IETF Logo Mail Archive

Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators

Sergey Beryozkin <sberyozkin@gmail.com> Thu, 01 December 2016 10:30 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC2C129624 for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2016 02:30:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BKAqmnaQv7DP for <oauth@ietfa.amsl.com>; Thu, 1 Dec 2016 02:30:39 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1DDF12961C for <oauth@ietf.org>; Thu, 1 Dec 2016 02:30:38 -0800 (PST)
Received: by mail-lf0-x229.google.com with SMTP id b14so167889534lfg.2 for <oauth@ietf.org>; Thu, 01 Dec 2016 02:30:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=FoKbMBQgrhwSaVYaiTgowbsBAIe4vXCx1pKJymA07ck=; b=iJnIg3FrvucqEEA17+vUF1+jq5zZLf1NcXt5PHd1ysXCWOKp3mu44/ldMXt95+twQO I94Bf6QFF+IkFMgXq6HZSF3RWlniKQKmW8ljZbeTfxAxIy+9zJ1F/WWH+vMNamuuLmA0 LA6TAjzo7u40h5A9253rTVIRJEFV9Oy3mkhXxHhwDeNcyLgO8vWM718xp4gJ62hwf+eZ SoJznbAgIkbrMvtrZ9fw+zP9Rv1d5uwzzlxsGzA0rikMLCaADy/5k9hRgyki4iuZKOF4 oqOzt2IbIWf7xX2eaf9ZErJ9KOVvJDx8O1JxcK1YvjrHDvn0mCggGLkc5R7GW0bbRGFI 5lJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=FoKbMBQgrhwSaVYaiTgowbsBAIe4vXCx1pKJymA07ck=; b=Qc4k4rm1PKFtQhXDUT4z/9m7Rzo+lq+cjzebZGPQsWALGnGuS5BpTUclzI/raBpjni M6+fp3N+GvW6KGC1c63S32LM4TvWDaPKdvwVBwvl0b2cB/PQlu68zU9hPmz5753mmMuX I7keIwXa3lL324g6aCuZhtvUO17qK7TSPDOHVSuWhpwsQyF3mmvIWuKyCcNd3Ijnm5kG EoETPOtjkxkkzxJbnKybAt+NSsfIGufC7JdzWNhDmLTNhFKzDZPC/GuUKrBF2Oh9zR2M Nm9w0pdb3APv8cabfK0nvVHz+GVL6zHnjwN99uIcI9/Pax0XBq1+JQb1Cd3t7p3ctasK huHg==
X-Gm-Message-State: AKaTC02lIXK0FObFDghty0REKaUSeDPvPxeyxlSxS34Rlf/8aMEJ+vVB1wXPqLVDWKrqYw==
X-Received: by 10.46.72.2 with SMTP id v2mr12075898lja.67.1480588236602; Thu, 01 Dec 2016 02:30:36 -0800 (PST)
Received: from [192.168.2.7] ([79.97.121.181]) by smtp.googlemail.com with ESMTPSA id v26sm15199137lja.30.2016.12.01.02.30.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Dec 2016 02:30:35 -0800 (PST)
To: John Bradley <ve7jtb@ve7jtb.com>, Justin Richer <jricher@mit.edu>
References: <c607334a-edcd-2be6-1796-7b31e070bad0@gmail.com> <BFE837C1-C2A8-4393-A6E1-3F56E45AC12C@mit.edu> <CD883FC7-531B-4BDF-91FF-33F0FBC102BD@ve7jtb.com> <6c46d3a4-ad0d-3b49-7a15-7532634702e9@gmail.com>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <e93b42c4-888a-0315-19b8-2aedab6227b2@gmail.com>
Date: Thu, 01 Dec 2016 10:30:34 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <6c46d3a4-ad0d-3b49-7a15-7532634702e9@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mRhrA0jzzwU9u_pNeOLvFEbAacA>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic client registration and the audience (resource) indicators
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2016 10:30:41 -0000

Hi,
We'll experiment with starting supporting a "resource_uris" extension 
array property - the name is based on a 'resource' indicator property 
from the resource indicators draft, with a '_uris' added given that many 
dynamic registration properties have similar suffixes

Cheers, Sergey
On 29/11/16 10:49, Sergey Beryozkin wrote:
> Hi John, All
>
> I've been alway thinking that the reason an audience can be an array (as
> indicated for ex by the JWT spec, etc) is because a client application
> may need to talk to more than one RS in order to complete a single
> action for the current user (ex, the client will not talk to either RS1
> or RS2 but first to RS1 and then will complete the action by talking to
> RS2).
>
> Why else would a JWT access token have an array of audience values ?
> https://tools.ietf.org/html/rfc7519#section-4.1.3
>
> I agree the resource indicators can help on its own - in case no
> audiences for a given client have been pre-registered or as you
> suggested - to point to a specific resource at the runtime, with this
> (resource) URI being validated against the pre-registered values.
>
> But also, pre-registering a single audience during the client
> registration (dynamic or static) can minimize the need to use the
> resource indicators at the runtime.
>
> I did not quite understand what you were explaining about registering
> RSs with the client - I guess that client will know in advance which
> RS(s) it will need to talk to do its work,
>
> Many thanks, Sergey
>
>
>
>
> On 28/11/16 22:58, John Bradley wrote:
>> To make something like this work with a loose coupling between the RS
>> and AS the format of the AT would also need to be specified.
>>
>> To this point the WG has avoided standardizing AT.
>>
>> Most AS probably believe they know what RS the token is going to be
>> used at based on scopes.
>> Taking those tokens and using them at other RS is arguably at-least
>> out of scope or arguably not allowed by the current specs.
>>
>> People are perhaps abusing the specs and sending AT to RS that are not
>> properly audienced and can be replayed between RS.
>> This is really bad from a security perspective with bearer tokens.
>>
>> I do however see a valid use case.
>>
>> Registering RS with the client is not a bad idea, however if you
>> register more than one without the client saying at runtime what RS
>> the token is for they can still be replayed.
>> The client depending on design could still be tricked by a RS or
>> something else to get a token audienced to a different RS if the AS
>> dosen't know where the client is sending the token.
>>
>> I don’t think registering RS gets around the need for the resource
>> indicator draft
>> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators
>>
>> Typically we have thought about a tight coupling between the RS and
>> AS,  but now it seems people are putting more of the
>> intelligence/burden on the the client.
>>
>> in a more dynamic system the RS might provide a list of AS that it
>> accepts tokens form and the client might dynamically register with one
>> of them.
>>
>> I suspect Sergey’s AS is doing something in between.
>>
>> I am hesitant to pick off just dynamic registration as there are a
>> number of interrelated issues that need to be thought through to
>> prevent security issues.
>>
>> John B.
>>
>>
>>
>>
>>
>>
>>> On Nov 28, 2016, at 3:47 PM, Justin Richer <jricher@mit.edu> wrote:
>>>
>>> I would consider that a totally reasonable extension. You will need
>>> to define what the behavior is if the client doesn’t provide a value
>>> for that field: is there a default? Are there no resources available
>>> to the client?
>>>
>>> — Justin
>>>
>>>> On Nov 28, 2016, at 12:21 PM, Sergey Beryozkin
>>>> <sberyozkin@gmail.com> wrote:
>>>>
>>>> Hi All
>>>>
>>>> Our AS allows for the manual client registration with the UI
>>>> offering an option to assign the audience/resource URIs to a given
>>>> Client registration with all the associated future access tokens
>>>> inheriting them.
>>>>
>>>> The client will not have to follow the resource indicator
>>>> registration as recommended at [1] - the administrator who registers
>>>> the clients sets the audiences.
>>>>
>>>> We'd like to achieve the same with the dynamic client registration
>>>> but my colleague noted the client metadata in the dynamic
>>>> registration request has no 'audience' property.
>>>>
>>>> We will consider supporting either an 'audience' or 'resource'
>>>> property - does it sound reasonable ?
>>>>
>>>> By the way, as far as [1] is concerned, should a 'resource' property
>>>> support an array of audiences ? (To support a case a client needed
>>>> to talk to several RSs to complete a given action)
>>>>
>>>> Thanks, Sergey
>>>>
>>>> [1]
>>>> https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-02
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>

v2.23.0 | Report a Bug | By Email