From: Mike Jones <Michael.Jones@microsoft.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 30 Nov 2021 20:15:49 +0000
Message-ID: <PH0PR00MB09979174CD87DF0DB226D334F5679@PH0PR00MB0997.namprd00.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k0V9xA-M7x4AB1F2DXEvNflzbp8>
Subject: [OAUTH-WG] dpop_jkt Authorization Request Parameter

As described during the OAuth Security Workshop session on DPoP, I created a pull request adding the dpop_jkt authorization request parameter to use for binding the authorization code to the client's DPoP key.  See https://github.com/danielfett/draft-dpop/pull/89.

This is an alternative to https://github.com/danielfett/draft-dpop/pull/86, which achieved this binding using a new DPoP PKCE method.  Using this alternative allows PKCE implementations to be unmodified, while adding DPoP in new code, which may be an advantage in some deployments.

Please review and comment.  Note that I plan to add more of the attack description written by Pieter Kasselman to the security considerations in a future commit.  This attack description was sent by Pieter yesterday in a message with the subject "Authorization Code Log File Attack (was DPoP Interim Meeting Minutes)".

                                                       -- Mike
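
The authorization-server side of the binding the message describes, as an added example that is not code from the pull request or from the draft. It assumes, as the later DPoP specification defines it, that dpop_jkt is the base64url-encoded RFC 7638 SHA-256 thumbprint of the client's DPoP public key, and that the DPoP proof presented at the token endpoint has already had its signature verified; the code store, the function names and the sample key are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Public members that enter an RFC 7638 thumbprint, per key type; all other members are ignored.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required public members serialised in
    lexicographic order with no whitespace, then base64url without padding."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def issue_code(store: dict, code: str, dpop_jkt: Optional[str]) -> None:
    """Authorization endpoint: store the dpop_jkt (if any) from the request alongside the code."""
    store[code] = {"dpop_jkt": dpop_jkt, "used": False}


def redeem_code(store: dict, code: str, proof_jwk: dict) -> bool:
    """Token endpoint: the code may be exchanged only if the key in the (already
    signature-verified) DPoP proof matches the thumbprint the code was bound to."""
    entry = store.get(code)
    if entry is None or entry["used"]:
        return False
    entry["used"] = True  # a code is consumed by its first redemption attempt, successful or not
    bound = entry["dpop_jkt"]
    if bound is None:
        return True  # the authorization request carried no dpop_jkt, so there is nothing to enforce
    # A code copied out of a log file is useless to a party holding a different DPoP key.
    return hmac.compare_digest(bound, jwk_thumbprint(proof_jwk))


# Constructed sample: the client's P-256 DPoP public key as a JWK (illustrative values only).
CLIENT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "l8tFrhx-34tV3hRICRDY9zCkDlpBhF42UQUfWVAWBFs",
    "y": "9VE4jf_Ok_o64zbTTlcuNJajHmt6v9TDVrU0CdvGRDA",
}
```

The thumbprint ignores optional members such as kid and alg and member order, so a client may present the same key with different metadata and still match.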

