IETF Logo Mail Archive

Re: [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)

Warren Parad <wparad@rhosys.ch> Sun, 12 December 2021 11:27 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90FCC3A0AA7 for <oauth@ietfa.amsl.com>; Sun, 12 Dec 2021 03:27:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B9GzCkcHTZBd for <oauth@ietfa.amsl.com>; Sun, 12 Dec 2021 03:26:55 -0800 (PST)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CAF93A0AA3 for <oauth@ietf.org>; Sun, 12 Dec 2021 03:26:55 -0800 (PST)
Received: by mail-yb1-xb30.google.com with SMTP id v203so31810089ybe.6 for <oauth@ietf.org>; Sun, 12 Dec 2021 03:26:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=z7uTfsMUAauduQV9OFBmQUbzBM6srapdtKP5XsT79vY=; b=Syq4jeLpEm8fI+3zefWQZnKSa0DtTr9EqiBT0vuEh3+uaQEEH025pOgWocf9+TtwlI OJa578dZma+IFFpQ4YW09902Q8W2cG5TBXW0N9EM8djG2nv83jrURy7I/utaIsjU8EyK RNPSvHJO08FcDUUxzW6xlC+Jz1ghDnjmH/UP6nxyfwSrkwHPE1zWeSfRFFF3exkvzjNv D8uisyQzlfXrFQF/1cfjcb6OYztH52p84cSFMpcS2pZZSIz5nutPV8vU+sV/NvxP7x/L MiK/b6fdf0cSG39l2GnxCSGD6JByHtRAiB2e4LMggP6exLmZHil6s8A60s0l2EnHS0pg Z0jQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=z7uTfsMUAauduQV9OFBmQUbzBM6srapdtKP5XsT79vY=; b=pp56hI2DYu+WInFWpAVTPEW+GNYPLvhwZIV2SelSnNutImgOvJBfYAQuEQ/2a6Nts5 dC8QxHYNo9js1nxVzqBWH7SEhuX8SYFVNg8rsm7s4Fyb+L4HsmV8NsD4PQ7mVLx33sIZ 00ANETBbER8xVPlMwhVuaXtl2ifoZ3YhmLeAHlXXz9n7Fawg+NJs6Spiz4ogKlK0cUpl ObiArLVnx1WVmn+B1Ac5hR3DHw/9izNYUUJsUQ2Ea++1hJpMYT8Mb2MJwsNF6zEMKH/k 1ZrVn8ymEWdmkOaEZYdgegdW3i3YgwCWj7CJ8nbpmfnUEwvbJS4HoS3Hi24HZB8d57+d ob7w==
X-Gm-Message-State: AOAM533VF62qSOpJfHyQU37bDllIWFVBEWVTK2RHI6ZwY7vKbAstsA61 zQb9Gz2O0ohWewyoabUewr48J48CX5jZFXN70OUX
X-Google-Smtp-Source: ABdhPJyLGdm0lq5HOog26BCDOLxZE0kNwyLQDAqUM/YF+784/5+jtGCmtjfPxpwt38f6VfrE3L1GyqP4jNBZu6i39XU=
X-Received: by 2002:a25:6b4a:: with SMTP id o10mr12801312ybm.660.1639308413991; Sun, 12 Dec 2021 03:26:53 -0800 (PST)
MIME-Version: 1.0
References: <CAOtx8Dm_zbG-cosMELOkoDoCrJP=XGsazATSv7mLmpztj+qcvw@mail.gmail.com> <B77A2D8B-946D-4A71-8D2A-90C36FA94722@forgerock.com> <458129C5-F23C-465C-85ED-4CA939E60983@mit.edu> <CAJot-L2oeE-3tYVXGPEpVqJGbS+Q32Z5+37822cdVMdfmFqbHQ@mail.gmail.com> <20211212012912.GR11486@mit.edu>
In-Reply-To: <20211212012912.GR11486@mit.edu>
From: Warren Parad <wparad@rhosys.ch>
Date: Sun, 12 Dec 2021 12:26:43 +0100
Message-ID: <CAJot-L2UJ1DGO2kEokRnjv75ZopLXKfmNKBSwt-kjL3P-96hoQ@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>, Dmitry Telegin <dmitryt@backbase.com>
Content-Type: multipart/alternative; boundary="000000000000b19bad05d2f13bf0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/u9P7DnkxrKIcb5jUZ9OGK2vsje8>
Subject: Re: [OAUTH-WG] Proposed changes to RFC 8705 (oauth-mtls)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Dec 2021 11:27:01 -0000

Point taken, although we can easily change the language of the original
RFC, what's more important is what we would want it to say, rather than
what it does say. I think in this case, it was an oversight to encourage
deployments to not add/require anything on top of the tokens. But now we
are in the place where we are saying, oh wait that advice was wrong,
deployments should add something on top, but here is what that is. That in
this instance should be the new recommendation.

If there is some technical reason that would break compliant deployments to
use the Bearer with DPoP or mTLS, then the reasonable thing to do, only in
that case, would be release a generic, but consistent, token type:
Bearer_v2. But as this is a requirement provided by RS after the AS
exchange, and the client has to already know about the need before ever
calling the AS if it wants the cfn populated, there is no reason to signal
back to the client nor convey this to the RS.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Sun, Dec 12, 2021 at 2:29 AM Benjamin Kaduk <kaduk@mit.edu> wrote:

> <soapbox warning>
>
> On Thu, Dec 09, 2021 at 09:59:58PM +0100, Warren Parad wrote:
> >
> > If we want to signal that the token should be used with mTLS and not
> > without, that to me says "claim" as "*mtls: true"*. Further, Bearer says
> > "use this as is, it doesn't need to be modified", the token doesn't need
> to
> > be modified to use it with mTLS so Bearer is correct.
>
> I can see how you might read Section 7.1 of RFC 6749 as saying that
> "bearer" refers soley to "simply including the access token string in the
> request".  But if you go follow the reference to RFC 6750, it's right there
> in the abstract that:
>
>    [...] Any party in
>    possession of a bearer token (a "bearer") can use it to get access to
>    the associated resources (without demonstrating possession of a
>    cryptographic key).
>
> I.e., if a token requires proof of possession of a cryptographic key in
> order to use the token, it's not a bearer token.
> So I really don't see any evidence to support a claim that the original
> intent was for Bearer to be used even for PoP tokens.
> That said...
>
> > I really wish we would stop trying to create different token values for
> the
> > part of the Authorization header string that comes before the token.
> Having
> > DPoP token type is bothering me as well, do we need it there, probably
> not,
> > but that's not this discussion. At this point we should consider the
> > *token_type* functionality fundamentally broken, and realistically a
> > vestigial piece of OAuth that neither offers value nor should be
> reasonably
> > used for any purpose. If so desired, then let's put the mTLS signaling
> flag
> > as a claim where anyone and everyone can see it without having to
> magically
> > know what protocol was used to convey the HTTP message to the RS.
>
> ... this part may still be true, in practice, given the current deployed
> reality.
>
> -Ben
>

v2.23.0 | Report a Bug | By Email