Re: [OAUTH-WG] OAuth GREASE

Mike Jones <Michael.Jones@microsoft.com> Thu, 23 April 2020 16:52 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Neil Madden <neil.madden@forgerock.com>, Vladimir Dzhuvinov <vladimir@connect2id.com>
CC: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] OAuth GREASE
Thread-Index: AdYZj537nA0KzPRCRTq0r9xWXlhR1Q==
Date: Thu, 23 Apr 2020 16:52:49 +0000
Message-ID: <CH2PR00MB06788186BFF0F6BBBA0CAB90F5D30@CH2PR00MB0678.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9DeMiq2hZ0ulVdaRxHwYF5RMVR4>

I will point out that OpenID Connect certification tests that the implementation ignores not-understood request parameters.  So at least all the authorization servers that are also certified OpenID Connect implementations should be successfully ignoring not-understood parameters.

I’d personally point out these non-compliant behaviors to the vendors and ask them to fix them.  Their non-compliance makes it harder for clients to interoperate with them, hurting both.  Name names, if that’s what it takes.

-- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Neil Madden
Sent: Thursday, April 23, 2020 2:30 AM
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth GREASE

If a client sends a handful of random additional parameters on authorization requests a compliant AS will already ignore them, so there should be no additional burden on the AS.

However, the ship may already have sailed on the specific issue of request parameters, as there are major deployed services already rejecting unknown parameters. (I won’t name them, but probably a fair proportion of people on this list have an account with at least one of them). Of course, even if they eventually do enable PKCE we won’t start using it until we notice and remove them from the blacklist, so this harms security as well as interoperability.

I’m not saying the situation is anywhere near as bad for OAuth as it is for TLS with all the incompatible middleboxes, but there are definitely some other areas of potential ossification:

- I know of services that error if a published JWKSet has more than one key in it
- some error if there’s a JWK with an unknown “kty” (e.g “okp”) even if they don’t need to use that JWK, same for unknown “crv” values
- there are clients that error if any value in the id_token_signing_alg_values_supported is not one of the original JWS signing algorithms (e.g., “EdDSA”), making it hard to adopt a new signature algorithm

(Basically there are quite a few clients that use JSON mapping tools with enum types - List<JWSAlgorithm>. I know there are parts of our own codebase where we do this too).

I was only semi-serious about GREASE, but I think this is a problem that will only get worse over time.

— Neil


On 23 Apr 2020, at 08:54, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:

I get your frustration with PKCE. It would be a bad policy and example to burden compliant ASes with additional stuff just because a few AS implementations are not complying with the spec. It's not fair and can end up creating all sorts of bad incentives in future.
Vladimir
On 22/04/2020 10:29, Neil Madden wrote:
Section 3.1 of RFC 6749 says (of the authorization endpoint):

   The authorization server MUST ignore unrecognized request parameters.

We hoped to be able to use this to opportunistically apply PKCE - always send a code_challenge in the hope that the AS supports it and there should be no harm if it doesn’t.

Sadly I learned yesterday of yet another public AS that fails hard if the request contains unrecognised parameters. It appears this part of the spec is widely ignored.

Given that this hampers the ability to add new request parameters in future, do we need our own GREASE to prevent these joints rusting tight?

https://www.rfc-editor.org/rfc/rfc8701.html

— Neil

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
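The thread turns on one robustness rule and two related ones: an authorization server MUST ignore request parameters it does not recognise (RFC 6749 section 3.1), and a client should likewise tolerate a JWK it cannot use and a metadata algorithm it does not implement. The following Python is an added illustration by the editor, not code from anyone in this thread; the function names, the parameter whitelist and all sample inputs are constructed for the example. It shows an authorization endpoint that acts on the parameters it knows, honours an opportunistic PKCE code_challenge when present, and records rather than rejects everything else, plus a client side that skips unknown "kty"/"crv" keys in a JWK Set and treats an unknown id_token signing algorithm as merely not selectable.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Parameters this illustrative AS understands: the RFC 6749 authorization
# request parameters plus the PKCE parameters from RFC 7636. The set is
# an assumption of the example, not a normative list.
KNOWN_AUTHZ_PARAMS = {
    "response_type", "client_id", "redirect_uri", "scope", "state",
    "code_challenge", "code_challenge_method",
}
SUPPORTED_PKCE_METHODS = {"S256", "plain"}


def parse_authorization_request(url):
    """Parse an authorization request URL as RFC 6749 section 3.1 requires.

    Returns (known, ignored): the parameters the server acts on and the
    names it silently ignored. An unknown parameter is never an error;
    a missing required parameter or a repeated parameter is.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    known, ignored = {}, []
    for name, values in query.items():
        if len(values) > 1:
            # RFC 6749 3.1: a parameter MUST NOT be included more than once.
            raise ValueError(f"duplicate parameter: {name}")
        if name in KNOWN_AUTHZ_PARAMS:
            known[name] = values[0]
        else:
            ignored.append(name)  # MUST ignore unrecognized parameters
    for required in ("response_type", "client_id"):
        if required not in known:
            raise ValueError(f"missing required parameter: {required}")
    if "code_challenge" in known:
        # Opportunistic PKCE: the client sent a challenge, so bind the code
        # to it; an unsupported method is rejected per RFC 7636 4.4.1.
        method = known.get("code_challenge_method", "plain")
        if method not in SUPPORTED_PKCE_METHODS:
            raise ValueError(f"unsupported code_challenge_method: {method}")
    return known, sorted(ignored)


# Key types and curves this illustrative client implements (assumption).
SUPPORTED_KTY = {"RSA", "EC", "OKP"}
SUPPORTED_CRV = {"P-256", "P-384", "P-521", "Ed25519"}


def usable_keys(jwks_json):
    """Return the JWKs in a JWK Set that this client can actually use.

    A key with an unknown "kty" or "crv" is skipped instead of failing the
    whole set: RFC 7517 section 5 says implementations SHOULD ignore JWKs
    whose "kty" is not understood.
    """
    usable = []
    for jwk in json.loads(jwks_json).get("keys", []):
        kty = jwk.get("kty")
        if kty not in SUPPORTED_KTY:
            continue
        if kty in ("EC", "OKP") and jwk.get("crv") not in SUPPORTED_CRV:
            continue
        usable.append(jwk)
    return usable


def negotiate_id_token_algs(metadata_json, client_algs):
    """Split id_token_signing_alg_values_supported into usable and unknown.

    An AS advertising an algorithm the client lacks (EdDSA in the thread's
    example) must not break the client; the value is simply not chosen.
    """
    advertised = json.loads(metadata_json).get(
        "id_token_signing_alg_values_supported", [])
    usable = [alg for alg in advertised if alg in client_algs]
    unknown = [alg for alg in advertised if alg not in client_algs]
    return usable, unknown


# Constructed sample inputs: placeholder host, client id, challenge and key
# material; none of it refers to a real deployment.
SAMPLE_AUTHZ_URL = (
    "https://as.example/authorize?response_type=code&client_id=client123"
    "&redirect_uri=https%3A%2F%2Fclient.example%2Fcb&state=xyz"
    "&code_challenge=CONSTRUCTED_CHALLENGE&code_challenge_method=S256"
    "&x_future_param=1&grease_7d3e=yes"
)
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa-1", "n": "AQAB", "e": "AQAB"},
    {"kty": "EC", "kid": "ec-1", "crv": "P-256", "x": "x", "y": "y"},
    {"kty": "EC", "kid": "ec-2", "crv": "secp256k1", "x": "x", "y": "y"},
    {"kty": "XYZ", "kid": "future-1"},
]})
SAMPLE_METADATA = json.dumps(
    {"id_token_signing_alg_values_supported": ["RS256", "ES256", "EdDSA"]})

if __name__ == "__main__":
    known, ignored = parse_authorization_request(SAMPLE_AUTHZ_URL)
    print("acting on:", sorted(known), "ignored:", ignored)
    print("usable kids:", [k["kid"] for k in usable_keys(SAMPLE_JWKS)])
    print("id_token algs:", negotiate_id_token_algs(SAMPLE_METADATA, {"RS256", "ES256"}))
```

Logging the ignored names, as the example does, is the cheap defensive counterpart to GREASE: an operator can see which unknown parameters real clients are sending before anyone decides to start rejecting them.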