oauth 2.0 security ietf oauth wg conference call, 14th december 2012
TRANSCRIPT
OAuth 2.0 SecurityIETF OAuth WG Conference Call, 14th December 2012
Note WellAny submission to the IETF intended by the Contributor for publication as all or part of an IETF
Internet-Draft or RFC and any statement made within the context of an IETF activity is considered an "IETF Contribution". Such statements include oral statements in IETF sessions, as well as written and electronic communications made at any time or place, which are addressed to:
– The IETF plenary session – The IESG, or any member thereof on behalf of the IESG – Any IETF mailing list, including the IETF list itself, any working group or design team list, or any other
list functioning under IETF auspices – Any IETF working group or portion thereof – The IAB or any member thereof on behalf of the IAB – The RFC Editor or the Internet-Drafts function
All IETF Contributions are subject to the rules of RFC 5378 and RFC 3979 (updated by RFC 4879).
Statements made outside of an IETF session, mailing list or other function, that are clearly not intended to be input to an IETF activity, group or function, are not IETF Contributions in the context of this notice.
Please consult RFC 5378 and RFC 3979 for details.
A participant in any IETF activity is deemed to accept all IETF rules of process, as documented in Best Current Practices RFCs and IESG Statements.
A participant in any IETF activity acknowledges that written, audio and video records of meetings may be made and may be available to the public.
Agenda
• Discuss security requirements and use cases in order to get a better understanding of the design space outlined in <draft-tschofenig-oauth-security>
Use Case #1: Load Balancer
User Agent &
Resource Owner
Client (C)
Authorization Server (AS)
Resource Server (RS)
Load Balancer
TLS
Access Token
Keys & Meta Data
AS-C
AS-RS
Access Token
AS-RS
AuthenticatorC-RS
TLS
Notes for Use Case 1
• To prevent a load balancer from being used channel bindings can be deployed.
• The operator of the resource server may decide to “terminate” application security also at the load balancer.
Use Case #2: “Unprotected” Resource
User Agent &
Resource Owner
Client (C)
Authorization Server (AS)
Resource Server (RS)
Access Token
Keys & Meta Data
AS-C
AS-RS
Access Token
AS-RS
AuthenticatorC-RS
TLS
Notes for Use Case 2
• This use case only assumes that TLS is not used by the resource server.
• OAuth 2.0 requires TLS to be used with the authorization server.
• Hence, a TLS-incapable OAuth 2.0 client requires more changes.
Use Case #3: Prevent Access Token Re-Use
Access Token
User Agent &
Resource Owner
Client (C)
Authorization Server (AS)
Resource Server 1 (RS1)
Access Token
Keys & Meta Data
AS-C
AS
Access Token
AS
AuthenticatorC-RS1
TLS
Resource Server 2 (RS1)
AS
AuthenticatorC’-RS2
Notes for Use Case 3
• Assumption: – RS cannot re-generate Authenticator.
• Alternative solutions: 1. AS puts intended recipient (RS1) into the
access token.
2. AS encrypts token with key known to RS1 only.
Use Case #4: AS-to-RS Relationship Anonymity
• Idea: AS should not know with whom a resource owner is talking to.
• Implications:– No RS info made available to the AS by the
client– RS does not interact with the AS (in the
backend).– AS signs access token
Open Issue: Client Instance
• Client authentication allow authentication to the AS.– Same credentials may be re-use by a number
of different client instances
• Suggestion was made to offer authentication of a client instance.
• By whom would this identification be used and for what purpose?
• What identifier could be used?
Open Issue: Key Lifetime & Context
• The client obtains keying material from the AS.• Questions:
– Does it change when a new access token is requested?
– Is it valid only for a specific RS?– When an access token with a new scope is requested
does the keying material change?– Who contributes to the keying material: client, AS, or
both?– Is there an explicit lifetime associated?