Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators
Sergey Beryozkin <sberyozkin@gmail.com> Thu, 01 December 2016 10:30 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC2C129624 for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2016 02:30:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BKAqmnaQv7DP for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2016 02:30:39 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1DDF12961C for <oauth@ietf.org>; Thu, 1 Dec 2016 02:30:38 -0800 (PST)
Received: by mail-lf0-x229.google.com with SMTP id b14so167889534lfg.2 for <oauth@ietf.org>; Thu, 01 Dec 2016 02:30:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=FoKbMBQgrhwSaVYaiTgowbsBAIe4vXCx1pKJymA07ck=; b=iJnIg3FrvucqEEA17+vUF1+jq5zZLf1NcXt5PHd1ysXCWOKp3mu44/ldMXt95+twQO I94Bf6QFF+IkFMgXq6HZSF3RWlniKQKmW8ljZbeTfxAxIy+9zJ1F/WWH+vMNamuuLmA0 LA6TAjzo7u40h5A9253rTVIRJEFV9Oy3mkhXxHhwDeNcyLgO8vWM718xp4gJ62hwf+eZ SoJznbAgIkbrMvtrZ9fw+zP9Rv1d5uwzzlxsGzA0rikMLCaADy/5k9hRgyki4iuZKOF4 oqOzt2IbIWf7xX2eaf9ZErJ9KOVvJDx8O1JxcK1YvjrHDvn0mCggGLkc5R7GW0bbRGFI 5lJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=FoKbMBQgrhwSaVYaiTgowbsBAIe4vXCx1pKJymA07ck=; b=Qc4k4rm1PKFtQhXDUT4z/9m7Rzo+lq+cjzebZGPQsWALGnGuS5BpTUclzI/raBpjni M6+fp3N+GvW6KGC1c63S32LM4TvWDaPKdvwVBwvl0b2cB/PQlu68zU9hPmz5753mmMuX I7keIwXa3lL324g6aCuZhtvUO17qK7TSPDOHVSuWhpwsQyF3mmvIWuKyCcNd3Ijnm5kG EoETPOtjkxkkzxJbnKybAt+NSsfIGufC7JdzWNhDmLTNhFKzDZPC/GuUKrBF2Oh9zR2M Nm9w0pdb3APv8cabfK0nvVHz+GVL6zHnjwN99uIcI9/Pax0XBq1+JQb1Cd3t7p3ctasK huHg==
X-Gm-Message-State: AKaTC02lIXK0FObFDghty0REKaUSeDPvPxeyxlSxS34Rlf/8aMEJ+vVB1wXPqLVDWKrqYw==
X-Received: by 10.46.72.2 with SMTP id v2mr12075898lja.67.1480588236602; Thu, 01 Dec 2016 02:30:36 -0800 (PST)
Received: from [192.168.2.7] ([79.97.121.181]) by smtp.googlemail.com with ESMTPSA id v26sm15199137lja.30.2016.12.01.02.30.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Dec 2016 02:30:35 -0800 (PST)
To: John Bradley <ve7jtb@ve7jtb.com>, Justin Richer <jricher@mit.edu>
References: <c607334a-edcd-2be6-1796-7b31e070bad0@gmail.com> <BFE837C1-C2A8-4393-A6E1-3F56E45AC12C@mit.edu> <CD883FC7-531B-4BDF-91FF-33F0FBC102BD@ve7jtb.com> <6c46d3a4-ad0d-3b49-7a15-7532634702e9@gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <e93b42c4-888a-0315-19b8-2aedab6227b2@gmail.com>
Date: Thu, 01 Dec 2016 10:30:34 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <6c46d3a4-ad0d-3b49-7a15-7532634702e9@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mRhrA0jzzwU9u_pNeOLvFEbAacA>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2016 10:30:41 -0000
Hi, We'll experiment with starting supporting a "resource_uris" extension array property - the name is based on a 'resource' indicator property from the resource indicators draft, with a '_uris' added given that many dynamic registration properties have similar suffixes Cheers, Sergey On 29/11/16 10:49, Sergey Beryozkin wrote: > Hi John, All > > I've been alway thinking that the reason an audience can be an array (as > indicated for ex by the JWT spec, etc) is because a client application > may need to talk to more than one RS in order to complete a single > action for the current user (ex, the client will not talk to either RS1 > or RS2 but first to RS1 and then will complete the action by talking to > RS2). > > Why else would a JWT access token have an array of audience values ? > https://tools.ietf.org/html/rfc7519#section-4.1.3 > > I agree the resource indicators can help on its own - in case no > audiences for a given client have been pre-registered or as you > suggested - to point to a specific resource at the runtime, with this > (resource) URI being validated against the pre-registered values. > > But also, pre-registering a single audience during the client > registration (dynamic or static) can minimize the need to use the > resource indicators at the runtime. > > I did not quite understand what you were explaining about registering > RSs with the client - I guess that client will know in advance which > RS(s) it will need to talk to do its work, > > Many thanks, Sergey > > > > > On 28/11/16 22:58, John Bradley wrote: >> To make something like this work with a loose coupling between the RS >> and AS the format of the AT would also need to be specified. >> >> To this point the WG has avoided standardizing AT. >> >> Most AS probably believe they know what RS the token is going to be >> used at based on scopes. >> Taking those tokens and using them at other RS is arguably at-least >> out of scope or arguably not allowed by the current specs. >> >> People are perhaps abusing the specs and sending AT to RS that are not >> properly audienced and can be replayed between RS. >> This is really bad from a security perspective with bearer tokens. >> >> I do however see a valid use case. >> >> Registering RS with the client is not a bad idea, however if you >> register more than one without the client saying at runtime what RS >> the token is for they can still be replayed. >> The client depending on design could still be tricked by a RS or >> something else to get a token audienced to a different RS if the AS >> dosen't know where the client is sending the token. >> >> I don’t think registering RS gets around the need for the resource >> indicator draft >> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators >> >> Typically we have thought about a tight coupling between the RS and >> AS, but now it seems people are putting more of the >> intelligence/burden on the the client. >> >> in a more dynamic system the RS might provide a list of AS that it >> accepts tokens form and the client might dynamically register with one >> of them. >> >> I suspect Sergey’s AS is doing something in between. >> >> I am hesitant to pick off just dynamic registration as there are a >> number of interrelated issues that need to be thought through to >> prevent security issues. >> >> John B. >> >> >> >> >> >> >>> On Nov 28, 2016, at 3:47 PM, Justin Richer <jricher@mit.edu> wrote: >>> >>> I would consider that a totally reasonable extension. You will need >>> to define what the behavior is if the client doesn’t provide a value >>> for that field: is there a default? Are there no resources available >>> to the client? >>> >>> — Justin >>> >>>> On Nov 28, 2016, at 12:21 PM, Sergey Beryozkin >>>> <sberyozkin@gmail.com> wrote: >>>> >>>> Hi All >>>> >>>> Our AS allows for the manual client registration with the UI >>>> offering an option to assign the audience/resource URIs to a given >>>> Client registration with all the associated future access tokens >>>> inheriting them. >>>> >>>> The client will not have to follow the resource indicator >>>> registration as recommended at [1] - the administrator who registers >>>> the clients sets the audiences. >>>> >>>> We'd like to achieve the same with the dynamic client registration >>>> but my colleague noted the client metadata in the dynamic >>>> registration request has no 'audience' property. >>>> >>>> We will consider supporting either an 'audience' or 'resource' >>>> property - does it sound reasonable ? >>>> >>>> By the way, as far as [1] is concerned, should a 'resource' property >>>> support an array of audiences ? (To support a case a client needed >>>> to talk to several RSs to complete a given action) >>>> >>>> Thanks, Sergey >>>> >>>> [1] >>>> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02 >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] Dynamic client registration and the au… Sergey Beryozkin
- Re: [OAUTH-WG] Dynamic client registration and th… Justin Richer
- Re: [OAUTH-WG] Dynamic client registration and th… Sergey Beryozkin
- Re: [OAUTH-WG] Dynamic client registration and th… John Bradley
- Re: [OAUTH-WG] Dynamic client registration and th… Sergey Beryozkin
- Re: [OAUTH-WG] Dynamic client registration and th… Sergey Beryozkin