OAuth IETF 121 Monday

Notetakers:

Chair Updates

OAuth Security Workshop 2025

Reykjavik Iceland
Feb 26-28 2025
https://oauth.secworkshop.events/osw2025

Draft Updates

Waiting for shepherd writeups on browser-based and cross-device apps

PR metadata in RFC Editor's Queue

Token Status List

https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/

problem: enable the issuer of a token to communicate dynamic status for
longer lived tokens

similar to CRL, but more scalable and aimed at tokens

has been tested and interopped, various implementations

Security/privacy considerations notably updated since last IETF

big changes since last time:

drop the unsigned option? makes spec significantly cleaner

Justin: Architecturally cleaner to seperate content/delivery format.
Probably fine to drop unsigned option. But do add security
considerations that it's expected to be in a secured container.

Aaron: My use case doesn't require a signed JWT but I'm not planning on
using it immediately; would be good to be able to expand it to these use
cases later

Brian: suggestion to keep unsigned option was to keep only the unsigned
option; if signed is needed then simplify to just signed

Hannes (chair hat off): Do we really need JOSE and CBOR? Wouldn't it be
simpler to have just one.
- paul: people are looking to use this in existing ecosystems that are
already based on JOSE/COSE; want to avoid bringing in more dependencies

Brian: why don't ISO/mDL define their own mechanisms?
- Hannes: we can't answer that
- Tobias: ISO already relies on IETF documents already, COSE is the
base of mDOC

Joseph: there's a lot of developers that have to develop across ISO mDL
and SD-JWT, it simplifies to keep things aligned

Hannes: Task for the chairs to reach out to ISO -- no we don't want to
do that

Brian: There's already an entire fork of things that are different. I
can see we're gonna keep it but it's odd

Tobias: mDOC is just as general purpose as SD-JWT, not just driving
licenses

Tony: we (ISO) did look at using other things, but this work was natural
to use

Other compression algorithms

Justin: It's fine for a RFC to update an existing registry to add new
columns, just have to be approved by relevant experts. There are some
general purposes registries for hash algs etc already, would be better
to reuse rather than reinvent, having a lot of overlapping registries is
confusing / results in slightly dight be pmaren urevalues.

Hannes: do we want to add options? last slide we were removing options
for simplicity

Brian: building out options to support extensibility in this structure
seems like a bad idea, particularly you have a construct of making this
whole thing extensible at another layer. Don't do it.

Paul: the whole idea is that compression is really important. Compared
to CRL we include every issued credential. more about having "none" as
compression alg. Mifferent optimizations

joseph: problem with single nonce point is the same semantics for all
the nonces, shouldn't use the same thing for everything in oauth

hannes: and we aren't going to change dpop, it's in the past

pieter: not about expense, it's a risk decision and willing to pay the
price

hannes: also issue of who creates the signature. in dpop it's software,
in this it is very low level hardware

Justin: nonces exist in context, another disadvantage of a single nonce
endpoint is you lose that context. Specific protocol/crypto
mechanism/particular exchange. Yes, we're reinventing, but the context
gives the nonce a purpose/use.

hannes: will find a time slot, beginning of december

Attestation Basic Client Authentication

get attestation from backend to present with client frontend

changes since last ietf:

key attestation vs. client attestation

nonce fetching:

dpop optimization:

george: can we just have a common nonce solution?

paul: nonce endpoint was proposed here but rejected

george: it seems like we're leveraging nonce a lot to address
time/freshness aspects; having a generic way to do this would be good
instead of tweaking it every time

christian: it's reoccuring but there are different optimizations

joseph: problem with single nonce point is the same semantics for all
the nonces, shouldn't use the same thing for everything in oauth

hannes: and we aren't going to change dpop, it's in the past

pieter: not about expense, it's a risk decision and willing to pay the
price

hannes: also issue of who creates the signature. in dpop it's software,
in this it is very low level hardware

Justin: nonces exist in context, another disadvantage of a single nonce
endpoint is you lose that context. Specific protocol/crypto
mechanism/particular exchange. Yes, we're reinventing, but the context
gives the nonce a purpose/use.

hannes: sounds like we need to work more on this

Transaction Tokens

goal is to look at transactions w/in multi-workload environment as a
whole instead of series of api invocations

updates from last time

discovery

hannes: what would be input to discovery?

george: that's a good question, i don't know how you'd do that without
binding it into some other document that's already known

arndt: ability to find correct transaction token server, do you imagine
that for the gateway or all the way through the domain?

george: it's relatively easy to define in some circumstances, but there
is an issue here; have come up with three likely models

1) embedded in AS or gateway
2) truly centralized, logical single entity, externalized from AS or
gateway
3) distributed set of services that form a logical single unit

hannes: should this be asked in WIMSE?

justin: drop a note to the WIMSE list

dean: related to token translation, bring the conversation there

joe: we want to update and include more on transaction and context.
quesiton on 3rd mechanism, would you see all distributed services as
equivalent?

george: generally thinking they're equivalent, it's a performance
mechanism. at the end of the day, transaction token service is
performing an authorization: can this client do something on this
transaction. if they perform slightly different functions, creates
question of whether they're different services. spec says there's one
logical service per trust domain. would that change?

batch processing:

hannes: have you looked at kerberos mechanism for dealing with
long-running batch jobs?

Yaron: this is even more of a WIMSE question. very much in the context
of how workloads are authenticated and authorized, suggest going to
WIMSE list. let's not have transaction tokens as access tokens, keep
them as context, but we need to have that discussion.

arndt: also to keep it out of scope. transaction tokens can be safely
forwarded, batch job means "allow-*", anything in the chain can act on
behalf of user

george: agree with concerns, would lean more towards special token. It's
weird for transaction token service to issue something that's not a
transaction token.

RAR:

Justin: authorization details lives at the top level of the transaction
token

George: what does top level mean?

Justin: I meant where George had said. But claim name & internal syntax
should come straight from RAR. Additional things transaction spec
defines for context adds valuable things RAR isn't talking about and
have them both along aside each other semantically makes sense.

George: If authz request came with RAR environment, and AS issues token
in context of RAR objects, in some cases RAR is in the access token and
can just be copied into transaction token. Exactly how we do that
depends on best practice, we don't have that kind of guidance for scopes
either.

Hannes: Does RAR syntax give a rich enough capability or do we need more
powerful policy languages like discussed at previous IETF.

Justin: If there's a place we can decide where policy languages fit
inside, we define a claim/place for it and transaction tokens can use
it.

Client ID Hint for AS Metadata Requests

no ID to present, goal is to figure out if there should be one

AS discovery always sends the same thing back

can be expanded via registry, always say "if omitted, default is..."

metadata chances CAN break existing integrations

AS metadata does not support migration

AS server metadata with a client hint

does not replace or deprecate RFC8414

some servers already accomodate this discovery mechanism, some started
giving errors

Justin: Seems like great idea. Emphasis on "seems". Lesson from past is
failure of webfinger, I wanted it to be real, but in practice getting a
dynamic service up at the root domain of a system (i.e. .well-known at
origin) is very difficult in a lot of systems on a lot of domains. In
practice in many deployments I was involved with web finger ignored all
the parameters & served a static document. It wouldn't hurt to do this
but I don't have high hopes for this really sticking in the system
because of those .well-known constrains.

Filip: So would be useful, but deployment often doesn't accomodate it?

Justin: Yes. Related issue of very strict path mapping to the static
files, something with a ? will often go to a 404. Just a lot of issues
with making this work on the deployment side. There are some
security/privacy consideration, but conceptually I don't see problems
but deployment I do.

Filip: Will that stop us defining the mechanism?

Justin: WG has great history of defining things that don't get deployed.
Web finger was fabulous and solved a key need but never took off. We can
still define it but we can't make people use it. We need to go in with
our eyes open, maybe we can't avoid them, maybe we can do better this
time.

Aaron: Agree with most of what Justin says. deployment issues around top
level domain can be challenging. In the scenarios where this is needed
the top level domain is under control of oauth anyway. For a sub-domain
under control of particular customer this is okay and works. As long as
it's not required it's probably fine. If this was required for
everything it'd be a problem but this is just an upgrade for certain
thing. Privacy issues similar to those being discussed in FedCM, but
probably this won't be used with FedCM.

Filip: Our discovery endpoint isn't being used with FedCM

Aaron: Yes, but there is an endpoint where FedCM fetches metadata, but
it's done without the cookie. In general a good idea and useful.

Arndt: dont' think we should do this to mitigate misbehaving clients.
it's not going to end and it adds chaos to the system if clients behave
differently. It's good for gradual rollout of changes.

George: dealt with trying to implement webfinger @ aol/aim, agree in
this context that AS often doesn't run at ETLD, usually a separate
domain. There's opportunity for some security principles. Had done
complicated thing between webfinger and UMA, some of those principles
could come back.

Mike Jones: observe that if you're using dynamic client registration,
you have to hit discovery first, there's a chicken and egg problem

Dick: echo conerns about dynamic clients, having recently implemented
activitypub. another approach would be a version, not a query string.

Filip: doesn't work with resolving based on identifier

OAuth IETF 121 Tuesday

Notetakers:

91 attendees

OAuth Identity and Authorization Chaining Across Domains

https://datatracker.ietf.org/meeting/121/materials/slides-121-oauth-oauth-identity-and-authorization-chaining-across-domains-00

https://datatracker.ietf.org/doc/draft-ietf-oauth-identity-chaining/

Open Issues

Action

Identity Assertion Authorization Grant - Aaron (15 min)

https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/

First Party Apps – Aaron (30 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-first-party-apps/

OAuth Client ID Metadata Document - Aaron (15 min)

https://datatracker.ietf.org/doc/draft-parecki-oauth-client-id-metadata-document/

OAuth 2.1 update – Aaron (15 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-v2-1/

Changes since last draft:

Various open issues, most already discussed

OAuth Meeting Thursday (120 min)

We have three meetings, is that still OK with people?

What can we do about it?

Justin: We should consider dividing the work in the working group into
other forums. We've gotten too big. IETF has successfully realigned work
in the past.

SD-JWT – Brian (30 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

SD-JWT-VC – Brian (30 min)

https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/

One-time confirmation tokens - Dmitry Telegin (30 min)

(No draft at this point)

One-time auth tokens - via macaroons – Neil Madden (30 min)