IETF Logo Mail Archive

[OAUTH-WG] Re: OAuth Client ID Metadata Document

Emelia Smith <emelia@brandedcode.com> Mon, 08 July 2024 17:16 UTC

Return-Path: <emelia@brandedcode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 934ABC28EAE1 for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 10:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.214
X-Spam-Level:
X-Spam-Status: No, score=-1.214 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brandedcode.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4Uz76emzQh7u for <oauth@ietfa.amsl.com>; Mon, 8 Jul 2024 10:15:56 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16941C014569 for <oauth@ietf.org>; Mon, 8 Jul 2024 10:15:44 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-2ee90f56e02so40419421fa.2 for <oauth@ietf.org>; Mon, 08 Jul 2024 10:15:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brandedcode.com; s=google; t=1720458942; x=1721063742; darn=ietf.org; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:content-transfer-encoding:from:to:cc:subject:date :message-id:reply-to; bh=2u/wqEI36409zXTipHkVRZQiF34kgKGO6awWseq2nME=; b=JcEFHME3uMSr95djINL7UWGSR6Mk2fqFxc9rw8XHT4kq7+Ga6Z/yz3LBeP6x8ax3n0 M7k9e+2d35ZJXyIz3iSlknxxXR3ud9R05pRC0n5wLgA9MIGlO5sDqKbcYrGUSejWrcLL yGYq06LQY7hD341de0t/tPQwrufM+y1HeXoINzc5DOmUD5tjd1sDM2+S99P9V712oN/G XI7HBIiRGB52GKDf/GvcSjm7G/q2S+K+wwsYj4k1kgHktHsWPsZbJ3V6GfwOtHqh2PJE 0yNqc/i9NiVTV49jHv9dkl/KUlRzbkijXb7ZWvPWQp8TEmD10JOH9hqxUyLEvYvaf2/N xzbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720458942; x=1721063742; h=to:references:message-id:cc:date:in-reply-to:from:subject :mime-version:content-transfer-encoding:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=2u/wqEI36409zXTipHkVRZQiF34kgKGO6awWseq2nME=; b=lJSIC6zdWvBOgelFlsLaKGpL1hoCIfmUto0a5HB0+hYJVQD6oLzKtyUuuttstg3dUu 5J69lBNh8+BBZtLJJwKANjXwu9RxDRUWaz2itWBMEfYCHdCZHHes2XDNaice2upEGaWg noH5FqEHQu5cB9RSyOl1Nz/Ar9D5KEC/3qajtxcybUk56IlsjuctPxu9qiKZEQZ+aHSZ 62r79ZBVmq5TK4xHySVSe2kCp9BWknK59cJsMj0fPwlj1MFAusxRVSMg4VTZkcMxFCKL 8xAy1Pzaa/QLvwh06VUEk146t/hj2SfulimegJSmLxiMmiSJ64VQ6YCnNx7uCZ1Gghk+ tNyQ==
X-Forwarded-Encrypted: i=1; AJvYcCW9rZEyOpilEDhcJ7IpMS7f/NsK44OlFbGvWGx96qJltrdupRyeT3TQUVGfoyOGtifSLYC+81iZPlBL3rj4Ng==
X-Gm-Message-State: AOJu0YynPD7gODfqWuOnu9QWGXdINZSi9uQ8LIvP9eDJYfJC3lm7J7IA NHDpl5SKLiLUP1e6HFmvn2jKQ8Vpss/h8EJAHAjvKJCveK/k41RGMvYpPh4T7Nc=
X-Google-Smtp-Source: AGHT+IGcOlcTOxBZGmDGmaxgBrXeyfZcslNU9Vz524sQRwch+dHkBn6Kkqw5kv9B8ziybzuBju53vg==
X-Received: by 2002:a2e:9b57:0:b0:2ec:5172:dbb8 with SMTP id 38308e7fff4ca-2eeb30b83afmr2162281fa.7.1720458941964; Mon, 08 Jul 2024 10:15:41 -0700 (PDT)
Received: from smtpclient.apple (p200300ef2f04448e0ca902c279e94af0.dip0.t-ipconnect.de. [2003:ef:2f04:448e:ca9:2c2:79e9:4af0]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-367cde890f6sm297221f8f.53.2024.07.08.10.15.40 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Jul 2024 10:15:41 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-42DDF846-3D6B-4B2A-96B1-11ACF1241D61"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Emelia Smith <emelia@brandedcode.com>
In-Reply-To: <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com>
Date: Mon, 08 Jul 2024 19:15:30 +0200
Message-Id: <BB9F5666-3FD7-4B38-A9E5-C7777FEE14E0@brandedcode.com>
References: <CAGBSGjrU03__4Wt+PiDuR5Z=b5y7GnBwzOiibE1v_Y11NV+Fpg@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: 44JWFXDTEIG4XWDTOANX5AFNB6UYVGKQ
X-Message-ID-Hash: 44JWFXDTEIG4XWDTOANX5AFNB6UYVGKQ
X-MailFrom: emelia@brandedcode.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Dick.Hardt@gmail.com, oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: OAuth Client ID Metadata Document
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/flcYCa5-NpKwUO9ES3fapbYOi2g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Just to follow up on this, further:
> > 1. If an AS supports both registered, and unregistered clients, is there any guidance or requirements on differentiating between them such as NOT issuing other identifiers that start with 'https"? 
>
> This is probably a good call-out. I am unsure about how many AS's would actually support both types of clients in practice though.

In practice you're not checking for "https" but "https://", furthermore most implementations use random bytes, often base64url or hex encoded, so they simply don't have the character set necessary to generate client_id's that are also valid URIs (or at least, the probability of this is incredibly small)

Whilst we could add guidance I'm not sure it'd add any value given the sheer unlikely probability of creating a valid URI across 20-40 random bytes (fairly common sizes I've seen)

If you allow a user to select a client_id, then you should absolutely validate that that input isn't going to cause confusion with the other specifications implemented & that it won't cause security issues.

Also, thanks for the early feedback Dick!

Yours,
Emelia Smith

On 8. Jul 2024, at 18:06, Aaron Parecki <aaron@parecki.com> wrote:


Thanks Dick, I hadn't gotten to post this to the list yet, but thanks for kicking off the discussion!

FYI there are already a few live implementations of this, and some additional in-progress implementations. There is also some overlap between this and an application of FedCM, which is where some of the initial implementation work has begun. I'll share more details on this and the FedCM work at IETF 120.

> 1. If an AS supports both registered, and unregistered clients, is there any guidance or requirements on differentiating between them such as NOT issuing other identifiers that start with 'https"? 

This is probably a good call-out. I am unsure about how many AS's would actually support both types of clients in practice though.

> 2. From a security perspective, I worry about the redirect URIs being any arbitrary URL -- perhaps that they need to start with the client_id? Is localhost supported as a redirect URI.

There will likely be some special handling for localhost client IDs and redirect URIs, particularly for development clients. There is some discussion about this happening on GitHub here: https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/issues/12" rel="nofollow">https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/issues/12 

For the non-development use cases, I think we should further discuss whether the limitation of the redirect URI starting with the client ID is helpful or not. Another set of use cases is native apps using custom URI schemes or even app-claimed HTTPS URLs which might have some more edge cases to consider.

> 3. A number of the parameters in dynamic client registration are a negotiation between the client and the AS.

Correct, this is not a negotiation anymore, this is a statement from the client about its properties, which the AS can either accept or reject during an authorization.

4. Along those lines, why are you pointing at 7591 rather than the list in IANA?

Good call, we should update this to point to the IANA registry.

5. Along those lines, it may be useful to recommend which of those properties are useful and why. ... The one bit of client_id_metadata_document_supported will unlikely not be enough to have a successful flow unless there is a MTI.

I think it would be a good exercise to see if there is a MTI subset for interoperability. I'll track this on GitHub for further discussion: https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/issues/15" rel="nofollow">https://github.com/aaronpk/draft-parecki-oauth-client-id-metadata-document/issues/15

> 6. Did you consider signing the metadata as a JWT as being one of the content types that could be returned?

It occurred to me, but I am not sure how valuable that actually is. The metadata is fetched over HTTPS, so signing it doesn't provide any additional integrity there. It could provide non-repudiation of the metadata, except that in order to do so it would have to be signed with a key that could later be proven to be from the client as well. Since this is primarily designed to be used by clients with no prior relationship with the AS, it is unclear how the provenance of the public key would be proven. I think this would require PIKA to be useful: https://www.ietf.org/archive/id/draft-barnes-oauth-pika-00.html" rel="nofollow">https://www.ietf.org/archive/id/draft-barnes-oauth-pika-00.html

Aaron





On Sat, Jul 6, 2024 at 4:09 PM Dick Hardt <dick.hardt@gmail.com> wrote:
Hey Aaron / Emelia


(was any info posted to the list?)

I like the general concept. Questions:

1. If an AS supports both registered, and unregistered clients, is there any guidance or requirements on differentiating between them such as NOT issuing other identifiers that start with 'https"? 

2. From a security perspective, I worry about the redirect URIs being any arbitrary URL -- perhaps that they need to start with the client_id? Is localhost supported as a redirect URI. What is the use case for an array of redirect URIs? Why not just have each of those be a different client_id? Perhaps you could just have a redirect_path that is appended to the client_id URL? 

3. A number of the parameters in dynamic client registration are a negotiation between the client and the AS. For example from 7591 token_endpoint_auth_method, grant_types, response_types.scope. while including token_endpoint_auth_method = private_key_jwt is useful, the client is not getting a direct response back from the AS. How are you envisioning a mismatch between what is in these values and the response from the AS? In dynamic client registration the AS is returning what it will support. The only mechanism I can think of currently if the request is not supported is to return an invalid client error to the authorization request.


A useful property there to call out would be initiate_login_uri.

5. Along those lines, it may be useful to recommend which of those properties are useful and why. For example, should I have a contact property? I think there should be a minimum to implement so there is interoperability -- otherwise it is hit or miss if it will work. The one bit of client_id_metadata_document_supported will unlikely not be enough to have a successful flow unless there is a MTI.

6. Did you consider signing the metadata as a JWT as being one of the content types that could be returned?

That's all for now! Thanks for writing this up!

/Dick

v2.35.0 | Report a Bug | By Email | System Status