Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata
Tom Jones <thomasclinganjones@gmail.com> Sat, 26 August 2023 15:12 UTC
Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1F8FC14CE46 for <oauth@ietfa.amsl.com>; Sat, 26 Aug 2023 08:12:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZc9llGq6ihc for <oauth@ietfa.amsl.com>; Sat, 26 Aug 2023 08:12:25 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70B8DC14CE25 for <oauth@ietf.org>; Sat, 26 Aug 2023 08:12:25 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2bd001539bdso1650121fa.1 for <oauth@ietf.org>; Sat, 26 Aug 2023 08:12:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1693062743; x=1693667543; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=r5FBr48gSBYbP1EyR84UeKoOypFx2Ek3yCyrtP+135Y=; b=TXg17orfy2Fx9iCxcZyYG3lCdhGJs5GMhab6wj3uPNjO6FrrYEBVxTCT+G0sGuNkrl xOzG35Rkfwj1n4NhhbhvUrbPTRVN8YiwZFnLgw7eh0S0/SfIZss7CAv+U0OkMMi8YyRs InOkrEXmFmp8MxpyRV+71d8jyPjPSAQxpCL2C5DmJCpl2rkvf43xgLeUNab1UFNH4kUH Ux2FU/szdEbCTJ5QyFKua2V5s7Fw9ECyossPQCPKxFronqn016cGZ94O917XQSpYbQBt +V0myfcS9VA9h0JtiQ/TDPwLWD/SHNOAYt28L+p9iTE0hbls7+4vdxQSO28BzEyPVPDZ Qkfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693062743; x=1693667543; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=r5FBr48gSBYbP1EyR84UeKoOypFx2Ek3yCyrtP+135Y=; b=mFTVMGHGopmO3VBmXOj1cddmFSe4FQDtnslCo8K5O+p18kUYqJJ4zkEJyKrppj2b5M Io55XnMHB8m44nbvZo2AqzxhCXINBapvMNxOdlkaxKSuW3b1ilhWEfhYtAbnIzetuhgr pHDF1vlbu2MVQEyaHIfkOH4OtwX0Tqh7lRfGsTBor+YRbkQt/DKAqDQwUjSpXOGaJ88w 6ULHrMO7clssaEn9um7j7Sy41usS50urVNH14Rt3eimlmmmTHuyWijxDNcgseXp122JA 6mEorhfvArnW60CcRvE7wlpybbceM4rGIpknZNW+iw+uDpe51XZR05SEnAUYLOGy30LU HWPA==
X-Gm-Message-State: AOJu0YxH+zsN0HbEx/1VZfcDZ8ZTCMUUdWdYvdHHPyAYxy2cJ87kLOGZ Quiy26gQoVSGONaHR121b3DbAwT3qx8Lp7Ls1DQ=
X-Google-Smtp-Source: AGHT+IFkYWant8qMf6Ypivl1BHQe9x2V4hUaU5uI5XDjG6Uj29dT7zvpyQvJIFzoFdDEEeuVBYk8ebYL2TfsJb4M1Ko=
X-Received: by 2002:a05:651c:2112:b0:2b9:54bd:caed with SMTP id a18-20020a05651c211200b002b954bdcaedmr16257887ljq.1.1693062743350; Sat, 26 Aug 2023 08:12:23 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP_ve-rMFrioC0LS=NowESnTn1LSOU0pV4=K8hht4zy+Nw@mail.gmail.com> <CAODMz5FsmR7mxGuZk5=bOg4zP9PEAHhsWbnK7uvU_Q3ATKuc8g@mail.gmail.com> <CAGBSGjpWB5ynNQM5fLUwd9SoaN8hs-87aiMxPk4km9jVrfLHqw@mail.gmail.com> <CAODMz5GuGUhZWJZrbkGW_Pj0LefDQqsSCd++4ODMJBKCwR1Wcw@mail.gmail.com> <CAD9ie-sgqfEF+Gf-XFVyeUF9QSbnXxryG+7Nb1bmp0cva2ssQA@mail.gmail.com>
In-Reply-To: <CAD9ie-sgqfEF+Gf-XFVyeUF9QSbnXxryG+7Nb1bmp0cva2ssQA@mail.gmail.com>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Sat, 26 Aug 2023 08:12:11 -0700
Message-ID: <CAK2Cwb6nF5p8S0HD-cFjXWcN1HJxr1Tih8mhk-0m1P2bvXEj9Q@mail.gmail.com>
To: Dick Hardt <Dick.Hardt@gmail.com>
Cc: Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org>, Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006660d70603d4e3e8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iyPMhqkn6mYnspK0l6-iaoR-aTA>
Subject: Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Aug 2023 15:12:29 -0000
The security reason for exclusion of error codes and other information is that the data helps the attacker subvert the app. I continue my attempt to avoid helping the attacker. thx ..Tom (mobile) On Sat, Aug 26, 2023, 7:58 AM Dick Hardt <dick.hardt@gmail.com> wrote: > Jaimandeep: Do I understand your objection to adoption is that providing a > resource discovery endpoint increases the attack surface as an > attacker gains knowledge about the resource? > > If I understand that correctly, then you are suggesting security through > obscurity. > > As mentioned by Aaron, there is no requirement for a resource to support > the resource metadata, and the metadata itself could be protected. > > Practically though, I believe the argument that security is improved by > not having a resource discovery endpoint is false. Most resources have > publicly available documentation which will contain the same information, > and while the docs are not necessarily machine readable, LLMs can make it > pretty accessible. > > Even if you wanted to keep it secret, if applications that use the > resource are readily available, how the applications interact with the > resource can be discerned through reverse engineering. > I think that a security consideration calling out that a malicious actor > more readily has access to the protected resource metadata is an adequate > response. > > For my use case, the protected resource metadata is required for the > functionality I plan to implement. The AS has no prior knowledge about the > protected resource, and when a request is made, the AS learns about the PR > and presents the user with an experience based on the metadata for the user > to make a decision to grant access. > > /Dick > > > > On Fri, Aug 25, 2023 at 8:29 PM Jaimandeep Singh <jaimandeep.phdcs21= > 40nfsu.ac.in@dmarc.ietf.org> wrote: > >> Hi Aaron, >> >> Thx for your suggestions. I have reviewed the recordings and I would >> suggest following: >> >> 1. Design Consideration: The two components of the OAuth 2.0 ecosystem >> authorization server (step 1) and protected resource server (step 2) may >> appear independent, but from systems perspective there is a linear >> dependency between them. Directly engaging with step 2, even in a limited >> capacity, threatens the established sequence and poses substantial security >> and architectural implications. >> >> 2. Information Disclosure: Say I have my HIPPA record stored on a >> protected resource server, I don't want any app to even know that I have >> such a resource available with a protected resource server in the first >> place. The concept of exposing the mere existence of such data raises a >> glaring concern. Looking at Google, it has a fine-grained authorization >> strategy that meticulously limits access for its RESTRICTED scopes only to >> apps that meet certain security benchmarks. Once, the malicious apps come >> to know of the prized data at the resource server, it will lead to targeted >> phishing attacks, as was highlighted during the 117 meeting, underscoring >> the fragility of this approach. >> >> 3. The Imperative of Gradation and Minimal Exposure: Even if we have to >> go down this path, there is a definite need to mitigate the perils of >> overexposure. Instead we can look at gradation strategy, wherein the scopes >> could be categorized into levels, spanning from generic (Level 0) to >> tightly controlled (Level 5) access. There is no requirement of >> secondary URI in this appch. For instance, the sensitive scopes like level >> 3 and above, may mandate clients to support DPoP and OAuth 2.1. There is no >> need to divulge if a particular resource is present or not and not even the >> address of the authorization server. >> >> Thanks >> Jaimandeep Singh >> >> >> On Sat, Aug 26, 2023 at 7:03 AM Aaron Parecki <aaron= >> 40parecki.com@dmarc.ietf.org> wrote: >> >>> Hi Jaimandeep, >>> >>> As with many OAuth extensions, this is not obligatory to implement >>> unless you need the functionality it provides. Many of the concerns you >>> mention are referenced in the security considerations section of the draft >>> already, and we would of course be happy to further expand that section as >>> appropriate. >>> >>> As we presented during the last two IETF meetings, there are many use >>> cases that would benefit from this draft that currently don't have an >>> interoperable solution. I would suggest you review those presentation >>> recordings so better understand the use cases. >>> >>> Aaron >>> >>> >>> >>> >>> On Fri, Aug 25, 2023 at 12:31 PM Jaimandeep Singh <jaimandeep.phdcs21= >>> 40nfsu.ac.in@dmarc.ietf.org> wrote: >>> >>>> I do not support the adoption because of following: >>>> >>>> 1. Increased Attack Surface and Information Disclosure: The proposed >>>> draft inherently expands the attack surface by allowing the retrieval of >>>> detailed information about the protected resources held with a >>>> particular resource server, as outlined in section 3.1. We are >>>> inadvertently exposing the resources supported by the protected resource >>>> server. The secondary URIs which correspond to each of the protected >>>> resources further expands the potential attack vectors. To illustrate, if a >>>> protected resource server supports resources from 1 to 10, and a client >>>> requests metadata for all these resources, it leads to 11 requests (1 + >>>> 10). This exposes a total of 11 URIs to potential attackers with >>>> information disclosure. >>>> >>>> 2. Lack of Client Verification and Potential DDoS Vulnerability: There >>>> is absence of client application verification before it accesses the APIs. >>>> This can lead to the possibility of malicious client applications >>>> initiating Distributed Denial of Service (DDoS) attacks. >>>> >>>> 3. Impact on Processing Time due to Multiple Resources: The need to >>>> wildcard match/support numerous secondary URIs based on the number of >>>> protected resources could lead to increased processing time. >>>> >>>> 4. Strengthening the Existing System with Adequate Error Codes: Our >>>> existing OAuth RFC, can handle this issue gracefully by incorporating error >>>> codes. This ensures that, at the very least, access tokens are verified >>>> before any specific information is disclosed. >>>> >>>> Thanks >>>> Jaimandeep Singh >>>> >>>> On Thu, Aug 24, 2023 at 12:32 AM Rifaat Shekh-Yusef < >>>> rifaat.s.ietf@gmail.com> wrote: >>>> >>>>> All, >>>>> >>>>> This is an official call for adoption for the *Protected Resource >>>>> Metadata* draft: >>>>> https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/ >>>>> >>>>> Please, reply on the mailing list and let us know if you are in favor >>>>> of adopting this draft as WG document, by *Sep 6th.* >>>>> >>>>> Regards, >>>>> Rifaat & Hannes >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>> >>>> >>>> -- >>>> Regards and Best Wishes >>>> Jaimandeep Singh >>>> LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >> >> -- >> Regards and Best Wishes >> Jaimandeep Singh >> LinkedIn <http://www.linkedin.com/in/jaimandeep-singh-07834b1b7> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Call for adoption - Protected Resource… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Dick Hardt
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Michael Jones
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Orie Steele
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Pieter Kasselman
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Giuseppe De Marco
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Michael Prorock
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Nicole Roy
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Steinar Noem
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Heather Flanagan
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Tobias Looker
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Aaron Parecki
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Amir Sharif
- Re: [OAUTH-WG] Call for adoption - Protected Reso… David Waite
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Leif Johansson
- Re: [OAUTH-WG] Call for adoption - Protected Reso… John Bradley
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Oliver Terbu
- Re: [OAUTH-WG] [External Sender] Call for adoptio… George Fletcher
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Neil Madden
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Michael Schwartz
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Aaron Parecki
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Dick Hardt
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Tom Jones
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Dick Hardt
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Neil Madden
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Joseph Heenan
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Daniel Fett
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Takahiko Kawasaki
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Atul Tulshibagwale
- Re: [OAUTH-WG] [External Sender] Re: Call for ado… George Fletcher
- Re: [OAUTH-WG] [External Sender] Re: Call for ado… Atul Tulshibagwale
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Brian Campbell
- Re: [OAUTH-WG] Call for adoption - Protected Reso… Atul Tulshibagwale