Re: [OAUTH-WG] Regarding iat and nonce in DPoP Proofs

2022-03-30 Thread Filip Skokan
Hello Jacob, dear Authors,

If the server (AS or RS) utilizes the `nonce` mechanism to limit the
acceptance timeframe of DPoP Proof JWTs it would appear the need to check
the `iat` claim for "freshness" is redundant. If we're making the client
jump through hoops to enforce fresh proofs via `nonce` it seems
counterintuitive that the validation could still fail due to client or server
side clock skews (regardless of how unreasonable they may be).

Changes would need to be introduced in (source):

   - section 4.3. point 11
     - the iat claim value is within an acceptable timeframe and, within a
       reasonable consideration of accuracy and resource utilization, a
       proof JWT with the same jti value has not previously been received
       at the same resource during that time period (see Section 11.1)
   - section 11.1
     - To prevent this, servers MUST only accept DPoP proofs for a limited
       time window after their iat time, preferably only for a relatively
       brief period (on the order of seconds or minutes).

Proposal:

Section 4.3. point 11
*if the server did not provide a nonce value to the client that was
verified in the previous point*, that the iat claim value is within an
acceptable timeframe and, within a reasonable consideration of accuracy and
resource utilization, a proof JWT with the same jti value has not
previously been received at the same resource during that time period (see
Section 11.1)

Section 11.1 upon a second read may not need an update after all due to the
following language "Server-provided nonces are an effective means of
preventing DPoP proof replay.". That being said, server-provided nonces do
nothing about replay within a short time window, they ensure freshness, so
may need a bit of language after all.

Best regards,
*Filip Skokan*


On Tue, 29 Mar 2022 at 16:23, Jacob Ideskog wrote:

> Hi all,
>
> We have encountered a situation in the wild which I would like to share
> and discuss with you.
>
> We have strict validation of the iat claim as per section 4.3 in the
> specification where we allow a reasonable skew.
>
> The problem we see is that some users (more than a few) have changed the
> clock on their mobile device. This is commonly done for users playing games
> where changing the clock gives them more credit in the game. This means
> that the drift is more than reasonable as per the specification. It can be
> hours to days.
>
> The solution is to use the newer "nonce" parameter (which wasn't in the
> early drafts) to be able to manage the TTL server side, since the server
> controls the nonce and can therefore control the TTL of any proof received.
>
> However, the wording in section 4.3 states that:
>
> the iat claim value is within an acceptable timeframe and,
> within a reasonable consideration of accuracy and resource
> utilization, a proof JWT with the same jti value has not
> previously been received at the same resource during that time
> period (see Section 11.1 
> ),
>
> And in section 11.1 this limits it to seconds or minutes.
>
> So, even though using nonces could solve clock sync issues, it's not
> possible due to the strictness of the iat claim verification.
>
> Could we relax the wording of the iat claim verification to let the nonce
> be the main solution in some cases:
>
> Suggestion:
> the iat claim value is within an acceptable timeframe and,
> within a reasonable consideration of accuracy and resource
> utilization, a proof JWT with the same jti value has not
> previously been received at the same resource during that time
> period (see Section 11.1), *unless the clock synchronization can
> be made to depend on the issuance of the nonce values.*
>
> Regards
> Jacob
>
> --
> Jacob Ideskog
> CTO
> Curity AB
> ---
> Sankt Göransgatan 66, Stockholm, Sweden
> M: +46 70-2233664
> j a...@curity.io
> curity.io
> ---
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
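An added example, written for this archive page and not code from the thread or from any DPoP implementation: a resource server's check of the time-related DPoP proof claims, ordered the way Filip's proposed wording for section 4.3 point 11 reads. When the server issued a nonce and the proof carries a genuine, unexpired one, the `iat` window is not enforced, so a device whose clock is days off (Jacob's case) is still accepted; without a nonce the `iat` window applies. The `jti` replay check runs in both modes, since, as noted above, a nonce on its own does not stop a replay inside its validity window. Everything not in the draft is an assumption of this example: the 300-second window and nonce TTL, the `DPoPValidator` class, the stateless `<issue-time>.<HMAC tag>` nonce format (the draft does not prescribe one), and the `demo()` scenario with a client clock three days behind. Signature, header (`typ`/`alg`/`jwk`) and `htm`/`htu`/`ath` checks are assumed to have been done before `validate()` is called.

```python
import hashlib
import hmac
import secrets
import time

IAT_WINDOW_S = 300    # assumed: +/- 5 min of skew tolerated when no nonce is in use
NONCE_TTL_S = 300     # assumed: a server-issued nonce stays acceptable for 5 min
JTI_RETENTION_S = max(IAT_WINDOW_S, NONCE_TTL_S)   # how long a seen jti is remembered


class DPoPProofError(Exception):
    """Proof rejected (iat outside window, replayed jti, malformed claims)."""


class DPoPNonceRequired(DPoPProofError):
    """Server wants a retry with a fresh nonce (draft: error=use_dpop_nonce + DPoP-Nonce header)."""

    def __init__(self, nonce):
        super().__init__("use_dpop_nonce")
        self.nonce = nonce


class DPoPValidator:
    def __init__(self, use_nonce, clock=time.time):
        self.use_nonce = use_nonce
        self.clock = clock                            # server clock, injectable for tests
        self._nonce_key = secrets.token_bytes(32)     # assumed stateless nonce format: HMAC key
        self._seen_jti = {}                           # jti -> server time first seen

    def _tag(self, issued):
        return hmac.new(self._nonce_key, str(issued).encode(), hashlib.sha256).hexdigest()[:32]

    def issue_nonce(self):
        """Constructed format '<issue-time>.<tag>': origin and age verifiable without storage."""
        issued = int(self.clock())
        return f"{issued}.{self._tag(issued)}"

    def _nonce_age(self, nonce):
        """Age in seconds of a genuine nonce, or None if missing, malformed or forged."""
        try:
            issued_s, tag = nonce.split(".", 1)
            issued = int(issued_s)
        except (AttributeError, ValueError):
            return None
        if not hmac.compare_digest(tag, self._tag(issued)):
            return None
        return self.clock() - issued

    def validate(self, claims):
        """Check jti/iat/nonce of an already signature-verified proof payload."""
        now = self.clock()
        if not isinstance(claims.get("jti"), str) or not claims["jti"]:
            raise DPoPProofError("missing jti")
        if not isinstance(claims.get("iat"), (int, float)):
            raise DPoPProofError("missing iat")
        if self.use_nonce:
            # Freshness is established by the server's own clock through the nonce,
            # so the client's iat is not compared against the window at all.
            age = self._nonce_age(claims.get("nonce"))
            if age is None or age < 0 or age > NONCE_TTL_S:
                raise DPoPNonceRequired(self.issue_nonce())
        elif abs(now - claims["iat"]) > IAT_WINDOW_S:
            raise DPoPProofError("iat outside acceptable window")
        # Replay check in both modes: a nonce bounds the window but does not dedupe.
        for jti in [j for j, t in self._seen_jti.items() if now - t > JTI_RETENTION_S]:
            del self._seen_jti[jti]
        if claims["jti"] in self._seen_jti:
            raise DPoPProofError("replayed jti")
        self._seen_jti[claims["jti"]] = now
        return True


def demo():
    """Constructed scenario: client clock three days behind the server. Returns outcome per step."""
    clock = [1_700_000_000.0]                       # controllable server clock
    skewed_iat = int(clock[0]) - 3 * 24 * 3600      # iat as stamped by the skewed device
    out = {}

    def attempt(validator, claims, step):
        try:
            validator.validate(claims)
            out[step] = "accepted"
        except DPoPProofError as exc:               # DPoPNonceRequired is a subclass
            out[step] = str(exc)

    strict = DPoPValidator(use_nonce=False, clock=lambda: clock[0])
    attempt(strict, {"jti": "a1", "iat": skewed_iat}, "iat_only")

    with_nonce = DPoPValidator(use_nonce=True, clock=lambda: clock[0])
    attempt(with_nonce, {"jti": "b1", "iat": skewed_iat}, "no_nonce_yet")
    nonce = with_nonce.issue_nonce()                # what the DPoP-Nonce header would carry
    attempt(with_nonce, {"jti": "b1", "iat": skewed_iat, "nonce": nonce}, "fresh_nonce")
    attempt(with_nonce, {"jti": "b1", "iat": skewed_iat, "nonce": nonce}, "replayed_jti")
    attempt(with_nonce, {"jti": "b2", "iat": skewed_iat, "nonce": "1700000000.forged"}, "forged_nonce")
    clock[0] += NONCE_TTL_S + 1
    attempt(with_nonce, {"jti": "b3", "iat": skewed_iat, "nonce": nonce}, "expired_nonce")
    return out
```

Running `demo()` shows the two rules side by side: the skewed proof fails under the plain `iat` rule, passes once it carries a fresh server nonce, and is still rejected when the same `jti` is presented again. Forged and expired nonces both produce a `use_dpop_nonce` challenge rather than a hard failure, which is what lets a client with a bad clock recover by retrying.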


Re: [OAUTH-WG] WGLC for DPoP Document

2022-03-30 Thread Pieter Kasselman
I support publication

From: OAuth  On Behalf Of Warren Parad
Sent: Wednesday 30 March 2022 13:12
To: Torsten Lodderstedt 
Cc: oauth 
Subject: Re: [OAUTH-WG] WGLC for DPoP Document

I support publication.



Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement 
Authress.


On Wed, Mar 30, 2022 at 2:08 PM Torsten Lodderstedt wrote:
I support publication of this specification.


On 30.03.2022 at 09:18, Steinar Noem wrote:

I support publication of the specification

On Wed, 30 Mar 2022 at 08:56, Dave Tonge wrote:
I support publication of the specification

On Wed, 30 Mar 2022 at 08:55, Daniel Fett wrote:

I also support publication.

-Daniel
On 29.03.22 at 23:20, David Waite wrote:
I also support publication of this specification

-DW


On Mar 29, 2022, at 3:12 PM, Mike Jones wrote:

I support publication of the specification.

   -- Mike

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Monday, March 28, 2022 5:01 AM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] WGLC for DPoP Document

All,

As discussed during the IETF meeting in Vienna last week, this is a WG Last 
Call for the DPoP document:
https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/

Please, provide your feedback on the mailing list by April 11th.

Regards,
 Rifaat & Hannes


--

https://danielfett.de


--
Dave Tonge
CTO
Moneyhub Enterprise

[OAUTH-WG] OAuth2.1: auth-param in WWW-Authenticate optional?

2022-03-30 Thread Johannes Koch
Hi,

in https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-05 section
5.2.2:

  All challenges for this token type MUST use the auth-scheme value
  Bearer.  This scheme MUST be followed by one or more auth-param
  values.


Why is at least one auth-param required? It makes

  WWW-Authenticate: Bearer

in response to a request lacking any authentication information (thus not
containing an error auth-param attribute) non-compliant. The optional scope
attribute is not useful in this case. The optional realm attribute may not
be necessary (e.g. if there is only one realm). So to be compliant, you
would have to add a non-meaningful auth-param like foo=bar.

Note: While in rfc2617 challenge was defined as

  challenge   = auth-scheme 1*SP 1#auth-param

(requiring at least one auth-param), rfc7235 does not have this requirement:

  challenge   = auth-scheme [ 1*SP ( token68 / #auth-param ) ]

-- 
Johannes Koch
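An added example, not from the thread or from any OAuth library: a parser for a single WWW-Authenticate challenge following the RFC 7235 ABNF quoted above, plus a check for the draft-ietf-oauth-v2-1-05 section 5.2.2 wording. It shows that a bare `WWW-Authenticate: Bearer` is a well-formed RFC 7235 challenge but fails the draft's "one or more auth-param" rule, while `Bearer foo=bar` satisfies it. Assumptions of this example: one challenge per header value (the comma-separated list of several challenges is not split, since a bare token there could be either the next auth-scheme or a token68), auth-scheme comparison is case-insensitive as RFC 7235 specifies, and the function names `parse_challenge`, `rfc7235_valid` and `bearer_v21_compliant` are this example's own.

```python
import re

# ABNF pieces from RFC 7230 section 3.2.6 and RFC 7235 section 2.1
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"          # token = 1*tchar
TOKEN68 = r"[A-Za-z0-9\-._~+/]+=*"                 # token68
QUOTED = r'"(?:[^"\\]|\\.)*"'                      # quoted-string, with quoted-pair
# auth-param = token BWS "=" BWS ( token / quoted-string )
AUTH_PARAM = re.compile(rf"({TOKEN})\s*=\s*({TOKEN}|{QUOTED})")
SCHEME_AND_REST = re.compile(rf"({TOKEN})(?:\s+(.*))?$", re.S)


def parse_challenge(value):
    """Parse one RFC 7235 challenge:
         challenge = auth-scheme [ 1*SP ( token68 / #auth-param ) ]
    Returns (scheme, token68 or None, {name: value}); raises ValueError if malformed."""
    m = SCHEME_AND_REST.match(value.strip())
    if not m:
        raise ValueError("missing auth-scheme")
    scheme, rest = m.group(1), (m.group(2) or "").strip()
    if not rest:                                   # bare scheme: allowed by RFC 7235
        return scheme, None, {}
    if re.fullmatch(TOKEN68, rest):                # single token68 (e.g. Basic/Negotiate data)
        return scheme, rest, {}
    params, pos = {}, 0
    while pos < len(rest):
        pm = AUTH_PARAM.match(rest, pos)
        if not pm:
            raise ValueError(f"bad auth-param at {rest[pos:]!r}")
        name, raw = pm.group(1).lower(), pm.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])   # strip quotes, undo quoted-pairs
        if name in params:                         # RFC 7235: a parameter MUST NOT occur twice
            raise ValueError(f"duplicate auth-param {name!r}")
        params[name] = raw
        pos = pm.end()
        # #rule list: elements separated by commas, empty elements tolerated, or end of value
        sep = re.match(r"\s*(?:,\s*)+|\s*$", rest[pos:])
        if not sep:
            raise ValueError(f"expected ',' at {rest[pos:]!r}")
        pos += sep.end()
    return scheme, None, params


def rfc7235_valid(value):
    """True if the value parses as an RFC 7235 challenge (bare scheme included)."""
    try:
        parse_challenge(value)
        return True
    except ValueError:
        return False


def bearer_v21_compliant(value):
    """draft-ietf-oauth-v2-1-05 section 5.2.2: auth-scheme Bearer, followed by one
    or more auth-params. Scheme names are case-insensitive per RFC 7235."""
    try:
        scheme, token68, params = parse_challenge(value)
    except ValueError:
        return False
    return scheme.lower() == "bearer" and token68 is None and len(params) >= 1


if __name__ == "__main__":
    for hdr in ["Bearer", 'Bearer realm="api"', 'Bearer error="invalid_token", scope="read"']:
        print(f"{hdr!r}: rfc7235={rfc7235_valid(hdr)} oauth2.1={bearer_v21_compliant(hdr)}")
```

The parser treats `realm=` with no value as a token68 (the RFC 7235 grammar is genuinely ambiguous there), which is another reason a server that wants to be safe under the draft's wording ends up emitting a real auth-param such as `realm` even when it has only one realm.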


Re: [OAUTH-WG] WGLC for DPoP Document

2022-03-30 Thread Warren Parad
I support publication.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress.


Re: [OAUTH-WG] WGLC for DPoP Document

2022-03-30 Thread Torsten Lodderstedt
I support publication of this specification. 

Re: [OAUTH-WG] WGLC for DPoP Document

2022-03-30 Thread Steinar Noem
I support publication of the specification

-- 
Kind regards

Steinar Noem
Partner Udelt AS
Systems developer

| stei...@udelt.no | h...@udelt.no  | +47 955 21 620 | www.udelt.no |