IETF Logo Mail Archive

Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00

George Fletcher <gffletch@aol.com> Tue, 22 November 2016 19:31 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14932129B3F for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 11:31:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.397
X-Spam-Level:
X-Spam-Status: No, score=-3.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mx.aol.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nqD9CGR5xLJt for <oauth@ietfa.amsl.com>; Tue, 22 Nov 2016 11:31:06 -0800 (PST)
Received: from omr-m008e.mx.aol.com (omr-m008e.mx.aol.com [204.29.186.7]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34A49129E87 for <oauth@ietf.org>; Tue, 22 Nov 2016 11:31:06 -0800 (PST)
Received: from mtaout-mac01.mx.aol.com (mtaout-mac01.mx.aol.com [172.26.222.205]) by omr-m008e.mx.aol.com (Outbound Mail Relay) with ESMTP id F1A6138000F2; Tue, 22 Nov 2016 14:31:04 -0500 (EST)
Received: from [10.172.104.61] (unknown [10.172.104.61]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mac01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 75EFA38000093; Tue, 22 Nov 2016 14:31:03 -0500 (EST)
To: Denis <denis.ietf@free.fr>, John Bradley <ve7jtb@ve7jtb.com>
References: <f5f049b9-1aca-9949-ffd6-c9ce1396ef31@free.fr> <7fe51b7f-cc68-abda-79ed-9b6d75e00bc4@gmx.net> <5161dc3d-aac7-acb3-d4b3-7e6864a0520b@free.fr> <468C84B4-B2B3-4CC8-8AD1-A25A0D6893EF@ve7jtb.com> <b107314f-ec3b-e678-7bc6-9d3135bd304e@free.fr>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <6f5973b7-8f16-031d-9fab-d96943fd4da7@aol.com>
Date: Tue, 22 Nov 2016 14:31:02 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <b107314f-ec3b-e678-7bc6-9d3135bd304e@free.fr>
Content-Type: multipart/alternative; boundary="------------ABF556CB47122F373687E575"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1479843064; bh=tEhvZoheR6eSoswBOFSjmcSvzRbyhWmH+CU9n3LzJ6I=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=6a4MBL20U6palUVejaDs5ARB24k1yFDCI69Yt3eKiaf1NwQiqsYmaEfeKXHfusDgS /mlaOzohPxWVIJkt03DIum7++snpdkhSBUOCzCeAX0fet/5dLVZJ2oEpttf+UKirDo REC1gjJndmKN9EiQac6eoMaD2GRhLRtTfffzeaJU=
x-aol-sid: 3039ac1adecd58349cf77f3d
X-AOL-IP: 10.172.104.61
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mMUk5dr5TiHt2uk3AUbwTQ4QJBo>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] About Big Brother and draft-campbell-oauth-resource-indicators-00
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Nov 2016 19:31:09 -0000

Hi Denis,

If I understand your arguments correctly, you'd like a way to ask the AS 
to add an RS supplied nonce to the access_token. This is done in OpenID 
Connect with the id_token but nothing like this exists within OAuth2. 
Largely because the entity asking for the token (client) is different 
from the entity that will consume the token (resource server).

I see this oauth-resource-indicators spec trying to address a different 
problem. Namely, allowing the AS to not issue a token if the requested 
"resource" is suspect or does not in some way meet the AS policy.

It's unclear from the spec, how the RS should do audience restriction 
though I suspect that the RS will introspect the token and then compare 
the returned audience(s) in some way with itself. [Brian/John/Hannes I'd 
recommending adding a section on audience restriction processing in the RS.]

The model you suggest in this thread is much closer to UMA (User Managed 
Access) [1] where the client first tries to access a resource and then 
is told they need to obtain some additional claims before access will be 
granted.

Thanks,
George

[1] https://docs.kantarainitiative.org/uma/rec-uma-core-v1_0_1.html

On 11/22/16 12:22 PM, Denis wrote:
> Hi John,
>
>> The privacy problem is a touch hypothetical the way that OAuth 
>> currently works. There is not standard access token, a AS producing 
>> access tokens that could be used across a number of RS in different 
>> security domains would be a security disaster, unless they are proof 
>> of possession tokens. If all of the RS trust each other by being in 
>> the same security domain they can all collude and the AS can know 
>> where the tokens are used without the resource being indicated to the 
>> AS directly. If the RS are in different security domains then 
>> potentially some privacy is disclosed.
>
> I am dealing with scenarios where RS may be in the same security 
> domain or in different security domains.
> More precisely, none of the RS will necessarily be in the same 
> security domain as the AS.
>
>> The only way to deal with that is the alternative of POP AT that the 
>> WG is documenting separately.
>
> I disagree.  There are some cases, where an access token should be 
> targeted to a RS and the target RS should be indicated
> in the access token.
>
> draft-campbell-oauth-resource-indicators should say that data that can 
> be recognized by the RS may be incorporated
> into the access token.
>
> This has nothing to do with POP which is another issue.
>
> draft-ietf-oauth-pop-architecture-08 does not, unfortunately, provides 
> a solution since a major threat has been omitted:
>
>     Collusion between users
>
>           Users can collude and one user may attempt to use an access
>     token legitimately obtained from an AS
>           and then transmit it to another user so that it can be used
>     on the same RS.
>
>
> This document states on page (clause 3.3):
>
>   * the important assumption in this use case is that a resource
>     server does not have TLS support
>     and the security solution should work in such a scenario.
>
> This means that binding the access token to HTTP (see 
> draft-ietf-tokbind-https-06) is not a valid solution
> since it is unable to address the Alice and Bob Collusion (ABC) attack.
>
>> I think it is fine to say that if the AS are in separate security 
>> domains and privacy is a issue, then use PoP rather than resource to 
>> protect the AT from replay.
>
> I do not think this is what should be said.
>
> If an access token cannot be replayed on another RS, then it does not 
> necessarily need to be targeted to a RS (... but it will not heart).
>
> If privacy is a concern _and_ if there is a need to include a target 
> RS in an access token because the access token might be forwarded
> to another RS, then a pseudo-random number shall be used to identify 
> the RS rather than an absolute URI.
>
>> The reason for using a URI for the resource is that it is something the client knows.
>> If we use a abstract name the client might be tricked into giving a token to the wrong resource.
>
> Please take another look at the example I have provided below. The 
> problem you mention does not exist.
>
> Denis
>> John B.
>>
>>
>>> On Nov 22, 2016, at 9:34 AM, Denis<denis.ietf@free.fr>  wrote:
>>>
>>> Hi Hannes,
>>>
>>> I do not deny the fact that it is necessary to provide some information to the authorization server
>>> to indicate the resource server where the access token shall only be used.
>>>
>>> Let us illustrate the concept with a simple scenario.
>>>
>>> A user first connects to a resource server and announces some actions he would like to perform.
>>> In its response, the resource server indicates "demonstrate that you are older than 18 and incorporate
>>> in your access token the random value (some kind of challenge) I have just generated for you only".
>>>
>>> The client forwards that random value to the authorization server which is blindly copied and pasted
>>> into the access token. If the resource server does not recognize this value, the access will be denied.
>>>
>>> In this way, the authorization server has no way to know where the access token will be used.
>>>
>>> On the contrary, an absolute URI would allow the authorization server to know which resources the user is accessing.
>>> The use of an absolute URI should be deprecated because of this privacy concern.
>>>
>>> Denis
>>>
>>>> Hi Denis
>>>>
>>>> draft-campbell-oauth-resource-indicators gives the authorization server
>>>> information about the resource server the access token will be used with.
>>>>
>>>> Without this information there is the risk that the access token is
>>>> replayed at other resource servers and with the proof-of-possession /
>>>> token binding work there obviously has to be an indication of where the
>>>> token is used.
>>>>
>>>> The reason for using an absolute URI is that the resource server needs
>>>> to take the information from the incoming access token and to compare it
>>>> with its own information in order to determine whether the token is
>>>> indeed intended for itself.
>>>>
>>>> If the authorization server does not know to whom it gives rights to
>>>> access protected information then this is also a privacy risk (namely
>>>> unauthorized access).
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>> On 11/15/2016 12:50 PM, Denis wrote:
>>>>> Hello everybody,
>>>>>
>>>>> Since I am not present at the meeting, I read the minutes from the first
>>>>> session, in particular:
>>>>>
>>>>>      Brian Campbell and John did a draft allowing the client to tell the
>>>>>      AS where it plans to use the token
>>>>>      draft-campbell-oauth-resource-indicators
>>>>>
>>>>>                    This enables the AS to audience restrict the access
>>>>>      token to the resource
>>>>>                    Phil Hunt:  We should keep the audience restriction
>>>>>      idea on the table
>>>>>
>>>>> The introduction contains the following sentences:
>>>>>
>>>>>      Several years of deployment and implementation experience with OAuth
>>>>>      2.0 [RFC6749] has uncovered a need, in some circumstances,
>>>>>      for the client to explicitly signal to the authorization sever where
>>>>>      it intends to use the access token it is requesting.
>>>>>
>>>>>      A means for the client to signal to the authorization sever where it
>>>>>      intends to use the access token it's requesting is important and
>>>>>      useful.
>>>>>
>>>>> The document contains a "security considerations" section but
>>>>> unfortunately no "privacy considerations" section.
>>>>>
>>>>> Clause 2 states:
>>>>>
>>>>>      The client may indicate the resource server(s) for which it is
>>>>>      requesting an access token by including the
>>>>>      following parameter in the request.
>>>>>
>>>>>      resource
>>>>>
>>>>>      OPTIONAL. The value of the resource parameter indicates a resource
>>>>>      server where the requested
>>>>>      access token will be used.*It MUST be an absolute URI*, as specified
>>>>>      by Section 4.3 of[RFC3986],
>>>>>
>>>>> With such an approach, the authorization server would have the ability
>>>>> to *act as a Big Brother *and hence to know exactly
>>>>> where the user will be performing activities.
>>>>>
>>>>> However, some users might be concerned with their privacy, and would
>>>>> like to restrict the use of the access token
>>>>> to some resource servers without the authorization server knowing which
>>>>> are these resource servers.
>>>>>
>>>>> The key point is whether the information is primarily intended to the
>>>>> authorization server or to the resource server(s).
>>>>>
>>>>> I believe that it is primarily intended to the resource server(s) rather
>>>>> than to the authorization server in order to be included
>>>>> in an access token. Obviously, the information needs to transit through
>>>>> the authorization sever, that should simply be copied
>>>>> and pasted into the access token. Its semantics, if any, does not
>>>>> necessarily needs to be interpreted by the authorization sever.
>>>>>
>>>>> I believe that a "privacy considerations" section should be added.
>>>>>
>>>>> The sentence "*It MUST be an absolute URI*, as specified by Section 4.3
>>>>> of [RFC3986]" should be removed or
>>>>>   replaced by : "*It MAY be an absolute URI*, as specified by Section 4.3
>>>>> of [RFC3986]".
>>>>>
>>>>> Obviously, other changes would be necessary too.
>>>>>
>>>>> Denis
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email