Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns
Filip Skokan <panva.ip@gmail.com> Fri, 17 April 2020 15:26 UTC
Return-Path: <panva.ip@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D7AC3A0DB1 for <oauth@ietfa.amsl.com>; Fri, 17 Apr 2020 08:26:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hIBVnq3wtF6 for <oauth@ietfa.amsl.com>; Fri, 17 Apr 2020 08:26:05 -0700 (PDT)
Received: from mail-yb1-xb2d.google.com (mail-yb1-xb2d.google.com [IPv6:2607:f8b0:4864:20::b2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 145FB3A0A7E for <oauth@ietf.org>; Fri, 17 Apr 2020 08:25:56 -0700 (PDT)
Received: by mail-yb1-xb2d.google.com with SMTP id b17so1054484ybq.13 for <oauth@ietf.org>; Fri, 17 Apr 2020 08:25:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RQttaasDrWqDwFeUA7kfXj5oZq8jjxG/auoAce6883o=; b=gczalB/dOnFAIpgKAtcSVCe7eaj3FI7j/dv/CfZEVx83fxNxEaje8LjVVVPeKsKMtZ NEyJqgEG3TjE789fEOiLaGIJIkytZU6uDDDXifQhkvOxzfLj4eoaJKdqZYDQB007gfif zmg7uATz8+7CsDlkBn9myshMZEeXLaU88oQ7Is/gC4XyU+/TMhcCLJlREquqS2K8N3Zk xgt9r9niZHbdLVokbKnoGh6CVEEP9jGotjQUkHtfI45pm+4heCf5ni7euwAr5Vstx9YR KYDoS0WZOZVbWzg5bk5AWmX6UIpYn8Z8h0VyEVM7Q+ERnx+XxiV92Xk6sRWKkI0nJMew Ps/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RQttaasDrWqDwFeUA7kfXj5oZq8jjxG/auoAce6883o=; b=nL1eAjVUYSZ59sYf9+lKpjb9tlF4Hk8OTmcNxjGNrJPfEElcwb1H+X2p3r/r+t+tzS KqRLONNdqto8hlT3g6xIebeV09SOYf8P5h6ecxP/NvcYUaR7fBq/ABCjDv2dCR+2bXw+ svnJXUa0Tn08h8xYalf7Lznj9eKlZ64xFfDTtndIx3eSqtbESUA/rZTmfmq5Luois1PK 9OPfLn1ms5n/Smn6j0bHWiz4t5vtze8OJMaOUS/G5vQgExo2PgToGLm6dsrZZI2SExWG jBXzCnXgmWL5Ybqh7LVLc1r7BcAicatEMO6/cL4/Qe3zG7Jcj6NkBskUwcMRFE4RJr8/ aXkg==
X-Gm-Message-State: AGi0PuY1lNKKL17oxYaWKLsBa1E6BVWx9UJ2SZVs8DKtC8quyzQr1WrF BbMYebAdpbjmBx6SLJLuzQ0ok7g//mF17vIaAw==
X-Google-Smtp-Source: APiQypK6etlvrp6pRrhdCj5bOlQVcKfXkvJQMqkUgHRI5RG5gCAg1uBfffFUcWyvXRasWFFsbQXlGLXCcuoA24vBz8o=
X-Received: by 2002:a25:9b06:: with SMTP id y6mr6413575ybn.127.1587137155068; Fri, 17 Apr 2020 08:25:55 -0700 (PDT)
MIME-Version: 1.0
References: <CALAqi_-9+JYBMSSBnX9PUZkvrPrGTtS8wrJduoPCxMs9+FguPQ@mail.gmail.com> <CA+k3eCRsvETUJUZ=+n2CvQ=y_Lgn+cKgmaAoXBW8WyVJu6yzzg@mail.gmail.com> <CALAqi_9C3ndhWX8Th_ow_Jp-3wM-m=ED-B22bmJyD-KULLDXug@mail.gmail.com> <1E6724FE-9EBE-4A1F-BE24-099771FACEFD@mit.edu>
In-Reply-To: <1E6724FE-9EBE-4A1F-BE24-099771FACEFD@mit.edu>
From: Filip Skokan <panva.ip@gmail.com>
Date: Fri, 17 Apr 2020 17:25:16 +0200
Message-ID: <CALAqi_9=5ea99VO1xwmU61CiixrNQ_EN2S1UMbU09fM4DmWKkg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005678c705a37e2a19"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/v0X6MgAoR8yK7otTtqNYcr4-26E>
Subject: Re: [OAUTH-WG] DPoP - new authorization scheme / immediate usability concerns
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Apr 2020 15:26:08 -0000
I completely agree Justin, as mentioned - i wondered a year ago, I don't anymore. But i'd like it to be clear that sending a DPoP proof does not necessarily mean the AS MUST issue a DPoP access token. Depending on the AS/RS relationship and configuration a regular Bearer may be still be issued and only the public client's refresh token would be constrained. Best, *Filip* On Fri, 17 Apr 2020 at 17:16, Justin Richer <jricher@mit.edu> wrote: > The idea of “Continuing to work without taking advantage of sender > constraints” is, I would argue, a security hole. Systems are allowed to > fail security checks but still offer functionality. This is exactly the > pattern behind allowing an unsigned JWT because you checked the “alg" > header and it was “none” and so you’re OK with that. Yes, you shouldn’t do > that, but maybe we could’ve also made this more explicit within JOSE. By > using the ‘DPoP’ auth scheme, we’re making a clear syntactic change that > says to the RS “either you know to look for this or you don’t know what it > is”. > > It’s one of the problems I have with how the OAuth MTLS spec was written. > By re-using the “Bearer” scheme there, I believe we’ve made a mistake that > allows things to fall through in an insecure fashion. The same argument > against it — ease of porting existing deployments — was raised there as > well, and it won in the end. I hope we can do better this time. > > — Justin > > On Apr 16, 2020, at 4:05 AM, Filip Skokan <panva.ip@gmail.com> wrote: > > I'm still somewhat on the fence as to the pros and cons of using a new >> token type and authorization scheme. But the draft has gone with a new one. >> Would it have really helped this situation, if it'd stuck with "bearer"? Or >> would it just be less obvious? >> > > If we had stuck "bearer" than i wouldn't have raised this topic, since > existing RS would most likely ignore the cnf claim and the resource server > calls would continue to work, obviously without taking advantage of the > available sender check. > > As I wrote the preceding rambling paragraph I am starting to think that >> more should be said in the draft about working with RSs that don't support >> DPoP. Which isn't really what you were asking about. But maybe would cover >> some of the same ground. > > > I agree. > > The AS is the one that does the binding (which includes checking the >> proof) so I don't see how sending two proofs would really work or help the >> situation? > > > :facepalm: indeed, sorry. > > S pozdravem, > *Filip Skokan* > > > On Tue, 14 Apr 2020 at 23:39, Brian Campbell <bcampbell@pingidentity.com> > wrote: > >> Hi Filip, >> >> My attempts at responses to your questions/comments are inline: >> >> On Tue, Apr 14, 2020 at 2:14 AM Filip Skokan <panva.ip@gmail.com> wrote: >> >>> I've wondered about the decision to use a new scheme before >>> <https://github.com/danielfett/draft-dpop/issues/41#issuecomment-490096716> but >>> this time i'd like to challenge the immediate usability of the future spec >>> for one specific case - sender constraining public client Refresh Tokens. >>> >> >> I'm still somewhat on the fence as to the pros and cons of using a new >> token type and authorization scheme. But the draft has gone with a new one. >> Would it have really helped this situation, if it'd stuck with "bearer"? Or >> would it just be less obvious? >> >> >>> >>> If at all, it is going to take time for RS implementations to recognize >>> the new `DPoP` authorization scheme, let alone process it properly. In the >>> meantime, i'd still like to have the option to bind issued public client >>> refresh tokens using DPoP without affecting the access tokens. In doing so >>> i get an immediate win in sender constraining the refresh tokens but not >>> introducing a breaking change for the RS. >>> >>> >>> - Do you see this as something an AS implementation is just free to >>> do since it's both the issuer and recipient of a refresh token? >>> >>> That's my first thought, yes. >> >> >>> >>> - Should this be somehow baked in the draft? >>> >>> I'm not sure. Do you think it needs to be? I'm not sure what it would >> say though. >> >> In such a case the AS could bind the RT to the given dpop proof and >> either not bind the AT while returning token_type=Bearer or bind the AT >> while returning token_type value DPoP. In the latter case the AT would >> almost certainly still work as a bearer token at the RS and the client that >> knew the RS's needs could send it as such with an `Authorization: Bearer >> <at>`. Or if it didn't know the RS's needs, it could start with >> `Authorization: DPoP <at>` which would get a 401 with `WWW-Authenticate: >> Bearer` at which point it could send `Authorization: Bearer <at>`. >> >> As I wrote the preceding rambling paragraph I am starting to think that >> more should be said in the draft about working with RSs that don't support >> DPoP. Which isn't really what you were asking about. But maybe would cover >> some of the same ground. >> >> >> >>> >>> - Do you think client registration metadata could be used to signal >>> such intent? >>> >>> I think it certainly could. But it seems maybe too specific to warrant >> metadata. >> >> >>> >>> - Do you think the protocol should have signals in the messages >>> themselves to say what the client wants to apply DPoP to? >>> >>> My initial thought here is no. Take the case of a client working with an >> AS that supports DPoP and one RS that does and one RS that doesn't. I can't >> really even think what signaling might look like there or how it could be >> made to be generally useful. >> >> >>> >>> - What if AS and RS don't have a shared support DPoP JWS Algorithm? >>> Do we disqualify such cases or allow for sending two proofs, one for the AS >>> to bind refresh tokens to, one for the RS to bind access tokens to? >>> >>> The AS is the one that does the binding (which includes checking the >> proof) so I don't see how sending two proofs would really work or help the >> situation? >> >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited.. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.* > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] DPoP - new authorization scheme / imme… Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Brian Campbell
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Brian Campbell
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Justin Richer
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Filip Skokan
- Re: [OAUTH-WG] DPoP - new authorization scheme / … George Fletcher
- Re: [OAUTH-WG] DPoP - new authorization scheme / … Torsten Lodderstedt
- Re: [OAUTH-WG] DPoP - new authorization scheme / … John Bradley
- [OAUTH-WG] DPoP draft-ietf-oauth-dpop-0 Client co… Denis
- Re: [OAUTH-WG] DPoP draft-ietf-oauth-dpop-0 Clien… Benjamin Kaduk