[Openid-specs-ab] -00 of draft-bradley-stateless-oauth-client

Brian Campbell bcampbell at pingidentity.com
Sun Nov 3 18:26:06 UTC 2013

inline below...

On Sun, Nov 3, 2013 at 9:04 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes in my other response to Hannes I noted that in the simple case of a one
> to one relationship between an AS and a registration server AES_CBC_HMAC_SHA2
> is probably the best way to do integrity (must not say signing or the crypto
> wonks go nuts) and confidentiality if a symmetric secret is included in the
> JWT.

I think we agree on this. But the text in -00 of the document doesn't
reflect that situation very well.

> The need for confidentiality goes away if the client is using an asymmetric
> key to authenticate.
> Separately I have been dealing with several OAuth clients (Websites) that
> have been compromised and lost all of their OAuth 1 tokens and secrets as
> well as all of their OAuth 2 tokens.
> We can put it down to bad security, but having long lived access tokens and
> their secrets hanging around in databases is a tempting target.
> It is also challenging for a client to protect their symmetric client secret
> in these cases as it is typically in some file on the disk.
> There may at some point be a push to use asymmetric keys from an HSM to
> secure access to the token endpoint and keep the lifetime of the access
> tokens short.

That's all potentially true but symmetric secrets aren't going to just
go away so they need to be considered accordingly.

> One thing that is a limitation of encoding information in the client_id is
> that we don't currently allow the client_id to change during updates in
> client registration.
> If we did then the JWT could contain some fixed id for the client that the
> AS would use as the key for authorizations.

Yes, that's pretty much what I was thinking. True, it's a change to
registration but registration is still in progress so now is a good
time. And the main implication is that clients would need to be able
to handle the client_id changing along with other parameters.

> I was trying to stay inside the scope of the current drafts.

Understood. But I think some kind of life-cycle support for update
etc. is needed for this to work beyond just simple set up and test
scenarios. So I'd like to consider potential changes to other drafts
in order to accommodate.

> Our options are to allow client_id to change, this requires only a change in
> dynamic registration, and not the rest of the client logic, or to create a
> separate parameter for client_assertion that would contain the signed
> information including the client_id sending the client_id twice.

In a vacuum I think that a separate parameter is a cleaner solution.
But with RFC 6749 already out there, I don't think it's particularly
viable at this point.

> I think allowing the client_id to be a reference or assertion as determined
> by the AS is more in keeping with what we are doing with access tokens.
> I don't think that should require any change to clients, though it would
> require change to server logic to treat the incoming client_id as a
> reference or assertion to the actual client identifier rather than always
> being a literal.

Yes but the wire protocol of RFC 6749 is unchanged and I think it's
perfectly reasonable to expect an AS that wants stateless clients to
make those kinds of changes.

> I think it is worth discussing.

Thanks, I'll see you in a few hours...

> On Nov 3, 2013, at 8:36 AM, Brian Campbell <bcampbell at pingidentity.com>
> wrote:
> Some musings on
> http://tools.ietf.org/html/draft-bradley-stateless-oauth-client-00
> Abstract: "... allowing for fully stateless operation." --> saying that the
> statelessness is on the AS side might avoid some confusion. The client is
> still going to have to maintain state.
> The kid is a header rather than a claim.
> "The issuer SHOULD sign the JWT with JWS ...  issuer MAY encrypt the JWT
> with JWE." --> this text seems a little off given that the most common case,
> I'd think, would be an AS who issues these client id JWTs only for its own
> consumption using JWE's AES_CBC_HMAC_SHA2 which gives encryption and
> integrity protection.
> Does the relationship between the "iat" and "exp" claims here and the
> "client_secret_expires_at" and "client_id_issued_at" parameters of dyn reg
> need to be explained or explored more? Strikes me as potentially
> problematic.
> And what happens when one of these JWT client ids expires or needs to be
> updated? Or the keys used to create or verify them expire? I know the answer
> thus far has been that the client will just have to get a new one. But I
> feel like that might be too limiting in practice. I'd like to further pursue
> understanding/defining how these kinds of client ids might be used in
> conjunction with a longer lived way to identify the client that allows the
> client id (i.e. the metadata) to change but can allow correlation across
> such changes (the sub claim in this doc even suggests that a client might
> have such an identifier).
> As was pointed out in another review, there's a difference between
> documenting how it's possible for an AS to issue "stateless" client ids for
> its own use and defining something that allows for some other party to issue
> such ids. It may make sense to discuss them in the same document but I
> believe it'd be valuable to have the doc acknowledge and address the
> difference more.
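The case both messages describe, an AS issuing client_id values only for its own consumption, protecting them with AES_CBC_HMAC_SHA2 and treating an incoming client_id as an assertion rather than a literal, can be sketched as follows. This is an added example, not code from the draft or from either author; the function names, the claim layout and the choice of a compact JWE with "dir" and "A128CBC-HS256" are assumptions.

```javascript
// Added example: stateless client_id as a compact JWE, alg "dir", enc "A128CBC-HS256".
// issueClientId / resolveClientId and the claim layout are hypothetical names.
const crypto = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const HEADER = b64u(JSON.stringify({ alg: 'dir', enc: 'A128CBC-HS256' }));

// RFC 7518 section 5.2: first half of the key is the MAC key, second half the AES key.
function authTag(key, iv, ciphertext) {
  const aad = Buffer.from(HEADER, 'ascii');
  const al = Buffer.alloc(8);
  al.writeBigUInt64BE(BigInt(aad.length * 8)); // AAD length in bits
  return crypto.createHmac('sha256', key.subarray(0, 16))
    .update(Buffer.concat([aad, iv, ciphertext, al])).digest().subarray(0, 16);
}

// claims: registration metadata plus a fixed "sub" and an "exp" (epoch seconds).
function issueClientId(key, claims) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-128-cbc', key.subarray(16), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(claims)), cipher.final()]);
  // Empty second segment: with "dir" there is no encrypted key.
  return [HEADER, '', b64u(iv), b64u(ct), b64u(authTag(key, iv, ct))].join('.');
}

// Treat the incoming client_id as an assertion: verify, decrypt, check exp.
function resolveClientId(key, clientId, now = Math.floor(Date.now() / 1000)) {
  const parts = clientId.split('.');
  if (parts.length !== 5 || parts[0] !== HEADER || parts[1] !== '') {
    throw new Error('not a client_id JWE');
  }
  const [iv, ct, tag] = parts.slice(2).map((p) => Buffer.from(p, 'base64url'));
  const expected = authTag(key, iv, ct);
  // Check the tag before decrypting so padding errors are never reachable.
  if (tag.length !== expected.length || !crypto.timingSafeEqual(tag, expected)) {
    throw new Error('integrity check failed');
  }
  const decipher = crypto.createDecipheriv('aes-128-cbc', key.subarray(16), iv);
  const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
  const claims = JSON.parse(plain.toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('client_id expired');
  return claims; // claims.sub is the stable key for stored authorizations
}
```

A registration update calls `issueClientId` again with the same `sub`, so the client_id string changes while authorizations keyed on `sub` remain valid.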