Re: [OAUTH-WG] Call for Feedback on draft-ietf-oauth-iss-auth-resp-00

Fri, 21 May 2021 01:05:08 -0700

The spec is fine, we've had it implemented for some time now and support its publication.
+1 to Brian's comment. I suppose it suffices to say the iss parameter is redundant when JARM is used as JARM provides the same countermeasure. I found the normative text about what JARM allows or disallows (or have text that reads like normative) problematic, the JARM spec should remain the place for this. 

Thanks for this work Karsten. Also my thanks to Daniel.

Vladimir

On 21/05/2021 00:00, Brian Campbell wrote:

Thanks Karsten,


That's moving in the right direction. But I think the last sentence is 
still too strong and maybe prone to misunderstanding given it's not 
100% obvious in the JARM case what exactly constitutes an 
authorization response parameter.



I'd say the last sentence could just be dropped altogether. Or maybe 
changed to something like this, "Therefore, an additional iss 
parameter outside the JWT is unneeded when JARM is used."




On Wed, May 19, 2021 at 12:45 AM Karsten Meyer zu Selhausen 
<karsten.meyerzuselhau...@hackmanit.de 
<mailto:karsten.meyerzuselhau...@hackmanit.de>> wrote:


    Hi Brian,

    thank you for your feedback.

    I agree that the language is too strong here. What do you think
    about this new note?


    Note: The "JWT Secured Authorization Response Mode for OAuth 2.0
    (JARM)" [JARM] defines a mechanism that conveys all authorization
    response parameters in a JWT. This JWT contains an iss claim that
    provides the same protection if it is validated as described in
    Section 2.4. Therefore, an additional iss authorization response
    parameter as defined by this document MUST NOT be used when JARM
    is used.


    Best regards,
    Karsten

    On 15.05.2021 00:35, Brian Campbell wrote:

    Overall it looks pretty good to me.
    One little nit is that I don't love this text from the end of sec
    2.4 that talks about JARM:

    'Note: The "JWT Secured Authorization Response Mode for OAuth 2.0
    (JARM)" [JARM] forbids the use of additional parameters in the
    authorization response. Therefore, the iss parameter MUST NOT be
    used when JARM is used. However, JARM responses contain an iss
    claim that provides the same protection if it is validated as
    described in Section 2.4.'

    JARM doesn't exactly forbid additional parameters but rather just
    wraps up all the authorization response parameters as claims in a
    JWT which is itself sent as a single form/query/fragment
    parameter. So really the iss authorization response parameter of
    this draft is still sent as a claim of the JARM JWT. It just
    happens to be the same as the iss claim value that JARM is
    already including.

    On Sat, May 1, 2021 at 2:47 PM Rifaat Shekh-Yusef
    <rifaat.s.i...@gmail.com <mailto:rifaat.s.i...@gmail.com>> wrote:

        All,

        We have not seen any comments on this document.
        Can you please review the document and provide feedback, or
        indicate that you have reviewed the document and have no
        concerns.

        Regards,
         Rifaat & Hannes


        On Thu, Apr 15, 2021 at 3:04 AM Karsten Meyer zu Selhausen
        <karsten.meyerzuselhau...@hackmanit.de
        <mailto:karsten.meyerzuselhau...@hackmanit.de>> wrote:

            Hi all,

            the latest version of the security BCP references
            draft-ietf-oauth-iss-auth-resp-00 as a countermeasures to
            mix-up attacks.

            There have not been any concerns with the first WG draft
            version so far:
            https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/
            <https://datatracker.ietf.org/doc/draft-ietf-oauth-iss-auth-resp/>

            I would like to ask the WG if there are any comments on
            or concerns with the current draft version.

            Otherwise I hope we can move forward with the next steps
            and hopefully finish the draft before/with the security BCP.

            Best regards,
            Karsten


            -- 
            Karsten Meyer zu Selhausen

            Senior IT Security Consultant
            Phone:      +49 (0)234 / 54456499
            Web:        https://hackmanit.de  <https://hackmanit.de>  | IT 
Security Consulting, Penetration Testing, Security Training

            Is your OAuth or OpenID Connect client vulnerable to the severe 
impacts of mix-up attacks? Learn how to protect your client in our latest blog 
post on single sign-on:
            
https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks
  
<https://www.hackmanit.de/en/blog-en/132-how-to-protect-your-oauth-client-against-mix-up-attacks>

            Hackmanit GmbH
            Universitätsstraße 60 (Exzenterhaus)
            44789 Bochum

            Registergericht: Amtsgericht Bochum, HRB 14896
            Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj 
Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz

            _______________________________________________
            OAuth mailing list
            OAuth@ietf.org <mailto:OAuth@ietf.org>
            https://www.ietf.org/mailman/listinfo/oauth
            <https://www.ietf.org/mailman/listinfo/oauth>

        _______________________________________________
        OAuth mailing list
        OAuth@ietf.org <mailto:OAuth@ietf.org>
        https://www.ietf.org/mailman/listinfo/oauth
        <https://www.ietf.org/mailman/listinfo/oauth>


    /CONFIDENTIALITY NOTICE: This email may contain confidential and
    privileged material for the sole use of the intended
    recipient(s). Any review, use, distribution or disclosure by
    others is strictly prohibited.  If you have received this
    communication in error, please notify the sender immediately by
    e-mail and delete the message and any file attachments from your

    computer. Thank you./ 



    -- 
    Karsten Meyer zu Selhausen

    Senior IT Security Consultant
    Phone:      +49 (0)234 / 54456499
    Web:        https://hackmanit.de  <https://hackmanit.de>  | IT Security 
Consulting, Penetration Testing, Security Training

    Möchten Sie sich für ein Projekt mit dem Thema Single Sign-On oder den 
Standards OAuth und OpenID Connect vertraut machen?
    Dann melden Sie sich jetzt an für Ihre Einführung in Single Sign-On, OAuth 
und OpenID Connect am Mittwoch, 09.06.2021, von 10:00 - 14:30 Uhr!
    
https://www.hackmanit.de/de/schulungen/uebersicht/139-einfuehrung-in-single-sign-on-oauth-und-openid-connect
  
<https://www.hackmanit.de/de/schulungen/uebersicht/139-einfuehrung-in-single-sign-on-oauth-und-openid-connect>

    Hackmanit GmbH
    Universitätsstraße 60 (Exzenterhaus)
    44789 Bochum

    Registergericht: Amtsgericht Bochum, HRB 14896
    Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. 
Christian Mainka, Dr. Marcus Niemietz



/CONFIDENTIALITY NOTICE: This email may contain confidential and 
privileged material for the sole use of the intended recipient(s). Any 
review, use, distribution or disclosure by others is strictly 
prohibited.  If you have received this communication in error, please 
notify the sender immediately by e-mail and delete the message and any 
file attachments from your computer. Thank you./


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth






















					Reply via email to