[OAUTH-WG] MTLS and in-browser clients using the token endpoint

Brian Campbell <bcampbell@pingidentity.com> Mon, 17 December 2018 20:27 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 11AD8126F72 for <oauth@ietfa.amsl.com>; Mon, 17 Dec 2018 12:27:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id r5DoFHtPcMP3 for <oauth@ietfa.amsl.com>; Mon, 17 Dec 2018 12:27:25 -0800 (PST)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51AE4129BBF for <oauth@ietf.org>; Mon, 17 Dec 2018 12:27:25 -0800 (PST)
Received: by mail-io1-xd2b.google.com with SMTP id t24so11050421ioi.0 for <oauth@ietf.org>; Mon, 17 Dec 2018 12:27:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:from:date:message-id:subject:to; bh=CTqOvl97ovhWdE/IU3fC5NIvhNnIukHStLbrz1Bc+Mk=; b=TN1mWSTwTFdsHmpuOJQ2AfsZ7AhJCEuIkJEx26ujGUKwzc6ggT6I/o6/ixuRvtaCra UxOb2QRdXdWAlANvG5TDQighWsabm9RBGKe3vsvIN3WLtzp309M3hWJjNzatZZ37XHyp 17O9L1z2AZzj7VOGv6bK9CinJ0+Y93RKrpndw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=CTqOvl97ovhWdE/IU3fC5NIvhNnIukHStLbrz1Bc+Mk=; b=QbAjRy1HShz3/8aE5l/KYrh54+369rHz5a+rFD6VdOD24MBqSndMqEkHFRaa4LSH9x PRQPnCVVS+ZYNa3cLqSPd+b/Bxei8Yo2xmlqdpamv68tI+V8YSlIg3uidTY+gqIsdAKf aJw2C+K8yqb9iAMYjwrYu7Nx2nBTyf0QktzdCdYnkkQgcwOdOz5zcBZhY7wPI8AsRRxK pWwZZ42X1sXN0kvd+xmmDv8g79RswZybnAlqWIjcxJSZvVf0UafqNJBr9j0XLlz1s7vk M82pupWsn/8UHyl0oLWUVGYpBLXVKAMTKjilZPK0mhaMbkij+iDGCjDJEau/K8CuYxqQ LIDg==
X-Gm-Message-State: AA+aEWZDuKdqVUWEUMXnKT9XxzVhRbQ/S3lKOCSH5MjAB/cI6XT6BPWZ SLpU2p9EysVkKyA+DsRk8Tv8G4iv1hraP91vMrkJx84uGRGQal7+SZBBbWZjpgcoyfln/zJvBml /PKtb6lLwocVboweUj4Y=
X-Google-Smtp-Source: AFSGD/XEjNPP9ks46yjbSpr7q97DmEx7TbPeVjsiAcaEaMQiiVFXqP7kMMFDIKGyHz2z30SFa+gaDtF4wAoZVHwullw=
X-Received: by 2002:a6b:6e09:: with SMTP id d9mr10743388ioh.138.1545078444191; Mon, 17 Dec 2018 12:27:24 -0800 (PST)
MIME-Version: 1.0
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 17 Dec 2018 13:26:58 -0700
Message-ID: <CA+k3eCTKSFiiTw8--qBS0R2YVQ0MY0eKrMBvBNE4pauSr1rHcA@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d11740057d3d9b5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oFxf7DIiHA58-A71Jm-Bdzm4eCk>
Subject: [OAUTH-WG] MTLS and in-browser clients using the token endpoint
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2018 20:27:28 -0000

While there's been some disagreement about the specific wording etc., there
does seem to be general consensus coming out of this WG to, in one form or
another, recommend against the use of the implicit grant in favor of
authorization code. In order to follow that recommendation, in-browser
JavaScript clients will need to use XHR/fetch (and likely CORS) to make
requests directly to the token endpoint.

Meanwhile there is the MTLS document
<https://tools.ietf.org/html/draft-ietf-oauth-mtls-12> utilizes TLS client
certificates at the token endpoint for client authentication and/or
certificate bound access tokens. The security BCP draft even recommends
sender/key constrained access tokens and MTLS is close to the only viable
way to do that at this time.

Unfortunately, however, these two things don't play very nice together.
When a browser makes a TLS connection where a client cert is requested by
the server in the handshake, even when client certificates are optional and
even when it's fetch/XHR, most/many/all browsers will throw up some kind of
certificate selection interface to the user.  Which is typically a very
very bad user experience. From a practical standpoint, this means that a
single deployment cannot really support the MTLS draft and have in-browser
JavaScript clients using authorization code at the same time.

In order to address the conflict here, I'd propose that the MTLS draft
introduce a new optional AS metadata parameter that is an MTLS enabled
token endpoint alias. Clients that are doing MTLS client authentication
and/or certificate bound access tokens would/should/must use the
alternative token endpoint when present in the AS's metadata. While all
other clients continue to use the standard token endpoint as they always
have. This would allow for an AS to deploy an alternative token endpoint
alias on a distinct host or port where it will request client certs in the
TLS handshake for OAuth clients that use it while keeping the regular token
endpoint as it normally is for other clients, especially in-browser
JavaScript clients.

Thoughts, objections, agreements, etc., on this proposal?

PS Bikeshedding on a name for the metadata parameter is also welcome. Some
ideas to start:

_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._