IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns

John Bradley <ve7jtb@ve7jtb.com> Fri, 17 April 2020 19:04 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B71B83A065A for <oauth@ietfa.amsl.com>; Fri, 17 Apr 2020 12:04:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ujC57qMO8i7N for <oauth@ietfa.amsl.com>; Fri, 17 Apr 2020 12:04:10 -0700 (PDT)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 04FE53A08A7 for <oauth@ietf.org>; Fri, 17 Apr 2020 12:03:15 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id b62so3585330qkf.6 for <oauth@ietf.org>; Fri, 17 Apr 2020 12:03:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=subject:to:references:from:autocrypt:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=pIsukEIhaC4TagQBIEp/ZR1chK11+2B2OR4GYb/9E7E=; b=crIvdulBeOHRahy+Zor3wGz1N3/iLgU/Tn9y8quUlUpRGYqKOGRJ9WCbGQ8DMwTzcL UuoyAP8pxh7Ic7NaJmhsMWSr/98r7Vf4q7tCAN7baf1f4xgR3ZdQItWqpkOsEajDnK4J vhrioRhO7whswLFVCp5MgFzmC4+aW4OO7idAyVkCz1dVWiwyXA2kTFH8pNuA7qq9bO74 QqgZCobK/0/sFUkvnE1xL/00KQaf8aOOQYbwTdB95b/nTUnB+0DFmpyVp15OXUw1KdS+ ddpDL/udCeKyFr/QGWKzIJcfBq6lDPF+J/AIdf8J6S3XKALM8NZx1xrHVMMEIfmqsEp4 ktJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:autocrypt:message-id :date:user-agent:mime-version:in-reply-to:content-language; bh=pIsukEIhaC4TagQBIEp/ZR1chK11+2B2OR4GYb/9E7E=; b=YFxrE7pnwJdULkbDjNr4zrcsN98GAQg2iEFMElYPlWCDm3W5OqyKsQJYEqLYEyHj9R 5KhPO0LTE2IpwO4gFpxda1q/fiuOG0hJNuOvH/MeY/j726vyGXlLpdV14S3zqnX6EsZ+ YPtMtamRZDXdgXWgbo2w+AREHwgBaWGbeegDysVVf5PvL9/M/nEi6IwtYMpCJFDYNRZz NBmluZrtEmJFIEVbX9L/rkO0HUv04A63vytRwgs+IfWwn8TSz1Tw8sUulxJW9x+eDUd6 FMOSvhdr4wnExQnziCs4993hMOPFKNJQrOjDO6ZgCqJCJzTHRQnKJb4L2oNb5AaqsWWC uAYQ==
X-Gm-Message-State: AGi0PuYT9f9xcNy6wX+B0g2Ewcy9B5TG38k/Dfc5a0pOuvvPQJzv+0TK p1XnAXQUKUIGkBk0Whckfx/hEwvKPkF11D9y
X-Google-Smtp-Source: APiQypIoZGX8R2aUQLU3Il/ZTq4kJKHxWImjGglwRibtzA0mutXSDbt087aJ662SW+Mz9xEObZ62ag==
X-Received: by 2002:a37:e10c:: with SMTP id c12mr4686167qkm.483.1587150193139; Fri, 17 Apr 2020 12:03:13 -0700 (PDT)
Received: from [192.168.8.104] ([190.107.226.32]) by smtp.gmail.com with ESMTPSA id k58sm1194811qtf.40.2020.04.17.12.03.10 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 17 Apr 2020 12:03:12 -0700 (PDT)
To: oauth@ietf.org
References: <1d6fb3d7-cd3d-9e46-972c-4c30633a6657@aol.com> <033DBD9F-9C5B-465B-ABD6-27A8525ADDA9@lodderstedt.net>
From: John Bradley <ve7jtb@ve7jtb.com>
Autocrypt: addr=ve7jtb@ve7jtb.com; keydata= mQINBF1708MBEAC+aR8GCZVXEdrPOaYORjPzZCi5nvoWd2t5+xKHCalCgnz8ORFcREM38tZI yQNQ6cfB1METyr+9dVqKrBm8x00QWIlZ4hrcW87pOBek3hrsvvbmagoxzlOCLYHQ+7ESjfUe QVV5O9mESU2s3Zm+c0kLAUYtsuo7neeeiYaAkiCHo9WkpybA5o9tzeg9fK8e+bygPFYD1u8B X1Uy3GYbO9iCQIUXjgVya0117J7XgN/2QwGUbQtYKAFOIyDZfz/WXce2nthRP0nfFczLKozA 0KgSu70CEWZedRqotqzXorSbWIStjqf5WlD2g+Yf2+pbHt19xKQKplfy11qM0tJSd4UhcPu3 CWXfTVEzecQAee72A9U9yy4H3DimSxbkee/K8/f8ZkddzkUC5RxNEp3iYVThzVKbbScFU+6n JW7vwmihP1V3eBpbxpOGDF36h4CLssG1sTQFDHAstSJwQPFsUYzly6tEtLCVt1S8XIqzbTu9 /sHaBJBORmq8z1D7AWh7q9whjp0j+xcDITmIQq31Bkftxq3ru4Ow9b7cBb86bhotvDoXTQJL dEcfcB/YvobVSsy0W06GrKTf218N8+lHHL3z3GXxxoQUUU9yD45UxGSOe3rA7MQruoE+sa6O 1voGFcTDrGyYdjJ+KFsvK+GWHtMkLpHH/ArQsnTEhXXK+MfdAQARAQABtCNKb2huIFQuIEJy YWRsZXkgPHZlN2p0YkB2ZTdqdGIuY29tPokCVAQTAQgAPhYhBEiwG6+1WqDAVWlaHtAUSk/j /S+vBQJde9RyAhsDBQkDw6G9BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENAUSk/j/S+v G6EQAIn7W2JGIaLRJhlHmA901QTwkEc/0Nj1qkJLDLKJuIB7P2/2go7/qEMngTZyZhoglM0w 9EuQie/9UXz7HtyORS+AsmDityDeUr5XkTunyTFLPiiv9E2SwJwAQVJYS6V0NbesJDnkqpTt 4UwUa+Asqw2NaCxT1THHvnFJkDYhPrCGvtOEXBFHpEzYwLoEjx2wfqU1byZsjoxYMCrNokaY J4SUw+bVZaFa+M5WNRwn7ySgEpCv1egSvUydXhFBJTbdwVmCZL7m4WJbECs/ofIYcBGtUJFV nIZ+g34iRqJUPnd4xI/F27u9ydvw+Ml8bldmMnIwhsFkkDnZb8ecBo2P4FQS3h0nB+uNYIl+ SFGLb9B17Kvhy8HtGWrn+KTUn2C96DTuJkwYwS/vUs43HhWUsCx6SLYmQpIUq1CoUOLCP5pJ VB0Q8e/zwrjkB4yMKLPdl3yFbj/bSXSvCG0LcjAAc4Thbngm+xoh5v+nZMxkL8AI9XDE3+Mi M869EDITGKQTmIIB6fKtuLJQYbhAG8uDZ0zOHAJoxArVE9ZwdYiHNGimFa04uBjtobDCz//n k1jaEd3dkjh6kVuQt3sSvf7icen27OXoBB4/HPlH/WNCaeIB13+YyfdYTcdiIB9s7W+R3Kan ANoCAT9pS/ogP5M8Tr8dvZkBPrflkXBspLBOLmc2uQINBF1708MBEADwwZM3OKVJQluPNTJf Jw0XjTJtt0dTMfXG4alx0pF1SHndJweFKtlkp0u5OJZ+YsaZtqspFe++LzBscL3sz2FPsWwP g2OS3Kg1il1QAjZSFoR7fDj5lmxQ9VQws9BSDAr1W1E5YAAnmJFDpJ2DQokYSx1B9MhgG6br UurLR0rZXGvNdNeMUCBMg6vMkvAmwR5yrwBZ8FFLTGk8zN8CUM8EFtGW7/m9r/iwsoUpdsq9 UghvVvIte1xTK+79g6IrNB14O7QUmAaV1FUA4lWqz3pHsPRLIoFS/C5F/d0fLLQ68En/nN2x Tk1totgEqO7gXJa0n48907ALvk5zubZ95lpCNb4gE8FK+hPXLLoYJ+aC2ILjsyD2sMCSEbVK 2QuGL+CmsLVRZCfy/NOhyeCC9IzUxES/Y/a9Zp1ZPdHpiZ7Bjm7O3QoaZ1Jm5vSJ9g7r4T3A fGt7hHGTk6E0jlCaKdt3aB8R4HiIZO/TgUc+tpqAaZBIWELzsqZXAdRhpNYKBAwSU80Oe7GZ zwly5454oKXZe9d7jyjEY19MEEHzWtYgbcygyLXbrUEMpwa+OlFRxuvfQyWYCY0aU7eh6qpP rSbxyj4TtJ3aetaEvNehjttSpNUSWEhsy3AGHqPMjgd5Otio0eP61quJNZdBgkqq2Xop1Lnq l48RAb5xUI1NE33CcwARAQABiQI8BBgBCAAmFiEESLAbr7VaoMBVaVoe0BRKT+P9L68FAl17 08MCGwwFCQPDob0ACgkQ0BRKT+P9L688mxAAj2d6uNsbnQ5937w5N3dWgUZNGaZOOY5XwjZy kbFzXEyOGTbWDevuE2fkkrDFZISvLwfJs5Q1fxF7hP72sSYjNFso+ngFGpF9o8QPkxn9c1vs d9W94HjZN0c4gdmLtdGWr4zZAbnWIjmuEhDxd8CFDLlhCT7L6Iii9UMbJ1trsCvp8d8vbIK+ 2pJhrCy6eIZy9ceoCH2XLaLDxoCtnMhWeSLrwA16qnXEpddtK5pXauvBkdv9bLy9z+SMvSn2 ZFSAI8nv0Ck3FfFBe3rHd16vOn//jmwwMzAb9mNDV8e7/KarWA/YmZJ4YiJ1KbuSu9mS89fG c4mug1igE9DYThB42OvD/8QGdUbkZFcr7E0QJflwrtaZ5j8wIoAUvf0IUsh/6Y6p23hYqxZy dUg43w5tEUtnBR3r/9jE4+RkQtVm8DplNTZUVkA3AVSRp23k4zsU7ioa8hzUasDf3jJMZfSd Xsiuo4Y1Eq6IddJL063Uh6jouXASjwynRW0W7CWlR1/D9z9v+I+0zK/px1vEgNRSQzqtKkMV wUDKMby9BNuIURIj6TBpKk5jBrp3kMP6Yt+Ke9Fs0pPoFX6e+LbOhBvNNGusWIadZfMpL8Ur ZWafyadOQJtqa+xpicVY+ui83oXmGajjOnbIieYlWoskl00HNzppfyBtqOMcxRa7yBIooQE=
Message-ID: <840bc070-3a35-5df5-4164-1fb332e44b7c@ve7jtb.com>
Date: Fri, 17 Apr 2020 15:03:08 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <033DBD9F-9C5B-465B-ABD6-27A8525ADDA9@lodderstedt.net>
Content-Type: multipart/alternative; boundary="------------345E10107B63E6704B5BE915"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/k_5HW8TXqEBcQIsN66nvpO0dPKE>
Subject: Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 19:04:14 -0000

I agree that without a tight binding between the RS and AS we need to
revisit RS meta-data.

It is a can of worms however.


On 4/17/2020 2:39 PM, Torsten Lodderstedt wrote:
> I think the same is already true for mTLS. Solving it in an
> interoperable way would require some metadata about RS and their
> requirements re mTLS/DPoP. Shall we revitalize the idea of RS metadata?
>
>> Am 17..04.2020 um 17:37 schrieb George Fletcher
>> <gffletch=40aol.com@dmarc.ietf.org>:
>>
>>  This brings up interesting rollout questions. Protecting just the
>> refresh_token is easy and a useful security measure (especially if
>> access tokens are short lived). However, once you start issuing DPoP
>> bound access tokens to a client, it means ALL the endpoints that
>> client invokes MUST understand DPoP and know what to do with the
>> header. Depending on how many endpoints that is, spread across N
>> teams (or even companies) this can be problematic.
>>
>> As much as I agree with Justin in regards to the security issues, it
>> may not be possible to force all RPs to update at the same time. This
>> is of course potentially solvable if the client uses unique access
>> tokens per API endpoint AND the AS knows which endpoints support DPoP
>> and which don't. The problem here is that this creates a
>> tight-coupling between RP and AS (at least for the rollout period).
>>
>> On 4/17/20 11:25 AM, Filip Skokan wrote:
>>> I completely agree Justin, as mentioned - i wondered a year ago, I don't
>>> anymore. But i'd like it to be clear that sending a DPoP proof does not
>>> necessarily mean the AS MUST issue a DPoP access token. Depending on the
>>> AS/RS relationship and configuration a regular Bearer may be still be
>>> issued and only the public client's refresh token would be constrained.
>>>
>>> Best,
>>> *Filip*
>>>
>>>
>>> On Fri, 17 Apr 2020 at 17:16, Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> The idea of “Continuing to work without taking advantage of sender
>>>> constraints” is, I would argue, a security hole. Systems are allowed to
>>>> fail security checks but still offer functionality. This is exactly the
>>>> pattern behind allowing an unsigned JWT because you checked the “alg"
>>>> header and it was “none” and so you’re OK with that. Yes, you shouldn’t do
>>>> that, but maybe we could’ve also made this more explicit within JOSE.. By
>>>> using the ‘DPoP’ auth scheme, we’re making a clear syntactic change that
>>>> says to the RS “either you know to look for this or you don’t know what it
>>>> is”.
>>>>
>>>> It’s one of the problems I have with how the OAuth MTLS spec was written.
>>>> By re-using the “Bearer” scheme there, I believe we’ve made a mistake that
>>>> allows things to fall through in an insecure fashion. The same argument
>>>> against it — ease of porting existing deployments — was raised there as
>>>> well, and it won in the end. I hope we can do better this time.
>>>>
>>>>  — Justin
>>>>
>>>> On Apr 16, 2020, at 4:05 AM, Filip Skokan <panva.ip@gmail.com> wrote:
>>>>
>>>> I'm still somewhat on the fence as to the pros and cons of using a new
>>>>> token type and authorization scheme. But the draft has gone with a new one.
>>>>> Would it have really helped this situation, if it'd stuck with "bearer"? Or
>>>>> would it just be less obvious?
>>>>>
>>>> If we had stuck "bearer" than i wouldn't have raised this topic, since
>>>> existing RS would most likely ignore the cnf claim and the resource server
>>>> calls would continue to work, obviously without taking advantage of the
>>>> available sender check.
>>>>
>>>> As I wrote the preceding rambling paragraph I am starting to think that
>>>>> more should be said in the draft about working with RSs that don't support
>>>>> DPoP. Which isn't really what you were asking about. But maybe would cover
>>>>> some of the same ground.
>>>> I agree.
>>>>
>>>>  The AS is the one that does the binding (which includes checking the
>>>>> proof) so I don't see how sending two proofs would really work or help the
>>>>> situation?
>>>> :facepalm: indeed, sorry.
>>>>
>>>> S pozdravem,
>>>> *Filip Skokan*
>>>>
>>>>
>>>> On Tue, 14 Apr 2020 at 23:39, Brian Campbell <bcampbell@pingidentity.com>
>>>> wrote:
>>>>
>>>>> Hi Filip,
>>>>>
>>>>> My attempts at responses to your questions/comments are inline:
>>>>>
>>>>> On Tue, Apr 14, 2020 at 2:14 AM Filip Skokan <panva.ip@gmail.com> wrote:
>>>>>
>>>>>> I've wondered about the decision to use a new scheme before
>>>>>> <https://github.com/danielfett/draft-dpop/issues/41#issuecomment-490096716> but
>>>>>> this time i'd like to challenge the immediate usability of the future spec
>>>>>> for one specific case - sender constraining public client Refresh Tokens.
>>>>>>
>>>>> I'm still somewhat on the fence as to the pros and cons of using a new
>>>>> token type and authorization scheme. But the draft has gone with a new one.
>>>>> Would it have really helped this situation, if it'd stuck with "bearer"? Or
>>>>> would it just be less obvious?
>>>>>
>>>>>
>>>>>> If at all, it is going to take time for RS implementations to recognize
>>>>>> the new `DPoP` authorization scheme, let alone process it properly. In the
>>>>>> meantime, i'd still like to have the option to bind issued public client
>>>>>> refresh tokens using DPoP without affecting the access tokens. In doing so
>>>>>> i get an immediate win in sender constraining the refresh tokens but not
>>>>>> introducing a breaking change for the RS.
>>>>>>
>>>>>>
>>>>>>    - Do you see this as something an AS implementation is just free to
>>>>>>    do since it's both the issuer and recipient of a refresh token?
>>>>>>
>>>>>> That's my first thought, yes.
>>>>>>    - Should this be somehow baked in the draft?
>>>>>>
>>>>>> I'm not sure. Do you think it needs to be? I'm not sure what it would
>>>>> say though.
>>>>>
>>>>> In such a case the AS could bind the RT to the given dpop proof and
>>>>> either not bind the AT while returning token_type=Bearer or bind the AT
>>>>> while returning token_type value DPoP. In the latter case the AT would
>>>>> almost certainly still work as a bearer token at the RS and the client that
>>>>> knew the RS's needs could send it as such with an `Authorization: Bearer
>>>>> <at>`. Or if it didn't know the RS's needs, it could start with
>>>>> `Authorization: DPoP <at>` which would get a 401 with `WWW-Authenticate:
>>>>> Bearer` at which point it could send `Authorization: Bearer <at>`.
>>>>>
>>>>> As I wrote the preceding rambling paragraph I am starting to think that
>>>>> more should be said in the draft about working with RSs that don't support
>>>>> DPoP. Which isn't really what you were asking about. But maybe would cover
>>>>> some of the same ground.
>>>>>
>>>>>
>>>>>
>>>>>>    - Do you think client registration metadata could be used to signal
>>>>>>    such intent?
>>>>>>
>>>>>> I think it certainly could. But it seems maybe too specific to warrant
>>>>> metadata.
>>>>>
>>>>>
>>>>>>    - Do you think the protocol should have signals in the messages
>>>>>>    themselves to say what the client wants to apply DPoP to?
>>>>>>
>>>>>> My initial thought here is no. Take the case of a client working with an
>>>>> AS that supports DPoP and one RS that does and one RS that doesn't. I can't
>>>>> really even think what signaling might look like there or how it could be
>>>>> made to be generally useful.
>>>>>
>>>>>
>>>>>>    - What if AS and RS don't have a shared support DPoP JWS Algorithm?
>>>>>>    Do we disqualify such cases or allow for sending two proofs, one for the AS
>>>>>>    to bind refresh tokens to, one for the RS to bind access tokens to?
>>>>>>
>>>>>> The AS is the one that does the binding (which includes checking the
>>>>> proof) so I don't see how sending two proofs would really work or help the
>>>>> situation?
>>>>>
>>>>>
>>>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>>>> privileged material for the sole use of the intended recipient(s). Any
>>>>> review, use, distribution or disclosure by others is strictly prohibited...
>>>>> If you have received this communication in error, please notify the sender
>>>>> immediately by e-mail and delete the message and any file attachments from
>>>>> your computer. Thank you.*
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email