IETF Logo Mail Archive

Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata

Neil Madden <neil.e.madden@gmail.com> Sun, 27 August 2023 19:14 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93426C151063 for <oauth@ietfa.amsl.com>; Sun, 27 Aug 2023 12:14:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.216
X-Spam-Level:
X-Spam-Status: No, score=-1.216 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XK0sEZQiHvEP for <oauth@ietfa.amsl.com>; Sun, 27 Aug 2023 12:14:11 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 668AFC14EB1E for <oauth@ietf.org>; Sun, 27 Aug 2023 12:14:11 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id ffacd0b85a97d-31dcb3928beso53466f8f.0 for <oauth@ietf.org>; Sun, 27 Aug 2023 12:14:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1693163650; x=1693768450; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=x8W12Bp0mkksITWfOWE7GLe3i/5RSWH1IngLM1CBr/c=; b=PjcANVmaKvMfzoOeViftvggWQqOt76v6MQM4O/wtliapQoLeRVnTwUiP9nRlrjiB/f lDesu+nUiHi7MmzueWfjTF1wmmP3cq8Bd90xP9BgzQ//PJtiU90yawczYqijOHHZSNmv It1QDwFj3hAV/PWyc0Nphvsv45fuFE3VG4qqWs0VmtX+C91Kd8pcUyuk8dgwLREqux5H Ebx/8Tuff3hPVGBJZ5B+EyR7HPHQiTzxCNi9QAaTwBDvPfzr4Updv9PLYWPly9d0CGa9 VmFbV8RLAPF1HJQ2Y2EkKmZqNZ8HwVwDx8o2Uo20IZn43CQm5ojgfJ+TzIKPY4ZDBG5b lZsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1693163650; x=1693768450; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=x8W12Bp0mkksITWfOWE7GLe3i/5RSWH1IngLM1CBr/c=; b=J85jSp+ByzcNPsgfLLr9/QabvowAkxQYZOKjBrrmsrHLcdMLJ9aRB5XTSHgxOjRiUS 6r8Mx9PvdsQWSP5ZR9ousNQVRzW4+jYVggrNzH5v0/qrFQPvzgt2mHhqMChBdom/tlW8 wFg5C4L414cOhRRhhJPSiTa0cId2ac2xXceOKtffzTB6cgZGl+QdoI5JKhFPxJ/doq3n rGB10wsoz9hm05KuC34BmOyIRlYE12patD7y0N/uVeD1qEGujXaBf5eivtHj6SpwmxnJ FnFbzWNTv0FrPLUVp+qQJm9mRgtIscqne1YCg5iMh8HXX8Bupajd7SkS0NB3Qirgb2g/ BqdQ==
X-Gm-Message-State: AOJu0YySgJwgNPwfiWrMDLcyUB/hfocRfBsWwWyirX6LIhh+SiGw6Nxb qzmosmeBsNeBeTxg9M4TWCw=
X-Google-Smtp-Source: AGHT+IHrn2rv6G+oQV2LrEEpkEDjmb9WuHvD28pHCDXMPWhcQBgy38TW2Nic4z2y9OxNy+RBx5ON4w==
X-Received: by 2002:a7b:ca58:0:b0:401:b4ad:20cf with SMTP id m24-20020a7bca58000000b00401b4ad20cfmr5901719wml.0.1693163649454; Sun, 27 Aug 2023 12:14:09 -0700 (PDT)
Received: from smtpclient.apple (150.205.115.87.dyn.plus.net. [87.115.205.150]) by smtp.gmail.com with ESMTPSA id d15-20020a5d538f000000b0031ae8d86af4sm8306760wrv.103.2023.08.27.12.14.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 27 Aug 2023 12:14:08 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-92D8F2D1-A47B-46CF-8BC1-36543ECBA37D"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Sun, 27 Aug 2023 20:13:58 +0100
Message-Id: <3E881352-99C1-4D08-B342-1C75741246C2@gmail.com>
References: <CAD9ie-uzJcFy8nz2L6=gvPGn28A1JMa4-=BwF3gPw5Aj3hBjsg@mail.gmail.com>
Cc: Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in>, oauth <oauth@ietf.org>
In-Reply-To: <CAD9ie-uzJcFy8nz2L6=gvPGn28A1JMa4-=BwF3gPw5Aj3hBjsg@mail.gmail.com>
To: Dick.Hardt@gmail.com
X-Mailer: iPhone Mail (20G75)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/q4NLJnEq7r4Bm6atVTWKRFK4g6g>
Subject: Re: [OAUTH-WG] Call for adoption - Protected Resource Metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Aug 2023 19:14:26 -0000

Right. It’s worth noting that many endpoints already publish similar metadata via OpenAPI (Swagger) API descriptions.

Neil

On 27 Aug 2023, at 19:42, Dick Hardt <dick.hardt@gmail.com> wrote:


For many resources, the information is already disclosed. What is excessive to you might be crucial to others -- and my use case, the disclosure is crucial. 

Extrapolating your basis for objecting, that another endpoint provides additional attack surface, we would not do ANY new endpoints or functionality since they would all provide more attack surface.

On Sat, Aug 26, 2023 at 11:38 PM Jaimandeep Singh <jaimandeep.phdcs21@nfsu.ac.in> wrote:
Hi Dick,

My previous emails do not even obliquely refer to security by obscurity. It is about design patterns and excessive information disclosure.

Regards
Jaimandeep Singh 

On Sat, 26 Aug, 2023, 8:27 pm Dick Hardt, <dick.hardt@gmail.com> wrote:
Jaimandeep: Do I understand your objection to adoption is that providing a resource discovery endpoint increases the attack surface as an attacker gains knowledge about the resource?

If I understand that correctly, then you are suggesting security through obscurity.

As mentioned by Aaron, there is no requirement for a resource to support the resource metadata, and the metadata itself could be protected. 

Practically though, I believe the argument that security is improved by not having a resource discovery endpoint is false. Most resources have publicly available documentation which will contain the same information, and while the docs are not necessarily machine readable, LLMs can make it pretty accessible. 

Even if you wanted to keep it secret, if applications that use the resource are readily available, how the applications interact with the resource can be discerned through reverse engineering. 
I think that a security consideration calling out that a malicious actor more readily has access to the protected resource metadata is an adequate response.

For my use case, the protected resource metadata is required for the functionality I plan to implement. The AS has no prior knowledge about the protected resource, and when a request is made, the AS learns about the PR and presents the user with an experience based on the metadata for the user to make a decision to grant access. 

/Dick



On Fri, Aug 25, 2023 at 8:29 PM Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org> wrote:
Hi Aaron,

Thx for your suggestions. I have reviewed the recordings and I would suggest following:

1. Design Consideration: The two components of the OAuth 2.0 ecosystem authorization server (step 1) and protected resource server (step 2) may appear independent, but from systems perspective there is a linear dependency between them. Directly engaging with step 2, even in a limited capacity, threatens the established sequence and poses substantial security and architectural implications.

2. Information Disclosure: Say I have my HIPPA record stored on a protected resource server, I don't want any app to even know that I have such a resource available with a protected resource server in the first place. The concept of exposing the mere existence of such data raises a glaring concern. Looking at Google, it has a fine-grained authorization strategy that meticulously limits access for its RESTRICTED scopes only to apps that meet certain security benchmarks. Once, the malicious apps come to know of the prized data at the resource server, it will lead to targeted phishing attacks, as was highlighted during the 117 meeting, underscoring the fragility of this approach.

3. The Imperative of Gradation and Minimal Exposure: Even if we have to go down this path, there is a definite need to mitigate the perils of overexposure. Instead we can look at gradation strategy, wherein the scopes could be categorized into levels, spanning from generic (Level 0) to tightly controlled (Level 5) access. There is no requirement of secondary URI in this appch. For instance, the sensitive scopes like level 3 and above, may mandate clients to support DPoP and OAuth 2.1. There is no need to divulge if a particular resource is present or not and not even the address of the authorization server.

Thanks
Jaimandeep Singh


On Sat, Aug 26, 2023 at 7:03 AM Aaron Parecki <aaron=40parecki.com@dmarc.ietf.org> wrote:
Hi Jaimandeep,

As with many OAuth extensions, this is not obligatory to implement unless you need the functionality it provides. Many of the concerns you mention are referenced in the security considerations section of the draft already, and we would of course be happy to further expand that section as appropriate. 

As we presented during the last two IETF meetings, there are many use cases that would benefit from this draft that currently don't have an interoperable solution. I would suggest you review those presentation recordings so better understand the use cases.

Aaron




On Fri, Aug 25, 2023 at 12:31 PM Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org> wrote:
I do not support the adoption because of following:

1. Increased Attack Surface and Information Disclosure: The proposed draft inherently expands the attack surface by allowing the retrieval of detailed information about the protected resources held with a particular resource server, as outlined in section 3.1. We are inadvertently exposing the resources supported by the protected resource server. The secondary URIs which correspond to each of the protected resources further expands the potential attack vectors. To illustrate, if a protected resource server supports resources from 1 to 10, and a client requests metadata for all these resources, it leads to 11 requests (1 + 10). This exposes a total of 11 URIs to potential attackers with information disclosure.

2. Lack of Client Verification and Potential DDoS Vulnerability: There is absence of client application verification before it accesses the APIs. This can lead to the possibility of malicious client applications initiating Distributed Denial of Service (DDoS) attacks. 

3. Impact on Processing Time due to Multiple Resources: The need to wildcard match/support numerous secondary URIs based on the number of protected resources could lead to increased processing time.

4. Strengthening the Existing System with Adequate Error Codes: Our existing OAuth RFC, can handle this issue gracefully by incorporating error codes. This ensures that, at the very least, access tokens are verified before any specific information is disclosed.

Thanks
Jaimandeep Singh

On Thu, Aug 24, 2023 at 12:32 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
All,

This is an official call for adoption for the Protected Resource Metadata draft:
https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/" rel="noreferrer nofollow" target="_blank">https://datatracker.ietf.org/doc/draft-jones-oauth-resource-metadata/

Please, reply on the mailing list and let us know if you are in favor of adopting this draft as WG document, by Sep 6th.

Regards,
 Rifaat & Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/oauth


--
Regards and Best Wishes
Jaimandeep Singh
http://www.linkedin.com/in/jaimandeep-singh-07834b1b7" rel="noreferrer nofollow" target="_blank">LinkedIn
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/oauth


--
Regards and Best Wishes
Jaimandeep Singh
http://www.linkedin.com/in/jaimandeep-singh-07834b1b7" rel="noreferrer nofollow" target="_blank">LinkedIn
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth" rel="noreferrer noreferrer nofollow" target="_blank">https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email