Re: [regext] Feedback on draft-ietf-regext-rdap-openid from OAuth WG
"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 05 October 2023 12:57 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24EABC16B5A5 for <regext@ietfa.amsl.com>; Thu, 5 Oct 2023 05:57:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.797
X-Spam-Level:
X-Spam-Status: No, score=-2.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O4l0lPxFAbur for <regext@ietfa.amsl.com>; Thu, 5 Oct 2023 05:57:50 -0700 (PDT)
Received: from mail1.verisign.com (mail1.verisign.com [72.13.63.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DEAE1C1519A6 for <regext@ietf.org>; Thu, 5 Oct 2023 05:57:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=11709; q=dns/txt; s=VRSN; t=1696510670; h=from:to:cc:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=xOkgdwXc+aW0/xQ111TcTW8VZvsQoINS+Eu5tVtSgoA=; b=dDMCAMj0hnPul8iFkMXoYu6z4/5JIqeqBEC780agg7Cf4/XnwcUKi8je JZnT274nV9rIgGHSDvfCLuw5UB9u6mVEXbdnt3um0xGjeY4U1/mI1L6XN kaQZmbd0d5vD6bKuuZ0Trhh+k21Rr9P5To1nFCzXti5YGhP53D2E3sv+J BbxEvpLdzdahdn0nzb7zxQToaKBrAAITrhf+pqk49JfZ+GKeWwlJBS4jw Y23FxlqJFQ51iaeYJuftJxxyFuwRx1h7SL08QqH6EpXeYkiQ2RfDbZwNC PHpbPDEw2fWLKdCNdlFGkNvDKC0oWgDcX+yJPKuNvwQlZ2DoPDVZZwGaR Q==;
IronPort-Data: A9a23:/hkyRKvPHftmIZubfqdQDeX8JOfnVCVfMUV32f8akzHdYApBsoF/q tZmKT2Fa/jcZGagKdslOo6xoB8OscTTyoc1SQo6rXgwFi0a9ZOVVN+UEBz9bniYRiHhoOCLz O1FM4Wdc5pkJpP4jk3wWlQ0hSAkjclkfpKlVKiefHoZqTZMEE8JkQhkl/MynrlmiN24BxLlk d7pqqUzAnf8s9JPGjxSs/nrRC9H5qyo42pA5gFmP5ingXeF/5UrJMNHTU2OByagKmVkNrbSb /rOyri/4lTY838FYj9yuu+mGqGiaue60Tmm0hK6aYD76vRxjnVaPpIACRYpQRw/ZwOhxIktl YoX5fRcfi9yVkHEsLx1vxBwTXkibfUekFPNCSDXXce7lyUqf5ZwqhnH4Y5f0YAwo45K7W9yG fMwaxshRy/cjeGNwZWLVvUzvNwPDMbFFdZK0p1g5Wmx4fcOa6rlGprsyO8AhXEujcdUBbDXa 4wHcyFpKh/HZnWjOH9OUNRnw7zu3ySkNWEIwL6WjfNfD2z71wx21LzgNtDYcd+iW8hPn12Zq WSA9GP8av0fHIbOk2LcqyL07gPJtS7WeIkrLbfgyqBz3E+j4WoWDxsUelTu9JFVjWb7AbqzM Xc84CYihaM/7lDtScPyNzWirXGJrgI0WtdMHas98g7l4qjO4g2ZC3IsSz9dLtEqqacLqScC3 EWPxszvCCw36fiOV2jb87aP6Dm1fyIPKzZEezUfS00O5NyLTJwPsy8jh+1LSMad5uAZ0xmpq 9xWhEDSX4kusPM=
IronPort-HdrOrdr: A9a23:ghUJp62XsCufsdtfF73J2gqjBJAkLtp133Aq2lEZdPUMSL39qy iv9M526faGskd3ZJhGo6H7BEDgewKmyXcb2+ks1NuZNjUO/VHYSb2KjrGSvgEIeReOldK1vJ 0IG8ND4Z/LfDpHZK3BjzVQZuxA/DDxys6VbInlokuFBjsaDZ2Ipz0JczpzPHcGPDV7OQ==
X-Talos-CUID: 9a23:20DlVWDLtXTANDL6E2pM2GcrRcomSXz6/GvMfHWgJUZmZpTAHA==
X-Talos-MUID: 9a23:MUkNXgl2rlNMACFAxwWjdnpvGedj2p2kUHxTiMkUi+6CMCt2ORiS2WE=
X-IronPort-AV: E=Sophos;i="6.03,203,1694736000"; d="scan'208";a="29201180"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.31; Thu, 5 Oct 2023 08:57:48 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2507.031; Thu, 5 Oct 2023 08:57:48 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "rdd@cert.org" <rdd@cert.org>, "regext@ietf.org" <regext@ietf.org>
CC: "jricher@mit.edu" <jricher@mit.edu>
Thread-Topic: [EXTERNAL] [regext] Feedback on draft-ietf-regext-rdap-openid from OAuth WG
Thread-Index: AdnzIAgTyVOS3DkSR8e8t9pewFEAJAEY/mHw
Date: Thu, 05 Oct 2023 12:57:48 +0000
Message-ID: <81dcc883d4594fc6a643d801bf65664f@verisign.com>
References: <BN2P110MB11070A787E6B75CC4990B83ADCC0A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB11070A787E6B75CC4990B83ADCC0A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/_NUsDyaInVvO_9QUONMtU85nhac>
Subject: Re: [regext] Feedback on draft-ietf-regext-rdap-openid from OAuth WG
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Oct 2023 12:57:54 -0000
> -----Original Message----- > From: regext <regext-bounces@ietf.org> On Behalf Of Roman Danyliw > Sent: Friday, September 29, 2023 6:06 PM > To: regext@ietf.org > Cc: Justin Richer <jricher@mit.edu>; Roman Danyliw <rdd@cert.org> > Subject: [EXTERNAL] [regext] Feedback on draft-ietf-regext-rdap-openid > from OAuth WG > > Hi! > > I noted that in the shepherd report > (https://datatracker.ietf.org/doc/draft-ietf-regext-rdap-openid/shephe > rdwriteup/) that there were pointers to requests made in 2015 and 2016 > for a review from the OAUTH WG. Following the threads, nothing came > back 7 - 8 years ago. I don't remember the circumstances of the OAUTH > WG so long ago, so I ask again earlier this week. With great > appreciate to him, I wanted to share a pointer to Justin Richer's review: > https://mailarchive.ietf.org/arch/msg/oauth/33Ci5v7EHDLRC7pvvK85uarXut > Y/ [SAH] I'm no longer subscribed to the oauth mailing list, so I can't reply directly to Justin's note. I'll copy it and reply here. Hi Roman, The concerns of this document are largely specific to OpenID Connect, and not vanilla OAuth, but of course many of us in the community overlap and I'm happy to help provide some feedback here. I'm not familiar with RDAP, so if any of my concerns are addressed by other aspects of the RDAP ecosystem, I would be happy to be corrected. [SAH] That may be the case. More below. That said, I believe parts of the approach are fundamentally flawed as it conflates the RS and client roles in a potentially dangers and certainly confusing way. Some thoughts as I read through this: §3.2.1: - there seems to be some conflation of the RP and RS roles here in the RDAP server; it seems more proper that the RDAP server is the RS, and the RDAP client is the RP (the same as the OAuth client); this seems to stem from a problem with how the RDAP server actually gets user claims, see paragraph below for more [SAH] The RDAP server is intended to serve both roles. It's the Resource Server (RS) because the data resides there. RDAP clients aren't trusted, and the RDAP server needs direct access to the identity information associated with the end user in order to make authorization and access control decisions to release data in response to a query, so it's also serving in the Relying Party (RP) role. For the most part, an RDAP client is just a conduit through which information is shared with the end user. §3.1.3: - this seems to assume the authorization code grant type; though this is explained a little bit more in 3.1.4.2, it's not clear that other grant types are supported here within this protocol [SAH] This section is a summary of the steps described later in the document. The Authorization Grant type is explicitly identified in Section 3.1.4.5. - the first section on "session-oriented clients" conflates the end-user with the client (to wit: "An RDAP client (acting as an OpenID End-User)"); [SAH] I agree, that "acting as" part is confusing. I can strike it. consequently it's unclear who is getting "redirected" or interacting at any step; more properly, it seems that the end-user is interacting with the RDAP client to initiate the flow, which is borne out in the diagram [SAH] That's correct, the user interacts with the client. It's the client that gets redirected. More importantly, in this section it becomes clear that the core of the specification's "token-oriented" approach relies on the RDAP client passing the access token to the RDAP server and then having the RDAP server replay that same token to the OpenID IdP in order to get user claims. It is not considered good practice to have the RS replay the access tokens it receives to an external party, and on the surface this could potentially be exploited by an attacker. This also fails under sender-constrained token usage, wherein the RDAP client would need to also share key material with the RDAP server in order for the latter to use the token. A better pattern would be a profile of OAuth Token Introspection (RFC7667) wherein user information could be specified. This would also allow the RDAP server to authenticate its call to the OpenID IdP. Introspection was designed specifically to allow the RS to call back to the AS to determine what (and who) a token is for, and it provides an extensible mechanism for doing so. An alternative would be to profile the access token itself to contain user information in a format readable by the RDAP server. More on this in the note for §6.3 below. [SAH] The RDAP server needs the claims associated with the end user's credential. I don't see claims returned in a Token Introspection response. That being the case, it needs the token to contact the Userinfo Endpoint. §3.1.5.1 - The registry information here should be in a separate IANA section that is forward-referenced from here [SAH] what's described here is protocol, not registry management, but as I said in my reply to Roman's IESG review feedback I can move this text if it helps provide clarity. - which parties are responsible for validating the allowed purposes claims? Does the IdP need to know the list of allowed purposes applicable to the RS (RDAP server)? [SAH] Validation of applicability to a user's credential is the responsibility of the IdP, just as the IdP is responsible for associating other claims with the credential. The RDAP server receives and processes those claims in order to make an authorization and access control decision regarding the information to be returned in a query response. §4.1 - I appreciate that the fav1 data structure separates the applicable flags into a clear substructure, which will be easier to process as an extension to existing code §4.2 - RFC3986 doesn't actually specify the key=value format normatively; these days, that belongs to the HTML URL specification from WHATWG and so I would recommend that this reference be used instead: https://url.spec.whatwg.org/#application/x-www-form-urlencoded<https://url.spec.whatwg.org/> [SAH] OK, I'll look at that. §4.2.1 - is it really the case that a client can only request a single purpose, but multiple can be authorized? I'm not an expert in the RDAP world, but this would seem to be quickly turn insufficient as purposes are not required to be completely separate and distinct from each other in the registration section [SAH] As described in Section 3.1.5.1, multiple purposes can be specified. §4.3 - I think this section was probably meant to be a subsection of 4.2? [SAH] No, but it could be if that would help add clarity. §5.1.1 - OpenID Connect does not define a single global string value for a user identifier; instead only the tuple of issuer and subject are considered suitably unique; ergo, the UserID value in the data structure would need to have either a construction method or some other specification, or to have this declared as RDAP-server-specific explicitly [SAH] It *is* described as an RDAP-specific thing. That's why it's in a data structure that's explicitly identified as an RDAP extension. §5.1.2 - this seems to replicate RFC8628, OAuth Device Flow, without any of the implementation detail or security considerations of that specification; furthermore, the device flow isn't specified in OpenID Connect (which is being profiled here) though its use is far from unheard of in practice; this use is further expanded in §5.2.4, but it's unclear that that's why this is here [SAH] Right, as I noted in my reply to Roman's discuss, I could import the "Device Authorization Response" data structure described in Section 3.2 of RFC 8628 by reference. §5.2.1 - I'm unclear when reading this whether the identifier in question is an OAuth client_id or a user identifier, as the text seems to indicate it can be either; these represent drastically different things, and one could argue that separating the identity of the client software from the identity of the end-user is the entire point of OAuth and protocols like it - Ultimately this seems to be a discovery step for RDAP, and so I would expect to see more types of identifiers that could be used for discovery purposes, such as user-facing identifiers like email addresses or phone numbers if that's the goal [SAH] It's a user identifier issued by an IdP. It's described in Section 1.2, 3.1, 3.1.1, and elsewhere. - Significant effort is currently being proposed in the OAuth WG for dealing with the inherent security issues of multi-device authorization issues like this; this draft would do well to incorporate some of that [SAH] Such as? I don't mind including a reference in the Security Considerations section as long as the reference won't hold this draft up. §5.2.4.2 - the device code is included here as a query parameter instead of a body parameter, what's the purpose of that? As written it's incompatible with RFC8628, which is claims to be a profile of (eg, "This request performs the polling function described in...") [SAH] Yes, that needs to be fixed. §6.3 - if the token is intended to be used in proxy as stated in §6.2, then the validation here is redundant as an invalid token would not return claims listed in this step; I would suggest that the pattern in §6.2 be removed entirely and instead the validation patterns in §6.3 be expanded into a full profile [SAH] Reading both sections again, I do think they can be combined. §6.4 - Token exchange is generally targeted for access tokens, not ID tokens; it seems that this is part of the conflation between RS and RP in this mode [SAH] Section 3 of RFC 8693 specifically notes that ID tokens are one of the supported token types. The reasons why this type of exchange might be needed are described in the text of the draft. §11 - The security considerations section is remarkably thin for a protocol of this nature, and I would especially expect more discussion on how to select which mode of operation and for which purposes [SAH] There isn't really any mode selection happening here. Clients exist as one type or the other, and they operate accordingly. As such, I'm unsure of what else needs to be added. In closing, I think the "token-oriented" approach has major problems in that it seems to be encoding an anti-pattern without a lot of guidance for why it would be applied. But to reiterate, I am not an expert in the RDAP ecosystem, so if any of these concerns are addressed by that ecosystem I am ignorant of those considerations. [SAH] We discovered the need to support this type of client when testing session-oriented clients with my experimental RDAP test server. If the RDAP client is running on a web server, and working with an RDAP server that's itself running on another web server, we found it impossible to manage sessions associated with the end user. Pawel Kowalik did the experimental client implementation. Perhaps he can add more info here. - Justin
- [regext] Feedback on draft-ietf-regext-rdap-openi… Roman Danyliw
- Re: [regext] Feedback on draft-ietf-regext-rdap-o… Hollenbeck, Scott
- Re: [regext] Feedback on draft-ietf-regext-rdap-o… Hollenbeck, Scott
- Re: [regext] Feedback on draft-ietf-regext-rdap-o… Hollenbeck, Scott