Re: [OAUTH-WG] DPoP with token exchange where the subject_token and / or actor_token is also DPoP bound
Vladimir Dzhuvinov <vladimir@connect2id.com> Tue, 19 July 2022 04:36 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DD51C14CF0E for <oauth@ietfa.amsl.com>; Mon, 18 Jul 2022 21:36:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=connect2id.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0GXjsM4Wmud8 for <oauth@ietfa.amsl.com>; Mon, 18 Jul 2022 21:36:03 -0700 (PDT)
Received: from mout-b-203.mailbox.org (mout-b-203.mailbox.org [195.10.208.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9423AC14F733 for <oauth@ietf.org>; Mon, 18 Jul 2022 21:36:00 -0700 (PDT)
Received: from smtp1.mailbox.org (smtp1.mailbox.org [10.196.197.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-b-203.mailbox.org (Postfix) with ESMTPS id 4Ln5cS0jVxz9sl1; Tue, 19 Jul 2022 06:35:52 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=connect2id.com; s=MBO0001; t=1658205352; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=ViXEV1scy90anaQD7i7NrEwF7WAkUcb6w7Egh1zOl1o=; b=uEahwva9EtBqkTAEWCptrdWK0L2Z9GulLdT+KawDKd9gTQQmjx3QJJQwPF/74sGOIYunlA GD0Z23PwE3W87YqHNxUHw5k5R8NBf8Dr1kNCvhDJ54j86HcwIiItsMWtO9BE1czZWD35/V dyCKr/vEEFfI8Quh319NtGGV9NG+DJmgUnhU77Qef74foPcPCNWC4/VaZbXv3Tvkeg1Lii MLiYd+WE0yxk5666aX4MS4QG7Ie/bSNDp9uN3YYRSb60pjrycp5yjxNkIvoO3BqXlgECsq PfDAoM5OEOv4j6Qrs3sf4XnF9p+mwWksmEOxk4cLMw5H1QcaCnBbcK6T5Oek5Q==
Message-ID: <f0909067-dcd1-899d-380e-1a8bc916f45d@connect2id.com>
Date: Tue, 19 Jul 2022 07:35:33 +0300
MIME-Version: 1.0
Content-Language: en-US
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Warren Parad <wparad@rhosys.ch>, oauth <oauth@ietf.org>
References: <14aa5cd3-ac9a-3189-1077-1e198bee3c5b@connect2id.com> <CAJot-L2L4=OiaRJhZ+9u1HmGRQGruWSdQRyhJQ1USvQwjmQ6Ng@mail.gmail.com> <193be267-467c-10a6-caa3-6dc87ad57ae9@connect2id.com> <c72189c5-fc93-497c-d05e-18279589c998@connect2id.com> <CAJot-L0zHUGQ8yhikm6CRt+U1X==4hxhCS9FUQ-+u+2KhXYD1g@mail.gmail.com> <21e37d7a-7fda-66b6-96ff-f463decc9681@connect2id.com> <CA+k3eCSJKJ8YaoNEKYW2RhUvupnn35tOtN2-7am_zpNtkFWrew@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
In-Reply-To: <CA+k3eCSJKJ8YaoNEKYW2RhUvupnn35tOtN2-7am_zpNtkFWrew@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms070505090008030103050305"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pbFbUoHEDU-i8cWjR7OEM8TBlF0>
Subject: Re: [OAUTH-WG] DPoP with token exchange where the subject_token and / or actor_token is also DPoP bound
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2022 04:36:09 -0000
Thanks Brian for your response. Do you think DPoP should have an own token type URI registered? https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#uri I did not think about the possibility of having the DPoP proof and the token value put together in the subject/actor_token parameter. It makes good sense because the proof and the token can be considered inseparable, i.e. the "complete token". The DPoP JWT has a well defined syntax, so I am now thinking of appending the token to the DPoP JWT with a dot (.) delimiter. This is sufficient to make the new string parseable and thus solve the case. Having a std DPoP token type URI would be nice for clients to hint to the AS that the subject/actor_token is a combination of DPoP proof and access token. Vladimir Vladimir Dzhuvinov On 18/07/2022 21:46, Brian Campbell wrote: > While there are potentially more tokens involved in a RFC 8693 token > exchange, it's still a single client and it's not evident (to me > anyway at this point) that there's sufficient need to give it distinct > DPoP treatment beyond other token endpoint interaction > <https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-10.html#name-dpop-access-token-request>s. > Should the need arise more, I'd suggest maybe considering having the > new token type define how the token and associated proof be conveyed > together as the value of the subject/actor_token parameter rather than > introducing new parameters. > > On Mon, Jul 18, 2022 at 9:34 AM Vladimir Dzhuvinov > <vladimir@connect2id.com> wrote: > > I find the token exchange RFC to be quite flexible, it allows the > subject_token, actor_token and the output token to be of any type, > and there is a mechanism to define (register) new > urn:ietf:params:oauth:token-type values. The only concrete need is > to define a way to pass the accompanying DPoP proof. I don't think > that could have been anticipated at the time when the exchange > spec was devised. And the token exchange spec is not explicit in > prohibiting extensions. > > Vladimir > > Vladimir Dzhuvinov > > On 18/07/2022 17:03, Warren Parad wrote: >> I agree this is a problem, but as I see it as a problem for Token >> Exchange, and the lack of flexibility in that standard, it does >> not make sense to add to the DPoP spec. >> >> On Mon, Jul 18, 2022 at 3:33 PM Vladimir Dzhuvinov >> <vladimir@connect2id.com> wrote: >> >> I would like to resurrect this thread and propose a new >> section to the current DPoP draft which changes nothing in >> regard to DPoP itself, only adds new parameters to enable >> DPoP with OAuth 2.0 token exchange (RFC 8693): >> >> https://datatracker.ietf.org/doc/html/rfc8693 >> >> Why? >> >> Token exchange lets a client submit a subject_token (and >> potentially actor_token) to obtain a new token from the AS. >> >> If the submitted token(s) and the minted token are DPoP bound >> there is a need to submit a DPoP proof for each one: >> >> * A DPoP proof for the subject_token >> * Potentially a DPoP proof for the actor_token (if there is >> one) >> * A DPoP proof for the token that is going to be minted by >> the AS >> >> At present the DPoP spec defines the DPoP header in such a >> way that only one DPoP proof may be submitted. >> >> >> The proposal: >> >> A new section "DPoP with Token Exchange": >> >> Specifies the following new optional form request parameters >> for use in the token exchange grant, so that any DPoP proofs >> can be submitted together with the subject_token / >> actor_token as form parameters: >> >> subject_token_dpop - To pass the DPoP proof for a >> subject_token that is DPoP bound >> >> actor_token_dpop - To pass the DPoP proof for an actor_token >> that is DPoP bound >> >> >> (the existing std token exchange params can be seen here >> https://datatracker.ietf.org/doc/html/rfc8693#section-2.1 ) >> >> >> Registration of a new token type identifier to indicate the >> token is a DPoP access token: >> >> https://datatracker.ietf.org/doc/html/rfc8693#section-3 >> >> urn:ietf:params:oauth:token-type:dpop_access_token >> Indicates that the token is an OAuth 2.0 DPoP bound access token issued by the given authorization server. >> >> >> I hope it's not too late to include this addition to the DPoP >> spec. The token exchange grant is standard and is seeing use. >> With the introduction of DPoP it is likely such tokens will >> become involved in token exchanges. We tried a work around >> where the client uses a single DPoP proof for the submitted >> tokens and the one to be minted, but this has issues, >> including potential security issues. So I've come to the >> conclusion that a spec change of some sort is the proper way >> to solve this. The proposed solution has no effect on DPoP >> core and it preserves the existing token exchange semantics. >> >> >> Vladimir >> >> Vladimir Dzhuvinov >> >> On 25/06/2022 15:23, Vladimir Dzhuvinov wrote: >>> >>> Hi Warren, >>> >>> The case looks like this: >>> >>> * An OAuth client registered with AS1 for code flow, with >>> AS2 for token exchange >>> * API1 secured by AS1, API2 secured by AS2 >>> * For API1 the client obtains DPoP tokens from AS1 >>> * For API2 the client presents DPoP token from AS1 as >>> grant at AS2 to obtain its own DPoP token (AS2 trusts >>> selected AS1 token scopes for this) >>> >>> So we have a case where the token endpoint at AS2 needs once >>> a DPoP proof for the submitted access token (in the >>> subject_token form parameter), and a second time to bind the >>> token that is going to be issued. I.e. a situation where the >>> token endpoint is also "addressed" as a DPoP aware protected >>> resource. >>> >>> If only one DPoP HTTP header is permitted one work around I >>> see is to insist on a single DPoP proof for both jobs, by >>> including the "ath" claim in the proof to the AS2 token >>> endpoint and requiring the client to use the same JWK with >>> both ASes. Another possibility is to include the DPoP proof >>> in the form parameters alongside the subject_token, but this >>> will require a spec change. >>> >>> Vladimir Dzhuvinov >>> On 25/06/2022 13:33, Warren Parad wrote: >>>> What's the flow here? Assuming we are talking about RFC >>>> 8693, what's the situation where you would need to do a >>>> token exchange, and you actually have access to the >>>> subject's DPoP key? If you have access to the subject's >>>> key, then you are the subject and can request a new token. >>>> Or am I missing something fundamental here? >>>> >>>> Also, according to the RFC, the request must be made with >>>> client authentication, you don't need DPoP, because if the >>>> client's credentials are compromised, you have a different >>>> problem. Unless the goal is to DPoP instead of client >>>> credentials, in which case, I think I'm back to the >>>> previous question. >>>> >>>> On Sat, Jun 25, 2022 at 12:19 PM Vladimir Dzhuvinov >>>> <vladimir@connect2id.com> wrote: >>>> >>>> I have a question to the DPoP spec authors - do you >>>> have a suggestion how to approach a token exchange case >>>> where the client requests a DPoP token and the >>>> submitted subject(actor)_token is / are also DPoP bound? >>>> >>>> My first thought was to simply let the client send two >>>> DPoP JWTs, one for the submitted token and another for >>>> the requested token, and then find a way in the AS to >>>> figure out which is which, but then I found this in >>>> section 4.3.1: >>>> >>>>> To validate a DPoP proof, the receiving server MUST >>>>> ensure that that there is not more than one |DPoP| >>>>> HTTP request header field, >>>> >>>> Thanks, >>>> >>>> Vladimir >>>> >>>> -- >>>> Vladimir Dzhuvinov >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > /CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly > prohibited. If you have received this communication in error, please > notify the sender immediately by e-mail and delete the message and any > file attachments from your computer. Thank you./
- [OAUTH-WG] DPoP with token exchange where the sub… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP with token exchange where the… Warren Parad
- Re: [OAUTH-WG] DPoP with token exchange where the… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP with token exchange where the… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP with token exchange where the… Warren Parad
- Re: [OAUTH-WG] DPoP with token exchange where the… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP with token exchange where the… Brian Campbell
- Re: [OAUTH-WG] DPoP with token exchange where the… Vladimir Dzhuvinov
- Re: [OAUTH-WG] DPoP with token exchange where the… Brian Campbell