Re: [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

[Mike Jones]

The virtual office hours in my calendar start 1/2 hour before that.  If the 
time has changed, can you have the meeting organizer update the calendar entry?

                                                          Thanks,
                                                          -- Mike

From: Rifaat Shekh-Yusef <rifaat.i...@gmail.com>
Sent: Thursday, January 24, 2019 12:46 PM
To: George Fletcher <gffle...@aol.com>
Cc: Vittorio Bertocci <vitto...@auth0.com>; Mike Jones 
<michael.jo...@microsoft.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Shepherd write-up for 
draft-ietf-oauth-resource-indicators-01

All,

This coming Monday, Jan 28 @ 12:00pm Eastern Time, we have a scheduled OAuth WG 
Virtual Office meeting.
Feel free to attend the meeting to discuss this topic to try to get to a 
conclusion on this.

Regards,
 Rifaat


On Wed, Jan 23, 2019 at 3:00 PM George Fletcher 
<gffletch=40aol....@dmarc.ietf.org<mailto:40aol....@dmarc.ietf.org>> wrote:
+1

Also, I don't really like the parameter name 'req_aud' :) I'm not 100% 
convinced that 'audience' and 'logical resource' are completely overlapping 
concepts. We can potentially make them completely overlapping but we need text 
to that effect.

I also believe that we don't have a complete solution for all deployments using 
exact locations (see my previous email).

Thanks,
George
On 1/23/19 2:50 PM, Vittorio Bertocci wrote:
As mentioned below, I agree the two can be separated- but I also agree with 
George on the need to be clear an easy to reference for developers.
Just adding a reference to req_aud would just raise the cyclomatic complexity 
of the specs, which is already unusably high for mere mortals in the 
OAuth2/OIDC family of specs.

One additional complication is that this specification is reusing a parameter 
that is already used in a very large number of production systems (small 
example 
here<https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code>),
 and whose concrete semantic happens to be prevalently logic identifier. If the 
parameter you are defining here has a different semantic, at the very least it 
would seem good hygiene to rename it to avoid collision and confusion.

On Wed, Jan 23, 2019 at 11:03 AM Mike Jones 
<Michael.Jones=40microsoft....@dmarc.ietf.org<mailto:40microsoft....@dmarc.ietf.org>>
 wrote:
I agree with John’s logic.  The physical resource and logical resource should 
use different identifiers.  Fortunately, we already have “resource” and 
“req_aud” for these parameters.  I believe we’re good to go, as-is.

                                                       -- Mike

From: OAuth <oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>> On Behalf 
Of John Bradley
Sent: Wednesday, January 23, 2019 10:56 AM
To: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Shepherd write-up for 
draft-ietf-oauth-resource-indicators-01


I don't think they are necessarily mutually exclusive, that is why I think 
there is value in allowing them to be specified separately.

As an AS in the distributed OAuth case knowing that a client interacting with 
RS https://fire.hhs.com as the resource wants a OAuth token with an audience of 
HHS and a scope of read.

Without proof of possession we need to keep bad RS from asking for tokens with 
scopes and audiences of other RS that can be replayed.

I really like keeping the resource simple and unspoofable, it is the URI of the 
RS where you are presenting the AT.

I prefer to keep that separate from the logical resource that may span more 
than one RS endpoint.

Merging the two and we are probably back at the AS looking into the URI to 
figure out which one it is.  I think that is harder for implementations and 
more likely to have security issues down the road.

John B.
On 1/23/2019 1:44 PM, Vittorio Bertocci wrote:
Hi all,
thanks for you patience. Brian and myself iterated on modifying the text to 
cover the logical identifier use case, highlighting the security implications 
of going that route. You can find the revised text in 
https://github.com/vibronet/i-d/blob/master/draft-ietf-oauth-resource-indicators.xml,
 see the commits in the history from January 21 for the specific changes.
Note: I also had a chat with John offline, and he expressed the desire to split 
the resource parameter in two distinct parameters to better signal the intended 
usage. I am sure he can elaborate. I have nothing against it in principle, as 
long as we leave nothing as exercise to the reader and we are very clear on 
usage (e.g. mutual exclusivity, etc) but didn't have a chance to speak w Brian 
about it. If the discussion stretches further, I would suggest we pause it and 
let him enjoy his time off for the rest of the week.

On Mon, Jan 21, 2019 at 5:35 PM Rifaat Shekh-Yusef 
<rifaat.i...@gmail.com<mailto:rifaat.i...@gmail.com>> wrote:
Thank you guys!


On Monday, January 21, 2019, Vittorio Bertocci 
<vitto...@auth0.com<mailto:vitto...@auth0.com>> wrote:
Hi Rifaat,
absolutely. Brian and myself already started working on some language, however 
this week he is in vacation hence it might take few days before we come back to 
the list with something.
Cheers,
V.

On Mon, Jan 21, 2019 at 9:35 AM Rifaat Shekh-Yusef 
<rifaat.i...@gmail.com<mailto:rifaat.i...@gmail.com>> wrote:
Brian, Vittorio,

To move this discussion forward, can you guys suggest some text to make the 
logical identifier usage clearer?

Regards,
 Rifaat


On Mon, Jan 21, 2019 at 10:32 AM Brian Campbell 
<bcampbell=40pingidentity....@dmarc.ietf..org<mailto:40pingidentity....@dmarc.ietf.org>>
 wrote:
As I suggested before, I do think that's within the bounds of the draft's 
definition of 'resource' as a URI. And that perhaps all that's needed is some 
minor adjustment and/or augmentation of some text to make it more clear.

On Sun, Jan 20, 2019 at 7:39 PM Vittorio Bertocci 
<vitto...@auth0.com<mailto:vitto...@auth0.com>> wrote:
[sent to John only by mistake, resending to the ML]

In Azure AD v1 & ADFS, that's resource.. It could be used for both network and 
logical ids, with the concrete usage in the wild I described earlier.
In Azure AD v2, the resource as explicit parameter (network, logic or 
otherwise) is gone and is expressed as part of the scope string of all the 
scopes requested for a given resource- but it still exist in practice tho as it 
still end up in the resulting aud of the issued token.
This is 9 months old info hence

On Sun, Jan 20, 2019 at 17:58 John Bradley 
<ve7...@ve7jtb.com<mailto:ve7...@ve7jtb.com>> wrote:

What is the parameter that Microsoft is using?
On 1/20/2019 3:59 PM, Vittorio Bertocci wrote:
First of all, it wasn't my intent to disrupt the established process. In my 
former position I wasn't monitoring those discussions hence I didn't have a 
chance to offer feedback. When I saw something that gave me the impression 
might lead to issues, and given that I worked with actual deployments and 
developers using a similar parameter for a long time, I thought prudent to 
bring this up. I really appreciate Rifaat's stance on this. End of preamble.

Ultimately my goal is for developers to have guidance on how to work with the 
concept of logical resource in a standard compliant way, hence it doesn't 
strictly matter whether the definition of the corresponding parameter lives in 
oauth-resource-indicators or elsewhere.
That said. Reading through the draft, it would appear that most of the reasons 
for which the spec was created apply to both the network addressable and the 
logical resource types: knowing what keys to use to encrypt the token, 
constrain access tokens to the intended audience, avoiding overloading scopes 
with resource indicating parts... those all apply to network addressable and 
logic identifiers alike. And both parameters are expected to result in audience 
restricted tokens. It seems the only difference comes at token usage time, with 
the network addressable case giving more guarantees that the token will go to 
its intended recipient, but the request and audience restriction syntax seems 
to be exactly the same.
On top of this: in the 99.999% of the scenarios I encountered in the wild in 
the last 5 years of using the resource parameter in the MS ecosystem, the 
resource identifier was known at design time: the developer discovered it out 
of band and placed it in the app config at deployment time. Those aren't fringe 
cases I occasionally encountered: the resource parameter in Azure AD v1 and 
ADFS was mandatory, hence literally every solution i saw or touched used it. As 
Brian suggested, this is a scenario where the security advantages of the 
network addressable case aren't as pronounced as in the case in which the 
client discovers the resource identifier at runtime. This isn't just because 
there is no specification suggesting location should be explicitly indicated, 
it's because there are many practical advantages at development and deployment 
time to be able to use logical identifiers- and if the concrete security 
advantages don't apply to the their case, people will simply not comply.

In summary: creating two different parameters in two different documents is 
better than ignoring he logical identifier case altogether, however I think 
that not acknowledging the logical id case in oauth-resource-indicators is 
going to create confusion and ultimately not be as useful to the developer 
community as it could be.



On Sat, Jan 19, 2019 at 12:38 Phil Hunt 
<phil.h...@oracle.com<mailto:phil.h...@oracle.com>> wrote:
+1 to Mike and John’s comments.
Phil

On Jan 19, 2019, at 12:34 PM, Mike Jones 
<Michael.Jones=40microsoft....@dmarc.ietf.org<mailto:Michael.Jones=40microsoft....@dmarc.ietf.org>>
 wrote:
I also agree that “resource” should be a specific network-addressable URL 
whereas a separate audience parameter (like “aud” in JWTs) can refer to one or 
more logical resources.  They are different, if related, things.

Note that the ACE WG is proposing to register a logical audience parameter 
“req_aud” in https://tools.ietf.org/html/draft-ietf-ace-oauth-params-01 - 
partly based on feedback from OAuth WG members.  This is a general OAuth 
parameter, which any OAuth deployment will be able to use.

I therefore believe that no changes are needed to 
draft-ietf-oauth-resource-indicators, as the logical audience work is already 
happening in another draft.

                                                          -- Mike

From: OAuth <oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>> On Behalf 
Of John Bradley
Sent: Saturday, January 19, 2019 9:01 AM
To: Brian Campbell 
<bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com>>
Cc: Vittorio Bertocci 
<Vittorio=40auth0....@dmarc.ietf.org<mailto:Vittorio=40auth0....@dmarc.ietf.org>>;
 IETF oauth WG <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] Shepherd write-up for 
draft-ietf-oauth-resource-indicators-01

We need to decide if we want to make a change.

For security we are location centric.

I prefer to keep resource location separate from logical audience that can be a 
scope or other parameter.

If becomes harder for people to use the parameter correctly if we are too 
flexible.

I would rather have a separate logical audience parameter if we think we want 
one.

John B.

On Sat, Jan 19, 2019, 11:41 AM Brian Campbell 
<bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com> wrote:
No apology needed, Rifaat. And I apologize if what I said came off the wrong 
way. I was just trying to make light of the situation.. And I agree that we 
should not be hamstrung by the process and there are times when it makes sense 
to be flexible with things.

On Fri, Jan 18, 2019 at 6:22 PM Rifaat Shekh-Yusef 
<rifaat.i...@gmail.com<mailto:rifaat.i...@gmail.com>> wrote:
Sorry Brian, I was not clear with my statement.
I meant to say that we should not allow the process to prevent the WG from 
producing a quality document without issues, assuming there is an issue in the 
first place.
Ideally we want to get these identified during the WGLC, but things happen and 
sometimes the WG misses something.

I hear you and agree that this make things difficult for authors. We will make 
sure that this does not become the norm, and we will try to stick to the 
process as much as possible.

Regards,
 Rifaat


On Fri, Jan 18, 2019 at 5:35 PM Brian Campbell 
<bcampb...@pingidentity.com<mailto:bcampb...@pingidentity.com>> wrote:
Thanks Rifaat. Process is as process does, right? I do kinda want to grumble 
about WGCL having passed already but that's mostly because replying to these 
kinds of threads is hard for me and I'll just get over it...

As far as I understand things, the security concerns come into play when the 
client is being told the by the resource how to identity the resource like is 
described in https://tools.ietf.org/html/draft-ietf-oauth-distributed-01 and 
using the actual location in that context ,along with some other checks 
prescribed in that draft, prevents the kind of issues John described earlier in 
the thread.

In cases where the client knows the resource a priori or out-of-band or 
configured or whatever, I don't think the same security concerns arise. And 
using such a known value, be it an actual location or logical representation, 
would be okay.

The resource-indicators draft is admittedly somewhat location-centric in how it 
talks about the value of the 'resource' parameter. But ultimately it defines it 
as an absolute URI that indicates the location of the target service or 
resource where access is being requested. A location can be varying shades of 
abstract and I'd say that using a URI as 'resource' parameter value that's a 
logical identifier that points to some resource is well within the bounds of 
the draft.

So maybe the draft is okay as is?

Or perhaps that's too much to be left as an exerciser to the reader?  And some 
text should be added and/or adjusted so the resource-indicators draft would be 
a little more open/clear about the parameter value potentially being more of a 
logical or abstract identifier and not necessarily a network addressable URL?



On Fri, Jan 18, 2019 at 1:18 PM Rifaat Shekh-Yusef 
<rifaat.i...@gmail.com<mailto:rifaat.i...@gmail.com>> wrote:
I wouldn't worry too much about the process.
If it makes sense to update the document, then feel free to do that.

Regards,
 Rifaat


On Fri, Jan 18, 2019 at 3:08 PM John Bradley 
<ve7...@ve7jtb.com<mailto:ve7...@ve7jtb.com>> wrote:
Yes the logical resource can be provided by "scope"

Some implementations like Ping and Auth0 have been adding another parameter 
"aud" to identify the logical resource and then using scopes to define 
permissions to the resource.

Fortunately, we are using a different parameter name so not stepping on that..

We could go back and try to add text explaining the difference, but we are 
quite late in the process.

I agree that a logical resource parameter may be helpful, but perhaps it should 
be a separate draft.

John B.

On Fri, Jan 18, 2019 at 4:38 PM Richard Backman, Annabelle 
<richa...@amazon.com<mailto:richa...@amazon.com>> wrote:
Doesn’t the “scope” parameter already provide a means of specifying a logical 
identifier?

--
Annabelle Richard Backman
AWS Identity


From: OAuth <oauth-boun...@ietf.org<mailto:oauth-boun...@ietf.org>> on behalf 
of Vittorio Bertocci 
<Vittorio=40auth0....@dmarc.ietf.org<mailto:40auth0.....@dmarc.ietf.org>>
Date: Friday, January 18, 2019 at 5:47 AM
To: John Bradley <ve7...@ve7jtb.com<mailto:ve7...@ve7jtb.com>>
Cc: IETF oauth WG <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] Shepherd write-up for 
draft-ietf-oauth-resource-indicators-01

Thanks John for the background.
I agree that from the client validation PoV, having an identifier corresponding 
to a location makes things more solid.
That said: the use of logical identifiers is widespread, as it has significant 
practical advantages (think of services that assign generated hosting URLs only 
at deployment time, or services that are somehow grouped under the same logical 
audience across regions/environment/deployments). People won't stop using 
logical identifiers, because they often have no alternative (generating new 
audiences on the fly at the AS every time you do a deployment and get assigned 
a new URL can be unfeasible). Leaving a widely used approach as exercise to the 
reader seems a disservice to the community, given that this might lead to 
vendors (for example Microsoft and Auth0) keeping their own proprietary 
parameters, or developers misusing the ones in place; would make it hard for 
SDK developers to provide libraries that work out of the box with different 
ASes; and so on.
Would it be feasible to add such parameter directly in this spec? That would 
eliminate the interop issues, and also gives us a chance to fully warn people 
about the security shortcomings of choosing that approach.



On Thu, Jan 17, 2019 at 4:32 PM John Bradley 
<ve7...@ve7jtb.com<mailto:ve7...@ve7jtb.com>> wrote:

We have discussed this.

Audiences can certainly be logical identifiers.

This however is a more specific location.  The AS is free to map the location 
into some abstract audience in the AT.

From a security point of view once the client starts asking for logical 
resources it can be tricked into asking for the wrong one as a bad resource can 
always lie about what logical resource it is.

If we were to change it, how a client would validate it becomes challenging to 
impossible.

The AS is free to do whatever mapping of locations to identifiers it needs for 
access tokens.

Some implementations may want to keep additional parameters like logical 
audience, but that should be separate from resource.

John B.
On 1/17/2019 9:56 AM, Rifaat Shekh-Yusef wrote:
Hi Vittorio,

The text you quoted is copied form the abstract of the draft itself.


Authors,

Should the draft be updated to cover the logical identifier case?

Regards,
 Rifaat


On Thu, Jan 17, 2019 at 8:19 AM Vittorio Bertocci 
<vitto...@auth0.com<mailto:vitto...@auth0.com>> wrote:
Hi Rifaat,
one detail. The tech summary says


An extension to the OAuth 2.0 Authorization Framework defining request

parameters that enable a client to explicitly signal to an authorization server

about the location of the protected resource(s) to which it is requesting

access.
But at least in the Microsoft implementation, the resource identifier doesn't 
have to be a network addressable URL (and if it is, it doesn't strictly need to 
match the actual resource location). It can be a logical identifier, tho using 
the actual resource location there has benefits (domain ownership check, 
prevention of token forwarding etc).
Same for Auth0, the audience parameter is a logical identifier rather than a 
location.



On Wed, Jan 16, 2019 at 6:32 PM Rifaat Shekh-Yusef 
<rifaat.i...@gmail.com<mailto:rifaat.i...@gmail.com>> wrote:
All,

The following is the first shepherd write-up for the 
draft-ietf-oauth-resource-indicators-01 document.
https://datatracker.ietf.org/doc/draft-ietf-oauth-resource-indicators/shepherdwriteup/

Please, take a look and let me know if I missed anything.

Regards,
 Rifaat

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf..org/mailman/listinfo/oauth<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you.

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited..  If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you.
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited...  If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you._______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf..org/mailman/listinfo/oauth<https://www.ietf.org/mailman/listinfo/oauth>

_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth