[OAUTH-WG] WGLC review of PAR
Neil Madden <neil.madden@forgerock.com> Thu, 20 August 2020 11:30 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C5CE3A082D for <oauth@ietfa.amsl.com>; Thu, 20 Aug 2020 04:30:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id evze9uoNk7Tg for <oauth@ietfa.amsl.com>; Thu, 20 Aug 2020 04:30:34 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 409FC3A0805 for <oauth@ietf.org>; Thu, 20 Aug 2020 04:30:33 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id f1so1690768wro.2 for <oauth@ietf.org>; Thu, 20 Aug 2020 04:30:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:mime-version:subject:message-id:date:to; bh=S4CJleXtHmUV6VL62ZsP6BxpLtD5FY6L/iLp2KqP1ho=; b=dv6oYsb1hqZdKogyiJl2hrY3PPDiG8rE0hoaaDavFLem2uG95En1Ixms8bcPEEsPhw NRL8O9e7eZDCkzVtwmZ/JkRd9jwzWbHYatwWNWGOvVd1EweIp5k5v8e019Uq7Cl+JDQY HxvGJaoEyg33J7VbKm8kUkM7v1jQ8YO1gZBDs=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=S4CJleXtHmUV6VL62ZsP6BxpLtD5FY6L/iLp2KqP1ho=; b=QJDtSPhLX0L2OUteO6Ivspf403eKsd508qa0hGAHZsmCZArfPsVOAdewtMhcJ2ASNA jD4wEE1Qmz25lY7stu9nxqSymRyv89TIWRAMJuN5E26aI+djtZ8YKbqfSIHJulqHJ9z1 94ozFbLPBnw3+cGOkwAPzmRSEawWFwzsFQBpmt7s8Txx0ssb8vV1CWcBaxWxH/uQI2sT mQH+4DzwwjsencZer+JS7Q5jWKqYwEy+IWDc/O89dFALygqp+OYOOtUi3Kw4/ntg2LkU IN0xy5jJoHWK3gm9e5LxaBh9ixJGbxi6Xpsu7ybY4ZUWGe6YFD7lCLpk8I0xo1fjE+NT HkMg==
X-Gm-Message-State: AOAM531/twXMyKNMaJtOoBj6TQa22YEyCktzsqtllpzvNmp2vrXr+p4+ 1KQOBTi9OcDXH1kQMO7bjvlg0vofZptYZ1UuZ7Cnjn6jAXALEdWBZFEjSAPOV2SvtnJitIOFXVM iB0gHqLOMRd61fv8ECQSkgAaHl+Sf9NGfQ725ncXX4dWEtIyjJxYfJ6tdkjDVsqe8tQ==
X-Google-Smtp-Source: ABdhPJwLNBf/0Bl2kvYGbFjoEA1iMiEjbTEIhOf/obZVrK9nAOUxVskbCFuoaIUDbUrwlSoEF+IKxQ==
X-Received: by 2002:adf:a3d0:: with SMTP id m16mr2667466wrb.232.1597923029518; Thu, 20 Aug 2020 04:30:29 -0700 (PDT)
Received: from [10.0.0.6] (38.227.143.150.dyn.plus.net. [150.143.227.38]) by smtp.gmail.com with ESMTPSA id i7sm3846678wrs.25.2020.08.20.04.30.28 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 20 Aug 2020 04:30:28 -0700 (PDT)
From: Neil Madden <neil.madden@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_B22A644F-8ECA-4284-8370-666C425FD534"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Message-Id: <A1FC4925-3A92-4F13-B33E-280A1D703CC8@forgerock.com>
Date: Thu, 20 Aug 2020 12:30:28 +0100
To: oauth <oauth@ietf.org>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/t1CUZ4CyfbO3Vc6On0yrPqlv0C8>
Subject: [OAUTH-WG] WGLC review of PAR
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 11:30:37 -0000
As promised in the last interim meeting, I’ve reviewed the current (03) draft-ietf-oauth-par document. Overall it looks close to ready to me, with mostly minor comments and one security-relevant comment on section 2.1 that should be discussed further, and one additional proposed security consideration:
Abstract:
The wording here could be improved - “allows clients to push an authorization request […] used as a reference to the data in a subsequent authorization request.” Both the pushed data and the call to the authorization endpoint are referred to as an “authorization request”. Maybe change the second usage to “in a subsequent call to the authorization endpoint”.
Section 1:
The introductory part here is quite long. Maybe adding a new sub-heading before the example would make it flow better.
The end of the introduction uses the acronym “PAR” for the first time, but never explicitly defines it.
I agree with Justin that ACR is not the best example to lead with. If it stays there should be a reference to OIDC to explain what this means.
The paragraph that begins “It also allows clients to push the form encoded …” is confusing because the use of “also” suggests this is different from the previous paragraph, but it seems to actually be saying the same thing?
“[…] but it also allows clients requiring
an even higher security level, especially cryptographically confirmed
non-repudiation, to explicitly adopt JWT-based request objects”
The “but” should be an “and” in this paragraph. It’s also not clear what is being said here - isn’t JAR what provides JWT-based request objects?
The paragraph beginning “As a further benefit, …” is a little bit of a Columbo moment (“Just one more thing…”) at the end of the introduction. Maybe move this as another bullet point at the start of the section. The following paragraph can then be rewritten as “The increased confidence in the identity of the client during the authorization process allows confidential clients to provide a different redirect_uri on every request. […]”
Section 2:
The 3rd paragraph contains statements like
The endpoint also supports sending all authorization
request parameters as request object according to
[I-D.ietf-oauth-jwsreq <https://tools.ietf.org/html/draft-ietf-oauth-par-03#ref-I-D.ietf-oauth-jwsreq>].
presumably this is not a normative requirement that any PAR implementation has to also support JAR, or is it? Maybe change the wording to “MAY also support …”.
The first mention of “token_endpoint_auth_method” and client metadata should have a reference to RFC 7591 - currently it’s only referenced later in section 2.1.
2.1:
I’m a little bit wary of the relaxing of the redirect_uri processing rules, because this removes a layer of defence in depth. With the current requirement for pre-registered URIs an attacker needs to compromise the redirect endpoint *and* the client credentials in order to steal an authorization code and use it. With this change, compromising the client credentials alone would be enough. If the use-case is specifically in a PKI environment, could the redirect_uri be baked into the cert? Maybe this use-case could be better addressed in a separate draft.
2.2:
The definition of “expires_in” as a "JSON number" suggests that fractional/floating-point values are allowed. Presumably this is intended to be an integer? Is there a recommended minimum/maximum? Suggested wording:
===
* "expires_in" : A JSON number that represents the lifetime of the
request URI in seconds as a positive integer. The lifetime SHOULD
be at least 5 seconds and at most 600 seconds, but other values are
permitted at the discretion of the authorization server.
===
Those values are fairly arbitrary - 5 seconds seems a reasonable lower bound for a client with a bad network connection, and 10 minutes seems more than adequate upper bound for the typical uses.
3:
I confirmed that the request JWT verifies with the given JWK using our internal JWT library :-)
5:
“require_pushed_authorization_requests” might be better named “requires_pushed_authorization_requests” given that it is describing the server’s policy rather than telling the client to require them, but this is a really pedantic point. Same for the client metadata in section 6.
7:
I would like to propose an additional security consideration, with the following wording:
===
7.5. Request URI swapping
An attacker could capture the request URI from one request and then substitute it into a different authorization request. For example, in the context of OpenID Connect, an attacker could replace a request URI asking for a high level of authentication assurance with one that requires a lower level of assurance. Clients SHOULD make use of PKCE, a unique “state" parameter, or the OIDC “nonce” parameter in the pushed request object to prevent this attack.
===
— Neil
- [OAUTH-WG] WGLC review of PAR Neil Madden
- Re: [OAUTH-WG] WGLC review of PAR Brian Campbell
- Re: [OAUTH-WG] WGLC review of PAR Neil Madden
- Re: [OAUTH-WG] WGLC Review of PAR Mike Jones