Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object

Takahiko Kawasaki <taka@authlete.com> Thu, 02 January 2020 08:40 UTC

Return-Path: <taka@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB787120052 for <oauth@ietfa.amsl.com>; Thu, 2 Jan 2020 00:40:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level:
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id roKp6E0ooWP0 for <oauth@ietfa.amsl.com>; Thu, 2 Jan 2020 00:40:39 -0800 (PST)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBA0812000F for <oauth@ietf.org>; Thu, 2 Jan 2020 00:40:38 -0800 (PST)
Received: by mail-wr1-x432.google.com with SMTP id q6so38424733wro.9 for <oauth@ietf.org>; Thu, 02 Jan 2020 00:40:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4tIGRLOnMiq+q52gtTx+LgycVX6pMTuFU6dtrvNSvA4=; b=oyylRwqkWS211l/WfXT5y3uVfsFE7lGFVKiusBtnnu5caZ5r1v5aL8KoniEN6sHnLy hHisJWC/ZnUo0m/XlCEYVuYkka4f+U078fnGJTMDYTAfBfTS0vN1cSDBth+UB6+uGjIs QE/PTaYO6BUfL0Jw5nqpTgFzEVvMrMRjAKGOMhklTzxeyWfnFGGk1vsNL+HxIIXnzEmH G7IDwJ/YecQun/qQJyIv7ICjgYzL9/kUK6F5m+muHtIFmB8f8rdSaMwyDSSyQnldkoil /AZocCLmeMaH7/EzXv9Co9v631USBga7H+pTPbRqL4OIYvCbAkJOME4Xna25ekNfFwmr ZEQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4tIGRLOnMiq+q52gtTx+LgycVX6pMTuFU6dtrvNSvA4=; b=Bf+rId9pk8HlYCptUWl6NIUoEnvIDqInwP7EgjB7yOg5YSAY5uNnT3FPQgFCqqXtte 4d6LamRl5skLX/h77ZoBzBZz9N2ho929QUcsGKiNeYO6UuzbwWi9PI4xfxCjzUTlqd1Q 5PVN2xFWYVSg5UyIxVYh7/lPxKwbXi1PMM+3QONVuA7dnxoqlRlUFdkMRynk+uQVw2Zh zmRGLs+qKmB84SaqTmaDQXeRawkwH6+qaeRrVm2fosAK26YtW5g+pyHITa1ZdSq8lf45 o/SSCzivk5MWAYVA5QERggoiUwj+de7VA6lK/odft74vA1tJOiTAFnCEY7TKXlQYaC5N 1odw==
X-Gm-Message-State: APjAAAVCxNOvHtviapoChbZvS8EitHbaCO9C9hWV3tSN1RwMkH96IOcS KaDw6keteSB02hEbcVcVbtmE9kbcbXWFgd9mofnAS03Zpwg=
X-Google-Smtp-Source: APXvYqzrrPcmV8fLOYu3dJ/0+KID2ZprhhnxA+EQtnxDV+V+gxyfRtrzwZA+81bLIH/O8/iD8B9F+XqY07GSOctqfDI=
X-Received: by 2002:adf:f7c4:: with SMTP id a4mr78476320wrq.332.1577954437302; Thu, 02 Jan 2020 00:40:37 -0800 (PST)
MIME-Version: 1.0
References: <CALAqi_-Ku6Hh3DQDXGR+83Q8jofMzVBcW=7GUnFFzsoG+Ka_1g@mail.gmail.com> <CA+k3eCRRW9oLfdmBXsccc_BVd-Ne8qOR5A4HftpSMkMt2JZLRg@mail.gmail.com> <CALAqi_9s+jXDwfb-HK+sguijR6=R6cPgJMwXhSkU52YQcEkX2A@mail.gmail.com> <CA+k3eCQZdX_DTDzcVaDJ=xaKSa0msjJh2UQvA+ZvhTeEBkTDkw@mail.gmail.com> <CABzCy2BVoutsLiwTDxpOKxOOtiNv59-TKAq=V9498m4OT=79+w@mail.gmail.com> <CAANoGhJnHnrN2aMtgpyTs02bA8v7d5a_M5PgSVcUx1xxHo4CmA@mail.gmail.com> <CABzCy2DM7OwUfOiYK2P6vWttpZm+Y=EWf_NwCvih==gSfXA=dw@mail.gmail.com>
In-Reply-To: <CABzCy2DM7OwUfOiYK2P6vWttpZm+Y=EWf_NwCvih==gSfXA=dw@mail.gmail.com>
From: Takahiko Kawasaki <taka@authlete.com>
Date: Thu, 2 Jan 2020 17:40:26 +0900
Message-ID: <CAHdPCmPjHkrfJvTJaMbqn7es=R1GPUGO8M+ASbUiODLUuWEEGw@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: John Bradley <ve7jtb@ve7jtb.com>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, oauth <oauth@ietf.org>, Nat Sakimura <nat.sakimura@oidf.org>
Content-Type: multipart/alternative; boundary="000000000000b520a9059b2425fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ikhXPXoDeRMNklmrzYkdNafM3AI>
Subject: Re: [OAUTH-WG] JWT Secured Authorization Request (JAR) vs OIDC request object
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jan 2020 08:40:42 -0000

Breaking backward compatibility in this part would mean that OpenID
Certification given to AS implementations with request_uri support will be
invalidated once they support JAR. It also would mean that test cases in
the official conformance suite need to be changed in a
backward-incompatible manner, which would implicitly encourage that all
certified implementations should re-try to get certification.

Changing the spec now might need more three to six months, but it would be
worth considering what we get and lose by saving the months and breaking
backward compatibility.

Best Regards,
Taka

On Wed, Dec 18, 2019 at 4:14 PM Nat Sakimura <sakimura@gmail.com> wrote:

> So, no change is OK?
>
> On Wed, Dec 11, 2019 at 10:01 PM John Bradley <ve7jtb@ve7jtb.com> wrote:
>
>> I also slightly prefer the merge approach.
>>
>> There are plusses and minuses to both.
>>
>> Changing again now that it is past ISEG review and backing out a Discuss
>> will add another three to six months at this point, if we can get them to
>> agree to the change.
>>
>> John B.
>>
>> On Tue, Dec 10, 2019, 11:29 PM Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>> Correct. The WG supported the precedence approach and even merge just
>>> like OIDC as it is very useful from the implementation point of view and
>>> helps with a bunch of deployment patter.
>>>
>>> The push back came in from the Ben Campbell’s DISCUSS.
>>> See
>>>
>>> https://bitbucket.org/Nat/oauth-jwsreq/issues/70/bc-the-current-text-actually-specifies-the
>>>
>>> I am willing to go either way as long as people agree. My slight
>>> preference is to the original approach.
>>>
>>> Best,
>>>
>>> Nat Sakimura
>>>
>>> 2019年8月29日(木) 6:56 Brian Campbell <bcampbell=
>>> 40pingidentity..com@dmarc.ietf.org <40pingidentity.com@dmarc.ietf.org>>g>>:
>>>
>>>> FWIW, as best I can remember the change in question came as I result of directorate/IESG
>>>> review rather than a WG decision/discussion. Which is likely why you can't
>>>> find the "why" anywhere in the mailing list archive.
>>>>
>>>> On Wed, Aug 28, 2019 at 3:23 PM Filip Skokan <panva.ip@gmail.com>
>>>> wrote:
>>>>
>>>>> Well it kind of blows, doesn't it? I wasn't able to find the "why"
>>>>> anywhere in the mailing list archive around the time this was changed.
>>>>>
>>>>> My take on satisfying both worlds looks like this
>>>>>
>>>>> - allow just JAR - no other params when possible.
>>>>>     (which btw isn't possible to do with request_uri when enforcing
>>>>> client based uri whitelist and the jwsreq 5.2.2 shows as much)
>>>>> - enforce the "dupe behaviours" defined in OIDC (if response_type or
>>>>> client_id is in request object it must either be missing or the same in
>>>>> regular request).
>>>>> - allows merging request object and regular parameters with request
>>>>> object taking precedence since it is a very useful feature when having
>>>>> pre-signed request object that's not one time use and clients using it wish
>>>>> to vary state/nonce per-request.
>>>>>
>>>>> I wish the group reconsidered making this breaking change from OIDC's
>>>>> take on request objects - allow combination of parameters from the request
>>>>> object with ones from regular parameters (if not present in request object).
>>>>>
>>>>> S pozdravem,
>>>>> *Filip Skokan*
>>>>>
>>>>>
>>>>> On Wed, 28 Aug 2019 at 23:02, Brian Campbell <
>>>>> bcampbell@pingidentity.com> wrote:
>>>>>
>>>> Filip, for better or worse, I believe your assessment of the situation
>>>>>> is correct. I know of one AS that didn't choose which of the two to follow
>>>>>> but rather implemented a bit of a hybrid where it basically ignores
>>>>>> everything outside of the request object per JAR but also checks for and
>>>>>> enforces the presence and value of the few regular parameters (client_id,
>>>>>> response_type) that OIDC mandates.
>>>>>>
>>>>>> On Tue, Aug 27, 2019 at 5:47 AM Filip Skokan <panva.ip@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello everyone,
>>>>>>>
>>>>>>> in an earlier thread I've posed the following question that might
>>>>>>> have gotten missed, this might have consequences for the existing
>>>>>>> implementations of Request Objects in OIDC implementations - its making
>>>>>>> pure JAR requests incompatible with OIDC Core implementations.
>>>>>>>
>>>>>>> draft 14 of jwsreq (JAR) introduced this language
>>>>>>>
>>>>>>> The client MAY send the parameters included in the request object
>>>>>>>> duplicated in the query parameters as well for the backward
>>>>>>>> compatibility etc.
>>>>>>>>
>>>>>>>> *However, the authorization server supporting thisspecification
>>>>>>>> MUST only use the parameters included in the requestobject. *
>>>>>>>
>>>>>>>
>>>>>>> Server MUST only use the parameters in the Request Object even if the
>>>>>>>> same parameter is provided in the query parameter.  The
>>>>>>>> Authorization
>>>>>>>
>>>>>>>
>>>>>>> The client MAY send the parameters included in the request object
>>>>>>>> duplicated in the query parameters as well for the backward
>>>>>>>> compatibility etc.
>>>>>>>>
>>>>>>>> *However, the authorization server supporting thisspecification
>>>>>>>> MUST only use the parameters included in the requestobject. *
>>>>>>>
>>>>>>>
>>>>>>> Nat, John, everyone - *does this mean a JAR compliant AS ignores
>>>>>>> everything outside of the request object while OIDC Request Object one
>>>>>>> merges the two with the ones in the request object being used over ones
>>>>>>> that are sent in clear?* The OIDC language also includes sections
>>>>>>> which make sure that some required arguments are still passed outside of
>>>>>>> the request object with the same value to make sure the request is "valid"
>>>>>>> OAuth 2.0 request (client_id, response_type), something which an example in
>>>>>>> the JAR spec does not do. Not having this language means that existing
>>>>>>> authorization request pipelines can't simply be extended with e.g. a
>>>>>>> middleware, they need to branch their codepaths.
>>>>>>>
>>>>>>> Is an AS required to choose which of the two it follows?
>>>>>>>
>>>>>>> Thank you for clarifying this in advance. I think if either the
>>>>>>> behaviour is the same as in OIDC or different this should be called out in
>>>>>>> the language to avoid confusion, especially since this already exists in
>>>>>>> OIDC and likely isn't going to be read in isolation, especially because the
>>>>>>> Request Object is even called out to be already in place in OIDC in the JAR
>>>>>>> draft.
>>>>>>>
>>>>>>> Best,
>>>>>>> *Filip*
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>
>>>>>>
>>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>>> privileged material for the sole use of the intended recipient(s).. Any
>>>>>> review, use, distribution or disclosure by others is strictly prohibited.
>>>>>> If you have received this communication in error, please notify the sender
>>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>>> your computer. Thank you.*
>>>>>
>>>>>
>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>> privileged material for the sole use of the intended recipient(s). Any
>>>> review, use, distribution or disclosure by others is strictly prohibited..
>>>> If you have received this communication in error, please notify the sender
>>>> immediately by e-mail and delete the message and any file attachments from
>>>> your computer. Thank you.*
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>