[Openid-specs-ab] -00 of draft-bradley-stateless-oauth-client

John Bradley ve7jtb at ve7jtb.com
Sun Nov 3 17:04:01 UTC 2013

YEs in my other response to Hannes I noted that in the simple case of a one to one relationship between a AS and a registration server AES_CBC_HMAC_SHA2 is probably the best way to do integrity(must not say signing or the crypto wonks go nuts)  and confidentiality if a symetric secret is included in the JWT.

The need for confidentiality goes away if the client is using a asymmetric key to authenticate.

Separately I have been dealing with several OAuth clients (Websites) that have been compromised and lost all of there OAuth 1 tokens and secrets as well as all of there Oauth 2 tokens.
We can put it down to bad security, but having long lived access tokens and there secrets hanging around in databases is a tempting target.  
It is also challenging for a client to protect there symmetric client secret in these cases as it is typically in some file on the disk.

There may at some point be a push to use asymmetric keys from a HSM to secure access to the token endpoint and keep the lifetime of the access tokens short.

One thing that is a limitation of encoding information in the client_id is that we don't currently allow the client_id to change during updated in client registration.
If we did then the JWT could contain some fixed id for the client that the AS would use as the key for authorizations.

I was trying to stay inside the scope of the current drafts.    
Our options are to allow client_id to change  this requires only a change in dynamic registration, and not the rest of the client logic, or to crate a separate parameter for client_assertion that would contain the signed information including the client_id sending the client_id twice.

I think allowing the client_id to be reference or assertion  as determined by the AS is more in keeping with what we are doing with access tokens.  
I don't think that should require any change to clients,  though it would require change to server logic to treat the incoming client_id as a reference or assertion to the actual client identifier rather than always being a literal.

I think it is worth discussing.

John B.

On Nov 3, 2013, at 8:36 AM, Brian Campbell <bcampbell at pingidentity.com> wrote:

> Some musings on http://tools.ietf.org/html/draft-bradley-stateless-oauth-client-00
> Abstract: "... allowing for fully stateless operation." --> saying that the statelessness is on the AS side might avoid some confusion. The client is still going to have to maintain state. 
> The kid is header rather than a claim.
> "The issuer SHOULD sign the JWT with JWS ...  issuer MAY encrypt the JWT with JWE." --> this text seems a little off given that the most common case, I'd think, would be an AS who issues these client id JWTs only for its own consumption using JWE's AES_CBC_HMAC_SHA2 which gives encryption and integrity protection.
> Does the relationship between the "iat" and "exp" claims here and the "client_secret_expires_at" and "client_id_issued_at" parameters of dyn reg need to be explained or explored more? Strikes me as potentially problematic.
> And what happens when one of these JWT client ids expires or needs to be updated? Or the keys used to create or verify them expire? I know the answer thus far has been that the client will just have to get a new one. But I feel like that might be too limiting in practice. I'd like to further pursue understanding/defining how these kinds of client ids might be used in conjunction with a longer lived way to identify the client that allows the client id (i.e. the metadata) to change but can allow correlation across such changes (the sub claim in this doc even suggests that a client might have such an identifier).
> As was pointed out in another review, there's a difference between documenting how it's possible for an AS to issue "stateless" client ids for its own use and defining something that allows for some other party to issue such ids. It may make sense to discuss them in the same document but I believe it'd be valuable to have the doc acknowledge and address the difference more.
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131103/77c9ee11/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4507 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131103/77c9ee11/attachment.p7s>

More information about the Openid-specs-ab mailing list