Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object

John Bradley <ve7jtb@ve7jtb.com> Sat, 11 January 2020 00:58 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79C7F120120 for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 16:58:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.799
X-Spam-Level:
X-Spam-Status: No, score=-1.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g9mSkUY17xnu for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 16:58:32 -0800 (PST)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F58812003E for <oauth@ietf.org>; Fri, 10 Jan 2020 16:58:32 -0800 (PST)
Received: by mail-wm1-x333.google.com with SMTP id m24so3854144wmc.3 for <oauth@ietf.org>; Fri, 10 Jan 2020 16:58:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/sHe9CI8cmzJxzeR6JYbT9csgJBoXXZOtf+sIL2q29A=; b=aqGWJuUh308Pq+KmQZmaz9aII2J5FnYa467Qa14CO9ZxBlzncIHyxCu1MGITjz6quV JPS5nlyt2i9oOaGHe0pcIy6fIBrbBjphsqE7Vy1nbVTc/Xoen646cZZVMQGaG3rxKS4H BULpHsOsAXjbYUOAs8KAuYHkYjCG9UKa7CmBRxyQWgXgyQaiXxUuSjO9B9aqMinjrI95 N0a0FWzU8+Eh4jh1GUDDw7zjexNZt33vI5MaQt5Q6cLeicWhHmgMfktMGaVBV9Ajwmli w30/csOjS0v1/5UrZrYDBP8JSvDAfooTN1YQoPvqW5wOYqQhWv/5PbxG5IQ8VBCZZ1VJ iMOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/sHe9CI8cmzJxzeR6JYbT9csgJBoXXZOtf+sIL2q29A=; b=JYmroAD8Q1jb1twJmU2sRtm49anaCuRn07GYKucLRtNuGNYckw+SewggLXz8woXh7S TEkEni2Sql+zM8fMt3M5nEKhP9MgCPX4Cma5GiCN964rj9f5wMaOr8xq2Yw7gvA0Je7U YnYi2NWVaqkbX8+fRwndztzeWaInBo2s4ZfIXn75DCzP3JsfCRg/wcWIVs7sEEw9MYZh OYXuSyU6DQ4vmVr4NeUJqjQQNM3xQdP3MWqzNqu96CBLkshvX/8pbAMedPmkLF/1RAlZ aqvut7w0Xidd1eeC77WRf8RhP9FJj1DGl4dnVnPQXdkEe+Nrb4pcc8rbQAHarRMAYVhD 8feA==
X-Gm-Message-State: APjAAAWC8t+QrcpqndfhQ+hcOBltB3VTFHlhqck/XOrBFFAnR1RJY2u7 PpDhkH0S0q8bo7ENUC4kpoPchmzjCVxauX0jcHkvdA==
X-Google-Smtp-Source: APXvYqywmDn4a1sCzt5WjSojpXeidoQqlzXyWdyqkoIcWhMtgEJx9vD26BisLh5r2oRkWZqohOHZKN5xpF/O3cZ/Y4s=
X-Received: by 2002:a1c:740b:: with SMTP id p11mr7437792wmc.78.1578704310777; Fri, 10 Jan 2020 16:58:30 -0800 (PST)
MIME-Version: 1.0
References: <fc3805e5-e908-00db-a734-990721371ab2@connect2id.com> <79C4475C-FDEB-42C8-8A44-7BFE4DBF9453@gmail.com> <110a95d9-2981-6d2b-9cbf-9658be3585cc@connect2id.com> <CAANoGhK0-n6V_RogvVZ=8J8AQCEUUVJQn4_7wSWYixeQM8aZsw@mail.gmail.com> <CH2PR00MB0843D5044E11E0F4CE5F5D09F53B0@CH2PR00MB0843.namprd00.prod.outlook.com>
In-Reply-To: <CH2PR00MB0843D5044E11E0F4CE5F5D09F53B0@CH2PR00MB0843.namprd00.prod.outlook.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Fri, 10 Jan 2020 21:58:14 -0300
Message-ID: <CAANoGhJB4mYSFiWKt3T=cObH7uCW0s3Zpv2m92+YaAY2Oy4mqw@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a64a3f059bd2bdb3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lPIIsmDve_F4itU0m0x1Ld6x32M>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jan 2020 00:58:36 -0000

Right we just don't say to put the iss there in OIDC if it's symetricly
encrypted.

On Fri, Jan 10, 2020, 9:41 PM Mike Jones <Michael.Jones@microsoft.com>
wrote:

> The technique of replicating JWT claims that need to be publicly visible
> in an encrypted JWT in the header is defined at
> https://tools.ietf.org/html/rfc7519#section-5.3.  (Thanks to Dick Hardt
> for bringing this need to my attention as we were finishing the JWT spec.)
>
>
>
>                                                        -- Mike
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of * John Bradley
> *Sent:* Friday, January 10, 2020 2:15 PM
> *To:* Vladimir Dzhuvinov <vladimir@connect2id.com>
> *Cc:* IETF oauth WG <oauth@ietf.org>
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] JWT Secured Authorization Request
> (JAR) vs OIDC request object
>
>
>
> The intent was to do that, but specs change once the OAuth WG and IESG get
> there hands on them.
>
>
>
> Being backwards compatible with OIDC is not a compelling argument to the
> IESG.
>
>
>
> We were mostly thinking of asymmetric encryption.
>
>
>
> Specifying puting the issuer and or the audience in the headder has come
> up in the past but probably is not documented.
>
>
>
> John B
>
>
>
> On Fri, Jan 10, 2020, 6:29 PM Vladimir Dzhuvinov <vladimir@connect2id.com>
> wrote:
>
> Yes, putting the client_id into the JWE header is a way around the need
> to have the client_id outside the JWE as top-level authZ request parameter.
>
> Unfortunately this work around isn't mentioned anywhere, I just checked
> the most recent draft-ietf-oauth-jwsreq-20.
>
> Our DDoS attack mitigation (for OIDC request_uri) also relies on the
> presence of client_id as top-level parameter, together with requiring
> RPs to register their request_uri's (so that we don't need to build and
> store an index of all request_uri's). I just had a look at "DDoS Attack
> on the Authorization Server" and also realised the request_uri
> registration isn't explicitly mentioned as attack prevention ("the
> server should (a) check that the value of "request_uri" parameter does
> not point to an unexpected location").
>
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-20#section-10.4.1
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-jwsreq-20%23section-10.4.1&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cc470d4ec4bd14d481c0f08d7961a8abb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637142913068793193&sdata=%2FvHVp68SN5CAHimqZ5jx93aOCIruxqLCRMUFCc5DSxc%3D&reserved=0>
>
> To be honest, I feel quite bad about the situation with JAR we are in
> now. For some reason I had the impression that OAuth JAR was going to be
> the OIDC request / request_uri for general OAuth 2.0 use, as with other
> OIDC bits that later became general purpose OAuth 2.0 specs.
>
> I find it unfortunate I didn't notice this when I was reviewing the spec
> in the past.
>
> Vladimir
>
>
> On 10/01/2020 22:39, Filip Skokan wrote:
> > Vladimir,
> >
> > For that very case the payload claims may be repeated in the JWE
> protected header. An implementation wanting to handle this may look for
> iss/client_id there.
> >
> > Odesláno z iPhonu
> >
> >> 10. 1. 2020 v 21:19, Vladimir Dzhuvinov <vladimir@connect2id.com>om>:
> >>
> >> I just realised there is one class of JARs where it's practially
> >> impossible to process the request if merge isn't supported:
> >>
> >> The client submits a JAR encrypted (JWT) with a shared key. OIDC allows
> >> for that and specs a method for deriving the shared key from the
> >> client_secret:
> >>
> >> https://openid.net/specs/openid-connect-core-1_0.html#Encryption
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fopenid.net%2Fspecs%2Fopenid-connect-core-1_0.html%23Encryption&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cc470d4ec4bd14d481c0f08d7961a8abb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637142913068793193&sdata=soK9t7pzu504iILuDNFnG%2BMLxZPP2pN6ugEJ4ZOpqd4%3D&reserved=0>
> >>
> >> If the JAR is encrypted with the client_secret, and there is no
> >> top-level client_id parameter, there's no good way for the OP to find
> >> out which client_secret to get to try to decrypt the JWE. Unless the OP
> >> keeps an index of all issued client_secret's.
> >>
> >>
> >> OP servers which require request_uri registration
> >> (require_request_uri_registration=true) and don't want to index all
> >> registered request_uri's, also have no good way to process a request_uri
> >> if the client_id isn't present as top-level parameter.
> >>
> >>
> >> Vladimir
> >>
> >>
> >>> On 10/01/2020 20:13, Torsten Lodderstedt wrote:
> >>>
> >>>>> Am 10.01.2020 um 16:53 schrieb John Bradley <ve7jtb@ve7jtb.com>om>:
> >>>> I think Torsten is speculating that is not a feature people use.
> >>> I’m still trying to understand the use case for merging signed and
> unsigned parameters. Nat once explained a use case, where a client uses
> parameters signed by a 3rd party (some „certification authority“) in
> combination with transaction-specific parameters. Is this being done in the
> wild?
> >>>
> >>> PS: PAR would work with both modes.
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=02%7C01%7CMichael.Jones%40microsoft.com%7Cc470d4ec4bd14d481c0f08d7961a8abb%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637142913068803145&sdata=kobH%2FsGT7ElSSUCJvu%2FbiAqnRCXx%2B4SZNJsrL%2FCuVyc%3D&reserved=0>
>
>