IETF Logo Mail Archive

Re: [OAUTH-WG] DPoP with token exchange where the subject_token and / or actor_token is also DPoP bound

Vladimir Dzhuvinov <vladimir@connect2id.com> Tue, 19 July 2022 04:36 UTC

Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DD51C14CF0E for <oauth@ietfa.amsl.com>; Mon, 18 Jul 2022 21:36:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=connect2id.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GXjsM4Wmud8 for <oauth@ietfa.amsl.com>; Mon, 18 Jul 2022 21:36:03 -0700 (PDT)
Received: from mout-b-203.mailbox.org (mout-b-203.mailbox.org [195.10.208.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9423AC14F733 for <oauth@ietf.org>; Mon, 18 Jul 2022 21:36:00 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-203.mailbox.org (Postfix) with ESMTPS id 4Ln5cS0jVxz9sl1; Tue, 19 Jul 2022 06:35:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=connect2id.com; s=MBO0001; t=1658205352; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ViXEV1scy90anaQD7i7NrEwF7WAkUcb6w7Egh1zOl1o=; b=uEahwva9EtBqkTAEWCptrdWK0L2Z9GulLdT+KawDKd9gTQQmjx3QJJQwPF/74sGOIYunlA GD0Z23PwE3W87YqHNxUHw5k5R8NBf8Dr1kNCvhDJ54j86HcwIiItsMWtO9BE1czZWD35/V dyCKr/vEEFfI8Quh319NtGGV9NG+DJmgUnhU77Qef74foPcPCNWC4/VaZbXv3Tvkeg1Lii MLiYd+WE0yxk5666aX4MS4QG7Ie/bSNDp9uN3YYRSb60pjrycp5yjxNkIvoO3BqXlgECsq PfDAoM5OEOv4j6Qrs3sf4XnF9p+mwWksmEOxk4cLMw5H1QcaCnBbcK6T5Oek5Q==
Message-ID: <f0909067-dcd1-899d-380e-1a8bc916f45d@connect2id.com>
Date: Tue, 19 Jul 2022 07:35:33 +0300
MIME-Version: 1.0
Content-Language: en-US
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
References: <14aa5cd3-ac9a-3189-1077-1e198bee3c5b@connect2id.com> <CAJot-L2L4=OiaRJhZ+9u1HmGRQGruWSdQRyhJQ1USvQwjmQ6Ng@mail.gmail.com> <193be267-467c-10a6-caa3-6dc87ad57ae9@connect2id.com> <c72189c5-fc93-497c-d05e-18279589c998@connect2id.com> <CAJot-L0zHUGQ8yhikm6CRt+U1X==4hxhCS9FUQ-+u+2KhXYD1g@mail.gmail.com> <21e37d7a-7fda-66b6-96ff-f463decc9681@connect2id.com> <CA+k3eCSJKJ8YaoNEKYW2RhUvupnn35tOtN2-7am_zpNtkFWrew@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
In-Reply-To: <CA+k3eCSJKJ8YaoNEKYW2RhUvupnn35tOtN2-7am_zpNtkFWrew@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070505090008030103050305"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pbFbUoHEDU-i8cWjR7OEM8TBlF0>
Subject: Re: [OAUTH-WG] DPoP with token exchange where the subject_token and / or actor_token is also DPoP bound
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 04:36:09 -0000

Thanks Brian for your response.

Do you think DPoP should have an own token type URI registered?

https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#uri

I did not think about the possibility of having the DPoP proof and the 
token value put together in the subject/actor_token parameter. It makes 
good sense because the proof and the token can be considered 
inseparable, i.e. the "complete token".

The DPoP JWT has a well defined syntax, so I am now thinking of 
appending the token to the DPoP JWT with a dot (.) delimiter. This is 
sufficient to make the new string parseable and thus solve the case. 
Having a std DPoP token type URI would be nice for clients to hint to 
the AS that the subject/actor_token is a combination of DPoP proof and 
access token.

Vladimir

Vladimir Dzhuvinov

On 18/07/2022 21:46, Brian Campbell wrote:
> While there are potentially more tokens involved in a RFC 8693 token 
> exchange, it's still a single client and it's not evident (to me 
> anyway at this point) that there's sufficient need to give it distinct 
> DPoP treatment beyond other token endpoint interaction 
> <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request>s. 
> Should the need arise more, I'd suggest maybe considering having the 
> new token type define how the token and associated proof be conveyed 
> together as the value of the subject/actor_token parameter rather than 
> introducing new parameters.
>
> On Mon, Jul 18, 2022 at 9:34 AM Vladimir Dzhuvinov 
> <vladimir@connect2id.com> wrote:
>
>     I find the token exchange RFC to be quite flexible, it allows the
>     subject_token, actor_token and the output token to be of any type,
>     and there is a mechanism to define (register) new
>     urn:ietf:params:oauth:token-type values. The only concrete need is
>     to define a way to pass the accompanying DPoP proof. I don't think
>     that could have been anticipated at the time when the exchange
>     spec was devised. And the token exchange spec is not explicit in
>     prohibiting extensions.
>
>     Vladimir
>
>     Vladimir Dzhuvinov
>
>     On 18/07/2022 17:03, Warren Parad wrote:
>>     I agree this is a problem, but as I see it as a problem for Token
>>     Exchange, and the lack of flexibility in that standard, it does
>>     not make sense to add to the DPoP spec.
>>
>>     On Mon, Jul 18, 2022 at 3:33 PM Vladimir Dzhuvinov
>>     <vladimir@connect2id.com> wrote:
>>
>>         I would like to resurrect this thread and propose a new
>>         section to the current DPoP draft which changes nothing in
>>         regard to DPoP itself, only adds new parameters to enable
>>         DPoP with OAuth 2.0 token exchange (RFC 8693):
>>
>>         https://datatracker.ietf.org/doc/html/rfc8693
>>
>>         Why?
>>
>>         Token exchange lets a client submit a subject_token (and
>>         potentially actor_token) to obtain a new token from the AS.
>>
>>         If the submitted token(s) and the minted token are DPoP bound
>>         there is a need to submit a DPoP proof for each one:
>>
>>           * A DPoP proof for the subject_token
>>           * Potentially a DPoP proof for the actor_token (if there is
>>             one)
>>           * A DPoP proof for the token that is going to be minted by
>>             the AS
>>
>>         At present the DPoP spec defines the DPoP header in such a
>>         way that only one DPoP proof may be submitted.
>>
>>
>>         The proposal:
>>
>>         A new section "DPoP with Token Exchange":
>>
>>         Specifies the following new optional form request parameters
>>         for use in the token exchange grant, so that any DPoP proofs
>>         can be submitted together with the subject_token /
>>         actor_token as form parameters:
>>
>>         subject_token_dpop - To pass the DPoP proof for a
>>         subject_token that is DPoP bound
>>
>>         actor_token_dpop - To pass the DPoP proof for an actor_token
>>         that is DPoP bound
>>
>>
>>         (the existing std token exchange params can be seen here
>>         https://datatracker.ietf.org/doc/html/rfc8693#section-2.1 )
>>
>>
>>         Registration of a new token type identifier to indicate the
>>         token is a DPoP access token:
>>
>>         https://datatracker.ietf.org/doc/html/rfc8693#section-3
>>
>>             urn:ietf:params:oauth:token-type:dpop_access_token
>>                Indicates that the token is an OAuth 2.0 DPoP bound access token issued by the given authorization server.
>>
>>
>>         I hope it's not too late to include this addition to the DPoP
>>         spec. The token exchange grant is standard and is seeing use.
>>         With the introduction of DPoP it is likely such tokens will
>>         become involved in token exchanges. We tried a work around
>>         where the client uses a single DPoP proof for the submitted
>>         tokens and the one to be minted, but this has issues,
>>         including potential security issues. So I've come to the
>>         conclusion that a spec change of some sort is the proper way
>>         to solve this. The proposed solution has no effect on DPoP
>>         core and it preserves the existing token exchange semantics.
>>
>>
>>         Vladimir
>>
>>         Vladimir Dzhuvinov
>>
>>         On 25/06/2022 15:23, Vladimir Dzhuvinov wrote:
>>>
>>>         Hi Warren,
>>>
>>>         The case looks like this:
>>>
>>>           * An OAuth client registered with AS1 for code flow, with
>>>             AS2 for token exchange
>>>           * API1 secured by AS1, API2 secured by AS2
>>>           * For API1 the client obtains DPoP tokens from AS1
>>>           * For API2 the client presents DPoP token from AS1 as
>>>             grant at AS2 to obtain its own DPoP token (AS2 trusts
>>>             selected AS1 token scopes for this)
>>>
>>>         So we have a case where the token endpoint at AS2 needs once
>>>         a DPoP proof for the submitted access token (in the
>>>         subject_token form parameter), and a second time to bind the
>>>         token that is going to be issued. I.e. a situation where the
>>>         token endpoint is also "addressed" as a DPoP aware protected
>>>         resource.
>>>
>>>         If only one DPoP HTTP header is permitted one work around I
>>>         see is to insist on a single DPoP proof for both jobs, by
>>>         including the "ath" claim in the proof to the AS2 token
>>>         endpoint and requiring the client to use the same JWK with
>>>         both ASes. Another possibility is to include the DPoP proof
>>>         in the form parameters alongside the subject_token, but this
>>>         will require a spec change.
>>>
>>>         Vladimir Dzhuvinov
>>>         On 25/06/2022 13:33, Warren Parad wrote:
>>>>         What's the flow here? Assuming we are talking about RFC
>>>>         8693, what's the situation where you would need to do a
>>>>         token exchange, and you actually have access to the
>>>>         subject's DPoP key? If you have access to the subject's
>>>>         key, then you are the subject and can request a new token.
>>>>         Or am I missing something fundamental here?
>>>>
>>>>         Also, according to the RFC, the request must be made with
>>>>         client authentication, you don't need DPoP, because if the
>>>>         client's credentials are compromised, you have a different
>>>>         problem. Unless the goal is to DPoP instead of client
>>>>         credentials, in which case, I think I'm back to the
>>>>         previous question.
>>>>
>>>>         On Sat, Jun 25, 2022 at 12:19 PM Vladimir Dzhuvinov
>>>>         <vladimir@connect2id.com> wrote:
>>>>
>>>>             I have a question to the DPoP spec authors - do you
>>>>             have a suggestion how to approach a token exchange case
>>>>             where the client requests a DPoP token and the
>>>>             submitted subject(actor)_token is / are also DPoP bound?
>>>>
>>>>             My first thought was to simply let the client send two
>>>>             DPoP JWTs, one for the submitted token and another for
>>>>             the requested token, and then find a way in the AS to
>>>>             figure out which is which, but then I found this in
>>>>             section 4.3.1:
>>>>
>>>>>             To validate a DPoP proof, the receiving server MUST
>>>>>             ensure that that there is not more than one |DPoP|
>>>>>             HTTP request header field,
>>>>
>>>>             Thanks,
>>>>
>>>>             Vladimir
>>>>
>>>>             -- 
>>>>             Vladimir Dzhuvinov
>>>>
>>>>             _______________________________________________
>>>>             OAuth mailing list
>>>>             OAuth@ietf.org
>>>>             https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>>         _______________________________________________
>>>         OAuth mailing list
>>>         OAuth@ietf.org
>>>         https://www.ietf.org/mailman/listinfo/oauth
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org
>>         https://www.ietf.org/mailman/listinfo/oauth
>>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and 
> privileged material for the sole use of the intended recipient(s). Any 
> review, use, distribution or disclosure by others is strictly 
> prohibited.  If you have received this communication in error, please 
> notify the sender immediately by e-mail and delete the message and any 
> file attachments from your computer. Thank you./

v2.23.0 | Report a Bug | By Email