Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00
Takahiko Kawasaki <taka@authlete.com> Wed, 19 May 2021 09:28 UTC
References: <634f7b10-bb26-e05c-7d79-566c893c32b6@hackmanit.de> <CADNypP_P=bdtSHmX0aM4eK4yw+8n9HYnnS6ERVdOC_x7U3spZw@mail.gmail.com> <CA+k3eCQboyohxe=u8wxtA9RyVhy=E4sMDkdsn76x3Xk19asVMA@mail.gmail.com> <b70f1d84-f395-9272-754d-61becb8e9aec@hackmanit.de>
In-Reply-To: <b70f1d84-f395-9272-754d-61becb8e9aec@hackmanit.de>
From: Takahiko Kawasaki <taka@authlete.com>
Date: Wed, 19 May 2021 18:28:40 +0900
Message-ID: <CAHdPCmPdEoo4+rOyFdr7hW2J9AEgbLk1_YHPxiy=CfXqeeW-Cw@mail.gmail.com>
To: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hOFXaB_Q-FtmFV4xGCmJJz2Mu9E>
Hi Karsten,

I've read the specification and implemented it. I think that the specification is good enough for implementers.

Actually, the latest version of my company's product supports the specification and has already been rolled out. The release note of the version mentions the specification. If you are interested, please visit the page:

https://www.authlete.com/developers/relnotes/2.2.2/#oauth-2-0-authorization-server-issuer-identifier-in-authorization-response

Best Regards,
Takahiko Kawasaki

On Wed, May 19, 2021 at 3:45 PM Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> wrote:

> Hi Brian,
>
> thank you for your feedback.
>
> I agree that the language is too strong here. What do you think about this new note?
>
> Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)" [JARM] defines a mechanism that conveys all authorization response parameters in a JWT. This JWT contains an iss claim that provides the same protection if it is validated as described in Section 2.4. Therefore, an additional iss authorization response parameter as defined by this document MUST NOT be used when JARM is used.
>
> Best regards,
> Karsten
>
> On 15.05.2021 00:35, Brian Campbell wrote:
>
> Overall it looks pretty good to me.
> One little nit is that I don't love this text from the end of sec 2.4 that talks about JARM:
>
> 'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)" [JARM] forbids the use of additional parameters in the authorization response. Therefore, the iss parameter MUST NOT be used when JARM is used. However, JARM responses contain an iss claim that provides the same protection if it is validated as described in Section 2.4.'
>
> JARM doesn't exactly forbid additional parameters but rather just wraps up all the authorization response parameters as claims in a JWT which is itself sent as a single form/query/fragment parameter. So really the iss authorization response parameter of this draft is still sent as a claim of the JARM JWT. It just happens to be the same as the iss claim value that JARM is already including.
>
> On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>
>> All,
>>
>> We have not seen any comments on this document.
>> Can you please review the document and provide feedback, or indicate that you have reviewed the document and have no concerns.
>>
>> Regards,
>> Rifaat & Hannes
>>
>>
>> On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> wrote:
>>
>>> Hi all,
>>>
>>> the latest version of the security BCP references draft-ietf-oauth-iss-auth-resp-00 as a countermeasure to mix-up attacks.
>>>
>>> There have not been any concerns with the first WG draft version so far:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
>>>
>>> I would like to ask the WG if there are any comments on or concerns with the current draft version.
>>>
>>> Otherwise I hope we can move forward with the next steps and hopefully finish the draft before/with the security BCP.
>>>
>>> Best regards,
>>> Karsten
>>>
>>> --
>>> Karsten Meyer zu Selhausen
>>> Senior IT Security Consultant
>>> Phone: +49 (0)234 / 54456499
>>> Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>>>
>>> Is your OAuth or OpenID Connect client vulnerable to the severe impacts of mix-up attacks? Learn how to protect your client in our latest blog post on single sign-on: https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
>>>
>>> Hackmanit GmbH
>>> Universitätsstraße 60 (Exzenterhaus)
>>> 44789 Bochum
>>>
>>> Register court: Amtsgericht Bochum, HRB 14896
>>> Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Karsten Meyer zu Selhausen
> Senior IT Security Consultant
> Phone: +49 (0)234 / 54456499
> Web: https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training
>
> Would you like to familiarise yourself with Single Sign-On or the OAuth and OpenID Connect standards for a project?
> Then register now for your Introduction to Single Sign-On, OAuth and OpenID Connect on Wednesday, 09.06.2021, from 10:00 to 14:30! https://www.hackmanit.de/de/schulungen/uebersicht/139-einfuehrung-in-single-sign-on-oauth-und-openid-connect
>
> Hackmanit GmbH
> Universitätsstraße 60 (Exzenterhaus)
> 44789 Bochum
>
> Register court: Amtsgericht Bochum, HRB 14896
> Managing directors: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
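The client-side check that both versions of the note rely on, shown for the two cases the thread contrasts: a plain query/fragment response carrying the draft's `iss` parameter, and a JARM response where the same protection comes from the `iss` claim inside the response JWT. This is an added example and is not code from any message in this thread, from the draft, or from Authlete's product. It assumes the client remembers, per `state`, which authorization server it sent the request to, and it signs the JARM JWT with HS256 over a constructed shared secret purely to stay dependency-free (a real client verifies the AS's asymmetric signature with keys from its JWKS). The names `PendingRequest`, `MixUpError`, `validate_plain_response` and `validate_jarm_response` are this example's own.

```python
"""Client-side issuer check for OAuth 2.0 authorization responses.

Added example; not code from the thread, the draft, or Authlete.
Case 1: plain response carrying the draft's `iss` parameter.
Case 2: JARM response; the `iss` claim inside the verified JWT gives the
        same protection, and no separate `iss` parameter is consulted.
Assumption: HS256 with a constructed shared secret stands in for the
AS's real (asymmetric) JARM signature; all names below are invented here.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs


@dataclass(frozen=True)
class PendingRequest:
    """What the client remembered when it redirected the user, keyed by `state`."""
    state: str
    expected_issuer: str   # issuer identifier of the AS the request was sent to
    client_id: str


class MixUpError(Exception):
    """Raised when the response must not be processed any further."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Compact JWS (HS256); stands in for the AS's JARM signer in this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Verify the JWS and return its claims; the alg is pinned, not taken from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise MixUpError("malformed JWT")
    header, payload, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise MixUpError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise MixUpError("bad signature")
    return json.loads(_b64url_decode(payload))


def _single_values(query: str) -> Dict[str, str]:
    """Flatten the query/fragment; RFC 6749 forbids repeated response parameters."""
    parsed = parse_qs(query, strict_parsing=True)
    if any(len(v) != 1 for v in parsed.values()):
        raise MixUpError("duplicate response parameter")
    return {k: v[0] for k, v in parsed.items()}


def _check_issuer(got: Optional[str], req: PendingRequest) -> None:
    # The client is assumed to talk only to servers it configured as sending
    # the issuer, so a missing value is an error rather than a fallback.
    if got is None:
        raise MixUpError("issuer missing from response")
    if got != req.expected_issuer:
        raise MixUpError(f"issuer mismatch: got {got!r}, expected {req.expected_issuer!r}")


def validate_plain_response(query: str, pending: Dict[str, PendingRequest]) -> Dict[str, str]:
    """Case 1: the `iss` parameter must equal the issuer the request went to."""
    params = _single_values(query)
    req = pending.get(params.get("state", ""))
    if req is None:
        raise MixUpError("unknown or missing state")
    _check_issuer(params.get("iss"), req)
    return params


def validate_jarm_response(query: str, pending: Dict[str, PendingRequest],
                           secret: bytes, now: float) -> dict:
    """Case 2: only claims inside the verified JWT are trusted; any top-level
    parameter beside `response` is unauthenticated and never consulted."""
    params = _single_values(query)
    if "response" not in params:
        raise MixUpError("JARM response parameter missing")
    claims = verify_hs256(params["response"], secret)
    req = pending.get(claims.get("state", ""))
    if req is None:
        raise MixUpError("unknown or missing state")
    _check_issuer(claims.get("iss"), req)     # same check as case 1, via the iss claim
    if claims.get("aud") != req.client_id:    # JARM also binds the response to the client
        raise MixUpError("aud mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise MixUpError("response expired or has no exp")
    return claims
```

The point of keeping `_check_issuer` shared is the one Brian makes above: whether the issuer arrives as a bare `iss` parameter or as the `iss` claim of the JARM JWT, the client performs the identical comparison against the issuer it stored when it started the flow, and aborts on mismatch before exchanging the code.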