Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object

Benjamin Kaduk <kaduk@mit.edu> Fri, 17 January 2020 03:58 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5716C1200C7 for <oauth@ietfa.amsl.com>; Thu, 16 Jan 2020 19:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S2EDPjnD5BkX for <oauth@ietfa.amsl.com>; Thu, 16 Jan 2020 19:58:50 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94948120044 for <oauth@ietf.org>; Thu, 16 Jan 2020 19:58:50 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 00H3wj6b031433 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 16 Jan 2020 22:58:47 -0500
Date: Thu, 16 Jan 2020 19:58:44 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Nat Sakimura <sakimura@gmail.com>, IETF oauth WG <oauth@ietf.org>
Message-ID: <20200117035844.GQ80030@kduck.mit.edu>
References: <CAO7Ng+vZk2OCuc_JOp6Nwh=+GXrDnOop4KBhierFCvoBOOcw6Q@mail.gmail.com> <CCE34816-FBAF-4971-B75B-3F70769E56AE@forgerock.com> <20200116143233.GJ80030@kduck.mit.edu> <CABzCy2C1Bi_ic8XoELCw=qpo_3UcuEb8opX9s_6QFMq3ZBkCTA@mail.gmail.com> <57F86DC4-F413-4D94-BFF8-2425222A69ED@forgerock.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <57F86DC4-F413-4D94-BFF8-2425222A69ED@forgerock.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/wnwFiiQZQHc7KSq4U0tkynmI_2g>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 03:58:52 -0000

On Thu, Jan 16, 2020 at 04:31:30PM +0000, Neil Madden wrote:
> The mitigations of 10.4.1 are related, but the section heading is about (D)DoS attacks. I think this heading needs to be reworded to apply to SSRF attacks too or else add another section with similar mitigations. 
> 
> Mitigation (a) is a bit vague as to what an "unexpected location" is. Perhaps specific wording that it should be a URI that has been pre-registered for the client (and validated at that time) or is otherwise known to be safe (e.g., is a URI scheme controlled by the AS itself as with PAR).

pedantic nit: "URI scheme" is probably not what we want, as the authority
component of the URI (per RFC 3986) seems more likely to match "controlled
by the AS itself"

-Ben

> In addition for this to be effective the AS should not follow redirects when fetching the URI. It's not clear to me whether that is implied by "not perform recursive GET" so it may be worth explicitly spelling that out.
>