Re: [Unbearable] Token Binding Demo Online

Brian Campbell <bcampbell@pingidentity.com> Wed, 31 May 2017 22:53 UTC

In-Reply-To: <CA+k3eCQrSH3AXOvzH56qo-N9MgPFA37vGZ9EQzLGvagTE=cgKQ@mail.gmail.com>
References: <CA+k3eCQrSH3AXOvzH56qo-N9MgPFA37vGZ9EQzLGvagTE=cgKQ@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 31 May 2017 16:53:14 -0600
Message-ID: <CA+k3eCQZ7D8S10nmgR5v=J0YAx_nsC5sb907yGvBCXNriSmvFA@mail.gmail.com>
To: IETF Tokbind WG <unbearable@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/OI0ibKfSXkwGjnenVaac_aXZu1o>
Subject: Re: [Unbearable] Token Binding Demo Online

Just wanted to share a quick note that I've updated this demo slightly so
that what would typically be the auto-submitting form page that sends the
ID Token back to the RP now sends (ugly) HTML with the form and needs a
user click to continue. This should make it easier to grab the ID Token and
decode it to see if it was token bound with the confirmation "cnf" claim or
not.

On Fri, Mar 24, 2017 at 3:11 PM, Brian Campbell <bcampbell@pingidentity.com>
wrote:

> I put up a demonstration of some token binding functionality that I wanted
> to share. There are a few parts to it, which I'll attempt to describe
> below.
>
> At https://unbearable-bc.ping-eng.com:3000/open/ is a token binding
> capable reverse proxy (of sorts) that is proxying requests to
> http://httpbin.org/ with a little path rewriting. If you go to
> https://unbearable-bc.ping-eng.com:3000/open/headers with a token binding
> (-10 to -13) capable browser, for example, you should see a dump of the
> request headers including "Sec-Token-Binding".
>
> The reverse proxy is also set up with some access control and will proxy
> from https://unbearable-bc.ping-eng.com:3000/ to http://httpbin.org/ but
> require an authenticated session to do so. And it's using OpenID Connect
> Token Bound Authentication
> <http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html>
> with an IDP at https://token-provider-bc.ping-eng.com:9031 to
> authenticate users.
>
> So, for example, if you go to https://unbearable-bc.ping-eng.com:3000/headers
> without a session you will be redirected to the
> authorization endpoint at that IDP and presented with a login page. Use
> USERNAME: brian and PASSWORD: Test5555 on that page. After login, you'll be
> sent back to the relying party via the Form Post Response Mode
> <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>
> where the ID Token is sent though the browser. If you grab that token and
> decode it, there should be a confirmation method claim that has the hash of
> the Token Binding ID used with the relying party (i.e. "cnf": {"tbh":
> "...hash..."}).
>
> The relying party sets up its own session from the OIDC SSO, which is a
> cookie named PA.unbearable that is a JWT. The page at
> https://unbearable-bc.ping-eng.com:3000/headers will dump the headers
> including that cookie. If you decode that JWT, you should also see that the
> local session is token bound with the confirmation method claim.
>
> Things will still work when using a non token binding capable browser but
> none of the tokens will be token bound.
>
> As a reminder, you can enable Token Binding in Chrome by putting
> chrome://flags/#enable-token-binding into the address bar. Chrome and Chrome
> Canary are what I've been using to play with this. I'm hoping someone
> with the TB enabled Edge/IE can poke around on this demo too.
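The messages above describe grabbing the ID Token (and the PA.unbearable session JWT) and decoding it to see whether it carries a "cnf": {"tbh": "..."} confirmation claim. The following is an added example, not code from the demo or from Ping Identity, showing what a relying party does with that claim: compute tbh as base64url(SHA-256(Token Binding ID)) over the Provided Token Binding ID the current TLS connection proved possession of, and compare it against cnf.tbh in the token. It assumes an HS256-signed JWT with a constructed shared secret so that it runs offline (the IDP in the demo would use an asymmetric signature); the Token Binding IDs and claim values are constructed test data, and the parsing of the Sec-Token-Binding header that yields the ID is out of scope here.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """base64url without padding, the encoding JWT segments and tbh use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def tbh_for(token_binding_id: bytes) -> str:
    """tbh = base64url(SHA-256(Token Binding ID)), the value an issuer places in cnf.tbh."""
    return b64url_encode(hashlib.sha256(token_binding_id).digest())


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWT for the example (constructed test data; a real IDP signs asymmetrically)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{signing_input.decode('ascii')}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Verify the HMAC in constant time and return the decoded claims; raise on any defect."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def check_token_binding(token: str, key: bytes, provided_tbid: Optional[bytes]) -> str:
    """
    Classify a token against the Token Binding ID the current TLS connection
    proved possession of (None when the browser did not negotiate token binding):
      'bound-ok'        cnf.tbh present and matches this connection's Token Binding ID
      'bound-mismatch'  cnf.tbh present but this connection cannot prove that ID
                        (the token was exported from the connection it was bound to)
      'unbound'         no cnf.tbh at all: a plain bearer token, as a non-TB browser gets
    """
    claims = verify_hs256_jwt(token, key)
    tbh = claims.get("cnf", {}).get("tbh")
    if tbh is None:
        return "unbound"
    if provided_tbid is None:
        return "bound-mismatch"
    return "bound-ok" if hmac.compare_digest(tbh, tbh_for(provided_tbid)) else "bound-mismatch"


# Constructed demo values (not taken from the mailing-list demo).
DEMO_KEY = b"constructed-shared-secret-for-demo"
BROWSER_TBID = b"\x02\x00\x41" + bytes(range(65))      # stands in for one browser's TokenBindingID
OTHER_TBID = b"\x02\x00\x41" + bytes(range(1, 66))     # a different connection's TokenBindingID

BOUND_ID_TOKEN = make_hs256_jwt(
    {"iss": "https://idp.example", "sub": "brian", "aud": "rp.example",
     "cnf": {"tbh": tbh_for(BROWSER_TBID)}}, DEMO_KEY)
BEARER_ID_TOKEN = make_hs256_jwt(
    {"iss": "https://idp.example", "sub": "brian", "aud": "rp.example"}, DEMO_KEY)

if __name__ == "__main__":
    print(check_token_binding(BOUND_ID_TOKEN, DEMO_KEY, BROWSER_TBID))   # bound-ok
    print(check_token_binding(BOUND_ID_TOKEN, DEMO_KEY, OTHER_TBID))     # bound-mismatch
    print(check_token_binding(BEARER_ID_TOKEN, DEMO_KEY, None))          # unbound
```

The third outcome is the one the original post points out for non-token-binding browsers: everything still works, but the token is an ordinary bearer token, so an RP that wants to require binding has to treat "unbound" as a policy decision rather than as a verification failure.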