IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] Re: Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

Joseph Heenan <joseph@authlete.com> Wed, 19 August 2020 12:09 UTC

Return-Path: <joseph@authlete.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABBD03A08A6 for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2020 05:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=authlete-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NpnV5L0tseTu for <oauth@ietfa.amsl.com>; Wed, 19 Aug 2020 05:09:16 -0700 (PDT)
Received: from mail-wm1-x32b.google.com (mail-wm1-x32b.google.com [IPv6:2a00:1450:4864:20::32b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A9573A08AB for <oauth@ietf.org>; Wed, 19 Aug 2020 05:09:16 -0700 (PDT)
Received: by mail-wm1-x32b.google.com with SMTP id x5so1852641wmi.2 for <oauth@ietf.org>; Wed, 19 Aug 2020 05:09:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=authlete-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=jx52W8/tMz8ycWNcdNMSwSIWy3uzicvJx8KT6Ue30a4=; b=Vlw58Yu+parCiyHwWc7yxhBYnufS/FdX+NRh6HxfGBQXFZL3b8HTsoFS10rR/Wl24r emDi2Ij42/tcGZvftE+8/2I/5ND+itBEnEWXnq7rsyldQ4OFADk2ih/ywIjEeRdE8v4R f3qxV/48dOzujGWM0I/DeZxVJ+WHJvpjHM+3IEXa/6X1/to80K/TsNHPWNpEIspalhGy ZdA9s8zhWfUkDiNs+DtyDLuz1Dw2Cm9lMtjvp4GRNh9ED98XY7QJda5qtPfk4t0cDy3O wjJ0dthcT6wxl3qd3eyUX71thnCaz2JB8bywkWzxPkVxCE5oxKrPowunbhNATAIMylVc A7yA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=jx52W8/tMz8ycWNcdNMSwSIWy3uzicvJx8KT6Ue30a4=; b=CBXIXYZvh8YKkKy9gIXnZrysnkyaDSaFioVB7MGPFtpNzbKqqYfTUrvNq2okmmKKjl dk0exPClEdoT++VMu76zLHlSVLRDEWFvKuEFz/41nJ1SeLYxQbEkq9+yJYDfys1V4nRf cVKAnDwe0ldvDJkIVVeAJguJcCN2hD8uSQId99t4pZZgwON/7V1XOCMkdVVXllKVVgVe b8mZsVd5EHf6d6lDmRJ97cR9QB7UZc+MeigB1y/qOJsJ0Pgp7ao9PYDkJuRvR7Vea+5J cUvag8//4+DE9RPZMuNAyc+e+jexVrlyKYGhIB6o2tWM1Dx5QhevBOegZRWvanHLOWeX i7NA==
X-Gm-Message-State: AOAM532yTJAa8RND/WikXnVvUI4HPXerUlBz/4mRma07+EhPr4bcDUll P6hK1oN9+DoXEfvjz+N6sxmMGQVGPlUHTQ6m
X-Google-Smtp-Source: ABdhPJxnaKHyqT84X04eCfnfIWuhl3BdOwvWb5a2uqNU1uimJa0yROpugqC87/tl1DWCY4l1pIs02Q==
X-Received: by 2002:a1c:1b93:: with SMTP id b141mr4715592wmb.150.1597838954662; Wed, 19 Aug 2020 05:09:14 -0700 (PDT)
Received: from [192.168.1.112] (home.heenan.me.uk. [212.159.108.133]) by smtp.gmail.com with ESMTPSA id c10sm39157806wrx.15.2020.08.19.05.09.13 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 19 Aug 2020 05:09:14 -0700 (PDT)
From: Joseph Heenan <joseph@authlete.com>
Message-Id: <F9FD48C2-4BDA-490A-9AE4-BD0C6757EE49@authlete.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8212231D-17BD-4FA1-9488-E0F6019A14EA"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Wed, 19 Aug 2020 13:09:13 +0100
In-Reply-To: <CA+k3eCSGMmYb6boc=RV7KN3QsEB9_65zxNWZbyqj5bYD5eMxqA@mail.gmail.com>
Cc: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
References: <MN2PR00MB06863A1064A05D8029C44788F5431@MN2PR00MB0686.namprd00.prod.outlook.com> <CALAqi_9M40enpWOMO2h5rVdiveOxh6hnA1ZLc9EJJ-H_Fp59+g@mail.gmail.com> <c9620f5f-55f2-9b85-61ad-bac5dc1e9877@connect2id.com> <CAJot-L3UKNjdxnDZr3JHt_YuBC5zAv=hAq3AGGgMRo8hhhopiw@mail.gmail.com> <DM6PR00MB0684908CEB778DED9943E0CDF5411@DM6PR00MB0684.namprd00.prod.outlook.com> <CA+k3eCSGMmYb6boc=RV7KN3QsEB9_65zxNWZbyqj5bYD5eMxqA@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xx33_YlEzLv_ag9juN14_qJcz3g>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2020 12:09:21 -0000

I agree with Brian here, I think “typ”:”JWT” should be permitted as well as no typ and “typ”: "oauth.authz.req+jwt".

There are other tests we could write for JAR that an OIDC server will fail (for example, one that tested the behaviour of passing a value only outside the request object - which an OIDC server would process, but one compliant with JAR [or FAPI-RW] would ignore the value outside). I don’t see having one more case of this as an issue - some servers will not be JAR compliant, and hence would fail tests that test JAR-specific behaviour.

I also agree with Brian about requiring AS to reject request objects that have a sub that’s a client_id, this doesn’t seem to cause significant interoperability concerns as it is hopefully unlikely that any client is doing so. I could possibly see an argument for weakening the requirement for an AS to reject a request object with sub=client_id to a ’should’ (rather than a must) given there is a small chance it could end up breaking an ecosystem, but I’m not entirely convinced.

Joseph


> On 17 Aug 2020, at 23:55, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> I might suggest that thinking about it in the context of interoperability would be more meaningful than certification tests. 
> 
> Saying that an AS MUST reject the Request object if it has a typ header and the value of the header is not ‘oauth.authz.req+jwt’ [1] should allow for interoperability with respect to JWT typing between all combinations of existing and updated clients with existing and updated authorization servers. 
> 
> Saying that an AS MUST NOT include a sub with client id as the value would break for an updated authorization server when receiving such a request object JWT. But that's erroneous and potentially dangerous behaviour from the client so I don't know that we need to try and maintain interoperability there. 
> 
> [1] Unfortunately "typ":"JWT" would probably also need to be allowed. As best I understand it "typ":"JWT" basically says "this JWT is a JWT", which isn't useful for explicit typing and I think makes it effectively equivalent to an untyped JWT. I've honestly never understood why one would use "typ":"JWT" but it shows up in a lot of places including examples and explanations on sites like jwt.io <http://jwt.io/> so it seems very likely that it'd just get copied over and show up in some amount of real world request object JWTs. 
> 
> 
> On Sat, Aug 15, 2020 at 10:41 AM Mike Jones <Michael..Jones=40microsoft.com@dmarc.ietf.org <mailto:40microsoft.com@dmarc.ietf.org>> wrote:
> Answering Filip and Vladirmir’s question about adding normative language around “typ” and “sub”:  Anytime you add a new required feature, you are breaking existing deployments.  Suppose we added the normative requirement “If a ‘typ’ header parameter is present, ASs MUST reject the Request object if its value is not ‘oauth.authz.req+jwt’”.  One could then write a certification test sending the AS a different “typ” value – which to pass, ASs would have to reject the JWT.  Every existing deployment would fail this test!  That’s exactly what we don’t want to have happen.
> 
>  
> 
> Brian asked for security considerations.  The IESG asked for security considerations.  I added them in the PR – working with Nat and John.  They point the way to the future without breaking existing deployments.  That’s as it should be.
> 
>  
> 
>                                                        -- Mike
> 
>  
> 
> From: OAuth <oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>> On Behalf Of Warren Parad
> Sent: Saturday, August 15, 2020 9:27 AM
> To: Vladimir Dzhuvinov <vladimir@connect2id.com <mailto:vladimir@connect2id.com>>
> Cc: oauth <oauth@ietf.org <mailto:oauth@ietf.org>>
> Subject: [EXTERNAL] Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
> 
>  
> 
> In the case of
> 
> if the Request Object includes a sub claim with the value of the client_id the AS MUST reject the request
> 
>  
> 
> What would the expectation be in terms of a client_credentials grant?
> 
>  
> 
> From experience, the sub is frequently populated with the client_id value and the client_id is not used. Which would mean breaking for that type of grant wouldn't it?
> 
>  
> 
> 
> Warren Parad
> Founder, CTO
> Secure your user data and complete your authorization architecture. Implement Authress <https://bit.ly/37SSO1p>.
> 
>  
> 
>  
> 
> On Sat, Aug 15, 2020 at 11:08 AM Vladimir Dzhuvinov <vladimir@connect2id.com <mailto:vladimir@connect2id.com>> wrote:
> 
> +1 to make the "typ" check, as Filip suggested, normative, as existing client and RP deployments with undefined "typ" will not be affected. New deployments should be encouraged to type the JWT, and thus be made safer.
> 
>  
> 
> Regarding the "sub != client_id" check -- could a simple rejection of all JWTs with "sub" present suffice?
> 
> I find it difficult to imagine what else a client could end up setting the "sub" claim to, if it does end up populating it for some reason.
> 
> Rejecting JWTs with "sub=client_id" or "sub" present will break deployments where a client for some reason sets the "typical" JWT claims, and "sub" is a typical one, but if those deployments happen to accept client_secret_jwt or private_key_jwt client authentication, they could well be vulnerable to cross-JWT confusion attacks.
> 
>  
> 
> Vladimir
> 
> On 14/08/2020 13:58, Filip Skokan wrote:
> 
> Hi Mike, Nat,
> 
>  
> 
> I thought we would go as far as making these normative requirements
> 
> if the Request Object includes a sub claim with the value of the client_id the AS MUST reject the request
> if the Request Object is explicitly typed (typ) its value MUST be ...
> First rejects client assertions to be passed as Request Objects. Second rejects all future typed JWT profiles from being used as Request Objects without worrying about the claims they may or may not contain.
> 
>  
> 
> Or is that breaking?
> 
>  
> 
> S pozdravem,
> Filip Skokan
> 
>  
> 
>  
> 
> On Fri, 14 Aug 2020 at 00:59, Mike Jones <Michael..Jones=40microsoft.com@dmarc.ietf.org <mailto:40microsoft.com@dmarc.ietf.org>> wrote:
> 
> At Nat's request, I've created a pull request addressing Cross-JWT Confusion security considerations.  It addresses both Brian's comment and the IESG comments about explicit typing.  See the full PR athttps://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10 <https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10>.  See the source diffs at https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml <https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10/address-iesg-and-working-group-comments/diff#chg-draft-ietf-oauth-jwsreq.xml>.  Please review!
> 
> This is only the first commit, albeit, one that addresses some of the must substantive issues.  More commits will follow addressing additional IESG comments.
> 
>                                 -- Mike
> 
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org <mailto:oauth-bounces@ietf.org>> On Behalf Of Benjamin Kaduk
> Sent: Thursday, August 13, 2020 2:59 PM
> To: Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>>
> Cc: draft-ietf-oauth-jwsreq@ietf.org <mailto:draft-ietf-oauth-jwsreq@ietf.org>; oauth-chairs@ietf.org <mailto:oauth-chairs@ietf.org>; The IESG <iesg@ietf.org <mailto:iesg@ietf.org>>; oauth <oauth@ietf.org <mailto:oauth@ietf.org>>
> Subject: Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)
> 
> Oops, that's my bad.  Thanks for the correction -- I've linked to your message in the datatracker (but didn't bother to have the datatracker send a third copy of my updated-again ballot position).
> 
> -Ben
> 
> On Thu, Aug 13, 2020 at 03:00:33PM -0600, Brian Campbell wrote:
> > While some discussion of why explicit typing was not used might be 
> > useful to have, that thread started with a request for security 
> > considerations prohibiting use of the "sub" with a client ID value. 
> > Because such a request JWT could be repurposed for JWT client 
> > authentication. And explicit typing wouldn't help in that situation.
> > 
> > On Tue, Aug 11, 2020 at 2:50 PM Benjamin Kaduk via Datatracker < 
> > noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
> > 
> > >
> > > --------------------------------------------------------------------
> > > --
> > > COMMENT:
> > > --------------------------------------------------------------------
> > > --
> > >
> > > [updated to note that, per
> > > https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0 <https://mailarchive.ietf.org/arch/msg/oauth/Lqu15MJikyZrXZo5qsTPK2o0>
> > > eaE/ and the JWT BCP (RFC 8725), some discussion of why explicit 
> > > typing is not used would be in order]
> > >
> > >
> > 
> > --
> > _CONFIDENTIALITY NOTICE: This email may contain confidential and 
> > privileged material for the sole use of the intended recipient(s). Any 
> > review, use, distribution or disclosure by others is strictly 
> > prohibited.  If you have received this communication in error, please 
> > notify the sender immediately by e-mail and delete the message and any 
> > file attachments from your computer. Thank you._
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>  
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> -- 
> Vladimir Dzhuvinov
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>_______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited..  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email