IETF Logo Mail Archive

Re: [OAUTH-WG] PAR metadata

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 03 January 2020 21:43 UTC

Return-Path: <prvs=264719d21=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8D941200DB for <oauth@ietfa.amsl.com>; Fri, 3 Jan 2020 13:43:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8e0zzqP-nl_T for <oauth@ietfa.amsl.com>; Fri, 3 Jan 2020 13:43:42 -0800 (PST)
Received: from smtp-fw-9101.amazon.com (smtp-fw-9101.amazon.com [207.171.184.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10845120045 for <oauth@ietf.org>; Fri, 3 Jan 2020 13:43:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1578087823; x=1609623823; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=J9T3xfgGDAZS9it1iKeARnOigajpAFQFXkFe8dNBHEA=; b=OFzlIMQwZp0CsiahzlHNm8DUXwFOiZXK7HvygY55w/1QF9f9JJE96XVx pviAapa58CboIBn40pdPKl0iuY1XAgLg5VtTEfFIe7l1rnyttY+k94GKp 2v+UODZe6he/Daxej/VOzunJmoe+anZdXrc4T7rSQOOPD+s+T9QOgKzv5 A=;
IronPort-SDR: AxDToUGgW7tK7tJEEEM0FzE+MYJw5Pmv4JauJx8xMWRWWN7sLrUWhwsCFo0fJpxizApYiZhEbR UX9tJjMWYCQA==
X-IronPort-AV: E=Sophos;i="5.69,392,1571702400"; d="scan'208";a="8305084"
Received: from sea32-co-svc-lb4-vlan3.sea.corp.amazon.com (HELO email-inbound-relay-1e-a70de69e.us-east-1.amazon.com) ([10.47.23.38]) by smtp-border-fw-out-9101.sea19.amazon.com with ESMTP; 03 Jan 2020 21:43:42 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162]) by email-inbound-relay-1e-a70de69e.us-east-1.amazon.com (Postfix) with ESMTPS id 917A1A2522; Fri, 3 Jan 2020 21:43:39 +0000 (UTC)
Received: from EX13D11UWC001.ant.amazon.com (10.43.162.151) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 3 Jan 2020 21:43:38 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC001.ant.amazon.com (10.43.162.151) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 3 Jan 2020 21:43:36 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Fri, 3 Jan 2020 21:43:36 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org>, Filip Skokan <panva.ip@gmail.com>
CC: Dave Tonge <dave.tonge@moneyhub.com>, oauth <oauth@ietf.org>, Nat Sakimura <nat@sakimura.org>
Thread-Topic: [OAUTH-WG] PAR metadata
Thread-Index: AQHVv+g7xiAB+Bj4Q0q9tvboHgAv9qfUXGKAgAAMNwCABI8uAA==
Date: Fri, 03 Jan 2020 21:43:36 +0000
Message-ID: <05AB19DB-FCD2-4FAA-A470-0978E7B65354@amazon.com>
References: <E1C4F217-8A9F-4E26-A488-C17D741C1D34@lodderstedt.net> <CALAqi_-J6vUSc11V1L2L+tGfZEjqdya6R0rqV-kxiM2NoFb0Zw@mail.gmail.com> <50191CC6-0A19-42B4-87C2-880F53FD3C4F@lodderstedt.net>
In-Reply-To: <50191CC6-0A19-42B4-87C2-880F53FD3C4F@lodderstedt.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.161.16]
Content-Type: text/plain; charset="utf-8"
Content-ID: <CE9E805B0284C2448E3FA761BE03A809@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/s28lwmWQRyQeNvdiyKj1DijPFVA>
Subject: Re: [OAUTH-WG] PAR metadata
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jan 2020 21:43:44 -0000

PAR introduces an added wrinkle for encrypted request objects: the PAR endpoint and authorization endpoint may not have access to the same cryptographic keys, even though they're both part of the "authorization server." Since they're different endpoints with different roles, it's reasonable to put them in separate trust boundaries. There is no way to support this isolation with just a single "jwks_uri" metadata property.

The two options that I see are:

1. Define a new par_jwks_uri metadata property.
2. Explicitly state that this separation is not supported.

I strongly perfer #1 as it has a very minor impact on deployments that don't care (i.e., they just set par_jwks_uri and jwks_uri to the same value) and failing to support this trust boundary creates an artificial limit on implementation architecture and could lead to compatibility-breaking workarounds.

– 
Annabelle Richard Backman
AWS Identity
 

On 12/31/19, 8:07 AM, "OAuth on behalf of Torsten Lodderstedt" <oauth-bounces@ietf.org on behalf of torsten=40lodderstedt.net@dmarc.ietf.org> wrote:

    Hi Filip, 
    
    > On 31. Dec 2019, at 16:22, Filip Skokan <panva.ip@gmail.com> wrote:
    > 
    > I don't think we need a *_auth_method_* metadata for every endpoint the client calls directly, none of the new specs defined these (e.g. device authorization endpoint or CIBA), meaning they also didn't follow the scheme from RFC 8414 where introspection and revocation got its own metadata. In most cases the unfortunately named `token_endpoint_auth_method` and its related metadata is what's used by clients for all direct calls anyway.
    > 
    > The same principle could be applied to signing (and encryption) algorithms as well.
    > 
    > This I do not follow, auth methods and their signing is dealt with by using `token_endpoint_auth_methods_supported` and `token_endpoint_auth_signing_alg_values_supported` - there's no encryption for the `_jwt` client auth methods. 
    > Unless it was meant to address the Request Object signing and encryption metadata, which is defined and IANA registered by OIDC. PAR only references JAR section 6.1 and 6.2 for decryption/signature validation and these do not mention the metadata (e.g. request_object_signing_alg) anymore since draft 07.
    
    Dammed! You are so right. Sorry, I got confused somehow. 
    
    > 
    > PS: I also found this comment related to the same question about auth metadata but for CIBA.
    
    Thanks for sharing. 
    
    > 
    > Best,
    > Filip
    
    thanks,
    Torsten. 
    
    > 
    > 
    > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
    > Hi all,
    > 
    > Ronald just sent me an email asking whether we will define metadata for 
    > 
    > pushed_authorization_endpoint_auth_methods_supported and
    > pushed_authorization_endpoint_auth_signing_alg_values_supported.
    > 
    > The draft right now utilises the existing token endpoint authentication methods so there is basically no need to define another parameter. The same principle could be applied to signing (and encryption) algorithms as well. 
    > 
    > What’s your opinion?
    > 
    > best regards,
    > Torsten.

v2.23.0 | Report a Bug | By Email