[OAUTH-WG] How could an IdP create an id token for one audience RP without knowing for which RP ?
Denis <email@example.com> Mon, 31 July 2017 07:28 UTC
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EF863131EA7 for <firstname.lastname@example.org>; Mon, 31 Jul 2017 00:28:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([184.108.40.206]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AGlmJcC8qIln for <email@example.com>; Mon, 31 Jul 2017 00:27:58 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 023E1131EA9 for <firstname.lastname@example.org>; Mon, 31 Jul 2017 00:27:58 -0700 (PDT)
Received: from [192.168.0.13] (unknown [220.127.116.11]) by smtp6-g21.free.fr (Postfix) with ESMTP id 111AB7802B2 for <email@example.com>; Mon, 31 Jul 2017 09:27:55 +0200 (CEST)
To: oauth <firstname.lastname@example.org>
From: Denis <email@example.com>
Date: Mon, 31 Jul 2017 09:27:56 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
Content-Type: multipart/alternative; boundary="------------4F95769C6E072A9EE77B91F6"
Subject: [OAUTH-WG] How could an IdP create an id token for one audience RP without knowing for which RP ?
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:email@example.com?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 07:28:01 -0000
This is a follow-up of the OAuth workshop held in Zurich on July 13 th. At the end of the first day, Sven Hammann made a presentation on the following topic: "A private mode for OpenID Connect" Slide 14 indicated the motivation of the presentation : The IdP learns at which Relying Parties (RPs) the user logs in This does not respect the user's privacy User's activities over multiple RPs can be tracked User might not want anyone to know which service they are using Especially if using the RP might provide sensitive information I Alcoholics Anonymous I Medical Forums Slide 22 indicated: Privacy and Security Goals Privacy towards IdP: IdP cannot distinguish between logins to different RPs. Slides 33 indicated the problem to be solved (hence the title of this email): How can the IdP create an id token for one audience RP without knowing for which RP? In the previous presentation from John Bradley and Torsten Lodderstedt (Access token phishing), made on the same day, the same problem was considered with the final slide asking: " What do you think ? " I believe that it is the time to agree on a solution for this problem. As I already said on the WG list, the audience parameter does not allow to respect privacy. However, there are cases where both an access token MUST be targeted and privacy MUST be supported. Draft "JSON Web Token Best Current Practices" recently became draft-ietf-oauth-jwt-bcp-00. One major problem (with respect to privacy) is that it mandates the use of the audience parameter: 3.8.Use and Validate Audience If the same issuer can issue JWTs that are intended for use by more than one relying party or application, the JWT MUST contain an "aud"(audience) claim that can be used to determine whether the JWT is being used by an intended party or was substituted by an attacker at an unintended party. With such a wording, as soon as the "aud" claim will be used, privacy will be violated since the AS will be able to act as Big Brother. Similarly, in a token request the use of the OPTIONAL resource parameter is also violating privacy : it indicates the physical location of the target service or resource where the client intends to use the requested security token. The value of the "resource" parameter MUST be an absolute URI, as specified by Section 4.3 of [RFC3986], During the workshop, it has been proposed to use some signature on some data placed /outside/ the access token. I propose a different approach where both a new parameter placed *inside* the access token will be used and a new structure placed *outside* the access token will be used. This means : -the addition of a tid (target identifier) parameter *inside* the access token, and -the definition of a new data structure placed *outside* the access token (which does not require the computation of a digital signature and does not require the demonstration of a proof of possession of a key). Once the basic principles have been explained, let us now explain how the mechanism would work. The client chooses the URI of the target service. For every access token request (and for every target service, see later on the case of multiple targets), it generates a random number (rdn). It then computes tid = OWHF (rdn, URI) where the rdn comes first and where the URI comes after. OWHF is a One Way Hash Function. The client communicates to the Authorisation Server a method which includes two parameters: the OID of the OWHF to be used (e.g. SHA 256) and the value of tid that it has computed. The AS blindly copies and pastes this information into the access token. The client communicates to the Target Server (outside the access token): the method, the OID of the OWHF, the value of the rdn and the value for the URI. The Target Server first verifies that the data structure placed *outside* the access token matches with the data placed *inside* the access token: same method and same OID for the OWHF. Then after, it verifies that the URI (placed *outside* the access token) matches with one of the expected values and then using the method, the designated OID of the OWHF, the received rdn and the received URI computes OWHF (rdn, URI). It finally verifies that the result of this computation is identical to the tid parameter contained in the access token. If the verification is successful, the access token is accepted by the Target Server, otherwise it is rejected. Note that an access token MAY include several target identifiers. This should be used with care since such an access token might be usable by one designated Target Server towards another designated Target Server. However, there are circumstances where this is a desirable feature. As indicated earlier, each target identifier (tid) is computed using a different rdn. Comments ? Denis
- [OAUTH-WG] How could an IdP create an id token ... Denis
- Re: [OAUTH-WG] How could an IdP create an id to... John Bradley
- Re: [OAUTH-WG] How could an IdP create an id to... Torsten Lodderstedt
- Re: [OAUTH-WG] How could an IdP create an id to... Hammann Sven