Re: [OAUTH-WG] PAR: pushed requests must become JWTs

Brian Campbell <bcampbell@pingidentity.com> Fri, 10 January 2020 19:57 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF64A1200FA for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 11:57:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7plMDeGnNgsp for <oauth@ietfa.amsl.com>; Fri, 10 Jan 2020 11:57:21 -0800 (PST)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5B9C12001A for <oauth@ietf.org>; Fri, 10 Jan 2020 11:57:20 -0800 (PST)
Received: by mail-lf1-x12e.google.com with SMTP id n12so2383280lfe.3 for <oauth@ietf.org>; Fri, 10 Jan 2020 11:57:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hrgmVxmXgtdaYhmQG7ngP9Tns+xi/L672OZmltnTS28=; b=VRNWXeRPkZzUlqZWeeVIgKmiW7gKW5OrGNU9xb7ohezEBbb25PJdWGgUNFfKjkASpL IHWOBq4Q0yP+EZ6YGJLY4ySao6j3/JEhMg3nH7Yq/GABIGUukw3HWd52mIesrx8fosxG JLb7GE99aB3JKkYq5Rw+w9YhtYLahRpU9XnHtfM36hK7ySPWC586qZwgVlgUZBWmwalm ugea/UEopEl1UNyHvkxx128vGs3MBfIVAejl27dCAav5jN7dHI+PUeA8eML5g+gCnQbL IZ8XNg+m+p/FETBIUlyfJao3+DeCzAeFPiPB8ONu7LR0NZByqIwKHzNVhA+Kj7m6GZes RfHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hrgmVxmXgtdaYhmQG7ngP9Tns+xi/L672OZmltnTS28=; b=al2YMTCO+JiwEQITQuMQYauOFkb+igRjhftaZCUMHm5n9jy5NaVegb6D4Nr8vsGhib sFxddKQaXOq2b+9kqYhP1q42Z59KivvLrNbTWDq+H9ijD5G8tQq7vXIQQhs65rOpydTt 7kJoqrJNGJkO9CAB76Ym/bAO5nmOKRvAjkh8/H/bBishSi/lS/W/CVD5udz1VuPeuEC2 fnwsqdoX+8nkEcBSm5jGv1ikxdS+ZMAF2jgg2PTIugWa+2QnZwiuLJaIwDevQzQV+jxU UxFB+WD1FEnm3lNsrBH1YiQ6AcpB9N7etWA9QM18uF/RgLIUswyXify/7tN0XKFDRHC3 plQA==
X-Gm-Message-State: APjAAAW7wXrRzuBhbcKRez8MsjPj9gCeIrTzn8NDGSrwk8hMRBERRdab s2Rl3US82rUr4FE/hgOlWAHoYUAlFj3Qypy4Ew3b5WNFfBXzhuQABBHZPtwfAqcGpWl8OnIoerN M3xh8+Fu0jg/CXw==
X-Google-Smtp-Source: APXvYqx8h0RSYSB5KGByMy0S9Ci4hHyBA7M5TMRBCsiESMl+wCqNtYW/uQDemN6ee57v9amyVOzIgS/HlzTBumcSrhw=
X-Received: by 2002:ac2:5f59:: with SMTP id 25mr1420007lfz.193.1578686238395; Fri, 10 Jan 2020 11:57:18 -0800 (PST)
MIME-Version: 1.0
References: <8D1DD3BF-97B5-416A-B914-6867FD3553B0@amazon.com> <72A27E43-72C6-44D0-8D95-07FBF8CE332F@lodderstedt.net> <CA+k3eCSL5nS81uKbL3sPh9-SesPnaLsGgnO2=R4jjDy-fSVGKw@mail.gmail.com> <CAANoGh+9+g=2kzh5k-n5eOVHNX=F6kxWbwrP-u=yG-F_C02i8g@mail.gmail.com>
In-Reply-To: <CAANoGh+9+g=2kzh5k-n5eOVHNX=F6kxWbwrP-u=yG-F_C02i8g@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 10 Jan 2020 12:56:52 -0700
Message-ID: <CA+k3eCSSSnX2oCoSvtGpbZZCQ+xydaE0g1SseikAs19M8VBLpw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Cc: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Nat Sakimura <nat@sakimura.org>, "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000073b434059bce88a3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qgsyk64EDZ1YK03cldXGVc__mhY>
Subject: Re: [OAUTH-WG] PAR: pushed requests must become JWTs
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 19:57:26 -0000

Sure but the text proposed (or something like it) qualifies it such that
there aren't interoperability questions because it's only an implementation
detail to the AS who both produces the URI and consumes its content.

On Fri, Jan 10, 2020 at 12:48 PM John Bradley <ve7jtb@ve7jtb.com> wrote:

> It may be a challenge to change text saying that the contents of the
> resource could be something other than a request object.
>
> If not a request object then what and how is that interoperable are likely
> AD questions.
>
> I could perhaps see changing it to must be a request object, or other
> format defined by a profile.
>
> John B.
>
>
> On Fri, Jan 10, 2020, 3:45 PM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> Agree and agree. But given that the change suggested by Annabelle has no
>> impact on the client or interoperability, perhaps Nat or John could work
>> the change into the draft during the edits that happen during the final
>> stages of things?
>>
>> On Thu, Jan 9, 2020 at 1:56 AM Torsten Lodderstedt <torsten=
>> 40lodderstedt.net@dmarc.ietf.org> wrote:
>>
>>> I would assume given the status of JAR, we don’t want to change it. And
>>> as I said, this difference does not impact interoperability from client
>>> perspective.
>>>
>>> Am 09.01.2020 um 00:58 schrieb Richard Backman, Annabelle <richanna=
>>> 40amazon.com@dmarc.ietf.org>gt;:
>>>
>>> 
>>>
>>> It would be more appropriate to add the text to JAR rather than PAR. It
>>> doesn't seem right for PAR to retcon rules in JAR. Moving the text to JAR
>>> also highlights the weirdness of giving PAR special treatment.
>>>
>>>
>>>
>>> What if we changed this sentence in Section 5.2 of JAR:
>>>
>>> The contents of the resource referenced by the URI MUST be a Request
>>>
>>> Object.
>>>
>>>
>>>
>>> To:
>>>
>>> The contents of the resource referenced by the URI MUST be a Request
>>>
>>> Object, unless the URI was provided to the client by the Authorization
>>>
>>> Server.
>>>
>>>
>>>
>>> This would allow for use cases such as an AS that provides pre-defined
>>> request URIs, or vends request URIs via a client management console, or
>>> bakes them into their client apps.
>>>
>>>
>>>
>>> –
>>>
>>> Annabelle Richard Backman
>>>
>>> AWS Identity
>>>
>>>
>>>
>>> On 1/8/20, 2:50 PM, "Torsten Lodderstedt" <torsten=
>>> 40lodderstedt.net@dmarc.ietf.org> wrote:
>>>
>>>
>>>
>>>     Hi,
>>>
>>>
>>>
>>>     you are right, PAR does not require the AS to represent the request
>>> as a JWT-based request object. The URI is used as internal reference only.
>>> That why the draft states
>>>
>>>
>>>
>>>     "There is no need to make the
>>>
>>>           authorization request data available to other parties via this
>>>
>>>           URI.”
>>>
>>>
>>>
>>>     This difference matters from an AS implementation perspective, it
>>> doesn't matter from a client's (interop) perspective.
>>>
>>>
>>>
>>>     We may add a statement to PAR saying that request_uris issued by the
>>> PAR mechanism (MAY) deviate from the JAR definition.
>>>
>>>
>>>
>>>     best regards,
>>>
>>>     Torsten.
>>>
>>>
>>>
>>>     > On 8. Jan 2020, at 23:42, Richard Backman, Annabelle <richanna=
>>> 40amazon.com@dmarc.ietf.org> wrote:
>>>
>>>     >
>>>
>>>     > Hi all,
>>>
>>>     >
>>>
>>>     > The current drafts of PAR (-00) and JAR (-20) require that the AS
>>> transform all pushed requests into JWTs. This requirement arises from the
>>> following:
>>>
>>>     >         • PAR uses the request_uri parameter defined in JAR to
>>> communicate the pushed request to the authorization endpoint.
>>>
>>>     >         • According to JAR, the resource referenced by request_uri
>>> MUST be a Request Object. (Section 5.2)
>>>
>>>     >         • Request Object is defined to be a JWT containing all the
>>> authorization request parameters. (Section 2.1)
>>>
>>>     >
>>>
>>>     > There is no need for this requirement to support interoperability,
>>> as this is internal to the AS. It is also inconsistent with the rest of
>>> JAR, which avoids attempting to define the internal communications between
>>> the two AS endpoints. Worse, this restriction makes it harder for the
>>> authorization endpoint to leverage validation and other work performed at
>>> the PAR endpoint, as the state or outcome of that work must be forced into
>>> the JWT format (or retrieved via a subsequent service call or database
>>> lookup).
>>>
>>>     >
>>>
>>>     > –
>>>
>>>     > Annabelle Richard Backman
>>>
>>>     > AWS Identity
>>>
>>>     >
>>>
>>>     > _______________________________________________
>>>
>>>     > OAuth mailing list
>>>
>>>     > OAuth@ietf.org
>>>
>>>     > https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._