[OAUTH-WG] Implicit grant and sender constrained token/JPOP/DPOP
Nat Sakimura <sakimura@gmail.com> Tue, 23 July 2019 12:00 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85FF0120221 for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 05:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wpk-g2AgruK8 for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 05:00:52 -0700 (PDT)
Received: from mail-wr1-x429.google.com (mail-wr1-x429.google.com [IPv6:2a00:1450:4864:20::429]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E70D120125 for <oauth@ietf.org>; Tue, 23 Jul 2019 05:00:52 -0700 (PDT)
Received: by mail-wr1-x429.google.com with SMTP id n4so42956713wrs.3 for <oauth@ietf.org>; Tue, 23 Jul 2019 05:00:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=SvsKzQWZa/yEscdz4l9b9LWIuYWGmU8TGa5yfNM6kB4=; b=EaW+R+A1fe9TIhH5k3SOfv/DzbjSXzjjOAvI1xi0G/JIL2bvgrFb7x94MAAJ5FNtaf MLVhXuK8qta9jayldLboNK48aPYARD337UwCNwna0FC+JIY7900wPemFpjoV1P3vgSF6 t8U/KRJR+5mu7UZfbMEyWfm2gGjkYReCGjeQhKP07UHb5EfRdnC2Jqt1aevKGdiXja5e qgm5gdfXkAeDnyDY31NoB2Z3+j/F1YXyzFVgoWLrySlFnGphNLSjNK3wWKXevT1n/UQE OvrmHS6xn3Gy1EGHSLmBi6EkVjr6PkMHKHtchgLhr11yBw5XQuDHaRM7uERjUEjBBGs7 KIeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=SvsKzQWZa/yEscdz4l9b9LWIuYWGmU8TGa5yfNM6kB4=; b=c/uDvCpyURtJz5gmUkF+HkxfBau/5YazFhcQLnf6rdr70LqSQnpv0bqJGXFx31uz6L AymAWQWOf8f9Ft2U5CofGqsw444zAXc4YrcxDqV+MNkFLTVqlu5r2Piw6jZb5FnBIjla IWwXQsSw++ZF93iZdOIcjYjBfCRZYXPSaLrZMcPvvRUi4pe7Qzirtg6rVz9MECrUoISy hxPMahfydUEc9Dov6w2WgGHS3oWD3I9xZPG8nKsaEZ4idAj1ooNHD1Rol4aJTizmjEWA wXxKx+KJpUy2cAe9XhccN2VZGPcDLLAIGTN6hFcjbx1qL0j1/WULLTgFNRSnfQq6wJVM GE4Q==
X-Gm-Message-State: APjAAAV2lqB81gFlClqGK6v+Qap70708gL0fJBg3zxbIcB4i4Fco91Q2 VsQww4ArMxSaWp9phv4RzKqklrOajgFqOtzfm/FWQgVIxmiZfA==
X-Google-Smtp-Source: APXvYqyxRSFLu3mJiMrk+SRnjubAM9oPbgFPi33fKJKOFYelkdLgoYZXFRf4VWXqVGiq+SBi1wWxeIQg3QEZr6ALEQ4=
X-Received: by 2002:adf:a341:: with SMTP id d1mr33215214wrb.260.1563883250084; Tue, 23 Jul 2019 05:00:50 -0700 (PDT)
MIME-Version: 1.0
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 23 Jul 2019 08:00:40 -0400
Message-ID: <CABzCy2Cc1en2YD8G6wUbCFj81AB9rL9j5=W9kLvMrk1xXi-haw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iBxdEoy9PaIwUJ1XA6u5cPn7XAI>
Subject: [OAUTH-WG] Implicit grant and sender constrained token/JPOP/DPOP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 12:00:55 -0000
A while ago, when implicit was almost entirely banned in the Security BCP, I raised voice that the ban should be constrained and the text was modified accordingly. At the time, I probably did not express myself well enough so here is a bit of explanation on what I was thinking about the sender constraining the token. 1. Assumption: The client is a confidential client on a web server. 2. The Client registration is done either through the Developer portal at the AuthZ server or through RFC7591 in which jwks_uri is given. 3. When the client asks for the access token through implicit grant, the AS mints the client_id constrained access token or key constrained access token as in [JPOP] draft and send it back to the client. 4. The client exercises the token against the resource as in [JPOP]. Client ID based JPOP access token works better when the client keys are being refreshed quicker than the expiry of the access token. In the case of DPOP, the key is being specified during the token request, as I understand, so it does not work with implicit grant. When it comes to using the token, the [JPOP] draft only signs over a server created nonce (which can be tied to the URI and the method that the client was trying to access) while [DPOP] signs over client created nonce `jti` together with methods, uri, etc. [JPOP] https://tools.ietf.org/html/draft-sakimura-oauth-jpop-05 [DPOP] https://tools.ietf.org/html/draft-fett-oauth-dpop-02 my 2c. Cheers, Nat Sakimura -- Nat Sakimura (=nat) Chairman, OpenID Foundation http://nat.sakimura.org/ @_nat_en
- [OAUTH-WG] Implicit grant and sender constrained … Nat Sakimura