Re: [OAUTH-WG] DPoP proof keys, token renewal, and confidential clients

Brian Campbell <bcampbell@pingidentity.com> Wed, 01 March 2023 19:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/el-d3Zxm3RkXiwqFrIAxRGqZdCs>

Hi Brock :)

The term "credential rotation" there was meant (to me anyway when writing the text) to refer to the client authentication credential - meaning the client config/metadata about its authentication credentials can be updated without invalidating the RT (as is the case already in 'plain' OAuth). However, to the point of your question, the sentiment also applies to the DPoP key - not binding the RT to the DPoP key for confidential clients does allow for a new DPoP proof to be used for new access tokens requested from the same refresh token.

On Wed, Mar 1, 2023 at 7:51 AM Brock Allen <brockallen@gmail.com> wrote:

> Hi -- another DPoP question :)
>
> In the very last paragraph, in the very last sentence of section "5. DPoP
> Access Token Request", draft-ietf-oauth-dpop-13 says:
>
> "This existing sender-constraining mechanism is more flexible (e.g., it
> allows credential rotation for the client without invalidating refresh
> tokens) than binding directly to a particular public key."
>
> Can someone clarify if the term "credential rotation" refers to the
> client authentication credential, or the DPoP credential?
>
> I'm pretty sure it means the DPoP credential, since that would allow for
> a new DPoP proof to be used for new access tokens generated from the same
> refresh token. Is this correct?
>
> Thanks, as always!
>
> -Brock
>

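The distinction Brian describes, modelled as an added example (this is illustrative code written for this page, not code from the thread, the draft, or any implementation): an authorization server records, at refresh-token issuance, whether the RT is sender-constrained by client authentication (confidential client) or by the DPoP key thumbprint (public client). On the refresh grant, a confidential client may present a proof signed with a different key than the one used originally, and the new access token is bound to whatever key that proof carries; a public client must present the original key. All names, the token store, the error-reason strings and the sample JWK coordinates are constructed, and the DPoP proof's signature, `htm`/`htu` and `iat` checks are assumed to have been done before `refresh_grant` is called.

```python
import base64, hashlib, json

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC public JWK: base64url(SHA-256(canonical members))."""
    members = {k: jwk[k] for k in ("crv", "kty", "x", "y")}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()

# Constructed in-memory refresh-token store: the value is the binding recorded at issuance.
REFRESH_TOKENS: dict = {}

def issue_refresh_token(rt: str, client_id: str, confidential: bool, proof_jwk: dict) -> None:
    """Confidential clients: RT is constrained by client authentication, so no key is stored.
    Public clients: RT is bound to the thumbprint of the DPoP key used at issuance."""
    jkt = None if confidential else jwk_thumbprint(proof_jwk)
    REFRESH_TOKENS[rt] = {"client_id": client_id, "confidential": confidential, "jkt": jkt}

def refresh_grant(rt: str, client_id: str, client_authenticated: bool, proof_jwk: dict):
    """Return (ok, access_token) or (False, reason). proof_jwk is the 'jwk' header of a
    DPoP proof whose signature/htm/htu/iat were already verified (assumed, out of scope)."""
    rec = REFRESH_TOKENS.get(rt)
    if rec is None or rec["client_id"] != client_id:
        return False, "invalid_grant"
    if rec["confidential"]:
        # Sender-constraint comes from client authentication, so the key in this proof
        # may differ from the one used when the RT was issued (DPoP key rotation allowed).
        if not client_authenticated:
            return False, "invalid_client"
    else:
        # Public client: the RT is bound to the original DPoP key; any other key is refused.
        if jwk_thumbprint(proof_jwk) != rec["jkt"]:
            return False, "dpop_key_mismatch"  # constructed reason label, not a spec error code
    # The new access token is bound to the key presented in *this* proof via cnf.jkt.
    return True, {"client_id": client_id, "cnf": {"jkt": jwk_thumbprint(proof_jwk)}}

# Constructed sample keys; the coordinates are placeholders, not real curve points.
KEY_A = {"kty": "EC", "crv": "P-256", "x": "A" * 43, "y": "B" * 43}
KEY_B = {"kty": "EC", "crv": "P-256", "x": "C" * 43, "y": "D" * 43}

if __name__ == "__main__":
    issue_refresh_token("rt-public", "spa-client", False, KEY_A)
    issue_refresh_token("rt-conf", "backend-client", True, KEY_A)
    print("public client, rotated key:", refresh_grant("rt-public", "spa-client", False, KEY_B))
    print("confidential client, rotated key:", refresh_grant("rt-conf", "backend-client", True, KEY_B))
```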