IETF Logo Mail Archive

Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"

Brian Campbell <bcampbell@pingidentity.com> Fri, 18 March 2016 22:39 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B0AC12D5B9 for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 15:39:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0dNWfs69AN4G for <oauth@ietfa.amsl.com>; Fri, 18 Mar 2016 15:39:28 -0700 (PDT)
Received: from mail-io0-x22b.google.com (mail-io0-x22b.google.com [IPv6:2607:f8b0:4001:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C7BC12D57F for <oauth@ietf.org>; Fri, 18 Mar 2016 15:39:28 -0700 (PDT)
Received: by mail-io0-x22b.google.com with SMTP id o5so69679988iod.2 for <oauth@ietf.org>; Fri, 18 Mar 2016 15:39:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=LObKCXjdEMJ3QzAC67wBI9rC3ezzIZp6/Wkto13o54E=; b=hTpupzArRtx6tMXk31hiBm+zqV9uAJQKfO0ovy7/wBRSjiok7T5m0Om2naoLFm2axl yZMe3exS0AlBH0mtleXVj0xN1bI5kKBj6d1PKzXJW1Neuv9e3NHGb/F2Y/3vnbRWgKHT JyRPQkHKR8UPtvsgeUKVwWIEE3VP/7GA5XD1w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=LObKCXjdEMJ3QzAC67wBI9rC3ezzIZp6/Wkto13o54E=; b=FAa8brThdm10q7vpxcjWM6hwx2n13eue7NA6VX4s3V9srek0BU6492Ui6+4pPX/z64 +SaxwAY9Paq46oUf697xhs26EPYjoLNVRmMM+7VQAbLzpCrnYOErYtFNiUruNGrGy9+a j/7Dx5bJiGdB6z4SqHCMcrE1/utCi0snp1XSyauP4VznypQwZX9n+nt2DRiBMq+M3vbc f8KtBDse1dzwE3Wk/dW4Npie9srDrxgRKsuzfUlvqumdCpAksmCjuj43FnZQ9K1uXDC5 Q1RY59YdnxSa6i+TCrI6GLIjijjCNnC++o8ikqnFkwrlLjr/+NDvJ7VH8QzhM9oWe5nB T7xg==
X-Gm-Message-State: AD7BkJIh8+AH0qOtg0jG0wel0JPGGxfCI9oegEq4h59V+XN1WcCJe2QAKqgCrxkSxEQYClnbox08NVLzMaJNJmor
X-Received: by 10.107.137.152 with SMTP id t24mr20303674ioi.147.1458340767341; Fri, 18 Mar 2016 15:39:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.28.196 with HTTP; Fri, 18 Mar 2016 15:38:57 -0700 (PDT)
In-Reply-To: <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com>
References: <56EAEB54.8010208@aol.com> <CA+k3eCQ-C+MuAV__JnPMJqeKWMn=Qe2yGB06qzpet=xx1xGZ0g@mail.gmail.com> <B05D6061-BB5A-4593-B77A-9FF84AFE16F6@oracle.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 18 Mar 2016 16:38:57 -0600
Message-ID: <CA+k3eCR+NDPqrnjGEZbKiuN-FZX730ubnUruk3=YyG6amN=6Vg@mail.gmail.com>
To: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
Content-Type: multipart/alternative; boundary="001a113f9022664a83052e5a6bce"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/kgqY2hg5v6GesMHlOube7FpJ3jI>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Use cases for Audience Restricted tokens + AS and RS "discovery"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Mar 2016 22:39:30 -0000

How does one Mitm the token endpoint?

On Fri, Mar 18, 2016 at 4:27 PM, Phil Hunt (IDM) <phil.hunt@oracle.com>
wrote:

> There are two variations.
>
> Mitm the token endpoint is different then working one legit token endpoint
> against another thru redirect and state misdirection.
>
> In the mitm version you don't need multiple AS's.
>
> Phil
>
> On Mar 18, 2016, at 15:04, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> The "a. wrong AS /token endpoint" is the mix-up issue, which can be
> mitigated by returning an identifier for the AS in the authorization
> response. It is something that needs to be addressed but "discovery" or
> metadata aren't needed and audience restricted access tokens tokens don't
> help.
>
> Maybe that's obvious but there seems to be a lot of confusion on all this
> so I wanted to reiterate it.
>
> On Thu, Mar 17, 2016 at 11:37 AM, George Fletcher <gffletch@aol.com>
> wrote:
>
>> Goals:
>>
>> 1. Help the client not send a token to the "wrong" endpoint
>>    a. wrong AS /token endpoint
>>    b. evil RS endpoint(s)
>> 2. Allow good RS to determine if the token being validated was intended
>> for that RS
>>
>> Other high-level goals?
>>
>> Use cases:
>>
>> 1. RS that supports multiple AS (we've had this in production since 2011)
>> 2. RS rejects token not issued for use at the RS
>> 3. Client that dynamically supports new RS (say any client that supports
>> the jabber API)
>> 4. Client that dynamically supports new AS
>>
>> Feel free to add to the list :)
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email