Re: [OAUTH-WG] DPoP and client registration metadata
Brian Campbell <bcampbell@pingidentity.com> Thu, 17 February 2022 21:33 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DF623A1429 for <oauth@ietfa.amsl.com>; Thu, 17 Feb 2022 13:33:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5mE56PjH_cxZ for <oauth@ietfa.amsl.com>; Thu, 17 Feb 2022 13:33:10 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 99E1A3A1407 for <oauth@ietf.org>; Thu, 17 Feb 2022 13:32:56 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id r20so1437629ljj.1 for <oauth@ietf.org>; Thu, 17 Feb 2022 13:32:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=b9te3JmiFF0mTHwrA0nIIK+8Wb35QT4p10m+3mK2tmA=; b=N48MR9qy99TwnSU6sSKz59sZ5e2J1G8+1senM2I6YlahROeaE4c6U6vw05QC2cthy5 L4zyVTtKK8CGU08zTn3Xi2yjasZvQy8+KkNsqhthBKopjOcsMMXeWWAhT2nVfAqb0163 RAb6kQg3I6P8wgQ4HfeLYeYwZL8p0elDKOAGZKUBMnT3yx59SkbQ44fflA34lWiczqOp i99OkbZONUoylNJOf3d7tcrRrwtFXcgpIW8TGzfGrSKDvzLjEYnL0dtDduHuyOVMwlI2 zKUvFXwHXpY4AnxVIKooJnfwcLQYa80ehwcd6zoUqkM1wdKppTldfPSdNFjBqXfLdy0s 0dxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b9te3JmiFF0mTHwrA0nIIK+8Wb35QT4p10m+3mK2tmA=; b=h3SIi5xQhqNdRnKVXsAstbW2qwd24qjzYovxFJ8jxhUS/CyZxxsVXwVRhPuvqMUANr aZVcksqjxk6fsa4e1hwbnSDo01cIa2Z6maPCSw9IugFFb9RR2kApTyRp6Jxfq4JvQAru JviYKX1b3izIMr7EmWrjaSeh1p+Tl3hGnY+vsUwzNGNZ/G4k+FDJ0vxe9T5ovc06AhJg Uoe28Ty1GofT2f02jfd1yXQRTI9d1iL1JY8YbBMkD0ErJuh83hQohj6VTE/l5I2koP8q 5CS23KLljRljSohbQ5GpKTfpg+HFO7/iq1+cEZPIjQEDYnx3r4YH2ZQoEbrCx8Iken7k YiYw==
X-Gm-Message-State: AOAM531urqRdVzUDeLQ6QDkqAcmAeYq6kAWUrVFhFhle1vOncwnJ5Zir 1pxNY5bteIxpDL4/NUx2M26J/qV4I6gw2v6HJJSWtMCL30GGSVHyQKEDT1oFyEpIAFeKFpQswGv 5tFNrljGP0d7j6g==
X-Google-Smtp-Source: ABdhPJyUcuz09oRE3ODpS37h8r5g958cRfr3qVplCgSYMPAyLTem6Ht7pPaWbRIK/meDfEwXQHWQ/8Ze+WrZOcOEpDg=
X-Received: by 2002:a05:651c:1509:b0:241:8db:ca24 with SMTP id e9-20020a05651c150900b0024108dbca24mr3583229ljf.347.1645133573974; Thu, 17 Feb 2022 13:32:53 -0800 (PST)
MIME-Version: 1.0
References: <CAOtx8DkFrDBk==_4Yr8JFiNmPSQkhMnVDk09RGhz_Kb52gMMtA@mail.gmail.com> <CA+k3eCSG0-bjJRsVrgAtVocvRBpwY+7fBxr=WPAYdUBd25g=pQ@mail.gmail.com> <CA+k3eCTCjawQx7g8Q+tUwtC7oRCkpev0r-kCuo3n3Xy18XvgVA@mail.gmail.com> <9b66ac72-19af-974a-d85d-c7ab88f31183@aol.com>
In-Reply-To: <9b66ac72-19af-974a-d85d-c7ab88f31183@aol.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 17 Feb 2022 14:32:27 -0700
Message-ID: <CA+k3eCTbWHJdVLOFspgrFtq9K4QdXcqkfMQh6JtsFh7O-h7b1g@mail.gmail.com>
To: George Fletcher <gffletch=40aol.com@dmarc.ietf.org>
Cc: Dmitry Telegin <dmitryt@backbase.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004913d205d83d8211"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/moToklOElb9neUkYv6g9CrkCq40>
Subject: Re: [OAUTH-WG] DPoP and client registration metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Feb 2022 21:33:24 -0000
On Thu, Feb 17, 2022 at 12:28 PM George Fletcher <gffletch= 40aol.com@dmarc.ietf.org> wrote: > From an authorization server perspective, I think it makes sense to be > able to flag certain clients as only supporting DPoP bound tokens and hence > rejecting any request without the appropriate proof. > There's work underway over in github to get that into the next draft. Though there's still discussion about the scope of what the metadata indicates the client will do and the AS should require. > Given that the FAPI 2 baseline is requiring either DPoP or MTLS as the > sender-constraining methods, I think we need to provide more guidance about > how DPoP is used in cases outside of SPAs. Can a mobile app using dynamic > client registration via pub/priv key pair generated on the device using the > same public key for the DPoP required portions of the flows? > It could use the same key but there's nothing requiring it or checking any association. In https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-04.html#section-1-3 we say "DPoP can be used to sender-constrain access tokens regardless of the client authentication method employed, but DPoP itself is not used for client authentication." Which is meant to say that DPoP is orthogonal to client auth. > > Thanks, > George > > On 2/14/22 5:51 PM, Brian Campbell wrote: > > This (more or less) has come up again in the from of a github issue: > https://github.com/danielfett/draft-dpop/issues/105 and it has me sort of > maybe reconsidering the idea of introducing some kind of client metadata > that indicates that the client will always do DPoP. So I wanted to bring > it up again here on the list to try and see what folks had opinions on it. > > On Tue, Oct 26, 2021 at 4:08 PM Brian Campbell <bcampbell@pingidentity.com> > wrote: > >> There are no plans to introduce client registration metadata for DPoP - >> the requirement to use DPoP is more of a property of a resource so I don't >> think registration metadata for a client fits very well. >> >> >> On Tue, Oct 26, 2021 at 8:53 AM Dmitry Telegin <dmitryt= >> 40backbase.com@dmarc.ietf.org> wrote: >> >>> For dynamically registered clients, there is currently no way to >>> indicate the intention to use DPoP. Hence, it's completely up to the AS >>> whether to enforce DPoP or not on such clients (for example, using client >>> registration policies). >>> >>> Seems like there is no common approach here; for example, RFC 8705 >>> (OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access >>> Tokens) does define client registration metadata (see section 9.5), whilst >>> RFC 7636 (PKCE) does not. I guess this is due to PKCE being initially >>> conceived as a feature that would become mandatory in OAuth 2.1. >>> >>> Are there any plans to introduce client registration metadata for DPoP? >>> >>> Regards, >>> Dmitry >>> Backbase >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] DPoP and client registration metadata Dmitry Telegin
- Re: [OAUTH-WG] DPoP and client registration metad… Brian Campbell
- Re: [OAUTH-WG] DPoP and client registration metad… Brian Campbell
- Re: [OAUTH-WG] DPoP and client registration metad… George Fletcher
- Re: [OAUTH-WG] DPoP and client registration metad… Brian Campbell
- Re: [OAUTH-WG] DPoP and client registration metad… George Fletcher