Re: [OAUTH-WG] New Version Notification for draft-ietf-oauth-dpop-04.txt
Neil Madden <neil.madden@forgerock.com> Mon, 29 November 2021 19:10 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6754D3A07CF for <oauth@ietfa.amsl.com>; Mon, 29 Nov 2021 11:10:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WxY_hjfMuKXZ for <oauth@ietfa.amsl.com>; Mon, 29 Nov 2021 11:10:03 -0800 (PST)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9E623A07C9 for <oauth@ietf.org>; Mon, 29 Nov 2021 11:10:02 -0800 (PST)
Received: by mail-wm1-x335.google.com with SMTP id 77-20020a1c0450000000b0033123de3425so17730427wme.0 for <oauth@ietf.org>; Mon, 29 Nov 2021 11:10:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=X9w69fS4oRbquYdEdcEGc7VJjiLUIbjP03U8DEsF6jI=; b=X9+5EjOCRVqCk3pAIJ8mMjFiyGRWjeW/m0qPqS4IPiOqWHWNKX0St1q5syjrhjSa2J 4AR/90jFRJTqWW9DYkY+f0DrK7ZZDwnC4i8CCkNsfabtPDGnfwZu8BZWYZSIZzsD3BPb 4xTRcwoAurN9HJkDvVntrt+G1hkP2fDxefbeY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=X9w69fS4oRbquYdEdcEGc7VJjiLUIbjP03U8DEsF6jI=; b=IyGTAlp6Fs1gqPoE0lYvmovysAiO8lbmShc7n6jJHnojANYXlpbfEvgsSpqVmG9jCS spuw2r9nSOD/rptjc8gPS2D6tIyefm17k4WPFMqbGzxBgQo9OkeaV0nJIzWipJTB1WA6 XZGHzojnaSTGTIAXNOgYZLuktJzCLoNYDgUAyoBeRp4b2XOyTFQBhV8gK5w6DsAtA8Iv UUKDmFOf9iXpb5uaNtugQfeMA9RTzdVvqzbG6VVp50G09Zhg5NeKVBJY1KX1QJhy/W9R StjSBK/3MB7fD4/ytspTdyrUMHTlAALE+43ibfB1YviUfnVThO405kTpCAm+DRdrhW3z 3rxA==
X-Gm-Message-State: AOAM531KRYAi+YTe9hIhpQzdIQCHycGsL7mUaNaUkeKOfNNtLh6AG14S jMmxmnVn4XwCPsVOODVON9qzQwwxwo8v0Q==
X-Google-Smtp-Source: ABdhPJyVm9o4mTqCF1T/0mq2rOyx5ChoQAIjVBkekJUkwdODrhYvHg2z+VBNkwxNlPsCCIMiN/TJEg==
X-Received: by 2002:a1c:7e41:: with SMTP id z62mr266717wmc.62.1638212999958; Mon, 29 Nov 2021 11:09:59 -0800 (PST)
Received: from [10.0.0.7] (12.87.75.194.dyn.plus.net. [194.75.87.12]) by smtp.gmail.com with ESMTPSA id w15sm14378996wrk.77.2021.11.29.11.09.58 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Nov 2021 11:09:59 -0800 (PST)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <EC811423-50B1-439D-A25A-D5AAD89B6CD3@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0EB258B4-B8E3-4A6B-B650-A28501550355"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.7\))
Date: Mon, 29 Nov 2021 19:09:58 +0000
In-Reply-To: <CA+k3eCTqx_w2d6um+kOW1er9Xe6DhsboXqGxSWWZeKWERUMzfA@mail.gmail.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, oauth@ietf.org
To: Brian Campbell <bcampbell@pingidentity.com>
References: <PH0PR00MB09970FB8EB1884B8BF5A090CF5B09@PH0PR00MB0997.namprd00.prod.outlook.com> <BB556582-2CEC-4A73-ABF3-BFB9EB12B0D0@forgerock.com> <CA+k3eCTqx_w2d6um+kOW1er9Xe6DhsboXqGxSWWZeKWERUMzfA@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/gVxkrJUIKVVuTOlXW8BHtjyTeG4>
Subject: Re: [OAUTH-WG] New Version Notification for draft-ietf-oauth-dpop-04.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2021 19:10:08 -0000
I’m by no means a HTTP caching expert (*), but https://datatracker.ietf.org/doc/html/rfc7234#section-3 <https://datatracker.ietf.org/doc/html/rfc7234#section-3> says that the non-cacheability of responses to requests with Authorization headers only applies to shared caches. So could a user-agent itself cache the response and incorrectly return a stale DPoP-Nonce response on a subsequent request? But I think you’re right that this only applies, at most, to section 8.1, as DPoP only allows the Authorization header for making requests to the RS (unlike RFC 6750). (*) I know a joke about HTTP caching, but I think you’ve already heard it. — Neil > On 29 Nov 2021, at 18:03, Brian Campbell <bcampbell@pingidentity.com> wrote: > > I'm preparing some slides for a DPoP session tomowwo at the OAuth Security Workshop https://barcamps.eu/osw2021/ <https://barcamps.eu/osw2021/> so looking back at some threads like this one trying to compile a list of issues needing attention. The stateful handling of server-supplied nonces is one such topic. I was about to add a topic for Cache-Control but, in doing/thinking about it, I believe that all cases that would use a DPoP-Nonce response header are already not cacheable - response to POST, 401 challenge, response to a request containing an authorization header - so I don't think anything is needed. But let me know if I'm missing something. > > On Wed, Oct 6, 2021 at 1:54 PM Neil Madden <neil.madden@forgerock.com <mailto:neil.madden@forgerock.com>> wrote: > Overall I think thus is good, but I have a few comments/suggestions: > > I think the stateful handling of server-supplied nonces (ie the client reuses the same nonce until the server sends a new one) perhaps needs to be clarified with respect to clients making concurrent requests. Especially clients using multiple access tokens and/or DPoP keys (eg for different users). Is the nonce specific to a particular access token? > > And we also need to consider a client that is itself a cluster of servers - does such a client need to synchronise nonces across instances? Does the AS/RS need to? (I can imagine this getting quite complex with different requests from different client machines hitting different AS/RS servers). > > I think probably any use of the DPoP-Nonce response header should also be accompanied by Cache-Control: private (or no-store) and this should be a MUST. I think we’ve also missed that the DPoP header on requests should also have Cache-Control: no-store added, at least when not sending the access token in an Authorization header. > > It seems slightly odd that the WWW-Authenticate challenge for RS server-supplied nonces isn’t self-contained, but I don’t see anything that says it should be so that is probably ok. (And I can see the consistency argument for using the header). > > It does seem a shame to pay the cost of a challenge-response roundtrip and not to do a key exchange to speed up subsequent requests, but never mind. > > — Neil > >> On 6 Oct 2021, at 17:37, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org <mailto:40microsoft.com@dmarc.ietf.org>> wrote: >> >> >> FYI, I wrote about the nonce support at https://self-issued.info/?p=2194 <https://self-issued.info/?p=2194> and https://twitter.com/selfissued/status/1445789505902899206 <https://twitter.com/selfissued/status/1445789505902899206>. >> >> >> >> -- Mike >> >> >> >> From: OAuth <oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>> On Behalf Of Brian Campbell >> Sent: Monday, October 4, 2021 3:11 PM >> To: oauth <oauth@ietf.org <mailto:oauth@ietf.org>> >> Subject: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-dpop-04.txt >> >> >> >> >> >> WG, >> >> >> >> The collective DPoP co-authors are pleased to announce that a new -04 revision of DPoP has been published. The doc history snippet is copied below for quick/easy reference. The main change here is the addition of an option for a server-provided nonce in the DPoP proof. >> >> >> -04 >> * Added the option for a server-provided nonce in the DPoP proof. >> * Registered the invalid_dpop_proof and use_dpop_nonce error codes. >> * Removed fictitious uses of realm from the examples, as they added >> no value. >> * State that if the introspection response has a token_type, it has >> to be DPoP. >> * Mention that RFC7235 allows multiple authentication schemes in >> WWW-Authenticate with a 401. >> * Editorial fixes. >> >> >> ---------- Forwarded message --------- >> From: <internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>> >> Date: Mon, Oct 4, 2021 at 4:05 PM >> Subject: New Version Notification for draft-ietf-oauth-dpop-04.txt >> To: ... >> >> >> >> >> A new version of I-D, draft-ietf-oauth-dpop-04.txt >> has been successfully submitted by Brian Campbell and posted to the >> IETF repository. >> >> Name: draft-ietf-oauth-dpop >> Revision: 04 >> Title: OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) >> Document date: 2021-10-04 >> Group: oauth >> Pages: 37 >> URL: https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.txt <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.txt> >> Status: https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ <https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/> >> Html: https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html> >> Htmlized: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop> >> Diff: https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-04 <https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-dpop-04> >> >> Abstract: >> This document describes a mechanism for sender-constraining OAuth 2.0 >> tokens via a proof-of-possession mechanism on the application level. >> This mechanism allows for the detection of replay attacks with access >> and refresh tokens. >> >> >> >> >> The IETF Secretariat >> >> >> >> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you. >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > Manage My Preferences <https://preferences.forgerock.com/>, Unsubscribe <https://preferences.forgerock.com/> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
- [OAUTH-WG] Fwd: New Version Notification for draf… Brian Campbell
- Re: [OAUTH-WG] Fwd: New Version Notification for … Mike Jones
- Re: [OAUTH-WG] Fwd: New Version Notification for … Neil Madden
- Re: [OAUTH-WG] Fwd: New Version Notification for … Brian Campbell
- Re: [OAUTH-WG] New Version Notification for draft… Neil Madden
- Re: [OAUTH-WG] New Version Notification for draft… Brian Campbell