[OAUTH-WG] dpop_jkt Authorization Request Parameter

Mike Jones <Michael.Jones@microsoft.com> Tue, 30 November 2021 20:15 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k0V9xA-M7x4AB1F2DXEvNflzbp8>

As described during the OAuth Security Workshop session on DPoP, I created a pull request adding the dpop_jkt authorization request parameter to use for binding the authorization code to the client's DPoP key.  See https://github.com/danielfett/draft-dpop/pull/89.

This is an alternative to https://github.com/danielfett/draft-dpop/pull/86, which achieved this binding using a new DPoP PKCE method.  Using this alternative allows PKCE implementations to be unmodified, while adding DPoP in new code, which may be an advantage in some deployments.

Please review and comment.  Note that I plan to add more of the attack description written by Pieter Kasselman to the security considerations in a future commit.  This attack description was sent by Pieter yesterday in a message with the subject "Authorization Code Log File Attack (was DPoP Interim Meeting Minutes)".

                                                       -- Mike
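To illustrate the binding the message describes, here is an added example (not code from the pull request, the draft, or the author) of an authorization server storing the dpop_jkt value it received with the authorization code and, at the token endpoint, comparing it with the RFC 7638 thumbprint of the public key from the client's DPoP proof. The AuthorizationServer class, its method names and the sample key values are assumptions made for this example; the DPoP proof itself is assumed to have been signature-verified already.

```python
import base64
import hashlib
import json
import secrets

def b64url(raw: bytes) -> str:
    # base64url without padding, as in JOSE
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, keys sorted, no whitespace,
    # SHA-256, base64url; optional members such as kid must not matter.
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    members = {name: jwk[name] for name in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

class AuthorizationServer:
    # Assumed minimal model of the two endpoints, not the draft's code.
    def __init__(self):
        self._codes = {}  # code -> (client_id, dpop_jkt or None)

    def authorize(self, client_id: str, dpop_jkt) -> str:
        # Authorization endpoint: issue a code and remember the thumbprint
        # the client sent in the dpop_jkt request parameter.
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = (client_id, dpop_jkt)
        return code

    def token(self, code: str, client_id: str, proof_jwk: dict) -> dict:
        # Token endpoint. proof_jwk is the public key from the header of an
        # already signature-verified DPoP proof. Codes are single use, and the
        # key must hash to the thumbprint stored with the code.
        entry = self._codes.pop(code, None)
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        if entry[1] is not None and jwk_thumbprint(proof_jwk) != entry[1]:
            # A code that leaked into a log is useless without the private
            # DPoP key that produced the proof carrying the matching key.
            return {"error": "invalid_grant"}
        return {"access_token": b64url(secrets.token_bytes(24)), "token_type": "DPoP"}

# Constructed sample keys: the coordinates are placeholders, not real points.
CLIENT_JWK = {"kty": "EC", "crv": "P-256", "x": "cx1", "y": "cy1", "kid": "client"}
OTHER_JWK = {"kty": "EC", "crv": "P-256", "x": "cx2", "y": "cy2"}
```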