Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Brian Campbell <bcampbell@pingidentity.com> Tue, 08 January 2019 13:04 UTC

References: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com> <6A614742-290D-47E2-B3E9-A4D49DB32DD7@forgerock.com> <CA+k3eCSoNRGrsxeLYd6DEqU+U6TB_aXV2aPUa07Um2X0ZH_ZEw@mail.gmail.com> <20190104215540.GL86936@kduck.kaduk.org> <CA+k3eCR9JVmeUcuGaDgDvcFz4L=uXph+CZ_=cJVSc4NJP2DG+Q@mail.gmail.com> <34DD1788-FC0E-4BB3-BB4D-198005285A71@forgerock.com>
In-Reply-To: <34DD1788-FC0E-4BB3-BB4D-198005285A71@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 08 Jan 2019 06:04:17 -0700
Message-ID: <CA+k3eCS1Jub7V1qPggeskCLdxrQnzc_MzX3gRjHOUci21ngPXA@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Benjamin Kaduk <kaduk@mit.edu>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/lWKE33NBbENFtp0sWLpuPRljiyY>
Subject: Re: [OAUTH-WG] MTLS and in-browser clients using the token endpoint

Yes *but* not when the client is a javascript application running in the
user's browser. And the direction this WG is taking is to start/continue to
suggest that such clients use the code flow (which hits the token endpoint)
rather than the implicit (which only hits the authorization endpoint).

On Mon, Jan 7, 2019 at 11:36 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> Thinking about this, given that this is the *token* endpoint that clients
> talk to directly, not the *authorize* endpoint, it seems already possible
> for the AS to put it on a different port/host so that users aren’t ever
> prompted for a cert. Right?
>
> — Neil
>
> On 7 Jan 2019, at 17:21, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
> I don't honestly know for sure but I suspect that employees of big
> corporations will likely have keys/certs on their devices/machines that are
> issued by some internal CA and provisioned to them automatically (and in
> many cases without the user knowing and/or understanding that they are
> there and why). Those users would likely be prompted when TLS handshaking
> with a server that presents an empty list of CAs in the
> certificate_authorities of the CertificateRequest.
>
> I dunno. Maybe I was too quick to retract the proposal for the MTLS
> supporting secondary token endpoint?
>
> What do folks (including Ben & Neil) think?
>
> On Fri, Jan 4, 2019 at 2:55 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
>> On Fri, Dec 28, 2018 at 03:55:15PM -0700, Brian Campbell wrote:
>> > I suspect that not having client certs set up is the situation for the
>> > vast majority of users and their browsers. And for those that do have
>> > client
>>
>> Is this still true when we limit to the set of users/browsers that are
>> employees of big corporations?
>>
>> -Ben
>>
>> > certs set up, I think they are more likely to be the kind of user that
>> > is able to deal with the UI prompt okay.
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*
>
>

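Added example (not from this thread and not code from any participant's product), in Go: it builds the AS-side TLS configuration for a browser-facing token endpoint that never sends a CertificateRequest, for a separate MTLS token endpoint whose CertificateRequest names the one accepted client CA, and for the variant Brian describes in which a certificate is requested with an empty certificate_authorities list. It then runs in-memory handshakes and records what a client sees, using the standard library's GetClientCertificate callback, which exposes certificate_authorities as AcceptableCAs. The CA and host names (corp-ca, as.example, mtls-client-42), the helper names and the scenario labels are all constructed for the example; a browser's certificate prompt itself cannot be reproduced here, only the CertificateRequest contents a browser would base it on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// tokenEndpointTLS (example helper, not from the thread) builds the server-side TLS config for one token
// endpoint. A non-nil clientCA is the only accepted issuer and is what gets sent in certificate_authorities.
func tokenEndpointTLS(serverCert tls.Certificate, clientAuth tls.ClientAuthType, clientCA *x509.Certificate) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientAuth: clientAuth, MinVersion: tls.VersionTLS12,
		SessionTicketsDisabled: true} // keeps the synchronous in-memory pipe used below free of post-handshake writes
	if clientCA != nil {
		cfg.ClientCAs = x509.NewCertPool()
		cfg.ClientCAs.AddCert(clientCA)
	}
	return cfg
}

// newCert issues a constructed ECDSA P-256 certificate for cn; with parent == nil it is a self-signed CA.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: parent == nil,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

type Observation struct {
	CertRequested bool     // the server sent a CertificateRequest (what can open a browser's certificate chooser)
	AcceptableCAs []string // DNs the request listed in certificate_authorities
	ServerErr     error    // the AS's verdict on the connection
}

// probe runs one in-memory handshake; with clientCert == nil the client acts like a browser holding no usable cert.
func probe(serverCfg *tls.Config, clientCert *tls.Certificate, root *x509.Certificate) Observation {
	srvConn, cliConn := net.Pipe()
	var obs Observation
	roots := x509.NewCertPool()
	roots.AddCert(root)
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "as.example",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			obs.CertRequested = true
			for _, raw := range cri.AcceptableCAs {
				var rdn pkix.RDNSequence
				if _, err := asn1.Unmarshal(raw, &rdn); err == nil {
					obs.AcceptableCAs = append(obs.AcceptableCAs, rdn.String())
				}
			}
			if clientCert == nil {
				return &tls.Certificate{}, nil // no matching cert: answer with an empty Certificate message
			}
			return clientCert, nil
		}}
	errCh := make(chan error, 1)
	go func() { errCh <- tls.Server(srvConn, serverCfg).Handshake() }()
	_ = tls.Client(cliConn, clientCfg).Handshake() // under TLS 1.3 the client finishes before the AS judges its cert
	cliConn.Close()                                // unblocks the AS if it is still writing an alert into the pipe
	obs.ServerErr = <-errCh
	return obs
}

// runScenarios builds a constructed PKI (one corporate CA issuing the AS and client certs) and probes each endpoint.
func runScenarios() map[string]Observation {
	ca, caKey := newCert("corp-ca", nil, nil)
	srv, srvKey := newCert("as.example", ca, caKey)
	cli, cliKey := newCert("mtls-client-42", ca, caKey)
	serverCert := tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey, Leaf: srv}
	clientCert := tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey, Leaf: cli}
	plain := tokenEndpointTLS(serverCert, tls.NoClientCert, nil)             // browser/JS clients: never asks for a cert
	mtls := tokenEndpointTLS(serverCert, tls.RequireAndVerifyClientCert, ca) // MTLS clients: names corp-ca, verifies
	anyCA := tokenEndpointTLS(serverCert, tls.RequestClientCert, nil)        // anti-pattern: asks, names no CA at all
	return map[string]Observation{
		"browser, plain endpoint":    probe(plain, nil, ca),
		"browser, mtls endpoint":     probe(mtls, nil, ca),
		"mtls client, mtls endpoint": probe(mtls, &clientCert, ca),
		"browser, empty-CA endpoint": probe(anyCA, nil, ca),
	}
}

func main() {
	for name, o := range runScenarios() {
		fmt.Printf("%-28s cert_requested=%-5v certificate_authorities=%v server_err=%v\n", name, o.CertRequested, o.AcceptableCAs, o.ServerErr)
	}
}
```

Running it prints one line per scenario: the plain endpoint never requests a certificate, the MTLS endpoint lists CN=corp-ca in certificate_authorities and rejects a certless client at the TLS layer, and the RequestClientCert-without-ClientCAs variant requests a certificate with an empty list, which is the shape of request that makes a browser holding an unrelated corporate cert pop its chooser. Giving the MTLS endpoint its own host or port, as Neil suggests, keeps browser-based clients on the first configuration.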