Re: [OAUTH-WG] [EXTERNAL] Re: Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-17 Thread Brian Campbell 
I might suggest that thinking about it in the context of interoperability
would be more meaningful than certification tests.

Saying that an AS MUST reject the Request object if it has a typ header and
the value of the header is not ‘oauth.authz.req+jwt’ [1] should allow for
interoperability with respect to JWT typing between all combinations of
existing and updated clients with existing and updated authorization
servers.

Saying that an AS MUST NOT include a sub with client id as the value would
break for an updated authorization server when receiving such a request
object JWT. But that's erroneous and potentially dangerous behaviour from
the client so I don't know that we need to try and maintain
interoperability there.

[1] Unfortunately "typ":"JWT" would probably also need to be allowed. As
best I understand it "typ":"JWT" basically says "this JWT is a JWT", which
isn't useful for explicit typing and I think makes it effectively
equivalent to an untyped JWT. I've honestly never understood why one would
use "typ":"JWT" but it shows up in a lot of places including examples and
explanations on sites like jwt.io so it seems very likely that it'd just
get copied over and show up in some amount of real world request object
JWTs.


On Sat, Aug 15, 2020 at 10:41 AM Mike Jones  wrote:

> Answering Filip and Vladirmir’s question about adding normative language
> around “typ” and “sub”:  Anytime you add a new required feature, you are
> breaking existing deployments.  Suppose we added the normative requirement
> “If a ‘typ’ header parameter is present, ASs MUST reject the Request object
> if its value is not ‘oauth.authz.req+jwt’”.  One could then write a
> certification test sending the AS a different “typ” value – which to pass,
> ASs would have to reject the JWT.  *Every existing deployment would fail
> this test!*  That’s exactly what we don’t want to have happen.
>
>
>
> Brian asked for security considerations.  The IESG asked for security
> considerations.  I added them in the PR – working with Nat and John.  They
> point the way to the future without breaking existing deployments.  That’s
> as it should be.
>
>
>
>-- Mike
>
>
>
> *From:* OAuth  *On Behalf Of * Warren Parad
> *Sent:* Saturday, August 15, 2020 9:27 AM
> *To:* Vladimir Dzhuvinov 
> *Cc:* oauth 
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] Benjamin Kaduk's No Objection on
> draft-ietf-oauth-jwsreq-26: (with COMMENT)
>
>
>
> In the case of
>
> if the Request Object includes a sub claim with the value of the client_id
> the AS MUST reject the request
>
>
>
> What would the expectation be in terms of a client_credentials grant?
>
>
>
> From experience, the *sub *is frequently populated with the client_id
> value and the client_id is not used. Which would mean breaking for that
> type of grant wouldn't it?
>
>
>
> *Warren Parad*
>
> Founder, CTO
>
> Secure your user data and complete your authorization architecture.
> Implement Authress .
>
>
>
>
>
> On Sat, Aug 15, 2020 at 11:08 AM Vladimir Dzhuvinov <
> vladi...@connect2id.com> wrote:
>
> +1 to make the "typ" check, as Filip suggested, normative, as existing
> client and RP deployments with undefined "typ" will not be affected. New
> deployments should be encouraged to type the JWT, and thus be made safer.
>
>
>
> Regarding the "sub != client_id" check -- could a simple rejection of all
> JWTs with "sub" present suffice?
>
> I find it difficult to imagine what else a client could end up setting the
> "sub" claim to, if it does end up populating it for some reason.
>
> Rejecting JWTs with "sub=client_id" or "sub" present will break
> deployments where a client for some reason sets the "typical" JWT claims,
> and "sub" is a typical one, but if those deployments happen to accept
> client_secret_jwt or private_key_jwt client authentication, they could well
> be vulnerable to cross-JWT confusion attacks.
>
>
>
> Vladimir
>
> On 14/08/2020 13:58, Filip Skokan wrote:
>
> Hi Mike, Nat,
>
>
>
> I thought we would go as far as making these normative requirements
>
>- if the Request Object includes a sub claim with the value of the
>client_id the AS MUST reject the request
>- if the Request Object is explicitly typed (typ) its value MUST be 
>
> First rejects client assertions to be passed as Request Objects. Second
> rejects all future typed JWT profiles from being used as Request Objects
> without worrying about the claims they may or may not contain.
>
>
>
> Or is that breaking?
>
>
>
> S pozdravem,
> *Filip Skokan*
>
>
>
>
>
> On Fri, 14 Aug 2020 at 00:59, Mike Jones  40microsoft@dmarc.ietf.org> wrote:
>
> At Nat's request, I've created a pull request addressing Cross-JWT
> Confusion security considerations.  It addresses both Brian's comment and
> the IESG comments about explicit typing.  See the full PR at
> https://bitbucket.org/Nat/oauth-jwsreq/pull-requests/10.  See the source
> diffs at
> https://bitbuck

Re: [OAUTH-WG] Benjamin Kaduk's No Objection on draft-ietf-oauth-jwsreq-26: (with COMMENT)

2020-08-17 Thread Brian Campbell 
On Sat, Aug 15, 2020 at 3:08 AM Vladimir Dzhuvinov 
wrote:

> Regarding the "sub != client_id" check -- could a simple rejection of all
> JWTs with "sub" present suffice?
>

Prohibiting the use of "sub" in request object JWTs would suffice, yes. I'd
suggested the more narrow/specific prohibition with the aim of a smaller
scoped change. But perhaps it'd be simpler to just say don't use "sub"? I
can't think of any non-erroneous reason sub would be in a request object.

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth