[OAUTH-WG] Fwd: Token Binding Demo Online

Brian Campbell <bcampbell@pingidentity.com> Mon, 03 April 2017 11:52 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C761250B8 for <oauth@ietfa.amsl.com>; Mon, 3 Apr 2017 04:52:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SUYkXzlXLgkA for <oauth@ietfa.amsl.com>; Mon, 3 Apr 2017 04:52:30 -0700 (PDT)
Received: from mail-pg0-x236.google.com (mail-pg0-x236.google.com [IPv6:2607:f8b0:400e:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B937127B57 for <oauth@ietf.org>; Mon, 3 Apr 2017 04:52:30 -0700 (PDT)
Received: by mail-pg0-x236.google.com with SMTP id 81so118313532pgh.2 for <oauth@ietf.org>; Mon, 03 Apr 2017 04:52:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=SSLaJpgoLknT0TJ4bRsTGFPmMzXQizwxA1aKO8iEfVw=; b=JpsnhCy5CXKZN2M8KcTv0eZUJWaVIpm6SQh0n1KzjOWxyv8LRfCOJFOMfJmbTak2wX ftR0Abobf24RyQucNbS0nsE91i8qTD5lPsahrNq3aj33AtML04bOcHSOuSO34gBgORZB tZ0eaVljbtwXdVO24iBtEkKGGOETDQL5AQMXY=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=SSLaJpgoLknT0TJ4bRsTGFPmMzXQizwxA1aKO8iEfVw=; b=FHh74kCzTS0Bg+l/SGAz0Cvw+MDvA64NpB6lrF00tSE7ZYycxInznOmATtysFw2D8b uloTfJYwP/3iVPcHOoItKOU3jFVPmhnF5CCiyiF/EFakWZxJmwZEji/E3th/+7PANAZG iZzFEwk9+UqHdHKUPAt7CEli7IY1jFEhCGihDOuGuu81I01UKjnUfeQwqGVWJad/gL+i 6ouN4zDU+gOBqsTVKwdWPT7NlIIb77Pfh8/7nzVfWxyq38yPlQgPYJB5xm0Vftiiwbhc pbmUg7KTrNuhtNWwdNuXJaA5chjNnShWNkOAI7PsC1xQXuFFxXslhGa4FL6yG6U2zDgi o03w==
X-Gm-Message-State: AFeK/H2ojIIlCSZ8ZNWRYBOUI707Yi/DHO1agdjSpCf/hoQ9grujW8Mitw8ZKSQA6WnaPGb9RpMAPWRUtwD3e+vs
X-Received: by 10.84.232.131 with SMTP id i3mr21286803plk.172.1491220349743; Mon, 03 Apr 2017 04:52:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.165.172 with HTTP; Mon, 3 Apr 2017 04:51:59 -0700 (PDT)
In-Reply-To: <CA+k3eCQrSH3AXOvzH56qo-N9MgPFA37vGZ9EQzLGvagTE=cgKQ@mail.gmail.com>
References: <CA+k3eCQrSH3AXOvzH56qo-N9MgPFA37vGZ9EQzLGvagTE=cgKQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 03 Apr 2017 05:51:59 -0600
Message-ID: <CA+k3eCRb4evEg4bX7aRQUNH=QDO3AtWGXd85mMpYFfpnJUfhHw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="f40304361d103a91f0054c41cb0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/n5Cisk1pAFoMuEhKjPSStwUD1FE>
Subject: [OAUTH-WG] Fwd: Token Binding Demo Online
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 11:52:33 -0000

Below is the Token Binding demo that I mentioned and said I'd share on the
list during the Friday meeting in Chicago.

---------- Forwarded message ----------
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, Mar 24, 2017 at 3:11 PM
Subject: Token Binding Demo Online
To: IETF Tokbind WG <unbearable@ietf.org>


I put up a demonstration of some token binding functionality that I wanted
to share. There are a few parts to it, which I'll attempt to describe
below.

At https://unbearable-bc.ping-eng.com:3000/open/ is a token binding capable
reverse proxy (of sorts) that is proxying requests to http://httpbin.org/
with a little path rewriting. If you go to
https://unbearable-bc.ping-eng.com:3000/open/headers with a token binding
(-10 to -13) capable browser, for example, you should see a dump of the
request headers including "Sec-Token-Binding".

The reverse proxy is also set up with some access control and will proxy
from https://unbearable-bc.ping-eng.com:3000/ to http://httpbin.org/ but
require an authenticated session to do so. And it's using OpenID Connect
Token Bound Authentication
<http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html>
with an IDP at https://token-provider-bc.ping-eng.com:9031 to authenticate
users.

So, for example, if you go to https://unbearable-bc.ping-eng.com:3000/headers
without a session you will be redirected to the authorization endpoint at
that IDP and presented with a login page. Use
USERNAME: brian and PASSWORD: Test5555 on that page. After login, you'll be
sent back to the relying party via the Form Post Response Mode
<https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html> where
the ID Token is sent though the browser. If you grab that token and decode
it, there should be a confirmation method claim that has the hash of the
Token Binding ID used with the relying party (i.e. "cnf": {"tbh":
"...hash..."}).

The relying party sets up its own session from the OIDC SSO, which is a
cookie named PA.unbearable that is a JWT. The page at
https://unbearable-bc.ping-eng.com:3000/headers will dump the headers
including that cookie. If you decode that JWT, you should also see that the
local session is token bound with the confirmation method claim.

Things will still work when using a non token binding capable browser but
none of the tokens will be token bound.

As a reminder, you can enable Token Binding in Chrome by putting
chrome://flags/#enable-token-binding into the address bar. Chrome and Chrome
Canary are what I've been using to play with this. I'm hoping someone
with the TB enabled Edge/IE can poke around on this demo too.
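The message above describes two things a relying party has to connect: the "Sec-Token-Binding" header the browser sends (a TokenBindingMessage, RFC 8471 / RFC 8473) and the "cnf": {"tbh": "..."} claim in the ID Token and the PA.unbearable session JWT, where tbh is the base64url-encoded SHA-256 hash of the Token Binding ID. The following is an added example, not code from the demo or from Ping Identity: it parses the header, extracts the Provided Token Binding ID, recomputes tbh and compares it with the token's cnf claim. The P-256 base point stands in for a browser's Token Binding key and the all-zero signature is a placeholder, both constructed for illustration; verifying the ECDSA signature needs the 32-byte TLS EKM, so the code only shows what that signature covers and assumes the TLS layer checks it.

```python
"""Check a Token Binding "cnf": {"tbh": ...} confirmation against the
Sec-Token-Binding header (TokenBindingMessage layout from RFC 8471/8473).
Added example; the key, signature and claims below are constructed."""
import base64
import hashlib
import hmac
import struct

PROVIDED_TOKEN_BINDING = 0   # TokenBindingType values (RFC 8471 s3)
REFERRED_TOKEN_BINDING = 1
ECDSAP256 = 2                # TokenBindingKeyParameters: ecdsap256


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _read_vector(buf: bytes, pos: int, length_bytes: int):
    """Read a TLS-style <N..M> vector: big-endian length prefix, then body."""
    n = int.from_bytes(buf[pos:pos + length_bytes], "big")
    start, end = pos + length_bytes, pos + length_bytes + n
    if end > len(buf):
        raise ValueError("truncated TokenBindingMessage")
    return buf[start:end], end


def parse_token_binding_message(header_value: str) -> list:
    """Parse the base64url TokenBindingMessage carried in Sec-Token-Binding."""
    msg = b64url_decode(header_value)
    body, end = _read_vector(msg, 0, 2)           # tokenbindings<132..2^16-1>
    if end != len(msg):
        raise ValueError("trailing bytes after TokenBindingMessage")
    bindings, pos = [], 0
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated TokenBinding")
        tb_type, key_params = body[pos], body[pos + 1]
        key, after_key = _read_vector(body, pos + 2, 2)   # key_length + key
        tbid = body[pos + 1:after_key]   # TokenBindingID = key_parameters || key_length || key
        sig, after_sig = _read_vector(body, after_key, 2)
        if key_params == ECDSAP256 and len(sig) != 64:
            raise ValueError("ecdsap256 signature must be r||s, 64 bytes")
        exts, pos = _read_vector(body, after_sig, 2)
        bindings.append({"type": tb_type, "key_parameters": key_params,
                         "id": tbid, "signature": sig, "extensions": exts})
    return bindings


def token_binding_hash(tbid: bytes) -> str:
    """tbh = base64url(SHA-256(TokenBindingID)), as used in the cnf claim."""
    return b64url_encode(hashlib.sha256(tbid).digest())


def signed_data(binding: dict, ekm: bytes) -> bytes:
    """The bytes the Token Binding private key signs (RFC 8471 s3.3):
    tokenbinding_type || key_parameters || 32-byte TLS EKM. Checking the
    ECDSA signature needs the EKM from the TLS stack and is assumed elsewhere."""
    if len(ekm) != 32:
        raise ValueError("EKM must be 32 bytes")
    return bytes([binding["type"], binding["key_parameters"]]) + ekm


def check_cnf_tbh(header_value, claims: dict) -> bool:
    """True if the token may be used on this request: an unbound token (no tbh)
    passes; a bound token must arrive with a header whose single Provided
    Token Binding ID hashes to cnf.tbh."""
    tbh = claims.get("cnf", {}).get("tbh")
    if tbh is None:
        return True                                # not token bound: nothing to confirm
    if header_value is None or not isinstance(tbh, str):
        return False                               # bound token without a binding: reject
    provided = [b for b in parse_token_binding_message(header_value)
                if b["type"] == PROVIDED_TOKEN_BINDING]
    if len(provided) != 1:
        return False
    expected = token_binding_hash(provided[0]["id"])
    return hmac.compare_digest(expected.encode(), tbh.encode())


# Constructed sample: the P-256 base point stands in for a browser's Token
# Binding public key; the all-zero signature is a placeholder, not verifiable.
P256_POINT = bytes.fromhex(
    "04"
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
PLACEHOLDER_SIGNATURE = bytes(64)


def token_binding_id(point: bytes) -> bytes:
    """TokenBindingID for ecdsap256: key_parameters, key_length, TB_ECPoint."""
    ec_point = bytes([len(point)]) + point          # opaque point<1..2^8-1>
    return bytes([ECDSAP256]) + struct.pack(">H", len(ec_point)) + ec_point


def build_sec_token_binding(tb_type: int, point: bytes, signature: bytes) -> str:
    """Build a one-entry TokenBindingMessage the way a browser would encode it."""
    tb = (bytes([tb_type]) + token_binding_id(point)
          + struct.pack(">H", len(signature)) + signature
          + struct.pack(">H", 0))                   # no extensions
    return b64url_encode(struct.pack(">H", len(tb)) + tb)


SAMPLE_HEADER = build_sec_token_binding(PROVIDED_TOKEN_BINDING, P256_POINT, PLACEHOLDER_SIGNATURE)
SAMPLE_CLAIMS = {"sub": "brian", "cnf": {"tbh": token_binding_hash(token_binding_id(P256_POINT))}}

if __name__ == "__main__":
    print("Sec-Token-Binding:", SAMPLE_HEADER)
    print("cnf.tbh matches:", check_cnf_tbh(SAMPLE_HEADER, SAMPLE_CLAIMS))
```

The check deliberately accepts a token with no cnf.tbh, which is the unbound case the message describes for browsers without Token Binding; a relying party that wants to require binding would instead reject such tokens. The hash is taken over the whole TokenBindingID structure (key parameters, length and point), not over the raw public key, and the comparison uses a constant-time compare since tbh is an attacker-influenced string.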