Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt

Brian Campbell <bcampbell@pingidentity.com> Fri, 24 July 2020 21:14 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E84073A0B84 for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 14:14:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4lOZemTLmsJ for <oauth@ietfa.amsl.com>; Fri, 24 Jul 2020 14:14:10 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCDE43A0C64 for <oauth@ietf.org>; Fri, 24 Jul 2020 14:14:09 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id i80so5895543lfi.13 for <oauth@ietf.org>; Fri, 24 Jul 2020 14:14:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vzCHrwCtgSsAjrgNxD7MZUgjOhPnhoSOP0fJ40qauog=; b=Jcw2MVYJfmsVeMO/8nvocyCteCWeTB33xmZ3vcT/FUDdVz/xDYWAI/Rf+pbmWdOqtm rf1JALK+jXtSL/LdGtFQeZQ6OKMIeJE9WqFav4jWKpF6Xa3LFptG/wkPEr4OuYDocw+V TLFmlnCnpoHx8KaYYE77RiWS8U6J5z71Xsfgr+oWyYuCfBytooD3k1iBeBxgTmXSMgEz dUkAhWEBLIRvkEAPlr0mh9DnFBjGZA/SmVmNZgIFmPk1sLI1ukah2xb3yd7+AnWblasR hEPqRvfzzlKi0C0v7RF+P43MZDrppL7MKqGmaEd/TfAgayvFhEfsc5knYTotP8nnhbV7 5x0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vzCHrwCtgSsAjrgNxD7MZUgjOhPnhoSOP0fJ40qauog=; b=oBgGSuc09FXaTigimxfRItcNtvwxYzRev9Mrd6zk0mSvYUl3rvnLgUrnYhKF7wJTQn rS9WSVlEA8lO0hxZkzJVzH0stlLWvGP/Yetv21/Dcj9u75Z5Qxg8Qr+dFVsQGh1Q+vhD gyLVY8/ilnAgHfuMrrTrHhcG8lF7AhaAMVv38Wt1uz9CQKqHsREKIQGYAZUpK//ZpMRS Il/whx+6PZ1twYZMsYMc5txJtdgf80yQdVlniWvCdaw4vber7TGg1tYTXPT0/IhO0VtU I+Y/4W0eRAtSp5Pl8nT3h2nUkY+XqcIhMuYwWh+f5faJ7+SSPNn2Rs1ofxqMILnnCk6W H1Rg==
X-Gm-Message-State: AOAM532Xx28ozKEo6LI1GWNzbzbjX376a0PN2Z4W2BXlBP3COlGxCM3l HOJe+TH0bjM04/TZ3hnlBKefezDH+FxnqywtsXoZFl69wpZIdBgv4rwf9am1kvtmXEPbQXBOkm3 GagKe1tBKuDCoAQ==
X-Google-Smtp-Source: ABdhPJz3jN93ftJuKiVJBmT/VUalMFZdb6OnuPhJJAv1LGytoEfWyKtzDdWJgQlGabi2iuzPcnxqAk8dtjy7LyQ3ArY=
X-Received: by 2002:a19:c653:: with SMTP id w80mr5886921lff.167.1595625247606; Fri, 24 Jul 2020 14:14:07 -0700 (PDT)
MIME-Version: 1.0
References: <CA+k3eCRWSFGHPb9Yo1POR_YqZLELyhEuYuUsObcXMebxtnySBg@mail.gmail.com> <2ABDD1A0-0455-4CD7-94B9-121F7D61A287@forgerock.com>
In-Reply-To: <2ABDD1A0-0455-4CD7-94B9-121F7D61A287@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 24 Jul 2020 15:13:41 -0600
Message-ID: <CA+k3eCSqv98aMAd94ow-iFnFx_x_XE_Xjxn=P=EBwj2k=xux9Q@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000014249805ab3674fe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mL6gEQhuDBzsP5HQb_9WkXT5-CY>
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-par-02.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Jul 2020 21:14:13 -0000

Hi Neil,

Torsten added this issue
https://github.com/oauthstuff/draft-oauth-par/issues/53 from your
questions/comments, which touches on some things, and maybe he can provide
more thoughts. But I'll make an attempt here too.

In my mind, the one-time use suggestion on the request_uri came about less
from the risks of replay and more from the fact that the contents of a
particular auth request are unique to the one request. So it just kinda
made sense to similarly limit the reference to the data in a request. A
specific request can only be made once so it's suggested (though not
required) that a request_uri that represents that request also be usable
only once.

I believe state and/or PKCE and/or nonce can prevent replay already but
those take effect at different points in the whole dance and to catch
replay of different artifacts.

Agreed that it'd be good for the draft to have some more discussion about
the risks of modification and disclosure of the request content. Torsten
also agreed yesterday at a brief discussion during OSW so I'm hopeful he
can add some good content to the draft :) Thinking about richer
authorization requests that might have transaction data like payee account
numbers or amounts or similar etc. gives some idea of requests where
integrity and confidentiality would be good. And even more basic requests,
preventing control or modification of something like code_challenge seems
useful.





On Thu, Jul 23, 2020 at 1:53 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> Can you expand on the risks of replay? It seems like if the request can be
> replayed an attacker can also block the original request and inject the URI
> into a different request - ie no replay.
>
> (Shouldn’t state and/or PKCE and/or nonce prevent replay already?)
>
> In general the draft could do with some discussion of why an attacker
> being able to modify an authorization request is a risk. I might just be
> lacking enough coffee this morning to understand the risk here.
>
> — Neil
>
> On 22 Jul 2020, at 23:14, Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
> 
> Thanks Vladimir, both comments should be easy to address in -03 (HTTPS/TLS
> required and SHOULD on short lifetime *and* single use).
>
> On Sun, Jul 19, 2020 at 12:55 PM Vladimir Dzhuvinov <
> vladimir@connect2id.com> wrote:
>
>> Thanks for the update. With the "require PAR" AS and client metadata the
>> spec is now "policy complete". I can't think of what else there is to add.
>>
>>
>> I have two comments about -02:
>>
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2
>>
>> I didn't see a mention of https / TLS being required for the PAR
>> endpoint. The reader could assume http is fine.
>>
>>
>> https://tools.ietf.org/html/draft-ietf-oauth-par-02#section-2.2
>>
>>    Since the request URI can be replayed, its lifetime SHOULD be short
>>    and preferably limited to one-time use.
>>
>> The SHOULD is ambiguous here - does it apply to the lifetime only, or to
>> the lifetime and the single use.
>>
>>
>> Vladimir
>>
>>
>> On 10/07/2020 21:36, Brian Campbell wrote:
>>
>> WG,
>>
>> A new -02 draft of "OAuth 2.0 Pushed Authorization Requests" has been
>> published. A summary of the changes, taken from the document history, is
>> included below for ease of reference.
>>
>>    -02
>>
>>    *  Update Resource Indicators reference to the somewhat recently
>>       published RFC 8707 <https://datatracker.ietf.org/doc/html/rfc8707>
>>
>>    *  Added metadata in support of pushed authorization requests only
>>       feature
>>
>>    *  Update to comply with draft-ietf-oauth-jwsreq-21 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-21>, which requires
>>       "client_id" in the authorization request in addition to the
>>       "request_uri"
>>
>>    *  Clarified timing of request validation
>>
>>    *  Add some guidance/options on the request URI structure
>>
>>    *  Add the key used in the request object example so that a reader
>>       could validate or recreate the request object signature
>>
>>    *  Update to draft-ietf-oauth-jwsreq-25 <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwsreq-25> and added note regarding
>>       "require_signed_request_object"
>>
>>
>> ---------- Forwarded message ---------
>> From: <internet-drafts@ietf.org>
>> Date: Fri, Jul 10, 2020 at 1:21 PM
>> Subject: New Version Notification for draft-ietf-oauth-par-02.txt
>> To: Filip Skokan <panva.ip@gmail.com>om>, Torsten Lodderstedt <
>> torsten@lodderstedt.net>gt;, Brian Campbell <bcampbell@pingidentity.com>om>,
>> Dave Tonge <dave@tonge.org>rg>, Nat Sakimura <nat@sakimura.org>
>>
>>
>>
>> A new version of I-D, draft-ietf-oauth-par-02.txt
>> has been successfully submitted by Brian Campbell and posted to the
>> IETF repository.
>>
>> Name:           draft-ietf-oauth-par
>> Revision:       02
>> Title:          OAuth 2.0 Pushed Authorization Requests
>> Document date:  2020-07-10
>> Group:          oauth
>> Pages:          18
>> URL:
>> https://www.ietf.org/internet-drafts/draft-ietf-oauth-par-02.txt
>> Status:         https://datatracker.ietf.org/doc/draft-ietf-oauth-par/
>> Htmlized:       https://tools..ietf.org/html/draft-ietf-oauth-par-02
>> <https://tools.ietf...org/html/draft-ietf-oauth-par-02>
>> Htmlized:
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-par
>> <https://datatracker..ietf.org/doc/html/draft-ietf-oauth-par>
>> Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-par-02
>>
>> Abstract:
>>    This document defines the pushed authorization request endpoint,
>>    which allows clients to push the payload of an OAuth 2..0
>>    authorization request to the authorization server via a direct
>>    request and provides them with a request URI that is used as
>>    reference to the data in a subsequent authorization request.
>>
>>
>>
>>
>> Please note that it may take a couple of minutes from the time of
>> submission
>> until the htmlized version and diff are available at tools.ietf.org..
>>
>> The IETF Secretariat
>>
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited..
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>>
>> _______________________________________________
>> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>>
>> --
>> Vladimir Dzhuvinov
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited..
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._