IETF Logo Mail Archive

Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)

Brian Campbell <bcampbell@pingidentity.com> Tue, 19 July 2022 16:05 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E455DC15A72A for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 09:05:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g2GqzzQiyQg3 for <oauth@ietfa.amsl.com>; Tue, 19 Jul 2022 09:05:26 -0700 (PDT)
Received: from mail-yb1-xb2c.google.com (mail-yb1-xb2c.google.com [IPv6:2607:f8b0:4864:20::b2c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85968C15790B for <oauth@ietf.org>; Tue, 19 Jul 2022 09:05:26 -0700 (PDT)
Received: by mail-yb1-xb2c.google.com with SMTP id l11so27228141ybu.13 for <oauth@ietf.org>; Tue, 19 Jul 2022 09:05:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/jN32deXPyB8+483ClGhz7PQKf4FXne21Qj9zqzlZGE=; b=AWdGNnF4slCQY96z8XFd3fENQyMOTt4vsf89BFLvzifbNCPYJOJmTM+3s9Zv127uDa 1K3DGkERftcqXDFnH+5cr7ECezmZPuHmWgzpUAM/7gnDc4ZynfzyfC28XQqWAqRXc5id 2nKO/SZnnE2pBYtbSONoRhP0+Hn+eGT8ExNXoHpY9hCrgEnSupm7VuTTXEWYRDmQ0aMn /9Sf8FSxXqz21Shh5cwMe/ySKDjtxyOb6KbdFDqSvQJ/mJy4UQUH3fWLnDmeHi7JdO2g Cu5FqDq8CcLGmUf4K267Xr1dglEe7JSCzRk7Hoy/s4O+9Ph5QiFBClsBsyviG1u6JVmz racw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/jN32deXPyB8+483ClGhz7PQKf4FXne21Qj9zqzlZGE=; b=hdw6+50bWKmcAfBjCwqbwSoTTAoPE0iONg4FLymXxrbaUk7Rtk+kslABesNiyS9koW 0qXdh+Fu715h+ryLTuFiJBcrFWAanHVpQ3l7I/eOBEHcaBymoJdZ3RspS4PXjz8APFZ/ kzAcpRQSemnTpwzWNdev1JGoCThI5QMxTQ2DfRX4Nte44qb+zm0mDx/lItqV8Tlo6GVV NCstk1NIYybwpmXZ+4ChVD6YC2HSslcYxvc4AQrBeODEzsOOy2oUoSuS3Y01NSimZRf0 Torm2tGu4cP/ESwj/auPtrRJ3SfCA4GbNQAcY7OhgU3UOeW8in3OEeTduPh6+KR3K0QE 15LA==
X-Gm-Message-State: AJIora9h1Zc9SEhM01mFpAjfsV75m6Qtv+x4+CS9OWJoV6EqqQKXpKbW +8rWBAuwWjr2p51yz3LLlQMa0eKV9dRuKqu/UCPgNuFnc/r73LqV/LbS+C1JpiTXuKmUcazpYK2 DKW/K+qaGAgZYLg==
X-Google-Smtp-Source: AGRyM1vVB0C3G0AVBL9ZPBdw2til64PtZelCLmHjY70u1cdktFljdpJ9FyDeEd+fun0t0sevX7F4q/9zRsDJHmjgO1k=
X-Received: by 2002:a25:13c8:0:b0:670:6a55:5fad with SMTP id 191-20020a2513c8000000b006706a555fadmr6779259ybt.598.1658246725225; Tue, 19 Jul 2022 09:05:25 -0700 (PDT)
MIME-Version: 1.0
References: <20211015193847.E6C9E20EBD5@rfc-editor.org> <CA+k3eCTmZHQ9yrokOQLd98t9JWvQB39Qf1Xz2rq=Dm8=JZ_nBw@mail.gmail.com> <CADNypP_WF1FOCncUs8djWqKndz5dXsnD7+uLiFvURmDqEGiCMw@mail.gmail.com> <0BDBCCBF-8292-494E-B2BE-471DE0BCCC58@lodderstedt.net> <CALAqi_-jviiCYBn6PNwcHiQ+GUY7U0xZ84PpfLsbMqrBQ6dV9A@mail.gmail.com>
In-Reply-To: <CALAqi_-jviiCYBn6PNwcHiQ+GUY7U0xZ84PpfLsbMqrBQ6dV9A@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 19 Jul 2022 10:04:49 -0600
Message-ID: <CA+k3eCRPStkY6iFWBumfGortPFAGGHRmh6nA2N1bDtuaqxjoQQ@mail.gmail.com>
To: Filip Skokan <panva.ip@gmail.com>
Cc: Torsten Lodderstedt <torsten@lodderstedt.net>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, RFC Errata System <rfc-editor@rfc-editor.org>, Nat Sakimura <nat@sakimura.org>, Dave Tonge <dave@tonge.org>, Roman Danyliw <rdd@cert.org>, Benjamin Kaduk <kaduk@mit.edu>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, oauth <oauth@ietf.org>, paul.wouters@aiven.io
Content-Type: multipart/alternative; boundary="00000000000001ede205e42aa7c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kjZ55ovqopSkcEsN54ET59tZkkk>
Subject: Re: [OAUTH-WG] [Technical Errata Reported] RFC9126 (6711)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 16:05:31 -0000

Thanks Filip, and yes I agree that request and client_id parameter names should
be quoted in the corrected text. As should
"application/x-www-form-urlencoded". Corrected corrected text is below. I
believe someone with more authority would need to edit the errata while
verifying.


Corrected Text
--------------
  Clients MAY use the "request" and "client_id" parameters as defined in
  JAR [RFC9101] to push a Request Object JWT to the authorization
  server. The rules for processing, signing, and encryption of the
  Request Object as defined in JAR [RFC9101] apply. Request parameters
  required by a given client authentication method are included in the
  "application/x-www-form-urlencoded" request directly and are the only
  parameters other than request and client_id in the form body (e.g.,
  JWT assertion-based client authentication [RFC7523] uses
  "client_assertion" and "client_assertion_type") HTTP request
  parameters). All authorization request parameters, i.e., those
  pertaining to the authorization request itself, MUST appear as
  claims of the JWT representing the authorization request.


On Tue, Jul 19, 2022 at 7:52 AM Filip Skokan <panva.ip@gmail.com> wrote:

> I too believe the Errata should be verified. (Although I think the
> parameter names request and client_id should be in quotes in the
> corrected text?).
>
> S pozdravem,
> *Filip Skokan*
>
>
> On Tue, 19 Jul 2022 at 15:44, Torsten Lodderstedt <torsten@lodderstedt.net>
> wrote:
>
>> I’m not sure this requires an update. It basically says „stick the uri
>> you get from step 1 into this parameter in step 2“. Does this really
>> require use to re-state any further requirements of a proper JAR?
>>
>> Am 19.07.2022 um 15:15 schrieb Rifaat Shekh-Yusef <
>> rifaat.s.ietf@gmail.com>:
>>
>> + Roman and Paul
>>
>> On Mon, Jul 18, 2022 at 12:25 PM Brian Campbell <
>> bcampbell@pingidentity.com> wrote:
>>
>>> I believe this should be verified. I'm also the one that reported it
>>> though. But it's been sitting in reported status for a while now.
>>>
>>> On Fri, Oct 15, 2021 at 1:38 PM RFC Errata System <
>>> rfc-editor@rfc-editor.org> wrote:
>>>
>>>> The following errata report has been submitted for RFC9126,
>>>> "OAuth 2.0 Pushed Authorization Requests".
>>>>
>>>> --------------------------------------
>>>> You may review the report below and at:
>>>> https://www.rfc-editor.org/errata/eid6711
>>>>
>>>> --------------------------------------
>>>> Type: Technical
>>>> Reported by: Brian Campbell <bcampbell@pingidentity.com>
>>>>
>>>> Section: 3.
>>>>
>>>> Original Text
>>>> -------------
>>>>    Clients MAY use the "request" parameter as defined in JAR [RFC9101]
>>>>    to push a Request Object JWT to the authorization server.  The rules
>>>>    for processing, signing, and encryption of the Request Object as
>>>>    defined in JAR [RFC9101] apply.  Request parameters required by a
>>>>    given client authentication method are included in the "application/
>>>>    x-www-form-urlencoded" request directly and are the only parameters
>>>>    other than "request" in the form body (e.g., mutual TLS client
>>>>    authentication [RFC8705] uses the "client_id" HTTP request parameter,
>>>>    while JWT assertion-based client authentication [RFC7523] uses
>>>>    "client_assertion" and "client_assertion_type").  All other request
>>>>    parameters, i.e., those pertaining to the authorization request
>>>>    itself, MUST appear as claims of the JWT representing the
>>>>    authorization request.
>>>>
>>>> Corrected Text
>>>> --------------
>>>>   Clients MAY use the request and client_id parameters as defined in
>>>>   JAR [RFC9101] to push a Request Object JWT to the authorization
>>>>   server. The rules for processing, signing, and encryption of the
>>>>   Request Object as defined in JAR [RFC9101] apply. Request parameters
>>>>   required by a given client authentication method are included in the
>>>>   application/x-www-form-urlencoded request directly and are the only
>>>>   parameters other than request and client_id in the form body (e.g.,
>>>>   JWT assertion-based client authentication [RFC7523] uses
>>>>   "client_assertion" and "client_assertion_type") HTTP request
>>>>   parameters). All authorization request parameters, i.e., those
>>>>   pertaining to the authorization request itself, MUST appear as
>>>>   claims of the JWT representing the authorization request.
>>>>
>>>> Notes
>>>> -----
>>>> That first paragraph of Sec 3 was not properly updated to come inline
>>>> with JAR (now RFC9101) when it changed in draft -21 to require "client_id"
>>>> in the authorization request in addition to in addition to "request" or
>>>> "request_uri" - so is  somewhat ambiguous in maybe suggesting that
>>>> "client_id" isn't required. But it is required based on how PAR works and
>>>> RFC9101 requiring "client_id".
>>>>
>>>> Instructions:
>>>> -------------
>>>> This erratum is currently posted as "Reported". If necessary, please
>>>> use "Reply All" to discuss whether it should be verified or
>>>> rejected. When a decision is reached, the verifying party
>>>> can log in to change the status and edit the report, if necessary.
>>>>
>>>> --------------------------------------
>>>> RFC9126 (draft-ietf-oauth-par-10)
>>>> --------------------------------------
>>>> Title               : OAuth 2.0 Pushed Authorization Requests
>>>> Publication Date    : September 2021
>>>> Author(s)           : T. Lodderstedt, B. Campbell, N. Sakimura, D.
>>>> Tonge, F. Skokan
>>>> Category            : PROPOSED STANDARD
>>>> Source              : Web Authorization Protocol
>>>> Area                : Security
>>>> Stream              : IETF
>>>> Verifying Party     : IESG
>>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>
>>
>>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email