IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic Client Registration with Native Apps

William Denniss <wdenniss@google.com> Fri, 30 November 2018 07:23 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41484130E74 for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 23:23:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -18.958
X-Spam-Level:
X-Spam-Status: No, score=-18.958 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5XIDvDjadLFw for <oauth@ietfa.amsl.com>; Thu, 29 Nov 2018 23:23:10 -0800 (PST)
Received: from mail-it1-x132.google.com (mail-it1-x132.google.com [IPv6:2607:f8b0:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0BF712F1A2 for <oauth@ietf.org>; Thu, 29 Nov 2018 23:23:09 -0800 (PST)
Received: by mail-it1-x132.google.com with SMTP id g85so7808954ita.3 for <oauth@ietf.org>; Thu, 29 Nov 2018 23:23:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=DMmChKojkP2BkqoHywZIZ0xkLd2XdAbE5VIlwd0ELDc=; b=quOiL1168bM+XCm65i+CNGcBIc5yJB9veEkvpwkB94Gsrb/oTnsjqx6THXa0PLY8co 1wmvr6oO2esW09IK6OXRD2J+o+wz+MI/Bz8aR6WzPGkEYegxnYFlVVgMjT2kwmLn/4uz FCZCqdUH1FLCGcOj+JbGs8a2KGy5ARRAJltbS263KYUjAY7Oz+GoBgbZR3BgxzVT1Dq5 avBUiaIDONN0JV6pXvfPzERXas3RLXC3bkRs9LfMDGIYyG5njqATpjdxOydsYoYYdCu4 3qGpj7Ojbl2AZXysu4n9i0Ywo/ytARQwpTYRz/tNMLGQAQyHL2oWs2wFUPrC9UsRiLXP cNkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=DMmChKojkP2BkqoHywZIZ0xkLd2XdAbE5VIlwd0ELDc=; b=VT+CHi4DjIzuCP13DB/CCqGrsUpXtlOlZRRpfp/H6FRHpjw3/Amu/+1/TOFaSo37QM lVOqYVPtnIL85dR29en+LRIIVOZ+Q2mEBx8N17QGcXw1gEVEBAcqkVLj3yn9u4FmKWCv QwNx8MHK/428KknMaktLQJMmoHPyXCxoxYjC1VAr99/pZKLP9OGoJfVb3n0vdmCncu9i vSL6WVeCMYIO+xqYW0B0mBO8MLaREYZ1ijnrn7aBJxv+fJtD99v87xnEkpLSg4UI4VRU lknUsAn2XrnR5sVYbj05tflKF/jlX662Ghjc3CsA5c3TXFAT96+Y5YbOqiWSTyDOAf/V X70Q==
X-Gm-Message-State: AA+aEWZVY3GUgm9yRGzYqho9QgPk9Pk4GVQTqc79T5tohb+8pK0JBNk+ bKOnrUtD5pHKMUZgDzc4P6O1vgH0BmRFcXJbTqReyw==
X-Google-Smtp-Source: AFSGD/Xe6d2e1dkzv2+2yJNlK7YxMcGSEovKlOk5xPIPf+Beb8ZqxPyzzNBKEbQFc+z0qX/VzpG56Fpdu06bGgiyII0=
X-Received: by 2002:a24:6254:: with SMTP id d81mr4686662itc.162.1543562588674; Thu, 29 Nov 2018 23:23:08 -0800 (PST)
MIME-Version: 1.0
Received: by 2002:a6b:5102:0:0:0:0:0 with HTTP; Thu, 29 Nov 2018 23:22:47 -0800 (PST)
In-Reply-To: <E02ADBF5-DC7E-4BBC-8346-D9D3A53B9FE1@amazon.com>
References: <ef1cc4ac-a85b-ef73-1ba2-3e7d76b3849d@rub.de> <CAAP42hB05ktBPES-vYqy=qrp8wBJM7JnMLomuPGYT8wLFY=SVA@mail.gmail.com> <0bdd9b63-939b-f1db-a87b-8e1e450bb1cc@aol.com> <CALAqi_-YhrC21Kw2TUJs86+bQbXbmo3ar1tvYLgYUZNTJatMTg@mail.gmail.com> <fd7bdf42-cb68-8e95-6e2e-1b5e0c528906@aol.com> <CALAqi_88fq4Ht7MHWxO28B+BcYYNoS0dkZGH85WdYW91oXC36g@mail.gmail.com> <D6AFB7CE-EDBF-4309-BA0C-2A4AAF62D3EA@amazon.com> <065bba73-eade-2f07-038f-8afa708e38be@rub.de> <CAAP42hAhPzm0kvSyuo5CcoGhvm+ymG8ZM7_at-Nh6+Y-AFCtgg@mail.gmail.com> <E02ADBF5-DC7E-4BBC-8346-D9D3A53B9FE1@amazon.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 29 Nov 2018 23:22:47 -0800
Message-ID: <CAAP42hCHmT5iwnzCGZOBgmRDc+eKek_bYyrxK9=tJBOOJcfeaQ@mail.gmail.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
Cc: Christian Mainka <Christian.Mainka@rub.de>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9d777057bdcab70"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/hW06AdxFIs7XDQWgAH0G7OAuji4>
Subject: Re: [OAUTH-WG] Dynamic Client Registration with Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Nov 2018 07:23:15 -0000

On Thu, Nov 29, 2018 at 4:17 PM, Richard Backman, Annabelle <
richanna=40amazon.com@dmarc.ietf.org> wrote:

> > Claimed "https" scheme URIs (RFC 8252, Sec 7.2) can be used to provide
> some identity guarantees…
>
>
>
> Yes, provided that the AS can verify that the claimed URI is a valid URI
> for the identity being asserted by the client. And this identity guarantee
> would apply to an public native app client just as well as one that has
> established a client secret via dynamic client registration.
>

I agree.



>
>
> Section 2.3 of RFC6749 <https://tools.ietf.org/html/rfc6749#section-2.3>
> is relevant here:
>
>
>
> The authorization server MAY establish a client authentication method
>
> with public clients.  However, the authorization server MUST NOT rely
>
> on public client authentication for the purpose of identifying the
>
> client.
>
>
>
> --
>
> Annabelle Richard Backman
>
> AWS Identity
>
>
>
>
>
> *From: *OAuth <oauth-bounces@ietf.org> on behalf of William Denniss
> <wdenniss=40google.com@dmarc.ietf.org>
> *Date: *Thursday, November 29, 2018 at 10:49 AM
> *To: *Christian Mainka <Christian.Mainka=40rub.de@dmarc.ietf.org>
>
> *Cc: *oauth <oauth@ietf.org>
> *Subject: *Re: [OAUTH-WG] Dynamic Client Registration with Native Apps
>
>
>
>
>
> On Thu, Nov 29, 2018 at 6:03 AM Christian Mainka <Christian.Mainka=
> 40rub.de@dmarc.ietf.org> wrote:
>
> Hi,
>
> thanks for pointing this out!
> This was exactly what confused us during reading *-* the main threat we
> see and which is not addressed is related to the app impersonation attack.
> Even PKCE does not help against the app impersonation attack.
>
>
>
> Claimed "https" scheme URIs (RFC 8252, Sec 7.2) can be used to provide
> some identity guarantees (security considerations in Sec 8.6), as the OS
> will only open apps that can verify domain ownership to process the
> redirect. This is what I would recommend as a starting point if you want
> assurances over the app's identity.
>
>
>
> A spoofing app can still use a web-view to intercept the response that
> way, but in that case they'd also have full access to the session cookie
> (due to the use of webview for the sign-in), which is potentially a more
> valuable token (i.e. you have bigger issues). It does effectively prevent
> against tokens issued form the browser SSO session being intercepted by the
> wrong app.
>
>
>
>
>
>
> So a "Native App + Dynamic Client Registration" can be seen at a different
> "confidentiality level" than a "public client", because every native App
> can dynamically register itself on the IdP.
> The IdP cannot distinguish, for example, an honest native client from an
> malicious client starting an app impersonation attack.
>
> We agree that, e.g., a leaked code cannot be redeemed unless you have the
> respective client_id/client_secret.
>
> But... we asked ourselfs, in which cases does a code leak?
>
> 1) In the front-channel. In this case, it is true that no client
> credentials leak and an attacker cannot redeem the code.
>
> 2) In the back-channel. But if this channel is insecure, you directly get
> client credentials (unless client_secret_jwt is used as pointed out by
> George).
>
> So, Dynamic Client Registration only helps if the code leaks alone (as in
> 1.), or if it leaks on different levels (e.g. logfiles).
>
> On the opposite site, if Dynamic Registration is available, an attacker
> can very easily do an app impersonation attack by registering on the IdP.
> To be clear, it is not "impersonation" as in the "one secret per software"
> scenario, because different client_id and client_secret is used, but to the
> best of my knowledge, the IdP cannot distinguish between an honest app and
> an app impersonation client that has simply registered.
>
> In addition, if the IdP supports the dynamic client registration:
>
> How can the IdP distinguish between confidential and public/native clients?
> With respect to the consent page, which must be shown every time for
> native apps, this is an important issue, which should be addressed properly.
>
> Best Regards
> Vladi/Christian
>
>
>
> Am 29.11.18 um 00:38 schrieb Richard Backman, Annabelle:
>
> It should be noted that “traditional” confidential clients with registered return URLs and server-side secrets may provide a higher degree of confidence in the true identity of the client that doesn’t carry over to confidential native app clients. A native app instance’s registration call is necessarily unauthenticated (for the same reasons that statically registered native app clients are public clients), so the Client Impersonation concerns described in section 8.6 of RFC8252<https://tools.ietf.org/html/rfc8252#section-8.6> <https://tools.ietf.org/html/rfc8252#section-8.6> still apply.
>
> --
>
> Annabelle Richard Backman
>
> AWS Identity
>
>
>
>
>
> From: OAuth <oauth-bounces@ietf.org> <oauth-bounces@ietf.org> on behalf of Filip Skokan <panva.ip@gmail.com> <panva.ip@gmail.com>
>
> Date: Wednesday, November 28, 2018 at 9:11 AM
>
> To: George Fletcher <gffletch@aol.com> <gffletch@aol.com>
>
> Cc: oauth <oauth@ietf.org> <oauth@ietf.org>
>
> Subject: Re: [OAUTH-WG] Dynamic Client Registration with Native Apps
>
>
>
> Apologies, I missed the issued in "issued a shared secret", just reading "shared secret" alone is the exact opposite of a per-instance secret. The rest is clear and as you say it brings the benefit of the secret never being sent over the wire (except during the initial registration via TLS).
>
>
>
> Best,
>
> Filip
>
>
>
>
>
> On Wed, Nov 28, 2018 at 6:03 PM George Fletcher <gffletch@aol.com<mailto:gffletch@aol.com> <gffletch@aol.com>> wrote:
>
> It's "confidential" in that the shared secret is unique to that app instance registration (as Dennis described in his response). If an attacker gets my phone and compromises the data stored on my device, they only get the secret for my device. This is no different than a server side client having their client secret compromised through an attack (and in some ways is better because it's instance specific).
>
>
>
> The main point I was trying to make, is that the 'client_secret_jwt' method allows the client to never send the shared secret across the wire as is created in the default OAuth2 HTTP Basic Authentication method.
>
>
>
> Thanks,
>
> George
>
> On 11/28/18 11:03 AM, Filip Skokan wrote:
>
> Hi George,
>
>
>
> #2 doesn't seem confidential, it's still a secret shared amongst installations and anyone reverse engineering the apk, extracting the secret, can form the client_secret_jwt client_assertion with it just fine.
>
>
>
> Best,
>
> Filip
>
>
>
> On Wed, Nov 28, 2018 at 4:48 PM George Fletcher <gffletch=40aol.com@dmarc.ietf.org<mailto:40aol.com@dmarc.ietf.org> <40aol.com@dmarc.ietf.org>> wrote:
>
> In addition, a few additional patterns are enabled...
>
>
>
> 1. The native app can generate a public/private key pair and then use private_secret_jwt as the client credential validation method via the client credentials flow (defined in OpenID Connect).
>
>
>
> 2. Maybe more simply, if the native app is issued a shared secret, the app can use client_secret_jwt method for client authentication which ensures the shared secret never leaves the device. (Again defined in the OpenID Connect spec).
>
>
>
> 3. Once the native app instance has credentials, they can be used for additional securing of app API transactions in addition to just the OAuth2/OpenID Connect flows.
>
>
>
> Thanks,
>
> George
>
> On 11/27/18 3:28 PM, William Denniss wrote:
>
> If the secret is dynamically provisioned then you have a confidential client. Anyone reverse engineering their own installation of the native app would only extract their own client's credentials, as opposed to the shared secret of all installations. Having a confidential client means that requests to the token endpoint (code, refresh) are client authenticated, so PKCE wouldn't be needed.
>
>
>
> On Tue, Nov 27, 2018 at 1:44 AM, Christian Mainka <Christian.Mainka=40rub.de@dmarc.ietf..org<mailto:Christian.Mainka=40rub.de@dmarc.ietf.org> <Christian.Mainka=40rub.de@dmarc.ietf.org>> wrote:
>
> Hi,
>
>
>
> we just stumbled upon this [1] statement:
>
> "Except when using a mechanism like Dynamic Client Registration
>
>    [RFC7591] to provision per-instance secrets, native apps are
>
>    classified as public clients ..."
>
>
>
> What does this mean for us? Native App + Dynamic Client Registration =
>
> Confidential Client?
>
> Which threats are covered if Dynamic Client Registration is used on
>
> Native Apps?
>
>
>
> Best Regards,
>
> Vladi/Christian
>
>
>
> [1]: https://tools.ietf.org/html/rfc8252#section-8.4
>
>
>
> --
>
> Dr.-Ing. Christian Mainka
>
> Horst Görtz Institute for IT-Security
>
> Chair for Network and Data Security
>
> Ruhr-University Bochum, Germany <https://maps.google.com/?q=Bochum,+Germany+%0D%0A+%0D%0A+Universit%C3%A4tsstr.+150&entry=gmail&source=g>
>
>
>
> Universitätsstr. 150 <https://maps.google.com/?q=Bochum,+Germany+%0D%0A+%0D%0A+Universit%C3%A4tsstr.+150&entry=gmail&source=g>, ID 2/463
>
> D-44801 Bochum, Germany
>
>
>
> Telefon: +49 (0) 234 / 32-26796
>
> Fax: +49 (0) 234 / 32-14347
>
> http://nds.rub.de/chair/people/cmainka/
>
> @CheariX
>
>
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org<mailto:OAuth@ietf.org> <OAuth@ietf.org>
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>
>
>
>
> _______________________________________________
>
>
>
> OAuth mailing list
>
>
>
> OAuth@ietf.org<mailto:OAuth@ietf.org> <OAuth@ietf.org>
>
>
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org<mailto:OAuth@ietf.org> <OAuth@ietf.org>
>
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>
>
>
> _______________________________________________
>
>
>
> OAuth mailing list
>
>
>
> OAuth@ietf.org<mailto:OAuth@ietf.org> <OAuth@ietf.org>
>
>
>
> https://www.ietf.org/mailman/listinfo/oauth<https://www..ietf.org/mailman/listinfo/oauth> <https://www..ietf.org/mailman/listinfo/oauth>
>
>
>
>
>
> _______________________________________________
>
> OAuth mailing list
>
> OAuth@ietf.org
>
> https://www.ietf.org/mailman/listinfo/oauth
>
> --
>
> Dr.-Ing. Christian Mainka
>
> Horst Görtz Institute for IT-Security
>
> Chair for Network and Data Security
>
> Ruhr-University Bochum, Germany <https://maps.google.com/?q=Bochum,+Germany+%0D%0A+%0D%0A+Universit%C3%A4tsstr.+150&entry=gmail&source=g>
>
>
>
> Universitätsstr. 150 <https://maps.google.com/?q=Bochum,+Germany+%0D%0A+%0D%0A+Universit%C3%A4tsstr.+150&entry=gmail&source=g>, ID 2/463
>
> D-44801 Bochum, Germany
>
>
>
> Telefon: +49 (0) 234 / 32-26796
>
> Fax: +49 (0) 234 / 32-14347
>
> http://nds.rub.de/chair/people/cmainka/
>
> @CheariX
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email