Re: [OAUTH-WG] DPoP - access token hash format

Brian Campbell <bcampbell@pingidentity.com> Wed, 27 October 2021 15:35 UTC

References: <CAOtx8DnriUGYX_Fv7b388bEzh-d0r10Msez+QpdT6csfS0nb7Q@mail.gmail.com>
In-Reply-To: <CAOtx8DnriUGYX_Fv7b388bEzh-d0r10Msez+QpdT6csfS0nb7Q@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 27 Oct 2021 09:34:32 -0600
Message-ID: <CA+k3eCSVdaqy5OhJCEHRV7dW1juWfU2L46Ntqm_7C4kR+QL6EQ@mail.gmail.com>
To: Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vFRI2AS4MPRoLNF7sBX4qblQA9I>

There are discussions around this in the mail and meeting archives, if you
want to dig into it. But generally the "at_hash" approach has proven to be
complicated while not really achieving the algorithm agility it aims for.
We opted for something more straightforward with "ath" in DPoP.

On Wed, Oct 27, 2021 at 7:25 AM Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org> wrote:

> As of -03, the "ath" DPoP proof claim has been introduced:
>
>> ath: hash of the access token (REQUIRED). The value MUST be the result of
>> a base64url encoding (with no padding) the SHA-256 hash of the ASCII
>> encoding of the associated access token's value.
>
>
> OpenID Connect has a similar concept used to bind ID token to access token:
>
> at_hash OPTIONAL. Access Token hash value. Its value is the base64url
>> encoding of the left-most half of the hash of the octets of the ASCII
>> representation of the access_token value, where the hash algorithm used
>> is the hash algorithm used in the alg Header Parameter of the ID Token's
>> JOSE Header. For instance, if the alg is RS256, hash the access_token
>> value with SHA-256, then take the left-most 128 bits and base64url encode
>> them. The at_hash value is a case sensitive string.
>
> OIDC derives the hashing algorithm from the token header, while DPoP uses
> SHA-256 unconditionally. OIDC uses the left-most half of the hash, while
> DPoP uses the whole hash. Would it make sense to be aligned with OIDC on
> this?
>
> Regards,
> Dmitry
> Backbase
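Worked example (added here, not part of the thread or of either specification's text): the two constructions the message contrasts, side by side. `dpop_ath` implements the "ath" rule quoted above (full SHA-256 digest, base64url, no padding); `oidc_at_hash` implements the OIDC "at_hash" rule (hash function taken from the ID token's `alg`, left-most half of the digest). The `alg`-to-hash mapping is an assumption limited to the common RS/ES/PS families, and `verify_ath` is an assumed resource-server-side check using a constant-time comparison.

```python
import base64
import hashlib
import hmac

# Assumption: the OIDC at_hash rule picks the hash named by the ID token's
# alg (RS256 -> SHA-256, ES384 -> SHA-384, PS512 -> SHA-512, ...). Only
# the three digest sizes used by those families are mapped here.
_DIGEST_BY_ALG_SUFFIX = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def b64url_nopad(data: bytes) -> str:
    """base64url encoding with the '=' padding removed, as both specs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def dpop_ath(access_token: str) -> str:
    """DPoP 'ath': base64url(SHA-256(ASCII(access_token))), whole digest.

    The token is encoded as ASCII on purpose: a non-ASCII value raises
    UnicodeEncodeError instead of silently hashing a different byte string.
    """
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_nopad(digest)


def oidc_at_hash(access_token: str, id_token_alg: str) -> str:
    """OIDC 'at_hash': left-most half of the digest chosen by the ID token's alg."""
    hash_fn = _DIGEST_BY_ALG_SUFFIX.get(id_token_alg[-3:])
    if hash_fn is None:
        # e.g. alg "none" or an unknown algorithm: there is no hash to derive.
        raise ValueError(f"unsupported alg for at_hash: {id_token_alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def verify_ath(presented_ath: str, access_token: str) -> bool:
    """Assumed resource-server check: recompute 'ath' from the access token
    actually presented and compare in constant time with the proof's claim."""
    return hmac.compare_digest(dpop_ath(access_token), presented_ath)


if __name__ == "__main__":
    # Constructed sample token, not a real credential.
    token = "abc"
    print("ath     :", dpop_ath(token))
    print("at_hash :", oidc_at_hash(token, "RS256"))
    print("verify  :", verify_ath(dpop_ath(token), token))
```

Running it shows why the two values cannot be interchanged even for RS256: the DPoP value is 43 characters (32 bytes), the OIDC value 22 characters (16 bytes), and only the first 21 characters coincide because the last base64url symbol of the truncated form straddles the cut. A receiver that implemented "ath" with at_hash-style truncation or alg-derived hashing would reject every conforming proof.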
