IETF Logo Mail Archive

Re: [OAUTH-WG] Holder-of-the-Key for OAuth

John Bradley <ve7jtb@ve7jtb.com> Wed, 11 July 2012 01:04 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39EAE11E80F9 for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 18:04:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id baUGJ8cwY0Y5 for <oauth@ietfa.amsl.com>; Tue, 10 Jul 2012 18:04:29 -0700 (PDT)
Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 1755E11E80A1 for <oauth@ietf.org>; Tue, 10 Jul 2012 18:04:16 -0700 (PDT)
Received: by qaea16 with SMTP id a16so593126qae.10 for <oauth@ietf.org>; Tue, 10 Jul 2012 18:04:45 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=fz9XHoc76PEVFERXMnbZN5PRp7vKVhiiaqezDb1/zg8=; b=VKNvesv7n2qqPEzfpplwgEydW4NBwbz/ksEv7BSDAH8czuu9LhfjOD3llDyH7P2GC7 M2VQ+bgt77KJVBqM4ZaAUc9qUrmxdZqJ602+oJLm8A7hY5bYklhZzWv2miDOLMFTs0Dm PIdx+4uFWi1KqVrTIT0du7/uiekPUfa0iW+GGylJ64orJRxdbLnQNoU4+GGNf3g4H4dh yetGxrHHUnZn1g5v7cbXShkta0aKAUBijCXCt/WLHiA9RPYRb+Dbz+3sCKleLVHp/JSw FgPkuI4lqSQiN4ElMfczpdENGPkDt2Dy8RxwVnISaTIRSsAVkraEfim/rHYsvTOBP+GL xBEg==
Received: by 10.224.101.3 with SMTP id a3mr12196559qao.66.1341968685594; Tue, 10 Jul 2012 18:04:45 -0700 (PDT)
Received: from [192.168.5.185] (ip-64-134-65-40.public.wayport.net. [64.134.65.40]) by mx.google.com with ESMTPS id gy9sm1213243qab.22.2012.07.10.18.04.41 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 10 Jul 2012 18:04:44 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/alternative; boundary="Apple-Mail=_925C0F96-EB1D-499C-B1E9-6B148529D249"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E114F7977D9C@WSMSG3153V.srv.dir.telstra.com>
Date: Tue, 10 Jul 2012 21:04:40 -0400
Message-Id: <ED7B5A28-B1FA-40AF-9916-4A272BA56F4A@ve7jtb.com>
References: <8FB1BC31-D183-47A0-9792-4FDF460AFAA1@gmx.net> <255B9BB34FB7D647A506DC292726F6E114F7977420@WSMSG3153V.srv.dir.telstra.com> <1341939214.6093.YahooMailNeo@web31811.mail.mud.yahoo.com> <255B9BB34FB7D647A506DC292726F6E114F7977D9C@WSMSG3153V.srv.dir.telstra.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
X-Mailer: Apple Mail (2.1278)
X-Gm-Message-State: ALoCoQmJJWUbK7bwZ2/4LSLLvQQqMDKdgqXmd4SHOGRoKwiHaecTfW5zZWCaRx3QA2SKJajUGxpa
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2012 01:04:31 -0000

inline

On 2012-07-10, at 8:44 PM, Manger, James H wrote:

> William Mills wrote:
> > The server would need to issue a key pair and not just the private key.  Are you saying the private key is for the certificate, and that certificate is part of the access_token?
>  
> Yes. The AS issues temporary credentials for the client app to use. In this case the credentials are a public/private key pair and associated certificate to be used in TLS. The cert (which includes the public key and any info the AS wants) is returned in the “access_token” field. The private key is returned in a separate field.
>  
>  
> John Bradley wrote:
> > I suspect that we will need two OAuth bindings. One for TLS and one for signed message.
>  
> I agree. For instance, set “token_type”:”tls_client_cert” when the client has to use TLS; set “token_type”:”cms” when the client has to digitally sign messages using Crypto Message Syntax (CMS); ….
>  
Perhaps JWT/JOSE rather than CMS:)

Though there will need to be discussions about what part of the message needs to be signed.

>  
> > We should be supporting both the client providing the key pair and a server generated pair.
>  
> Ok. Do you expect a client app to use a separate key pair for each authorization? Or do you expect a client app to have one key pair for all actions (on behalf of all users) and use the access_token to distinguish the authorization in each request? Or something in between?
>  
Using a separate key pair per authorization is not required for asymmetric keys.
The idea is that the presenter of the token needs to prove that they know the proof key.

The only reason to change the key would be privacy, to prevent correlation.

If we look at how openID Connect used id_tokens a ephemeral key generated by the user agent on a per client basis may be useful.

The Client and the token issuer should sort out the proof mechanism and key rotation.

The protected resource should only care about the proof based on the token it receives.  

I think part of this is a JWT/JOSE issue and part of this ia a OAuth binding or bindings issue.

John B.

> --
> James Manger
>  
> From: "Manger, James H" <James.H.Manger@team.telstra.com>
> To: Hannes Tschofenig <hannes.tschofenig@gmx.net>; OAuth WG <oauth@ietf.org> 
> Sent: Monday, July 9, 2012 8:54 PM
> Subject: Re: [OAUTH-WG] Holder-of-the-Key for OAuth
> 
> Hannes,
> 
> > today I submitted a short document that illustrates the concept of
> > holder-of-the-key for OAuth.
> > Here is the document:
> > https://datatracker.ietf.org/doc/draft-tschofenig-oauth-hotk 
> 
> 
> A different approach would be for the service to issue a private asymmetric key to the client app, along with a certificate, in the access token response. This is a slightly better match to the OAuth2 model of the authorization service issuing temporary credentials for accessing resources on a user’s behalf.
> 
> When the token_type is "tls_client_cert" (probably a better label than "hotk"), the client can access protected resources using TLS with client authentication; using the key from the "private_key" field. The "access_token" field holds a base64url-encoded certificate to include in the TLS handshake.
> 
> An example access token response could be:
> 
>   HTTP/1.1 200 OK
>   Content-Type: application/json;charset=UTF-8
>   Cache-Control: no-store
>   Pragma: no-cache
> 
>   {
>     "token_type":"tls_client_cert",
>     "access_token":"MIIGcDCCBdmgAwIBAgIKE…",
>     "private_key":{
>       "alg":"RSA", "mod":"Ovx7…", "p":"7dE…", "q":"fJ3…", …
>     },
>     "expires_in":3600,
>     "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
>   }
> 
> 
> The suggestion above passes the "access_token" to the protected resource in the TLS protocol in the form of a certificate.
> draft-tschofenig-oauth-hotk says the client "presents the access token to the resource server", but it wasn't clear to me how it was done. Were you expecting the client to use the BEARER HTTP auth scheme inside the client-authenticated TLS connection?
> 
> --
> James Manger
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email