[OAUTH-WG] How could an IdP create an id token for one audience RP without knowing for which RP ?

Denis <denis.ietf@free.fr> Mon, 31 July 2017 07:28 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id EF863131EA7 for <oauth@ietfa.amsl.com>; Mon, 31 Jul 2017 00:28:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id AGlmJcC8qIln for <oauth@ietfa.amsl.com>; Mon, 31 Jul 2017 00:27:58 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 023E1131EA9 for <oauth@ietf.org>; Mon, 31 Jul 2017 00:27:58 -0700 (PDT)
Received: from [] (unknown []) by smtp6-g21.free.fr (Postfix) with ESMTP id 111AB7802B2 for <oauth@ietf.org>; Mon, 31 Jul 2017 09:27:55 +0200 (CEST)
To: oauth <oauth@ietf.org>
From: Denis <denis.ietf@free.fr>
Message-ID: <e20207fc-804e-9485-7f18-736f423a0eeb@free.fr>
Date: Mon, 31 Jul 2017 09:27:56 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------4F95769C6E072A9EE77B91F6"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fhShEwDK5CRwunAGfKfJ1134xss>
Subject: [OAUTH-WG] How could an IdP create an id token for one audience RP without knowing for which RP ?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2017 07:28:01 -0000

This is a follow-up of the OAuth workshop held in Zurich on July 13 th.

At the end of the first day, Sven Hammann made a presentation on the 
following topic:
"A private mode for OpenID Connect"

Slide 14 indicated the motivation of the presentation :

The IdP learns at which Relying Parties (RPs) the user logs in

This does not respect the user's privacy

User's activities over multiple RPs can be tracked

User might not want anyone to know which service they are using

Especially if using the RP might provide sensitive information

I Alcoholics Anonymous

I Medical Forums

Slide 22 indicated:

Privacy and Security Goals

Privacy towards IdP: IdP cannot distinguish between logins to different RPs.

Slides 33 indicated the problem to be solved (hence the title of this 

How can the IdP create an id token for one audience RP without knowing 
for which RP?

In the previous presentation from John Bradley and Torsten Lodderstedt 
(Access token phishing),
made on the same day, the same problem was considered with the final 
slide asking: " What do you think ? "

I believe that it is the time to agree on a solution for this problem.

As I already said on the WG list, the audience parameter does not allow 
to respect privacy.
However, there are cases where both an access token MUST be targeted and 
privacy MUST be supported.

Draft "JSON Web Token Best Current Practices" recently became 
One major problem (with respect to privacy) is that it mandates the use 
of the audience parameter:

3.8.Use and Validate Audience

If the same issuer can issue JWTs that are intended for use by more than 
one relying party or application,
the JWT MUST contain an "aud"(audience) claim that can be used to 
determine whether the JWT is being
used by an intended party or was substituted by an attacker at an 
unintended party.

With such a wording, as soon as the "aud" claim will be used, privacy 
will be violated since the AS will be able
to act as Big Brother.

Similarly, in a token request the use of the OPTIONAL resource parameter 
is also violating privacy : it indicates
the physical location of the target service or resource where the client 
intends to use the requested security token.
The value of the "resource" parameter MUST be an absolute URI, as 
specified by Section 4.3 of [RFC3986],

During the workshop, it has been proposed to use some signature on some 
data placed /outside/ the access token.

I propose a different approach where both a new parameter placed 
*inside* the access token will be used and
a new structure placed *outside* the access token will be used. This means :

-the addition of a tid (target identifier) parameter *inside* the access 
token, and

-the definition of a new data structure placed *outside* the access 
token (which does not require the computation
  of a digital signature and does not require the demonstration of a 
proof of possession of a key).

Once the basic principles have been explained, let us now explain how 
the mechanism would work.

The client chooses the URI of the target service. For every access token 
request (and for every target service, see later on
the case of multiple targets), it generates a random number (rdn). It 
then computes tid = OWHF (rdn, URI) where the rdn
comes first and where the URI comes after. OWHF is a One Way Hash Function.

The client communicates to the Authorisation Server a method which 
includes two parameters: the OID of the OWHF to be used
(e.g. SHA 256) and the value of tid that it has computed. The AS blindly 
copies and pastes this information into the access token.

The client communicates to the Target Server (outside the access token): 
the method, the OID of the OWHF, the value of the rdn
and the value for the URI.

The Target Server first verifies that the data structure placed 
*outside* the access token matches with the data placed *inside*
the access token: same method and same OID for the OWHF. Then after, it 
verifies that the URI (placed *outside* the access token)
matches with one of the expected values and then using the method, the 
designated OID of the OWHF, the received rdn and
the received URI computes OWHF (rdn, URI). It finally verifies that the 
result of this computation is identical to the tid parameter
contained in the access token. If the verification is successful, the 
access token is accepted by the Target Server, otherwise it is rejected.

Note that an access token MAY include several target identifiers. This 
should be used with care since such an access token might be usable
by one designated Target Server towards another designated Target 
Server. However, there are circumstances where this is a desirable feature.
As indicated earlier, each target identifier (tid) is computed using a 
different rdn.

Comments ?