Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments

Torsten Lodderstedt <torsten@lodderstedt.net> Sun, 07 June 2020 07:22 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31FE73A0B32 for <oauth@ietfa.amsl.com>; Sun, 7 Jun 2020 00:22:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EvmqdtbJBT0o for <oauth@ietfa.amsl.com>; Sun, 7 Jun 2020 00:22:05 -0700 (PDT)
Received: from mail-ed1-x532.google.com (mail-ed1-x532.google.com [IPv6:2a00:1450:4864:20::532]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 840993A0B33 for <oauth@ietf.org>; Sun, 7 Jun 2020 00:22:05 -0700 (PDT)
Received: by mail-ed1-x532.google.com with SMTP id q13so10793499edi.3 for <oauth@ietf.org>; Sun, 07 Jun 2020 00:22:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=2klc+xsH93yDu2YEpHbtyOdvTb8WtR60eQohZNkvQow=; b=0ZI4TUsdLoFZHHy/mTUjcspNCxprljgNoioR7q4KjKheX100vMMaXwyR0zARllNAgA 6p1Dd7TxBxjH5zQzWxDtyHtwDHEab7q93pky5UJE+CPD+0x2J7reEfqXzc9FVPHdhXaD 8GbomTprqQu/4AmUPZ5ic4xgM0h89hM1DPlklVoDj0lwPZ+8IZxR1/6lG1ke1HpzPSVq 8EivjUgAoYAieqEvcWMmS9YaOw3wkXmKDuc92bUa/k8fDZCQnTryZWiiL9JvLbmTUST2 wxr+lOZKOfJwSkzX9itwOUWuHiscyCfe7eVlF/rruTtzy+8q84qY0L7UoqlIvZJJpvs6 a4zA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=2klc+xsH93yDu2YEpHbtyOdvTb8WtR60eQohZNkvQow=; b=Zdw+AytkwarT+HDwWLs21sIUj9kFyEJSXHEpM6kd8XEiUBXn9SpvpVkLFhRxQ/czFn JGdE2s/IDjPcr/q6kgI9ck5OY+c400lKB6UVLLNExdJn06e1IfuxC+8cjgilUm6rZzzY geQ3XkuEUAPIweErz5L6qEVsp4Fc5IPYtClHUuTpOdE/0frl9VL7ybp2oVjuyiaxHaKH 50MXGMZnkfBtD9R/AQcluzJphFxIwJIsHNtl2qs1BgSH/9WHldE0nS8cpQcmRWGPJ9E/ tIR4exXgL7o0zLuoFh6WuAqHR3P6ZbKC7sa3FZGF3GMVTwJRqMsB/ScoH8sQ3wvGfBfB jvpw==
X-Gm-Message-State: AOAM530GEeMCybaAXU+lTbarSEOoIpC9uNmeokxDgIkQpYG+ACe1IHJG mgGDdpkfA4hbmH3ntjlVfDIH7WYh9qM=
X-Google-Smtp-Source: ABdhPJywuOek1hXZqLeg6itvwL7LE6WumuI7rmmeUa2ua/mvPXgOZ7xIpaj5kxWnuDelcM+ZTZB/Qg==
X-Received: by 2002:aa7:c9c9:: with SMTP id i9mr16420151edt.166.1591514522070; Sun, 07 Jun 2020 00:22:02 -0700 (PDT)
Received: from ?IPv6:2003:eb:8f18:4cac:595f:7e6:53fe:b837? (p200300eb8f184cac595f07e653feb837.dip0.t-ipconnect.de. [2003:eb:8f18:4cac:595f:7e6:53fe:b837]) by smtp.gmail.com with ESMTPSA id n16sm4681552ejl.70.2020.06.07.00.22.01 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 07 Jun 2020 00:22:01 -0700 (PDT)
Content-Type: multipart/signed; boundary=Apple-Mail-21CAEC53-F93A-4980-B4F9-A46F19D1F00D; protocol="application/pkcs7-signature"; micalg=sha-256
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Sun, 7 Jun 2020 09:22:00 +0200
Message-Id: <C1441100-0259-48E6-B013-70B74D0AD8E1@lodderstedt.net>
References: <CAOW4vyNXyCm65ifYQ97H1yySU0E-2n1xRPbAau8zLTubUxA+1g@mail.gmail.com>
Cc: oauth <oauth@ietf.org>, George Fletcher <gffletch@aol.com>
In-Reply-To: <CAOW4vyNXyCm65ifYQ97H1yySU0E-2n1xRPbAau8zLTubUxA+1g@mail.gmail.com>
To: Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>
X-Mailer: iPhone Mail (17F75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/h1KL1OV7scrID3-ypkpuVp7Xg18>
Subject: Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jun 2020 07:22:07 -0000

That’s correct for confidential clients.

For a public client, the refresh token is just bound to the client id. DPoP allows binding to an ephemeral key pair for this kind of clients.

> Am 07.06.2020 um 00:57 schrieb Francis Pouatcha <fpo=40adorsys.de@dmarc.ietf.org>rg>:
> 
> 
>> 
>> > Am 05.06.2020 um 22:17 schrieb George Fletcher <gffletch=40aol.com@dmarc..ietf.org>:
>> > 
>> > Secondly, I do think we need a way to allow for the refresh_token to be bound while leaving the access_tokens as bearer tokens. This adds useful security without impacting existing RS deployments.
>> 
>> +1 that’s a very useful feature_______________________________________________
> AFAIK a refresh_token is always bound. What am I missing here?
> -- 
> Francis Pouatcha
> Co-Founder and Technical Lead at adorys
> https://adorsys-platform.de/solutions/