described in section 5, by placing them in a 2nd JWT using the same public key and format as Figure 3, in a parameter with a name required by the Resource Server Application, for example, "dpop_appl_request". Since the parameter will be in the body of a POST request, there should be no size limitation for the set of key:value pairs that can be provided. Furthermore, the Access Token received in response to the token request shown in Figure 3, should cover the "dpop_appl_request" parameter, in the same way it covers the "dpop_proof" parameter described in section 5, because it covers the usage of the public key, and any specific content that is protected by that public key. The Access Token implicitly contains the user consent, the authorization of the IdP, plus the public key of the client making the request, and therefore the "dpop_appl_request" can potentially be usable to preserve the signature and possibly be used in some cases for non-repudiation, a capability that is not possible using the transport layer protocols, which remove all the protocol protection before delivering the request to the Resource Server Appl. In summary, the dpop at the appl layer proposal, imo, represents a significant advance in OAuth 2.0 technology that potentially addresses many of the security requirements that OAuth 2.0 does not currently provide. Thanks, Rich Levinson Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Filip Skokan <panva.ip@gmail.com>Fri, 29 March 2019 16:39 UTCShow header <https://mailarchive.ietf.org/arch/browse/oauth/#> And here's a real simple client-side implementation using - Webcrypto API - IndexedDB API - fetch https://boiling-escarpment-16732.herokuapp.com/ It's not really a SPA but uses the same browser APIs and no backend other than a web server hosting the html. Best, *Filip Skokan* On Thu, 28 Mar 2019 at 19:48, Filip Skokan <panva.ip@gmail.com> <mailto:panva.ip@gmail.com>>; wrote: > Hello Daniel, everyone, > > I've hacked together an AS implementation to enable client-side > experimentation using this draft. > > You can find this hosted at https://draft-fett-oauth-dpop-00.herokuapp.com <https://draft-fett-oauth-dpop-00.herokuapp.com/> (it's > also the issuer identifier). There's a default client registered and > dynamic registration is also open, so hack away. It's using the draft > version with dpop_binding expecting "jwk": { ...jwk } rather then "cnf": { > "dpop+jwk": { ... jwk } } as the payload claim as suggested by Ludwig. > > There are more notes on the index page itself. > > Aaron kindly accepted to work on the SPA client-side demonstration, I'm > not a SPA guru mastermind like Aaron and it would take me ages to deliver > that particular piece. That being said I did test this with a regular web > app as well as a CLI client using both code+pkce and dynamic port binding > as well as device authorization grant client. Works. > > Feeding back to the draft > > - i think we should mention the client to provide reasonable > expiration value of the dpop JWTs (max minutes). Altho not critical since > we require a jti, as an AS i don't wanna cache the used jti values forever > :) > - the AS should error when the dpop JWT contains private key material > - altho implied by the use of "public" and "private" key i think it > wouldn't hurt explicitly forbidding "oct" JWKs > - i don't see a point in dpop_proof containing the JWK again unless > the AS is supposed to do something new with it > - it wouldn't hurt mentioning that, kinda following 6750, when > dpop_proof is sent it's in a query for GET, in the request body for a POST. > my provider for instance will ignore query parameters during a POST. With > that said, what about RS endpoints using other methods? Maybe placing the > proof in a header isn't a terrible idea afterall. > > > Kind Regards, > *Filip Skokan* > > > On Thu, 28 Mar 2019 at 11:19, Daniel Fett <danielf+oauth@yes.com> <mailto:danielf+oauth@yes.com>>; wrote: > >> Hi all, >> >> I published the first version of the DPoP draft at >> https://tools.ietf.org/html/draft-fett-oauth-dpop-00 >> >> Abstract >> >> This document defines a sender-constraint mechanism for OAuth 2.0 >> access tokens and refresh tokens utilizing an application-level >> proof-of-possession mechanism based on public/private key pairs. >> >> >> Thanks for the feedback I received so far from John, Mike, Torsten, and >> others during today's session or before! >> >> If you find any errors I would welcome if you open an issue in the GitHub >> repository at https://github.com/webhamster/draft-dpop >> >> - Daniel >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> > * [OAUTH-WG] draft-fett-oauth-dpop-00 <https://mailarchive.ietf.org/arch/msg/oauth/9jETD0i94pq6ZM290c9PnxUUAkw> Daniel Fett * Re: [OAUTH-WG] draft-fett-oauth-dpop-00 <https://mailarchive.ietf.org/arch/msg/oauth/IHt83R7tGwb9iuC9MhPTFIDJrAI> Mike Jones * Re: [OAUTH-WG] draft-fett-oauth-dpop-00 <https://mailarchive.ietf.org/arch/msg/oauth/0uBLlJe9eA8TONn7ykaPDSj2bVQ> Ludwig Seitz * Re: [OAUTH-WG] draft-fett-oauth-dpop-00 <https://mailarchive.ietf.org/arch/msg/oauth/d9i047xb8SgFk1VeIP36DEdRA5Y> Filip Skokan * Re: [OAUTH-WG] draft-fett-oauth-dpop-00 <https://mailarchive.ietf.org/arch/msg/oauth/ZwOJqiQFTs42XUrNF4ZMQWfayhQ> Filip Skokan
- [OAUTH-WG] draft-fett-oauth-dpop-00 Daniel Fett
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Mike Jones
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Ludwig Seitz
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Filip Skokan
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Filip Skokan
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 rich levinson
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Brian Campbell
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Ludwig Seitz
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 George Fletcher
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Daniel Fett
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 George Fletcher
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Phil Hunt
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Justin Richer
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Brian Campbell
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Justin Richer
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 David Waite
- Re: [OAUTH-WG] draft-fett-oauth-dpop-00 Simon Moffatt