Re: [OAUTH-WG] updated Distributed OAuth ID

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 19 July 2018 12:51 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D09B6130E59 for <oauth@ietfa.amsl.com>; Thu, 19 Jul 2018 05:51:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id atH1S3SKb63t for <oauth@ietfa.amsl.com>; Thu, 19 Jul 2018 05:51:46 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC5F8129619 for <oauth@ietf.org>; Thu, 19 Jul 2018 05:51:46 -0700 (PDT)
Received: from [91.14.23.243] (helo=[192.168.179.103]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <torsten@lodderstedt.net>) id 1fg8PH-0000dp-IG; Thu, 19 Jul 2018 14:51:43 +0200
Content-Type: multipart/signed; boundary=Apple-Mail-8096C819-9693-4A75-AC82-B2D8C27BB346; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (1.0)
From: Torsten Lodderstedt <torsten@lodderstedt.net>
X-Mailer: iPad Mail (15F79)
In-Reply-To: <CAD9ie-sUM3jQm8pN1e4wUpSAJw=DW=xDXJS--R6icpjJsnV_AA@mail.gmail.com>
Date: Thu, 19 Jul 2018 14:51:41 +0200
Cc: oauth@ietf.org
Content-Transfer-Encoding: 7bit
Message-Id: <3A81E7C4-5FE1-448A-BB3D-540D30BF2637@lodderstedt.net>
References: <CAD9ie-sW7EbfuJWc8_fkLO0wGg9kd0VR=xuO346yOoMK8ZGiyQ@mail.gmail.com> <B976F6E6-95E3-4B50-A54B-C207FA4D82A7@lodderstedt.net> <CAD9ie-sUM3jQm8pN1e4wUpSAJw=DW=xDXJS--R6icpjJsnV_AA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lTbcJB1FIvh1WnkwFQmTWWJXeNg>
Subject: Re: [OAUTH-WG] updated Distributed OAuth ID
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 12:51:56 -0000

Hi Dick,

>  
>> 
>> Section 3: 
>> Don’t you think it could be a useful information to have the resource URI available in the authorization flow?I would assume it could have some additional meaning to the AS and could also be the context of the scope.
> 
> I'm assuming you are referring to the Authorization Code Grant. Good call out that the resource URI would be useful in the redirect. 
> 
> The use cases that I have been working with have all been Client Credential Grants
> 
> I currently don't know of a real world use case for the Authorization Code Grant for Distributed OAuth.

I think any scenario with multiple resource servers relying on the same AS for authorization where the client acts on behalf of the resource owner qualifies for grant type code and distributed OAuth. 

Let’s assume a user wants to authorize a client for access to her cloud storage, email account and contacts when setting app the respective app.

One would use the code grant type for that use case. And having the resource URLs in the authorization flow would allow the AS to further determine the context of the requested authorization.

Even more important, the AS could restrict the access tokens for use at this URIs only. At best, the AS would allow the client to obtain different access tokens for any of the involved resource servers, each of them tailored to the needs of the particular RS (content) and bound to it (aud, token binding, ...).

In the YES context, we have several different services/resources, which can be combined in a single authorization transaction, e.g. initiation of a payment and creating an electronic signature.

In all solutions I have seen or designed in the past, the resource server was either carried in the scope parameter or implicitly determined from the scope values (see OIDC). Making it explicit would result in an interoperable approach to represent this information and use it to tighten up OAuth security and privacy (token binding, audience restriction).

kind regards,
Torsten.

>  
>> 
>> Section 4: 
>> I think the client MUST authenticate using a PoP (asymmetric crypto based) mechanisms due to the attack angle given in 6.3
>> Did you intentionally restricted the draft to single resources?
> 
> yes
>  
>> I would desire support for an integrated UI flow for authorizing access to multiple resources at once. This makes sense in multi-service deployments.
> 
> It could be. Would be great to get some real use cases for that in an Authorization Code Grant.
>  
>> 
>> Section 6.1. 
>> I suggest you also refer to https://tools.ietf.org/html/draft-ietf-oauth-security-topics-06#section-3.7 for a comprehensive discussion of this threat.
> 
> Thanks
>  
>> 
>> kind regards,
>> Torsten.   
>> 
>> 
>> > Am 12.06.2018 um 21:28 schrieb Dick Hardt <dick.hardt@gmail.com>om>:
>> > 
>> > Hey OAuth WG
>> > 
>> > I have worked with Nat and Brian to merge our concepts and those are captured in the updated draft.
>> > 
>> > https://datatracker.ietf.org/doc/draft-hardt-oauth-distributed/
>> > 
>> > We are hopeful the WG will adopt this draft as a WG document.
>> > 
>> > Any comments and feedback are welcome!
>> > 
>> > /Dick
>> > _______________________________________________
>> > OAuth mailing list
>> > OAuth@ietf.org
>> > https://www.ietf.org/mailman/listinfo/oauth
>> 
>