IETF Logo Mail Archive

Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

Warren Parad <wparad@rhosys.ch> Sat, 15 August 2020 16:27 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E6113A0F9D for <oauth@ietfa.amsl.com>; Sat, 15 Aug 2020 09:27:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjYK_ZG3CopH for <oauth@ietfa.amsl.com>; Sat, 15 Aug 2020 09:27:31 -0700 (PDT)
Received: from mail-qt1-x82b.google.com (mail-qt1-x82b.google.com [IPv6:2607:f8b0:4864:20::82b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ADD03A0F25 for <oauth@ietf.org>; Sat, 15 Aug 2020 09:27:31 -0700 (PDT)
Received: by mail-qt1-x82b.google.com with SMTP id k18so9266159qtm.10 for <oauth@ietf.org>; Sat, 15 Aug 2020 09:27:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3B9cjXUU+EpJeczfu+8AK4A04kUIWvWwjJjcaoZyF00=; b=kSElZGZSPHrkG88LvPfOLcBQwKbhK28kVNSSgkcyYhMkQb0XVx+0e8UycykGTInf/A 77R5Qre4o5DU0TWDR1m7rr1vKNdNS9RknapPD9qGJ2955PqL4k5aFxh8TB0MppK1Fy8N vAyXvmhzufcRru/kZW7wocAWLLsb4vECBITBI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3B9cjXUU+EpJeczfu+8AK4A04kUIWvWwjJjcaoZyF00=; b=e3QrszF+wbEETPlEnKyukmFkrxX+5QJpoW/rQk3CCZl4Km2DX1D8wCK9NNN5XEbsSb rqaMJQeqyODV3VxrfH8SGjLZheKtD5teY2HxrsLvhyAGNze8mIXPISV/aoH8HLAn9wGZ 5P5I6VYBxn8bYQtybyUTSUQN3hmjlYRgUQbnWbLgTSvl6wWUpP2003vu9KjgGYjVC3pC umpV6FEP13tpWUTVcp73TA0sjO/fiCamN5FACRH9ILyEfrXi9rgMeFxza9z+ks+rU88U tM1zYsDMI4yJSkHndPNrprMz5lwChwjk6TUQTiMMTtlTKl9kWxBq6KDaVptZ/8i/oOiK hq8g==
X-Gm-Message-State: AOAM532OU7Srq96lntGLrscx1uONEPJsFB4bFkmSJ937ZFsk80y8Is/S anm+YwpGJcfPoUZ06+oLMT1RedKSFIXnYGL5v2Lh/hNK0ntU
X-Google-Smtp-Source: ABdhPJwvW3IHS6XwT5EFgY8PuVlxJOMp2Dv9bQs2O6K53uihPhfM0os1xImLrKgg4L3p78tJLQy3r8xB9RaCaNOi0JQ=
X-Received: by 2002:ac8:688e:: with SMTP id m14mr6827143qtq.7.1597508850232; Sat, 15 Aug 2020 09:27:30 -0700 (PDT)
MIME-Version: 1.0
References: <MN2PR00MB06863A1064A05D8029C44788F5431@MN2PR00MB0686.namprd00.prod.outlook.com> <CALAqi_9M40enpWOMO2h5rVdiveOxh6hnA1ZLc9EJJ-H_Fp59+g@mail.gmail.com> <c9620f5f-55f2-9b85-61ad-bac5dc1e9877@connect2id.com>
In-Reply-To: <c9620f5f-55f2-9b85-61ad-bac5dc1e9877@connect2id.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Sat, 15 Aug 2020 18:27:19 +0200
Message-ID: <CAJot-L3UKNjdxnDZr3JHt_YuBC5zAv=hAq3AGGgMRo8hhhopiw@mail.gmail.com>
To: Vladimir Dzhuvinov <vladimir@connect2id.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008b484e05aced03c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/jIgSEe0J2vCSgnJxXy2wAVXzS84>
Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Aug 2020 16:27:34 -0000

In the case of

> if the Request Object includes a sub claim with the value of the client_id
> the AS MUST reject the request


What would the expectation be in terms of a client_credentials grant?

>From experience, the *sub *is frequently populated with the client_id value
and the client_id is not used. Which would mean breaking for that type of
grant wouldn't it?


Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.


On Sat, Aug 15, 2020 at 11:08 AM Vladimir Dzhuvinov <vladimir@connect2id.com>
wrote:

> +1 to make the "typ" check, as Filip suggested, normative, as existing
> client and RP deployments with undefined "typ" will not be affected. New
> deployments should be encouraged to type the JWT, and thus be made safer.
>
>
> Regarding the "sub != client_id" check -- could a simple rejection of all
> JWTs with "sub" present suffice?
>
> I find it difficult to imagine what else a client could end up setting the
> "sub" claim to, if it does end up populating it for some reason.
>
> Rejecting JWTs with "sub=client_id" or "sub" present will break
> deployments where a client for some reason sets the "typical" JWT claims,
> and "sub" is a typical one, but if those deployments happen to accept
> client_secret_jwt or private_key_jwt client authentication, they could well
> be vulnerable to cross-JWT confusion attacks.
>
>
> Vladimir
> On 14/08/2020 13:58, Filip Skokan wrote:
>
> Hi Mike, Nat,
>
> I thought we would go as far as making these normative requirements
>
>    - if the Request Object includes a sub claim with the value of the
>    client_id the AS MUST reject the request
>    - if the Request Object is explicitly typed (typ) its value MUST be ...
>
> First rejects client assertions to be passed as Request Objects. Second
> rejects all future typed JWT profiles from being used as Request Objects
> without worrying about the claims they may or may not contain.
>
> Or is that breaking?
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Fri, 14 Aug 2020 at 00:59, Mike Jones <Michael.Jones=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
>> At Nat's request, I've created a pull request addressing Cross-JWT
>> Confusion security considerations.  It addresses both Brian's comment and
>> the IESG comments about explicit typing.  See the full PR at
>> https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10.  See the source
>> diffs at
>> https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml.
>> Please review!
>>
>> This is only the first commit, albeit, one that addresses some of the
>> must substantive issues.  More commits will follow addressing additional
>> IESG comments.
>>
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Benjamin Kaduk
>> Sent: Thursday, August 13, 2020 2:59 PM
>> To: Brian Campbell <bcampbell@pingidentity.com>
>> Cc: draft-ietf-oauth-jwsreq@ietf.org; oauth-chairs@ietf.org; The IESG <
>> iesg@ietf.org>; oauth <oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on
>> draft-ietf-oauth-jwsreq-26: (with COMMENT)
>>
>> Oops, that's my bad.  Thanks for the correction -- I've linked to your
>> message in the datatracker (but didn't bother to have the datatracker send
>> a third copy of my updated-again ballot position).
>>
>> -Ben
>>
>> On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote:
>> > While some discussion of why explicit typing was not used might be
>> > useful to have, that thread started with a request for security
>> > considerations prohibiting use of the "sub" with a client ID value.
>> > Because such a request JWT could be repurposed for JWT client
>> > authentication. And explicit typing wouldn't help in that situation.
>> >
>> > On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker <
>> > noreply@ietf.org> wrote:
>> >
>> > >
>> > > --------------------------------------------------------------------
>> > > --
>> > > COMMENT:
>> > > --------------------------------------------------------------------
>> > > --
>> > >
>> > > [updated to note that, per
>> > > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0
>> > > eaE/ and the JWT BCP (RFC 8725), some discussion of why explicit
>> > > typing is not used would be in order]
>> > >
>> > >
>> >
>> > --
>> > _CONFIDENTIALITY NOTICE: This email may contain confidential and
>> > privileged material for the sole use of the intended recipient(s). Any
>> > review, use, distribution or disclosure by others is strictly
>> > prohibited.  If you have received this communication in error, please
>> > notify the sender immediately by e-mail and delete the message and any
>> > file attachments from your computer. Thank you._
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
> --
> Vladimir Dzhuvinov
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.14.0 | Report a Bug | By Email