Re: [OAUTH-WG] Wrapping access token and codes
Sergey Beryozkin <sberyozkin@gmail.com> Fri, 07 November 2014 11:48 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0201F1ACFAF for <oauth@ietfa.amsl.com>; Fri, 7 Nov 2014 03:48:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O4bsV3ccNYeX for <oauth@ietfa.amsl.com>; Fri, 7 Nov 2014 03:48:34 -0800 (PST)
Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89DE51ACFAE for <oauth@ietf.org>; Fri, 7 Nov 2014 03:48:34 -0800 (PST)
Received: by mail-wg0-f50.google.com with SMTP id z12so3500705wgg.37 for <oauth@ietf.org>; Fri, 07 Nov 2014 03:48:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=Xuu5CW2YrVCOpIzJ8G3+HfWZLkZ1PpyrC/Mfe/JJMbg=; b=AxhIuIQa8f6XL7N04c1eQjDGX1+dpX0H1Mk7ChVbMBVAFAHK4d9DWSOkBOHB5EQeCN Yzl1BtaZINxVgfn5cZbmqO6j6bRPT496XOTpkdXjkTpTol100nJw/r0GaF2z8Er2mGNX tgxxKNQzPGMcNWzGVPGzqrIhVypcQ5eWDkN5MrC6IEc2VDWIhbgPTj/xQPIITU2Zlf1G h8Howfwog0yfLOKX5DkGOyOXkG46ao1YwA8UL5xUyPOYIXpxdrk/yyuDdl1lkB/RMa7a BMnckKkNjGI5NBOToD25bO8jWFmP5P3T+KWzC+3Sk5c/GZDHoZlcyBf8GIstEadL2WX0 XEBg==
X-Received: by 10.180.19.234 with SMTP id i10mr4178614wie.28.1415359077242; Fri, 07 Nov 2014 03:17:57 -0800 (PST)
Received: from [10.36.226.2] ([80.169.137.63]) by mx.google.com with ESMTPSA id cr6sm3967731wjb.44.2014.11.07.03.17.56 for <multiple recipients> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 07 Nov 2014 03:17:56 -0800 (PST)
Message-ID: <545CAA63.7010304@gmail.com>
Date: Fri, 07 Nov 2014 11:17:55 +0000
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Bill Mills <wmills_92105@yahoo.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <545B6582.2030505@gmail.com> <486890415.168363.1415299911950.JavaMail.yahoo@jws10615.mail.bf1.yahoo.com> <545CA92C.3020900@gmail.com>
In-Reply-To: <545CA92C.3020900@gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wpY2Ej_NLKSof9C2_WxcQqJJNDY
Subject: Re: [OAUTH-WG] Wrapping access token and codes
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Nov 2014 11:48:37 -0000
Or if the confidential client does HTTP Accept: application/jose, why don't reply with the whole OAuth2 token response JWE or JWS encoded as opposed to tweaking individual token response parameters... may be I'm getting carried away here but I'm getting quite positive and even excited about the options JWE/JWS can offer :-). Sergey On 07/11/14 11:12, Sergey Beryozkin wrote: > Hi > On 06/11/14 18:51, Bill Mills wrote: >> So you're wanting end to end security not relying on TLS? >> > I was not really thinking about HTTPS vs HTTP in this case. I'm kind of > in the process of appreciating what JWE/JWS can do and I can't help > trying to consider it applying at the every possible opportunity :-) >> >> Have you seen the new draft on protecting codes from interception? >> Currently called SPOP but needs a different name. >> > Do you mean this one: > http://tools.ietf.org/html/draft-ietf-oauth-spop-02 > ? > > Yes I did - it's a different mechanism though, I guess it is of most > help to the pubic clients, though we do not distinguish in our code, a > confidential client can use the SPOP mechanism too. > > I think the wrapping idea is probably what > http://tools.ietf.org/html/draft-bradley-oauth-pop-key-distribution-01#ref-10 > > > talks about with respect to distributing a key using a JWE option. > That actually looks interesting; I haven't analyzed it much yet but > apparently it is tied to the access token being necessarily in a JWT > format, may be I did not get it right yet. > > I guess it just can be interesting even in the TLS case. I believe > people do not mind doing the extra protection even in the TLS cases. > > Or take the implicit grant; if the wrapped access token reaches a client > which is aware of WebCrypto API then it is probably making this grant > much more secure... > > Sergey > >> On Thursday, November 6, 2014 4:12 AM, Sergey Beryozkin >> <sberyozkin@gmail.com> wrote: >> >> >> Hi >> >> Does it make sense to consider supporting an access token or code >> wrapping as part of the standard OAuth2 responses ? >> >> For example, if a client has registered its public key with AS then say >> the access token response would contain the regular >> >> {"access_token":"1234345"} >> >> except that "1234345" would actually be a JWE RSA-OAEP wrapped opaque >> token with a client's public key being used. Or a direct key encrypted >> token if the client and the server only share the client secret >> allocated to the client during the registration. >> >> The net result is that only the registered confidential client would be >> able to extract the actual opaque access token. The response would >> actually be >> >> {"access_token":"1234345", wrapped:true}. >> >> I definitely plan to use this approach as a simple mechanism for making >> a safer distribution of mac keys as part of access token responses; but >> IMHO it can be handy for minimizing the possibility of the >> access/refresh tokens or codes being intercepted... >> >> Sergey >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> -- Sergey Beryozkin Talend Community Coders http://coders.talend.com/ Blog: http://sberyozkin.blogspot.com
- [OAUTH-WG] status of bearer token redelegation dr… Bas Zoetekouw
- Re: [OAUTH-WG] status of bearer token redelegatio… Phil Hunt
- Re: [OAUTH-WG] status of bearer token redelegatio… Richer, Justin P.
- Re: [OAUTH-WG] status of bearer token redelegatio… Bill Mills
- Re: [OAUTH-WG] status of bearer token redelegatio… Phil Hunt
- [OAUTH-WG] Code and token response thumbprints ? Sergey Beryozkin
- [OAUTH-WG] Wrapping access token and codes Sergey Beryozkin
- Re: [OAUTH-WG] Wrapping access token and codes Bill Mills
- Re: [OAUTH-WG] Wrapping access token and codes Sergey Beryozkin
- Re: [OAUTH-WG] Wrapping access token and codes Sergey Beryozkin
- Re: [OAUTH-WG] Wrapping access token and codes Sergey Beryozkin
- Re: [OAUTH-WG] Wrapping access token and codes John Bradley
- Re: [OAUTH-WG] Wrapping access token and codes Sergey Beryozkin
- Re: [OAUTH-WG] Wrapping access token and codes John Bradley
- Re: [OAUTH-WG] Wrapping access token and codes Sergey Beryozkin