Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments

Brian Campbell <> Fri, 29 May 2020 21:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 55BA13A0F21 for <>; Fri, 29 May 2020 14:50:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 5TgpuBQ8zW5X for <>; Fri, 29 May 2020 14:50:42 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 5BC463A0B56 for <>; Fri, 29 May 2020 14:50:42 -0700 (PDT)
Received: by with SMTP id z22so597047lfd.0 for <>; Fri, 29 May 2020 14:50:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kEwEAwYDVD7PpY/sX9lJWECvsJzDNTIN1adx4J7gwXw=; b=BefBKogKQOUb6zdyFy5Ea8BqgDfEMBD/LCRqmeQA9nd96EI9uFVsqSam+20Rb2606U MsK4JXI4hADFFteY1KfuFmPqyoYff+MAvdBSz4CVaFJYnqScV0KDZwRozh/4hAoXidn6 SCQtGvoadGPesHvyi2uiy1ojHyI+LLN5tNV18Nl+A5pl67nYuvJ7KZx4s8UGhu9IVLza T71/Qi5kLtnGMnt1JoRhFD+RGywg7AVFUkmoQ15VnQHRr9xH+bB7E3hK0ISPiCN+9C5t +jqHPn4TLtpVjdRB0IBbI9C3WxEugmj8YsA8TqTTqd0uUoD5yQS7RAm9jftOfgGIIA9a q/Sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kEwEAwYDVD7PpY/sX9lJWECvsJzDNTIN1adx4J7gwXw=; b=bS7JsRlVsD9xok0PJQzWUS75aXMGQ6G/+bRojd1A9iWHiy9JPbiVgwqTkLgeYzVHoZ V5oNiPybo6umHUNI+z+ZWYJ5PGj2Kmv6V+7Q+Po1J2kgflUuGNV6E+7sz6BjTbWbaLfJ Fg+BiG2ix9R5ddeXKIdz3VTrF7Zwu32BRBz8FdI5uS1loeyBQuMsefDKMNR+ZUVg+OhG i+1pkeJatnO6b9xFk4k4u9XNRMrhpNv1Z/Xglegd9yKbtCIoTrF/wjtFz8RUYYwFG/kf Uc49nC94HrUkVhHEQIfntljo+MlehAPQQCryhJoJEgoSHJEkBpKohRR5ckOIWLgIZYx8 BIhg==
X-Gm-Message-State: AOAM532hzeRyP4Pps8GCDUWdR7qwPBuGADepYIxaIBZqm29Bdwpsg+ie o25Bm8ZsEOy7Jifh9E8KwxHG04IsxjX/h/FpnixT7RI2qsVRLFXns14hx/9mvn8WCKR4PxVsmmF 8Ya6xwDebNDYSfA==
X-Google-Smtp-Source: ABdhPJy16V2Uxx7v9+9GDkJ53h8xbyKRF6Jwpnn5nX+dRlugSi7a/1Iu/OUwWefHR52Ja50EHSQVaRfRXmPwtQHo0MI=
X-Received: by 2002:a19:f518:: with SMTP id j24mr5436935lfb.11.1590789040040; Fri, 29 May 2020 14:50:40 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Brian Campbell <>
Date: Fri, 29 May 2020 15:50:13 -0600
Message-ID: <>
To: Filip Skokan <>
Cc: oauth <>
Content-Type: multipart/alternative; boundary="000000000000a5920905a6d06ff2"
Archived-At: <>
Subject: Re: [OAUTH-WG] DPoP - Downgrades, Transitional Rollout & Mixed Token Type Deployments
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 29 May 2020 21:50:45 -0000

Apologies for the slow reply on this. No excuses other than life sometimes

`token_type` is maybe not the clearest extension point (and one I've
arguably misused in OAuth MTLS <>
and the now defunct Token Binding
<>and admitted
to being on the fence about in the issue you linked to
<>). But it is the
extension point that was basically left in RFC 6749 to facilitate this
exact kind of thing (for MAC really but it's conceptually similar in that
it was an application level proof mechanism of sorts) . The text from RFC
6749 sec 7.1 <> is also
copied below. Note that a "client MUST NOT use an access token if it does
not understand the token type" so FWIW the client behaviours you describe
aren't in line with that.

It still seems to be that using DPoP token_type is the appropriate thing to
do and that it can be defined to account and allow for mixed token type
situations.  It would define that the DPoP authz scheme be used as the
authentication method to include the access token when making a protected
resource request. That definition can also include falling back to using
the Bearer authz scheme when/if so challenged by a protected resource.


  7.1 <>.  Access Token Types

   The access token type provides the client with the information
   required to successfully utilize the access token to make a protected
   resource request (along with type-specific attributes).  The client
   MUST NOT use an access token if it does not understand the token

   For example, the "bearer" token type defined in [RFC6750
<>] is utilized
   by simply including the access token string in the request:

     GET /resource/1 HTTP/1.1
     Authorization: Bearer mF_9.B5f-4.1JqM

   while the "mac" token type defined in [OAuth-HTTP-MAC
<>] is utilized
   issuing a Message Authentication Code (MAC) key together with the
   access token that is used to sign certain components of the HTTP

     GET /resource/1 HTTP/1.1
     Authorization: MAC id="h480djs93hd8",

   The above examples are provided for illustration purposes only.
   Developers are advised to consult the [RFC6750
<>] and [OAuth-HTTP-MAC
   specifications before use.

   Each access token type definition specifies the additional attributes
   (if any) sent to the client together with the "access_token" response
   parameter.  It also defines the HTTP authentication method used to
   include the access token when making a protected resource request.

On Tue, May 19, 2020 at 7:20 AM Filip Skokan <> wrote:

> This is a RE: to yesterday's interim meeting discussion, largely related
> to the first rollout step where we want to constrain refresh tokens but
> leave protected resource access intact.
> I'll start off with a case that I hope we can agree is absolutely
> necessary for DPoP to solve - that is constraining refresh tokens for
> browser based applications. Now, *do we see this as a secondary
> objective? I think it should be on par with access token constraining.* SPAs
> using code flow and having access to refresh tokens as means against the
> continuous browser efforts to cut down on storage access is a real case
> servers will be eventually forced to adopt.
> Since rollout for DPoP needs to begin with the AS and Client supporting it
> (regardless what order i guess) there are going to be instances where the
> RS will be supporting both Bearer and DPoP at the same time.
> As discussed yesterday, the client shouldn't know/care and change its
> behaviour when it comes to using access tokens.
> *But what is the client behaviour we take for standard?* Because I can
> see two conflicting implementations in the wild
>    1. The client echoes the token_type it received from the token
>    endpoint as the authorization scheme
>       - (optionally) throws on unrecognized token type values
>    2. The client uses Bearer as a fixed authorization scheme and ignores
>    the token_type it received
> #2 is an implementation which I suspect has no idea about DPoP, but if
> extended to send DPoP headers (through various mechanism - library
> extensions or even manipulating the `XMLHttpRequest` prototype) will
>    - 🎉 get the benefit of having its Refresh Tokens bound
>    - 🎉 most likely continue to work with RSs that only support Bearer
>    - ❌ will cease to work with RSs that will adopt support for DPoP
>    because it'll be using the wrong scheme, that is unless (🎉) RSs supporting
>    DPoP choose to suspend the requirement to use the new scheme and instead
>    depend on the presence of `cnf.jkt` as means to trigger DPoP validation. *Q:
>    is that an acceptable thing to do?*
> Arguably, client behaviour #1 is what a client should be using if it
> supports other schemes besides Bearer. But it may as well be the behaviour
> of a client that has no clue about DPoP, right? Again, such client can be
> made to support DPoP in a SPA through manipulation of the XMLHttpRequest
> prototype, in which case the developer needs to do the same for
> the protected resource calls. But at this point the developer has to know
> which RS to apply DPoP to and which not - ergo - which to send Bearer vs.
> DPoP scheme to? The developer will have to write a whitelist of resource
> servers anyway - and there we get to the point where client has information
> and functionality that it shouldn't /need to/ have.
> Its great that we have token_type, authorization header schemes, etc...,
> but we don't seem have a well defined (or at least followed) behaviour for
> our clients around handling the token_type response values and their usage.
> A developer has to resolve to navigate this monkey course unless the RS
> definition on the AS is aware of the fact that the RS does support DPoP, so
> that the issued token_type is always correct for the RS. So, *should we
> make that a recommended way of 'indicating' when to issue Bearer vs DPoP
> access tokens?*
> What else could we do that doesn't give more decision making to the
> clients so that the very first step - *Refresh Tokens get constrained* -
> is achieved* but Protected Resource access is unaffected?*
> Note that this was not "a thing" for mTLS because it continues to use the
> Bearer scheme (for better or worse) and it completely omits possible
> continuous rollout or discussing what are the signals the RS must use to
> require mTLS to be used), same for the abandoned OAuth 2.0 Token Binding
> draft (also continued to use the Bearer scheme).
> I suspect we have just this opportunity to fix token types and their use
> and if we can't, we'll have to resolve to abandon that extension point as
> one that doesn't support continued rollout of real sender constraining
> mechanism (e.g. http signatures in the future) and just continue using
> Bearer because in the end, given that RSs could be relying on the presence
> of the cnf claim to figure out the token's constraining mechanism, would
> that be such a bad thing?
> Put it the other way around. By introducing Bearer scheme, do we actually
> gain anything of value that can't be gained through other means?
> Note that this message didn't start with the goal of questioning the new
> scheme use, it just sort of landed there... My pedantic nature would love
> to see the new scheme and token_type extension point used as it was meant
> to be but I also recognize the many issues it brings that could be
> sidestepped by not introducing it in the first place, all without losing
> capabilities.
> Previous material on the topic
>    -, decision to
>    break backwards compatibility amongst the authors
>    - ML
>    <> thread,
>    in my opinion inconclusive, no consensus
> S pozdravem,
> *Filip Skokan*
> _______________________________________________
> OAuth mailing list

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._