Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object

Jim Manico <jim@manicode.com> Fri, 17 January 2020 16:29 UTC

Return-Path: <jim@manicode.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A28E120024 for <oauth@ietfa.amsl.com>; Fri, 17 Jan 2020 08:29:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=manicode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SsHbWZVllgOW for <oauth@ietfa.amsl.com>; Fri, 17 Jan 2020 08:29:32 -0800 (PST)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7771B120018 for <oauth@ietf.org>; Fri, 17 Jan 2020 08:29:32 -0800 (PST)
Received: by mail-qk1-x734.google.com with SMTP id x1so23169963qkl.12 for <oauth@ietf.org>; Fri, 17 Jan 2020 08:29:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=manicode.com; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=S6fsX3nX9kYojIZH+9dHSTo+WS57syeMpjFpq67qqNA=; b=KHNdhKu+bH57vG0XGKeXmrolTFfTnioCYuiftOPxUKQIe7wMzSmvmh9s6nn//RwoUW +eGktV3ogHY0f9FJWrGCrroON0niE+WX4j2IAAdKUdWYTWkYLkYzItD5jspb5cRjaoX/ Ppq4DPZ+TgErZItcDdPmvsuxpr0QJtio1Zt27Q9VN5gv8Wcvar0KM9JhSZQ50hNGVX5c +IKEXUzikxJvnFXpDGJ0VmLOUTWnPsjdYbbLLz7UEHCmn7grnuGW41Wku3l8+pT/V/is QjdKM2hHKezv+d/DyPLfgH6ThKO75JJkmH6Mo1gcOFfHyJzCCxFXHF91gzf4t6niMcOK AHZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=S6fsX3nX9kYojIZH+9dHSTo+WS57syeMpjFpq67qqNA=; b=QSFYnuuuJXiLHC8oqiSNq4q/EARgD+U6Y82jPf3i6J9pfD1C2biAWPAJOdV9E/xAhh X39BfhIno394uYh70HHv3oWERna1mtocU6tbt+VyN5LyLjzUYLRS2CHM3MFCSrOXGFNj Gbx7THhJyX9MHlkQ7kxLew9cIGhnJN+HYZOn7RqMwOoAfQ1uNQY5Lf3gyt39irASWRv/ 3/hb0U4m8qgQbQOVh9UeSEUcNQr56Vl5NuBwdBGuI1TDOSBEMIVr3OH9uiPdT1rfgF0c Fgpc4bhbqunt02qKRQFlGdn7JKZ/k8IDoepBYT8cT4FzyeBhX0c44aFWJGj0ic27YhS/ NwiQ==
X-Gm-Message-State: APjAAAVoojJJu4I3HcPD38YDPfJ4PbGTSV4SJazVm9NA4EoURV9LNGXn wPTUlPLw0OE9doMcBEGCuVCvyg==
X-Google-Smtp-Source: APXvYqyQxHsaafrO9Nbj7flJAmUS7+X5FaDcSpv+R7P+d/lzjvfO8g8OHpWROv8XR17syl+jYRnHjw==
X-Received: by 2002:a37:6313:: with SMTP id x19mr40271018qkb.231.1579278571538; Fri, 17 Jan 2020 08:29:31 -0800 (PST)
Received: from [192.168.0.197] (pool-173-66-45-125.washdc.fios.verizon.net. [173.66.45.125]) by smtp.gmail.com with ESMTPSA id y18sm11817555qki.0.2020.01.17.08.29.30 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 17 Jan 2020 08:29:30 -0800 (PST)
Content-Type: multipart/alternative; boundary=Apple-Mail-F48B2799-732B-40E9-8706-EA8E0631BA33
Content-Transfer-Encoding: 7bit
From: Jim Manico <jim@manicode.com>
Mime-Version: 1.0 (1.0)
Date: Fri, 17 Jan 2020 11:29:29 -0500
Message-Id: <E299150F-13A6-4929-A0C1-FCA9557BB83E@manicode.com>
References: <BBBA7134-B34D-4A0C-8DFF-AD52E78BDB58@amazon.com>
Cc: Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org>
In-Reply-To: <BBBA7134-B34D-4A0C-8DFF-AD52E78BDB58@amazon.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>
X-Mailer: iPhone Mail (17C54)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yEQRj6Lgoi3E0MWdhjISYTc0648>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: JWT Secured Authorization Request (JAR) vs OIDC request object
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 16:29:38 -0000

It’s actually worse. Parameters in a URL leak over bookmarks, browser history, logs everywhere, referrer headers... 

One of the most primary rules of secure coding on the web is to never put sensitive data in a URL for •any• verb, not just GET.

--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

> On Jan 17, 2020, at 11:24 AM, Richard Backman, Annabelle <richanna=40amazon.com@dmarc.ietf.org> wrote:
> 
> 
> +1 to Justin’s comments. From a security standpoint parameters in the query  string are no different from those in JWT unprotected headers (or protected if they’re also in the request object). Although I‘d amend Justin’s suggestion to say that if a parameter is both inside the request object and outside and they do not match, reject the request as suspicious.
> 
>>> On Jan 17, 2020, at 5:45 AM, Justin Richer <jricher@mit.edu> wrote:
>>> 
>>  I don’t agree with this stance from a security or implementation perspective. 
>> 
>> If there’s a clear order of precedence for the information, it’s not particularly problematic. Everything inside the request object is to be taken over things outside the request object. We have the exact same semantics and process with dynamic registration, where the software statement is carried alongside plain JSON claims, and the two are mixed with a very simple algorithm:
>> 
>>  - If a field is inside the signed payload, use that value and ignore any copy of it on the outside
>>  - If a field is not inside the signed payload and is outside the signed payload, use the outside value
>> 
>> Can someone please point out a concrete security issue with this algorithm? This is the extent of the “merge” semantics that we need here, and it would solve not only the ability to use this for use cases that call for a more static request object (perhaps signed by a third party and not the client) along side the plain parameters that can vary, but also the backwards compatibility issue that’s been discussed. With this algorithm in place, you could have OIDC clients actually be compliant with the spec, since OIDC requires replication of the values inside the request object on the outside with exact matches. An OIDC server wouldn’t be fully compliant with the new spec since it would reject some compliant JAR requests that are missing the external parameters, but that’s fairly easy logic to add on the OIDC side. And in that case you get a matrix of compatibility like:
>> 
>> 
>>               JAR Server | OIDC Server  |
>> ------------+------------+--------------+
>> JAR Client  |     YES    |      NO      |
>> OIDC Client |     YES    |     YES      |
>> 
>> Breaking one out of the four possible combinations in a very predictable way is, I think, the best way to handle backwards compatibility here. 
>> 
>> But between this issue and JAR’s problematic call for the value of a request_uri to always be a JWT and be fetchable by the AS (neither of which are true in the case of PAR) makes me think we need to pull this back and rework those things, in a push back to the IESG’s comments.
>> 
>>  — Justin
>> 
>> 
>>> On Jan 16, 2020, at 7:38 PM, Joseph Heenan <joseph@authlete.com> wrote:
>>> 
>>> I agree with this, particularly the security concerns of merging. If we merge, we can much guarantee there will eventually be a security issue where an attacker is able to gain an advantage by adding a parameter to the url query (which the server would then happily process if that parameter isn’t found inside the request object). Ruling out that case makes security analysis (particularly when creating new OAuth2 parameters) significantly simpler.
>>> 
>>> Putting the iss in the JWE header and having the client_id duplicated outside the request object seem to address all the concerns I’ve seen raised.
>>> 
>>> (It seems like it may be unnecessary to have the client_id duplicated outside if the request_uri is a PAR one though.)
>>> 
>>> Joseph
>>> 
>>> 
>>> 
>>>> On 16 Jan 2020, at 22:40, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>> 
>>>> I agree with the IESG reasoning that merging is problimatic.  Once we
>>>> allow that given a unknown list of possible paramaters with diffrent
>>>> security properties it would be quite difficult to specify safely.
>>>> 
>>>> Query paramaters can still be sent outside the JAR, but if they are in
>>>> the OAuth registry the AS MUST ignore them.
>>>> 
>>>> Puting the iss in the JWE headder addresses the encryption issue without
>>>> merging.
>>>> 
>>>> I understand that some existing servers have dependencys on getting the
>>>> clientID as a query paramater.
>>>> 
>>>> Is that the only paramater that people have a issue with as oposed to a
>>>> nice to have?
>>>> 
>>>> Would allowing the AS to not ignore the clientID as a query paramater as
>>>> long as it matches the one inside the JAR, basicly the same as Connect
>>>> request object but for just the one paramater make life easier for the
>>>> servers?
>>>> 
>>>> I am not promising a change but gathering info before proposing something.
>>>> 
>>>> John B.
>>>> 
>>>> 
>>>>> On 1/16/2020 1:53 AM, Benjamin Kaduk wrote:
>>>>>> On Wed, Jan 15, 2020 at 11:02:33PM +0200, Vladimir Dzhuvinov wrote:
>>>>>>> On 14/01/2020 19:20, Takahiko Kawasaki wrote:
>>>>>>> Well, embedding a client_id claim in the JWE header in order to
>>>>>>> achieve "request parameters outside the request object should not be
>>>>>>> referred to" is like "putting the cart before the horse". Why do we
>>>>>>> have to avoid using the traditional client_id request parameter so
>>>>>>> stubbornly?
>>>>>>> 
>>>>>>> The last paragraph of Section 3.2.1
>>>>>>> <https://tools.ietf.org/html/rfc6749#section-3.2.1> of RFC 6749 says
>>>>>>> as follows.
>>>>>>> 
>>>>>>>   /A client MAY use the "client_id" request parameter to identify
>>>>>>>   itself when sending requests to the token endpoint.  In the
>>>>>>>   "authorization_code" "grant_type" request to the token endpoint,
>>>>>>>   *an unauthenticated client MUST send its "client_id" to prevent
>>>>>>>   itself from inadvertently accepting a code intended for a client
>>>>>>>   with a different "client_id".*  This protects the client from
>>>>>>>   substitution of the authentication code.  (It provides no
>>>>>>>   additional security for the protected resource.)/
>>>>>>> 
>>>>>>> 
>>>>>>> If the same reasoning applies, a client_id must always be sent with
>>>>>>> request / request_uri because client authentication is not performed
>>>>>>> at the authorization endpoint. In other words, */an unauthenticated
>>>>>>> client (every client is unauthenticated at the authorization endpoint)
>>>>>>> MUST send its "client_id" to prevent itself from inadvertently
>>>>>>> accepting a request object for a client with a different "client_id"./*
>>>>>>> 
>>>>>> Identifying the client in JAR request_uri requests can be really useful
>>>>>> so that an AS which requires request_uri registration to prevent DDoS
>>>>>> attacks and other checks can do those without having to index all
>>>>>> request_uris individually. I mentioned this before.
>>>>>> 
>>>>>> I really wonder what the reasoning of the IESG reviewers was to insist
>>>>>> on no params outside the JAR JWT / request_uri.
>>>>>> 
>>>>>> I'm beginning to realise this step of the review process isn't
>>>>>> particularly transparent to WG members.
>>>>> Could you expand on that a bit more?  My understanding is that the IESG
>>>>> ballot mail gets copied to the WG precisely so that there is transparency,
>>>>> e.g., the thread starting at
>>>>> https://mailarchive.ietf.org/arch/msg/oauth/lkOhwiDj_hCI55BQRdiR9R0JwgI
>>>>> Which admittely is from almost three years ago, but that's the earliest
>>>>> that I found that could be seen as the source of this behavior.
>>>>> 
>>>>> -Ben
>>>>> 
>>>>> P.S. some other discussion at
>>>>> https://mailarchive.ietf.org/arch/msg/oauth/-tUrNY1X9eI_tQGI8T-IGx4xHy8 and
>>>>> https://mailarchive.ietf.org/arch/msg/oauth/Uke1nxRlgx62EJLevZgpWCz_UwY and
>>>>> so on.
>>>>> 
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth