[Unbearable] Token Binding Demo Online

Brian Campbell <bcampbell@pingidentity.com> Fri, 24 March 2017 21:12 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 24 Mar 2017 15:11:34 -0600
Message-ID: <CA+k3eCQrSH3AXOvzH56qo-N9MgPFA37vGZ9EQzLGvagTE=cgKQ@mail.gmail.com>
To: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary=94eb2c0a542e13079f054b8072b2
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/Om-hUZWUR6HqKW733jOoYTAYeog>
Subject: [Unbearable] Token Binding Demo Online

I put up a demonstration of some token binding functionality that I wanted
to share. There are a few parts to it, which I'll attempt to describe
below.

At https://unbearable-bc.ping-eng.com:3000/open/ is a token binding capable
reverse proxy (of sorts) that is proxying requests to http://httpbin.org/
with a little path rewriting. If you go to
https://unbearable-bc.ping-eng.com:3000/open/headers with a token binding
(-10 to -13) capable browser, for example, you should see a dump of the
request headers including "Sec-Token-Binding".

The reverse proxy is also set up with some access control and will proxy
from https://unbearable-bc.ping-eng.com:3000/ to http://httpbin.org/ but
require an authenticated session to do so. And it's using OpenID Connect
Token Bound Authentication
<http://openid.net/specs/openid-connect-token-bound-authentication-1_0.html>
with an IDP at https://token-provider-bc.ping-eng.com:9031 to authenticate
users.

So, for example, if you go to
https://unbearable-bc.ping-eng.com:3000/headers without a session you will
be redirected to the authorization endpoint at that IDP and presented with
a login page. Use USERNAME: brian and PASSWORD: Test5555 on that page.
After login, you'll be sent back to the relying party via the Form Post
Response Mode
<https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html> where
the ID Token is sent through the browser. If you grab that token and decode
it, there should be a confirmation method claim that has the hash of the
Token Binding ID used with the relying party (i.e. "cnf": {"tbh":
"...hash..."}).

The relying party sets up its own session from the OIDC SSO, which is a
cookie named PA.unbearable that is a JWT. The page at
https://unbearable-bc.ping-eng.com:3000/headers will dump the headers
including that cookie. If you decode that JWT, you should also see that the
local session is token bound with the confirmation method claim.

Things will still work when using a non token binding capable browser but
none of the tokens will be token bound.

As a reminder, you can enable Token Binding in Chrome by putting
chrome://flags/#enable-token-binding into the address bar. Chrome and Chrome
Canary are what I've been using to play with this. I'm hoping someone
with TB-enabled Edge/IE can poke around on this demo too.