[OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-10: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 27 January 2021 04:32 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: oauth@ietf.org
Delivered-To: oauth@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id D5E043A1211; Tue, 26 Jan 2021 20:32:18 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-oauth-jwt-introspection-response@ietf.org, oauth-chairs@ietf.org, oauth@ietf.org, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, rifaat.s.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.24.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <161172193850.26768.7940243594405897258@ietfa.amsl.com>
Date: Tue, 26 Jan 2021 20:32:18 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qDT1t4qxMxnYu56RZKWsesuccVw>
Subject: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf-oauth-jwt-introspection-response-10: (with DISCUSS and COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2021 04:32:19 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-oauth-jwt-introspection-response-10: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-oauth-jwt-introspection-response/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- We've made a lot of progress at unravelling the gnarly issues relating to merging the introspection response and JWT claims namespaces, which is good. That said, I'd still like to discuss a little bit more the behavior described in Section 5, where the "token_introspection" claim in the response can also contain JWT claims (''' In addition, claims from the JSON Web Token Claims registry [IANA.JWT] established by [RFC7519] MAY be included as members in the "token_introspection" claim.''') That seems to be granting carte blanche to do the thing that was deemed problematic, i.e., mix the namespaces. As such, the current formulation in the document, in the general case of independent uncoordinated implementations, seems to admit the prospect of an AS adding something to an introspection response under the guise of the JWT claim exception that is interpreted by the recipient RS as a new introspection response parameter (or, I think, vice versa). Yes, this would require conflicting registrations to occur, but we still don't have a procedure in place that would prevent such conflicting registrations from occurring in the future. How can we add some low-cost safety controls that mitigate the risk while still enabling the desired functionality? I have a couple thoughts on this: there is already an exception for implementation/service-specific (unregistered) claims in the introspection response, which could apply to JWT claims under the same requisite conditions of administrative control, if that's going to cover the scenarios in question. One could also imagine a new registration procedure for introspection response parameters whereby (for example) any non-conflicting value already registered as a JWT claim can be mechanically propagated into the introspection response registry potentially just by IANA without even expert review. Then we would just require the contents to be registered introspection response parameters, and someone who wants to use JWT claims can trivially get them registered before using them. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I'm not balloting this at a DISCUSS-level, because it may just be me failing to understand the intended meaning (or being forgetful), but I'm having a hard time seeing how we're self-consistent about the requirement for an RS to authenticate and authorize a given RS for a given introspection transaction. In particular, in Section 3 we see that "the authorization server MUST be able to identify, authenticate and authorize resource servers" and that "[t]he authorization server MUST be able to determine whether an RS is the audience for a particular access token and what data it is entitled to receive, otherwise the RS is not authorized to obtain data for the access token". While I see that there is also some discussion about using the "scope" parameter of the token being introspected as an indicator of the RS it is to be used for (and thus the identity of the RS that would legitimately be making an introspection request), and I also see discussion of using an encrypted introspection response as a way to ensure that the contents are only viewable by the intended RS, I'm not sure how clearly either (or both) mechanisms constitute "authentication" of the introspection request. Since we already require a "strong two-way trust relationship", it's not clear to me that it would be difficult to strongly authenticate the actual introspection request itself or that there is much gained by skipping such a check in favor of other mechanisms. Several of my inline comments touch on this topic (on the assumption that there is a strong MUST for strong authentication); I left them in place to benefit from the context of where they appear, rather than constructing a laundry list of all of them. That said, it will suffice to explain how I'm wrong/confused just once; there's no need to repeat it at each place I bring up the topic. Section 3 To support encrypted token introspection response JWTs, the authorization server MUST also be provided with the respective resource server encryption keys and algorithms. That seems more of a descriptive than a normative "must", to me. Section 4 A resource server requests a JWT introspection response by including an "Accept" HTTP header "application/token-introspection+jwt" in the introspection request. nit: "header field". and probably also something about "containing" or "with body". The AS SHOULD authenticate the caller at the token introspection endpoint. Authentication can utilize client authentication methods or a separate access token issued to the resource server. Whether a resource server is required to authenticate is determined by the respective RS-specific policy at the AS. I don't think this can be only a SHOULD-level requirement and be consistent with the MUST-level requirements in the previous section (most notably, "[AS] MUST be able to determine whether an RS is the audience for a particular access token". It is hard to believe that an unauthenticated RS could have such authorization. The following is a non-normative example request with client authentication: POST /introspect HTTP/1.1 Host: as.example.com Accept: application/token-introspection+jwt Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW (side note: "Authorization: Basic" makes me sad.) Section 5 The introspection endpoint responds with a JWT, setting the "Content- Type" HTTP header to "application/token-introspection+jwt" and the nit: "header field" again. If possible, the AS MUST narrow down the "scope" value to the scopes relevant to the particular RS. What's the difference between "if possible, <X> MUST" and "<X> SHOULD"? The JWT MAY include other claims, including those from the "JSON Web Token Claims" registry established by [RFC7519]. The JWT SHOULD NOT include the "sub" and "exp" claims as an additional prevention against misuse of the JWT as an access token (see Section 8.1). nit: I think a comma after "'exp' claims" would increase clarity. The JWT is cryptographically secured as specified in [RFC7662]. I think that this was intended to refer to 7519 (JWT), not 7662 (introspection)? Depending on the specific resource server policy the JWT is either signed, or signed and encrypted. If the JWT is signed and encrypted it MUST be a Nested JWT, as defined in JWT [RFC7519]. Note: If the resource server policy requires a signed and encrypted (nit?) Just to confirm: the "resource server policy" here is a policy that's applied at the AS on a per-resource-server basis? If so, perhaps writing it "resource-server-specific policy" would clarify. response and the authorization server receives an unauthenticated request containing an "Accept" header with content type other than "application/token-introspection+jwt", it MUST refuse to serve the request and return an HTTP status code 400. This is done to prevent downgrading attacks to obtain token data intended for release to legitimate recipients only (see Section 8.2). An unauthenticated request should be denied unconditionally, right? Should this MUST apply to just requests containing the "Accept" header (field) with other content-types? The example response JWT payload contains the following JSON document: [...] "token_introspection": { [...] "scope":"read write dolphin", Is there any chance the minimizer that was run on this payload as input to JWT generation also removed the spaces in the scope string? I seem to be having some unexpected behavior from my local tooling, but it is looking like the claims set from the example HTTP payload lists "scope":"readwritedolphin". Section 8.2 To prevent introspection of leaked tokens and to present an additional security layer against token guessing attacks the authorization server MAY require all requests to the token introspection endpoint to be authenticated. As an alternative or as an addition to the authentication, the intended recipients MAY be set up for encrypted responses. Isn't this ("require all requests to be authenticated") also a MUST now?
- [OAUTH-WG] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk via Datatracker
- Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Benjamin Kaduk's Discuss on draft-… Benjamin Kaduk