IETF Logo Mail Archive

Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Brian Campbell <bcampbell@pingidentity.com> Tue, 18 December 2018 17:27 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1162C131166 for <oauth@ietfa.amsl.com>; Tue, 18 Dec 2018 09:27:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7BtaLLPblKby for <oauth@ietfa.amsl.com>; Tue, 18 Dec 2018 09:27:21 -0800 (PST)
Received: from mail-it1-x12b.google.com (mail-it1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D1FF126DBF for <oauth@ietf.org>; Tue, 18 Dec 2018 09:27:21 -0800 (PST)
Received: by mail-it1-x12b.google.com with SMTP id b5so5353231iti.2 for <oauth@ietf.org>; Tue, 18 Dec 2018 09:27:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vYlhV5zRCiGsq7i3a4KL5zFdr9OpC6kW9cs7qFfnxPs=; b=cUrRgH7UnPBJehvJnHiNgRqJyRtL2YeuT/1yG4ajqfrRFlgvShKW5vwzgF39D/+KHk uvpds94Ze3npntvhL112UMaR4ft7Oam5GRhi2Sw7/+EMMqu4u0dz+fmwV/0AUDBOIV5r sTgt1qEPmEJBlfi5rTIRhEX3/OAC7Rh0itv7M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vYlhV5zRCiGsq7i3a4KL5zFdr9OpC6kW9cs7qFfnxPs=; b=idjPhL5KXdZVKX4vR3qmqbFdZWILLLNjr1+gwsah8Th5NI8cCRXD6tYgnrlOxsnsLy 0ULCzZpius+utqBSdEc2M/s7XwJ55wMmoBkQNFV4e15RH7H6wuiNBYziJ/ri6KSsfYvQ btxXtOQWt+vn+L6BqyCQs8qS3/c2JlBSJpiumS9xtQ6wLRA1XdLuOBjxzaoBaf8VAiIe FMjQtptr1f8KbMEU7ZlP81YVifqg3zQJjHPXOAhqgmJR/dqiWT4p994P2hXwP3Ug3LGX +gShCV4a0nUudEAdZ+IDsCz3W9re7hMo4g8Ca/+aLTRuHKqzvbKR32dVZlUEGsrx3CXN Pm2g==
X-Gm-Message-State: AA+aEWa+ChK73tOfjEA4Eqb6aUqdp/odTbwyVxsTKXBL7ebbuHpYEbca 3L7vESSHJxIeeDailqQOr1uDWBinVRQQ8GgFguFu9olkVDmwhlaQj910DH7xJar1NgjNV8v1dIj dQEQCEeyrKzxxFw==
X-Google-Smtp-Source: AFSGD/WAPFA07T333yeBOSDBH2QClv6/gYLIXvNsLsJV4MjCdKlPb0aFWyvArDEo1c/FubBX2PQ3jrgLeRvs6IAxZ9M=
X-Received: by 2002:a05:660c:452:: with SMTP id d18mr3627592itl.124.1545154040457; Tue, 18 Dec 2018 09:27:20 -0800 (PST)
MIME-Version: 1.0
References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <CD0E1D9D-4A6C-46E1-A3B3-5B0CE5ED3203@forgerock.com> <74c76953-72fb-ae77-d27b-faf97d7905ef@ve7jtb.com> <DE16A6CC-A607-4BBE-B1B8-198B9C1DD357@gmail.com>
In-Reply-To: <DE16A6CC-A607-4BBE-B1B8-198B9C1DD357@gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 18 Dec 2018 10:26:53 -0700
Message-ID: <CA+k3eCQrOotES+e8uThUC4WajD4k1b7JwXKhgnYwJuxgyrMU0A@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: John Bradley <ve7jtb@ve7jtb.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b48ae9057d4f35b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kQEaA5F18zLxFYlNSMYaCCfIVTo>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Dec 2018 17:27:24 -0000

I claim no particular expertise here and it's admittedly been a long time
since I actually tested the behavior myself.  But in my prior experience
there were browsers that would prompt the user even when there were no
certificates/keys configured for or available to the browser.



On Mon, Dec 17, 2018 at 3:37 PM Filip Skokan <panva.ip@gmail.com> wrote:

> Correct. If there are certs installed on the device the browsers are
> likely going to prompt.
>
> Having at least one CA configured together with optional_no_ca (even if
> its a CA noone ever has certs for) additionally omits the prompt for some
> client configurations.
>
> Odesláno z iPhonu
>
> 17. 12. 2018 v 23:10, John Bradley <ve7jtb@ve7jtb.com>:
>
> > I think that works for those browsers if no certificates are installed
> for the browser.   We should test, but I think if any certificates are
> available to the browser then it will prompt.
> >
> > John B.
> >
> >
> >> On 12/17/2018 1:52 PM, Neil Madden wrote:
> >> I am currently running a Tomcat instance that I have configured to
> support, but not demand, client certificates using the
> certificateVerification=“optionalNoCA” setting. With this config I am able
> to authenticate a confidential client using mTLS, and yet connecting to the
> same server over HTTPS in either Safari or Chrome on Mac does not prompt me
> for any certificate. I don’t have any client certificates configured in my
> browser, so does this only happen if you do?
> >>
> >> Depending on the deployment scenario, it may also be possible to
> terminate TLS at a proxy and use a separate proxy for (intranet) mTLS
> clients vs public clients, but that may not suit every deployment.
> >>
> >> — Neil
> >>
> >>> On 17 Dec 2018, at 20:26, Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
> >>>
> >>> While there's been some disagreement about the specific wording etc.,
> there does seem to be general consensus coming out of this WG to, in one
> form or another, recommend against the use of the implicit grant in favor
> of authorization code. In order to follow that recommendation, in-browser
> JavaScript clients will need to use XHR/fetch (and likely CORS) to make
> requests directly to the token endpoint.
> >>>
> >>> Meanwhile there is the MTLS document utilizes TLS client certificates
> at the token endpoint for client authentication and/or certificate bound
> access tokens. The security BCP draft even recommends sender/key
> constrained access tokens and MTLS is close to the only viable way to do
> that at this time.
> >>>
> >>> Unfortunately, however, these two things don't play very nice
> together. When a browser makes a TLS connection where a client cert is
> requested by the server in the handshake, even when client certificates are
> optional and even when it's fetch/XHR, most/many/all browsers will throw up
> some kind of certificate selection interface to the user.  Which is
> typically a very very bad user experience. From a practical standpoint,
> this means that a single deployment cannot really support the MTLS draft
> and have in-browser JavaScript clients using authorization code at the same
> time.
> >>>
> >>> In order to address the conflict here, I'd propose that the MTLS draft
> introduce a new optional AS metadata parameter that is an MTLS enabled
> token endpoint alias. Clients that are doing MTLS client authentication
> and/or certificate bound access tokens would/should/must use the
> alternative token endpoint when present in the AS's metadata. While all
> other clients continue to use the standard token endpoint as they always
> have. This would allow for an AS to deploy an alternative token endpoint
> alias on a distinct host or port where it will request client certs in the
> TLS handshake for OAuth clients that use it while keeping the regular token
> endpoint as it normally is for other clients, especially in-browser
> JavaScript clients.
> >>>
> >>> Thoughts, objections, agreements, etc., on this proposal?
> >>>
> >>> PS Bikeshedding on a name for the metadata parameter is also welcome.
> Some ideas to start:
> >>> token_endpoint_mtls_alias
> >>> token_endpoint_mtls
> >>> mtls_token_endpoint_alias
> >>> mtls_token_endpoint
> >>> alt_token_endpoint_mtls
> >>> mtls_token_endpoint_alt
> >>>
> a_token_endpoint_that_a_client_wanting_to_do_mtls_stuff_a_la_RFC_[TBD]_should_use
> >>> equally_poor_idea_here
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you._______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email