IETF Logo Mail Archive

Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7823)

Aaron Parecki <aaron@parecki.com> Mon, 26 February 2024 23:48 UTC

Return-Path: <aaron@parecki.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D65FC1654F3 for <oauth@ietfa.amsl.com>; Mon, 26 Feb 2024 15:48:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=parecki.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jv9cPd1l7WYB for <oauth@ietfa.amsl.com>; Mon, 26 Feb 2024 15:48:30 -0800 (PST)
Received: from mail-vk1-xa31.google.com (mail-vk1-xa31.google.com [IPv6:2607:f8b0:4864:20::a31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE9E5C1654EC for <oauth@ietf.org>; Mon, 26 Feb 2024 15:48:25 -0800 (PST)
Received: by mail-vk1-xa31.google.com with SMTP id 71dfb90a1353d-4d13e46ac0dso331047e0c.3 for <oauth@ietf.org>; Mon, 26 Feb 2024 15:48:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=parecki.com; s=google; t=1708991304; x=1709596104; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=gTgUSmfITpNuhZy0TDeCoIeGSiKvY2XD/+ASsprOMw0=; b=ebadIfdvdQvfU1XXVuD1lcUU+De94rmayZvqPke4pc0sV0lW6snuBGu2C9DiLw5fBv fT9rlIgjcumaNN9+dRm7izXYisMV4R/yCu+ElWoVVF/uMmdR0RBG7P1MTODRdAxiA3L5 tP1U2VC9Cx3f9Sd/344VSzPKyLNIbcMt4A2Ov3CAJD9LFbB/Ip0T4VNBlPTHltSE26Sj O5aara97TCpbv2lb4kF31qCUBbS0wev03gb/5IPiwD/G5cjA2o5/xGiBrNa3dvc4I2N8 +VdIWVDpftogtGGDO6xxVTqZSxeTMC1ityashpBNZDC1UOTtx/DR3VY78Twp75wSzCEU IR0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1708991304; x=1709596104; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=gTgUSmfITpNuhZy0TDeCoIeGSiKvY2XD/+ASsprOMw0=; b=GMcxNjT1Uab3Tnu6gLIF80aoSsPjV+G4pSCnNYkbxO4rDkvw4Su+a16MQUKC44ExFE ahzLqjJevuB87FqNVR0g+lDp2a64Dsh1F814hE60wEhiQEdPJJAOGl/b5JyObyvt541V n7KSLM8rliqdxTS8bXm+m5AhYZjgBgnCz3Wec4g2JBr0gH4sx09Ztt///8QZZSBj9ZWP 6vpxkLND0Nzi6aEvT+vFw8ACvLc6qMx06tHX9LTBVwtgLlgXdEsiIozFEU3jUdYBF7Oh uNR0+DC2xFkoG3elS/PHpqZp+uQiUsON4b7JlCAUqLig73JfQtvSeKvdxemQjdC7K4ay 3PuA==
X-Forwarded-Encrypted: i=1; AJvYcCWbyHDYagQPNpHCtSKVLKR51Lpj/qkjQhhbcA33DfA/gYWs4QtE8Z6y4zB+vBcb2dyh3hqh+QAaJOVee6XlcQ==
X-Gm-Message-State: AOJu0Yz61R9pKRJEqPIZ9GwjBXzFs0LGvJu5fTwi9QEZUYQi8ewlnFYl 8Kn6s4qaeQd8XykFrg9pmyHboSOPu2IJxUN9ryfdcXsJhluoweUsrEfUN3Gbu9SK5R5yd74mSg0 =
X-Google-Smtp-Source: AGHT+IFy5mlvtQ8tphO2kmYTO9EYWl8Pq4Iw6n8MkcCd9+cASCNe6Of1t3SMK/U95z+aIOTnaBWEfg==
X-Received: by 2002:a1f:c607:0:b0:4c8:979d:8137 with SMTP id w7-20020a1fc607000000b004c8979d8137mr4627580vkf.3.1708991304108; Mon, 26 Feb 2024 15:48:24 -0800 (PST)
Received: from mail-ua1-f43.google.com (mail-ua1-f43.google.com. [209.85.222.43]) by smtp.gmail.com with ESMTPSA id ep9-20020a056122390900b004c003cf5e14sm762132vkb.28.2024.02.26.15.48.23 for <oauth@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 26 Feb 2024 15:48:23 -0800 (PST)
Received: by mail-ua1-f43.google.com with SMTP id a1e0cc1a2514c-7d6a772e08dso1078676241.2 for <oauth@ietf.org>; Mon, 26 Feb 2024 15:48:23 -0800 (PST)
X-Forwarded-Encrypted: i=1; AJvYcCWJ4p2EIB4zDNwzfE6uewHH8zAR815e3LzZkFTCCj2o47YBUZp54kWkWuv7ZxSdj4AAeWCosKgwkWOnk2Xh9g==
X-Received: by 2002:a05:6102:4a2:b0:470:3dc9:44cd with SMTP id r2-20020a05610204a200b004703dc944cdmr5300252vsa.25.1708991303089; Mon, 26 Feb 2024 15:48:23 -0800 (PST)
MIME-Version: 1.0
References: <20240226231354.820FAEF28C@rfcpa.amsl.com> <CAGBSGjqJuho5oD3-TDk2tFyGdJ-rzn6V8XxSn+XxakS=PgUocw@mail.gmail.com> <d85794d5d87d614683eabdcd7c337828@AlexStumpf.de>
In-Reply-To: <d85794d5d87d614683eabdcd7c337828@AlexStumpf.de>
From: Aaron Parecki <aaron@parecki.com>
Date: Mon, 26 Feb 2024 15:48:12 -0800
X-Gmail-Original-Message-ID: <CAGBSGjouoSoF+v8kN_Qvp2o8DUt_mM7EEs--3ebY_xMUQ35GLg@mail.gmail.com>
Message-ID: <CAGBSGjouoSoF+v8kN_Qvp2o8DUt_mM7EEs--3ebY_xMUQ35GLg@mail.gmail.com>
To: Alexander Stumpf <rfc@alexstumpf.de>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="0000000000008b91d40612518b33"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ozIyBWQNUlfNY_xETzapP4rJV2s>
Subject: Re: [OAUTH-WG] [Editorial Errata Reported] RFC6749 (7823)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Feb 2024 23:48:35 -0000

I'm not sure where the mismatch is happening then, because there is no
requirement that scopes are limited to certain clients at least from the
perspective of the specification. If the authorization server has a policy
that only "Client A" can request "scope_a", and then it allows "Client B"
to request that scope, that sounds like a problem with that authorization
server implementation. However this would be allowed according to RFC6749.

I did find this text you might be able to point to that makes this clearer:

https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.1

> Since the client authentication is used as the authorization grant,
> no additional authorization request is needed.

The key being that the client authentication (mTLS in your example) IS the
authorization grant, so should be used to make authorization decisions.

Aaron


On Mon, Feb 26, 2024 at 3:37 PM Alexander Stumpf <rfc@alexstumpf.de> wrote:

> Thanks for the quick reply and I understand your rationale.
>
> Maybe I rephrase the issue we are having right now:
>
> The authorization server should use the identity of the client (proven by
> authentication) to come to a conclusion whether or not the client is
> authorized to receive the access token. While this sounds trivial and
> obvious, it is not explicitely stated in the RFC (please correct me if I am
> wrong), and therefore $VENDOR exist that claims that they are in accordance
> with the RFC when they
>
> 1) receive the identity of the client through a valid and trusted client
> certificate ("authentication" via mTLS)
>
> 2) issue the access token to the client according to the demanded scope,
> ignoring the identity from 1)
>
> I thought proving them wrong by finding the respective section in the RFC
> would be easy, but I did not find any statement to support my view.
>
>
>
> Am 2024-02-27 00:19, schrieb Aaron Parecki:
>
> This errata should be rejected.
>
> The client credentials grant results in an access token issued to
> the client that presented credentials. There is no mechanism for "Client A"
> to request a token for "Client B" using the client credentials grant, since
> the credentials themselves are what determines which client the token is
> issued to. However, this access token is not "bound" to the client, since
> it is still a bearer token. (Other extensions like DPoP can add a binding
> of the access token to the client.)
>
> Aaron
>
>
> On Mon, Feb 26, 2024 at 3:14 PM RFC Errata System <
> rfc-editor@rfc-editor.org> wrote:
>
> The following errata report has been submitted for RFC6749,
> "The OAuth 2.0 Authorization Framework".
>
> --------------------------------------
> You may review the report below and at:
> https://www.rfc-editor.org/errata/eid7823
>
> --------------------------------------
> Type: Editorial
> Reported by: Alexander Stumpf <rfc@AlexStumpf.de>
>
> Section: 3.2.1
>
> Original Text
> -------------
>    Confidential clients or other clients issued client credentials MUST
>    authenticate with the authorization server as described in
>    Section 2.3 when making requests to the token endpoint.  Client
>    authentication is used for:
>
>    o  Enforcing the binding of refresh tokens and authorization codes to
>       the client they were issued to.  Client authentication is critical
>       when an authorization code is transmitted to the redirection
>       endpoint over an insecure channel or when the redirection URI has
>       not been registered in full.
>
> Corrected Text
> --------------
>    Confidential clients or other clients issued client credentials MUST
>    authenticate with the authorization server as described in
>    Section 2.3 when making requests to the token endpoint.  Client
>    authentication is used for:
>
>    o  Enforcing the binding of refresh tokens, authorization codes, and
>       (in the case of the Client Credentials Grant as described in
>       Section 4.4) the access token to the client they were issued to.
>       Client authentication is critical when an authorization code is
>       transmitted to the redirection endpoint over an insecure channel
>       or when the redirection URI has not been registered in full.
>
> Notes
> -----
> Section 4.4.2 requires for the "client_credentials" grant type that the
> client is authenticated to the authorization server according to section
> 3.2.1. The reason for this authentication is (or so I assume) that the
> to-be-issued access token shall be bound to the correct (authenticated)
> client. Otherwise, the client could authenticate with valid credentials as
> "client A" and request a token for "client B", and would still be in
> accordance with the RFC, which is probably not intended.
>
> Instructions:
> -------------
> This erratum is currently posted as "Reported". (If it is spam, it
> will be removed shortly by the RFC Production Center.) Please
> use "Reply All" to discuss whether it should be verified or
> rejected. When a decision is reached, the verifying party
> will log in to change the status and edit the report, if necessary.
>
> --------------------------------------
> RFC6749 (draft-ietf-oauth-v2-31)
> --------------------------------------
> Title               : The OAuth 2.0 Authorization Framework
> Publication Date    : October 2012
> Author(s)           : D. Hardt, Ed.
> Category            : PROPOSED STANDARD
> Source              : Web Authorization Protocol
> Area                : Security
> Stream              : IETF
> Verifying Party     : IESG
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email