Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
"Phil Hunt (IDM)" <phil.hunt@oracle.com> Sat, 20 February 2016 05:12 UTC
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
In-Reply-To: <56C77D92.5050203@pingidentity.com>
Date: Fri, 19 Feb 2016 22:12:19 -0700
Message-Id: <88DE9988-2CDB-4206-86CE-E7EFF93FB27A@oracle.com>
References: <56C7702B.2000401@gmx.net> <BY2PR03MB442E9BF84AFA890378C5116F5A00@BY2PR03MB442.namprd03.prod.outlook.com> <56C77D92.5050203@pingidentity.com>
To: Hans Zandbelt <hzandbelt@pingidentity.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/jcrpy7VIq-NjwCk6vf6xZT9sGyE>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
Option A

Phil

> On Feb 19, 2016, at 13:39, Hans Zandbelt <hzandbelt@pingidentity.com> wrote:
>
> Option A: I agree with Mike that the complexity and implementation cost of Option B will make adoption harder, which was also a concern with the first iteration of Option A.
>
> To be honest, I'm not sure most people would even understand why the complexity would be required and just forget about it. At least with the simplicity of the most recent Option A they don't have to care, just add some simple parameters/checks.
>
> And for the record: I've also implemented Option A in the mod_auth_openidc [1] and lua-resty-openidc [2] clients for Apache and NGINX respectively.
>
> Hans.
>
> [1] https://github.com/pingidentity/mod_auth_openidc
> [2] https://github.com/pingidentity/lua-resty-openidc
>
>> On 2/19/16 9:18 PM, Mike Jones wrote:
>>
>> Option A. I have higher confidence that this specification solves the problems because it was designed during a 4-day security meeting dedicated to this task by a group of over 20 OAuth security experts, *including both sets of researchers in Germany who originally identified the problem*. This solution has also been implemented and interop tested by Roland Hedberg, Brian Campbell, and I believe others. Note that the reason I am advocating this specification is **not** because I'm an editor of it; my role was to record in spec language what the OAuth security experts designed together over the 4-day period in Darmstadt.
>>
>> I’ll also note that even if Option B also solves the problem, it comes at significant adoption costs and complexity not found in A. In particular, it requires that developers understand and support a new “Link Relation” syntax not used elsewhere in OAuth. As Nat writes about his own draft in http://www.ietf.org/mail-archive/web/oauth/current/msg15789.html - there is not a standard JSON syntax for link relations. He writes “we could easily create a parallel to it”. I’d rather we solve the problem using standard mechanisms already employed in OAuth, rather than risk bifurcating OAuth in the developer community by unnecessarily inventing/creating new syntax that is unfamiliar to developers and that many of them may reject using.
>>
>> -- Mike
>>
>> P.S. Information about the OAuth security meeting can be found at
>> https://docs.google.com/document/d/136Cz2iwUFMdoKWZPCqZRhkmfmHAlJ6kM5OyeXzGptU4/edit
>> and
>> https://docs.google.com/document/d/1cRa11EgimnTeJZR1-PUpNRpi_u_EoSpO5NtakVbA_sk/edit
>>
>> -----Original Message-----
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
>> Sent: Friday, February 19, 2016 11:43 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption
>>
>> Early February I posted a mail to the list to make progress on the solution to the OAuth Authorization Server Mix-Up problem discovered late last year.
>>
>> Here is my mail about the Authorization Server Mix-Up:
>>
>> http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html
>>
>> Here is my mail to the list that tries to summarize the discussion status and asked a few questions:
>>
>> http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html
>>
>> Unfortunately, my mail didn't lead to the intended success. While there was some feedback I wasn't getting the desired response.
>>
>> In order to move forward I believe we need a working group document that serves as a starting point for further work in the group*. We have two documents that provide similar functionality in an attempt to solve the Authorization Server Mix-Up problem.
>>
>> So, here is the question for the group. Which document do you want as a starting point for work on this topic:
>>
>> -- Option A: 'OAuth 2.0 Mix-Up Mitigation' by Mike Jones and John Bradley
>>
>> Link: https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-01
>>
>> -- Option B: 'OAuth Response Metadata' by Nat Sakimura, Nov Matake and Sascha Preibisch
>>
>> Link: https://tools.ietf.org/html/draft-sakimura-oauth-meta-07
>>
>> Deadline for feedback is March 4th.
>>
>> Ciao
>>
>> Hannes & Derek
>>
>> PS: (*) Regardless of the selected solution we will provide proper acknowledgement for those who contributed to the work.
>
> --
> Hans Zandbelt | Sr. Technical Architect
> hzandbelt@pingidentity.com | Ping Identity
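The "simple parameters/checks" Hans refers to are, in Option A (draft-jones-oauth-mix-up-mitigation), an `iss` and a `client_id` parameter that the authorization server adds to the authorization response, which the client compares against the server it actually started the flow with before redeeming the code. The following is an added illustration of that client-side check, not code from the thread, the draft, or the mod_auth_openidc / lua-resty-openidc projects; the issuer URLs, client IDs, `state` values and the `pending` bookkeeping are constructed for the example.

```python
# Added example: client-side mix-up check in the spirit of Option A
# (draft-jones-oauth-mix-up-mitigation). The AS returns "iss" and "client_id"
# in the authorization response; the client verifies both against what it
# recorded for this "state" before sending the code anywhere.
# All issuer URLs, client IDs and states below are constructed sample values.
from urllib.parse import parse_qs, urlparse

# Constructed: the authorization servers a multi-AS client is registered with.
AUTH_SERVERS = {
    "https://as-a.example": {"client_id": "client-at-a",
                             "token_endpoint": "https://as-a.example/token"},
    "https://as-b.example": {"client_id": "client-at-b",
                             "token_endpoint": "https://as-b.example/token"},
}


class MixUpError(Exception):
    """Authorization response does not match the flow the client started."""


def validate_callback(redirect_url: str, pending: dict) -> dict:
    """Check an authorization response and return where the code may be redeemed.

    `pending` maps each outstanding "state" to the issuer the user was sent to
    (recorded when the client built the authorization request). The caller is
    expected to delete the entry after one use so `state` cannot be replayed.
    """
    q = parse_qs(urlparse(redirect_url).query)
    first = lambda k: q.get(k, [None])[0]
    state = first("state")
    expected_iss = pending.get(state)
    if expected_iss is None:
        raise MixUpError("unknown state: no pending authorization request")
    # Core Option A check: the response must name the AS this flow started at...
    iss = first("iss")
    if iss != expected_iss:
        raise MixUpError(f"iss mismatch: got {iss!r}, expected {expected_iss!r}")
    # ...and the client_id this client holds at that AS, so a response minted
    # for a different registration cannot be spliced into this flow.
    if first("client_id") != AUTH_SERVERS[expected_iss]["client_id"]:
        raise MixUpError("client_id mismatch")
    code = first("code")
    if not code:
        raise MixUpError("authorization response carries no code")
    # Only now is it safe to pick the token endpoint: it is derived from the
    # verified issuer, never from anything the redirect itself supplied.
    return {"token_endpoint": AUTH_SERVERS[expected_iss]["token_endpoint"],
            "code": code}
```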