IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)

Brian Campbell <bcampbell@pingidentity.com> Tue, 19 July 2022 16:24 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4361C14F72E for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 09:24:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VH8S_BKxMIZv for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 09:24:32 -0700 (PDT)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECEFBC14F743 for <oauth@ietf.org>; Tue, 19 Jul 2022 09:24:32 -0700 (PDT)
Received: by mail-yb1-xb2c.google.com with SMTP id i206so27391822ybc.5 for <oauth@ietf.org>; Tue, 19 Jul 2022 09:24:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mlOFsVSuqx51CFSNRZ4nw0WUw4+DYt8jBS6EWFlJxwM=; b=OyENgy5svFo+XBAdI3VD9wDkbyVFhOp/sXAConUncaIomYgiLyFVdBRxRJlBtU/H2q gcN2rLf1WP8x5So+7RN5LAd0+0SYnU+3YSuLe0ZZxrnKJ4POz/m8KuaZue4yymTdBlsa Xn32sdEzFwLLf3D2VNrCZBMDkTPOXLhvWplZh9/eQKytJQ3RbfhIr7WVIkyJbzLCHNNG eQSZbq1dXqiNx/0YMRmLsdwHOSrrsrxHW7w0+4xdbEkoArKWJdbz5y/8utrl2i1q3rB8 8+aBZl3Tf/GO3tgQxjpZ0tkFrbj+WmmCnl/DARHvaEsgvAo4m+teoUUQkQhkJm4O8uRm FGuw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mlOFsVSuqx51CFSNRZ4nw0WUw4+DYt8jBS6EWFlJxwM=; b=tn3WXgIMLewLIpjci4oy05oNPqshtwuuBw9UFN6ohaY3OVe2S8i4Qsky1dVwWI21Dx KoblnTVEk2toSNntdVqnbGzlCaS32FcOdNShhiDkiO2AVzuhzbFAzYxpHv1Rx0WpaYq1 zdnvS2fnr00yB8zzCnSoAp0kaP19koHxZSKSzclSqjRM5RhxXcaWfsLiSUI3gyJo2uEz S8xlVmbficjrG8Mk1Vr6Md7n0ZI5HejH+XQks2QQVb6Rr7nlLDROx3Eb0khUYW+MP19R NPK1u7kLmNNsvnX5k4YiYvqQx3WriU2/GYti0HynFoFIJkGDTCYp36+yaXu3waOu1NzK 05pA==
X-Gm-Message-State: AJIora8ld2AYl96TakwCiaf3FfLusit54RBArcIh929+2laZvEYV846E QUZZxsYBktnaFGtF+TGiviw4dUB7kcfPzSccNAhUJavtyM9knUuUjHvfH3P2Jf60sNX89ybtHXb S4sNUTB9rZqDsyg==
X-Google-Smtp-Source: AGRyM1urZkH+gS+mgbFR4L0pILm5PPUt2hJqkMQIIQoT+5rueXhesG7awU6jnao2kP3hM01YvbM0Oz+Xd809U1wt4pE=
X-Received: by 2002:a25:a487:0:b0:670:675a:376a with SMTP id g7-20020a25a487000000b00670675a376amr7500976ybi.437.1658247871334; Tue, 19 Jul 2022 09:24:31 -0700 (PDT)
MIME-Version: 1.0
References: <20211015193847.E6C9E20EBD5@rfc-editor.org> <CA+k3eCTmZHQ9yrokOQLd98t9JWvQB39Qf1Xz2rq=Dm8=JZ_nBw@mail.gmail.com> <CADNypP_WF1FOCncUs8djWqKndz5dXsnD7+uLiFvURmDqEGiCMw@mail.gmail.com> <0BDBCCBF-8292-494E-B2BE-471DE0BCCC58@lodderstedt.net>
In-Reply-To: <0BDBCCBF-8292-494E-B2BE-471DE0BCCC58@lodderstedt.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 19 Jul 2022 10:23:56 -0600
Message-ID: <CA+k3eCREa_eFVKfemNGCVMQG77QJN8c4sq6ufA6PiPR9p8hKVw@mail.gmail.com>
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, RFC Errata System <rfc-editor@rfc-editor.org>, Nat Sakimura <nat@sakimura.org>, dave@tonge.org, Filip Skokan <panva.ip@gmail.com>, Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, oauth <oauth@ietf.org>, paul.wouters@aiven.io
Content-Type: multipart/alternative; boundary="0000000000005228be05e42aeba5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ikBKl03zD1CSfXjg_WenX4J1e7E>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 16:24:36 -0000

The correction is attempting to remove some potential ambiguity that has
been interpreted as JAR's requirement for "client_id" not being applicable
in the context JAR over PAR.

Maybe it should have been an editorial errata rather than technical.

On Tue, Jul 19, 2022 at 7:44 AM Torsten Lodderstedt <torsten@lodderstedt.net>
wrote:

> I’m not sure this requires an update. It basically says „stick the uri you
> get from step 1 into this parameter in step 2“. Does this really require
> use to re-state any further requirements of a proper JAR?
>
> Am 19.07.2022 um 15:15 schrieb Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com
> >:
>
> + Roman and Paul
>
> On Mon, Jul 18, 2022 at 12:25 PM Brian Campbell <
> bcampbell@pingidentity.com> wrote:
>
>> I believe this should be verified. I'm also the one that reported it
>> though. But it's been sitting in reported status for a while now.
>>
>> On Fri, Oct 15, 2021 at 1:38 PM RFC Errata System <
>> rfc-editor@rfc-editor.org> wrote:
>>
>>> The following errata report has been submitted for RFC9126,
>>> "OAuth 2.0 Pushed Authorization Requests".
>>>
>>> --------------------------------------
>>> You may review the report below and at:
>>> https://www.rfc-editor.org/errata/eid6711
>>>
>>> --------------------------------------
>>> Type: Technical
>>> Reported by: Brian Campbell <bcampbell@pingidentity.com>
>>>
>>> Section: 3.
>>>
>>> Original Text
>>> -------------
>>>    Clients MAY use the "request" parameter as defined in JAR [RFC9101]
>>>    to push a Request Object JWT to the authorization server.  The rules
>>>    for processing, signing, and encryption of the Request Object as
>>>    defined in JAR [RFC9101] apply.  Request parameters required by a
>>>    given client authentication method are included in the "application/
>>>    x-www-form-urlencoded" request directly and are the only parameters
>>>    other than "request" in the form body (e.g., mutual TLS client
>>>    authentication [RFC8705] uses the "client_id" HTTP request parameter,
>>>    while JWT assertion-based client authentication [RFC7523] uses
>>>    "client_assertion" and "client_assertion_type").  All other request
>>>    parameters, i.e., those pertaining to the authorization request
>>>    itself, MUST appear as claims of the JWT representing the
>>>    authorization request.
>>>
>>> Corrected Text
>>> --------------
>>>   Clients MAY use the request and client_id parameters as defined in
>>>   JAR [RFC9101] to push a Request Object JWT to the authorization
>>>   server. The rules for processing, signing, and encryption of the
>>>   Request Object as defined in JAR [RFC9101] apply. Request parameters
>>>   required by a given client authentication method are included in the
>>>   application/x-www-form-urlencoded request directly and are the only
>>>   parameters other than request and client_id in the form body (e.g.,
>>>   JWT assertion-based client authentication [RFC7523] uses
>>>   "client_assertion" and "client_assertion_type") HTTP request
>>>   parameters). All authorization request parameters, i.e., those
>>>   pertaining to the authorization request itself, MUST appear as
>>>   claims of the JWT representing the authorization request.
>>>
>>> Notes
>>> -----
>>> That first paragraph of Sec 3 was not properly updated to come inline
>>> with JAR (now RFC9101) when it changed in draft -21 to require "client_id"
>>> in the authorization request in addition to in addition to "request" or
>>> "request_uri" - so is  somewhat ambiguous in maybe suggesting that
>>> "client_id" isn't required. But it is required based on how PAR works and
>>> RFC9101 requiring "client_id".
>>>
>>> Instructions:
>>> -------------
>>> This erratum is currently posted as "Reported". If necessary, please
>>> use "Reply All" to discuss whether it should be verified or
>>> rejected. When a decision is reached, the verifying party
>>> can log in to change the status and edit the report, if necessary.
>>>
>>> --------------------------------------
>>> RFC9126 (draft-ietf-oauth-par-10)
>>> --------------------------------------
>>> Title               : OAuth 2.0 Pushed Authorization Requests
>>> Publication Date    : September 2021
>>> Author(s)           : T. Lodderstedt, B. Campbell, N. Sakimura, D.
>>> Tonge, F. Skokan
>>> Category            : PROPOSED STANDARD
>>> Source              : Web Authorization Protocol
>>> Area                : Security
>>> Stream              : IETF
>>> Verifying Party     : IESG
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email