IETF Logo Mail Archive

Re: [Unbearable] Include-Referred-Token-Binding-ID redirects within a domain

Nick Harper <nharper@google.com> Fri, 29 July 2016 05:12 UTC

Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C093112D0E1 for <unbearable@ietfa.amsl.com>; Thu, 28 Jul 2016 22:12:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.287
X-Spam-Level:
X-Spam-Status: No, score=-3.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmMeJV-xFr0l for <unbearable@ietfa.amsl.com>; Thu, 28 Jul 2016 22:12:27 -0700 (PDT)
Received: from mail-ua0-x233.google.com (mail-ua0-x233.google.com [IPv6:2607:f8b0:400c:c08::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB13A12D533 for <unbearable@ietf.org>; Thu, 28 Jul 2016 22:12:26 -0700 (PDT)
Received: by mail-ua0-x233.google.com with SMTP id l32so54635094ual.2 for <unbearable@ietf.org>; Thu, 28 Jul 2016 22:12:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=XLirrmcrKTJS2VzWxUQt+z5TU/XnmBZnKUznSMucwF4=; b=KRurImNB0YjFlnLkFIxwyAXNGIupXJcsgf7/KFgK9cO5tGvUnXrsCBWxXQG+3V/Vvu QCVlzQdkFTYsCUPPVW4pE4GnK8cocqUqUAYb+bZ+ifwBaVhXqvu84fOeJrFxwMpM3wrs idXJnwzbfpjHzz/WZO8wVjb0unkjJ7+JM7/52thqRQs+rDGqJM+b7MVm2TYdikaHQXUM z5du0XWeGx1V61TPP8hC+aG0EpZEoNt8EQSuzxiBE2ZqtUshX5E535hTTabK2FJA0yt+ 6ENWk7faK1PekytJZV4FFfEoUaog0q+0ikTcD9gQy57JAWUMlqA+5Trzm1geS6yvl7F9 Mp5w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=XLirrmcrKTJS2VzWxUQt+z5TU/XnmBZnKUznSMucwF4=; b=WL6vg/QiV+ZsNickuhyaj5pUkTi5FIlmAjNRkaztHWbX9PEM/5F/Zr+bMCeBF/EdRc s6G/ZyrhEft1DrNm+rCUKbu5hQjYmdN0XGeNKvd8G1xQzJhjyNmo0iGdLHjXaz0O1949 OhmLQ40f1BUhH75fPzT+0KszBJRajX5i+ywQl6ynvXHTOj09eHiQCfZVnzXtXnAMucJG Sx4YiTdaKWXt9jp1w3O0rPYlAlhyO6AqYnrxtIq5GVBPQPmt3WjCG4DItwiK3x7pmQ3L rTXGATTDE3dzsu6IG7UgECtqoG9mUmGIy63Pux0m26wLondMGYyz6+METde3dSRW+sOx Msrg==
X-Gm-Message-State: AEkoouvz6G4YtR6etxDYfTFpP2+8rHGCWatxCG3MpGeQ+AdJF51r1hvuI3Rfl/G0P+7gbLBqRGkt+3j/UxvMVYjo
X-Received: by 10.159.33.182 with SMTP id 51mr18830047uac.104.1469769145695; Thu, 28 Jul 2016 22:12:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.191.148 with HTTP; Thu, 28 Jul 2016 22:12:06 -0700 (PDT)
In-Reply-To: <CA+k3eCQBubC1Cfzo2gtO_7ntw_pOVF7UQAukr-DcACkra-ivLA@mail.gmail.com>
References: <CA+k3eCQBubC1Cfzo2gtO_7ntw_pOVF7UQAukr-DcACkra-ivLA@mail.gmail.com>
From: Nick Harper <nharper@google.com>
Date: Thu, 28 Jul 2016 22:12:06 -0700
Message-ID: <CACdeXiKoOvdR9udCOi2VvYtjj9ZDPFWgfmWwAuc2M7fcFGb2VA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a113ac7c2d50b4a0538bf4b27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/nE9STluqMjjjs_44bU81k-6s4qQ>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] Include-Referred-Token-Binding-ID redirects within a domain
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2016 05:12:28 -0000

On Wed, Jul 27, 2016 at 12:30 PM, Brian Campbell <bcampbell@pingidentity.com
> wrote:

> What is the expected behavior when a browser receives a redirect with the
> Include-Referred-Token-Binding-ID but is from and to URIs in the same TLD+1
> and everyone is able to negotiate Token Binding? I don't think the
> situation is explicitly covered in HTTPSTB.
>
> For example, when a request made to https://application.example.com
> receives an HTTP 302 that has Include-Referred-Token-Binding-ID:true with
> https://idp.example.com as the location. Is only the provided token
> binding sent by the browser to https://idp.example.com? Or are a provided
> and referred token binding both sent (with the same token binding id)? Or
> something else?
>

It should send both. If it doesn't send both, then the idp has to check
other signals (e.g. Referer header) when it receives only a provided TB to
determine whether it should issue an unbound token or a token bound to the
provided (and in effect the referred) TB. I think it's easier for both the
client and the server if the client sends a referred TB even when the
eTLD+1 is the same.

>
> This situation is fairly common in federated SSO deployments today and,
> depending on how things work from the HTTPSTB perspective, the referred
> token binding alone might not be enough of a signal to the token provider
> about what token binding ID to bind into the SSO token. The initial draft
> of TB for OpenID Connect,
> <http://self-issued.info/docs/openid-connect-token-bound-authentication-1_0-00.html>
> for example, relies on the presence of the Referred Token Binding being
> sent.
>
> I guess I'm suggesting, so federated protocols that use HTTPSTB don't have
> to have special treatment of this situation, that HTTPSTB explicitly say
> that a redirect with the Include-Referred-Token-Binding-ID header signals
> to the browser that it is to send a referred token binding on the resulting
> request even when both resources fall under the same same TLD+1 and the
> provided and referred token bindings would be the same.
>

This is how Chrome currently behaves, and matches what the the HTTPSTB spec
says, since the spec doesn't call for any special treatment when the token
bindings would be the same. I don't have any objections to the spec
clarifying this point.

>
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable
>
>

v2.23.0 | Report a Bug | By Email