IETF Logo Mail Archive

Re: [Wish] Authentication for resource url

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Sat, 11 September 2021 12:57 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: wish@ietfa.amsl.com
Delivered-To: wish@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DCB83A13A4 for <wish@ietfa.amsl.com>; Sat, 11 Sep 2021 05:57:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5vyruhXWu1Mt for <wish@ietfa.amsl.com>; Sat, 11 Sep 2021 05:56:59 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AD163A13A1 for <wish@ietf.org>; Sat, 11 Sep 2021 05:56:59 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id f21so653589plb.4 for <wish@ietf.org>; Sat, 11 Sep 2021 05:56:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=P7ZLuksU6Xgl14D/rPUixzlIGG0qpVyJEmDSrCAvAbo=; b=N585pY/y9HjomKjbt7JL9MZh5WFxlRMvuPFFyf2c5eSuQdEB9OvRijwA4uVI1Oe6e2 d4zOvhrdHyn0LPHQoMyW2uIBIFqdl+Tkhg19yYnb7qyVfkZAW3v1YraVyNotPjPxAlNG 9kSRqOrWvRdgpRQWsvMGKPigUUs/enRyrBDkOneAEz1u626QXwSNf+rW09DB3VblvBTd 0XK2foRishblPDBAUaBzPhVklMB0Apky4mKHFizgAflvh/1tSpPMRkoktDQKqSuzP3Ik rQDr3+QL5oTCdTp62hKvR7RL7m9hSq0OElPFvcHWy7dXWO18OFmk57ucr4vSqHn3owcJ lT4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=P7ZLuksU6Xgl14D/rPUixzlIGG0qpVyJEmDSrCAvAbo=; b=TaJxkms4aWL39n4YAisU4zgiNUnA912sRQw+fql2kU73llI7Q4UkeemGI7yz2f/dzl jJNlE3xKEggT8R301AIVrgqEbcJw128V33bYPs/RsSUAWSGXoQ6oeNVCUQyCy2Uu2iJO N7y4/CNKmVefX93Fsv44t6lXoBNNnX1CKRXYwr02OeK1bbi1fHFzTkz/74bZsAd5jWdp H/hQmRqn/5OaQ9UrD3AYUMIsiv8q/oJJPi7LoZsdnF0X4ZzUKosFdwk6sM0fmWKTI0bb sAdmsWtXpk/UEqRZSLWb3hhtvyq3zKVf0tNE+wzIzfFsdI+q1JrBdCZcuiU2ZxM8kpia h4GQ==
X-Gm-Message-State: AOAM53313SjUeCFiwlkm6VssLSJsHh0XheZu4ltHw6jojaYQAY50D3OJ /RfNgjdQSNXSXBcNDDGwBttVqkJGwjW0Gq9U4KmFmrV0
X-Google-Smtp-Source: ABdhPJzJmS8lSuzFnbOnOwtRlZN9cYy6Zjw2OcqCsasi2MHwNvRxBbPeGAYmnBmxkY5qS8j/4m2Ohuy78y2x7kxIi3Y=
X-Received: by 2002:a17:90a:4b4d:: with SMTP id o13mr2876838pjl.236.1631365018078; Sat, 11 Sep 2021 05:56:58 -0700 (PDT)
MIME-Version: 1.0
References: <CA+ag07bjtS1Ucw1BZ5qQ_jJFfXbfQ3-hzDgxfkV1APhV1JZMnQ@mail.gmail.com> <87o893vuz4.wl-jch@irif.fr> <CA+ag07Y41bg_K-60=d5yyODj+bN442enQn-Grb-NkX7zQ8vVBQ@mail.gmail.com> <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com>
In-Reply-To: <1e55c847-6a6c-5fca-d7c0-cd3a822855a7@nostrum.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Sat, 11 Sep 2021 14:56:45 +0200
Message-ID: <CA+ag07YZdQooVBLtn=R=Lj0XpojCmVzd51P6=ExFUqwhvqYNdA@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: Juliusz Chroboczek <jch@irif.fr>, WISH List <wish@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000066d0eb05cbb7c45e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wish/D_0ge7BkmAmSwW4WIISKZjp5wVE>
Subject: Re: [Wish] Authentication for resource url
X-BeenThere: wish@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: WebRTC Ingest Signaling over HTTPS <wish.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wish>, <mailto:wish-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wish/>
List-Post: <mailto:wish@ietf.org>
List-Help: <mailto:wish-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wish>, <mailto:wish-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Sep 2021 12:57:05 -0000

As said in a different email, we are not mandating the usage of oauth2.

Anyway, in my implementation the token is a unique value that is matched
against database on the whip enpoint. Media servers don't have access to
that database.

It doesn't harm my implementation to receive y
the token on the media server, but not sure if we should mandate it if
there are no plans for using it.

Best regards
Sergio

El sáb., 11 sept. 2021 5:59, Adam Roach <adam@nostrum.com> escribió:

> This is OAUTH, right? They might be different servers, but I would expect
> them to be the same audience (as OAUTH uses that term) -- implying that the
> same token would be applicable to both of them (if my understanding is
> correct).
>
> My relatively strong preference is to specify that the same token is used
> for the requests; and, that being the case, it's not clear what additional
> security properties you gain by putting a token in the URL path (but I'm
> not, strictly speaking, opposed to it -- I just don't see the value).
>
> /a
>
> On 9/10/2021 2:24 AM, Sergio Garcia Murillo wrote:
>
> The second method (returning an unique url) could be detailed on the
> security considerations, but sending the same authentication bearer token
> in both requests should be in the normative part.
>
> Somehow, I don't like any of both ideas, sending the same token in both
> requests doesn't feel appropriate as the idea is that the whip endpoint and
> the whip resource could be in different servers, so the token for the
> PATH/DELETE request is most probably irrelevant for the media server.
>
> But returning an unique url doesn't seem a very secure idea. Anyway, if
> anyone could get access to the resource url. On the other hand, if an
> attacker has access to the url in the http response, it would most probably
> have access to the data in the request (i.e. the token).
>
> What do you think?
> Sergio
>
> El mié, 8 sept 2021 a las 19:27, Juliusz Chroboczek (<jch@irif.fr>)
> escribió:
>
>> > I think we have the following options:
>> >  - Use the same mechanism/info as the initial request to the whip url
>> (i.e.
>> > sending the Authentication header with the same bearer token)
>> >  - Returning a randomized opaque unique url
>> >  - Allow using both?
>>
>> I think this is better left unspecified in the normative part of the
>> document, but should be explained in detail in the Security Considerations
>> section or in an informative appendix.
>>
>> -- Juliusz
>>
>
>
>

v2.8.7 | Report a Bug | By Email