| < draft-hunt-oauth-pop-architecture-01.txt | draft-hunt-oauth-pop-architecture-02.txt > | |||
|---|---|---|---|---|
| OAuth P. Hunt, Ed. | OAuth P. Hunt, Ed. | |||
| Internet-Draft Oracle Corporation | Internet-Draft Oracle Corporation | |||
| Intended status: Informational J. Richer | Intended status: Informational J. Richer | |||
| Expires: October 27, 2014 The MITRE Corporation | Expires: December 28, 2014 The MITRE Corporation | |||
| W. Mills | W. Mills | |||
| Yahoo! Inc. | Yahoo! Inc. | |||
| P. Mishra | P. Mishra | |||
| Oracle Corporation | Oracle Corporation | |||
| H. Tschofenig | H. Tschofenig | |||
| ARM Limited | ARM Limited | |||
| April 25, 2014 | June 26, 2014 | |||
| OAuth 2.0 Proof-of-Possession (PoP) Security Architecture | OAuth 2.0 Proof-of-Possession (PoP) Security Architecture | |||
| draft-hunt-oauth-pop-architecture-01.txt | draft-hunt-oauth-pop-architecture-02.txt | |||
| Abstract | Abstract | |||
| The OAuth 2.0 bearer token specification, as defined in RFC 6750, | The OAuth 2.0 bearer token specification, as defined in RFC 6750, | |||
| allows any party in possession of a bearer token (a "bearer") to get | allows any party in possession of a bearer token (a "bearer") to get | |||
| access to the associated resources (without demonstrating possession | access to the associated resources (without demonstrating possession | |||
| of a cryptographic key). To prevent misuse, bearer tokens must to be | of a cryptographic key). To prevent misuse, bearer tokens must to be | |||
| protected from disclosure in transit and at rest. | protected from disclosure in transit and at rest. | |||
| Some scenarios demand additional security protection whereby a client | Some scenarios demand additional security protection whereby a client | |||
| skipping to change at page 1, line 46 ¶ | skipping to change at page 1, line 46 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 27, 2014. | This Internet-Draft will expire on December 28, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 25 ¶ | skipping to change at page 2, line 25 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Access to an 'Unprotected' Resource . . . . . . . . . . . 3 | 3.1. Preventing Access Token Re-Use by the Resource Server . . 3 | |||
| 3.2. Offering Application Layer End-to-End Security . . . . . 4 | 3.2. TLS Channel Binding Support . . . . . . . . . . . . . . . 4 | |||
| 3.3. Preventing Access Token Re-Use by the Resource Server . . 4 | 3.3. Access to a Non-TLS Protected Resource . . . . . . . . . 4 | |||
| 3.4. TLS Channel Binding Support . . . . . . . . . . . . . . . 5 | 3.4. Offering Application Layer End-to-End Security . . . . . 5 | |||
| 4. Security and Privacy Threats . . . . . . . . . . . . . . . . 5 | 4. Security and Privacy Threats . . . . . . . . . . . . . . . . 5 | |||
| 5. Threat Mitigation . . . . . . . . . . . . . . . . . . . . . . 6 | 5. Threat Mitigation . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 5.1. Confidentiality Protection . . . . . . . . . . . . . . . 7 | 5.1. Confidentiality Protection . . . . . . . . . . . . . . . 7 | |||
| 5.2. Sender Constraint . . . . . . . . . . . . . . . . . . . . 7 | 5.2. Sender Constraint . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5.3. Key Confirmation . . . . . . . . . . . . . . . . . . . . 8 | 5.3. Key Confirmation . . . . . . . . . . . . . . . . . . . . 8 | |||
| 5.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 9 | 5.4. Summary . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 6. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10 | 6. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 10 | |||
| 7. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 14 | 7. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 18 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 20 | 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| At the time of writing the OAuth 2.0 protocol family ([RFC6749], | At the time of writing the OAuth 2.0 protocol family ([RFC6749], | |||
| [RFC6750], and [RFC6819]) offer a single standardized security | [RFC6750], and [RFC6819]) offer a single standardized security | |||
| mechanism to access protected resources, namely the bearer token. | mechanism to access protected resources, namely the bearer token. | |||
| RFC 6750 [RFC6750] specifies the bearer token mechanism and defines | RFC 6750 [RFC6750] specifies the bearer token mechanism and defines | |||
| it as follows: | it as follows: | |||
| "A security token with the property that any party in possession | "A security token with the property that any party in possession | |||
| skipping to change at page 3, line 38 ¶ | skipping to change at page 3, line 38 ¶ | |||
| 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this | 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this | |||
| specification are to be interpreted as described in [RFC2119], with | specification are to be interpreted as described in [RFC2119], with | |||
| the important qualification that, unless otherwise stated, these | the important qualification that, unless otherwise stated, these | |||
| terms apply to the design of the protocol, not its implementation or | terms apply to the design of the protocol, not its implementation or | |||
| application. | application. | |||
| 3. Use Cases | 3. Use Cases | |||
| The main use case that motivates better-than-bearer token security is | The main use case that motivates better-than-bearer token security is | |||
| the desire of resource servers to obtain additional assurance that | the desire of resource servers to obtain additional assurance that | |||
| the client is indeed authorized to present this access token. The | the client is indeed authorized to present an access token. The | |||
| expectation is that the use of additional credentials (symmetric or | expectation is that the use of additional credentials (symmetric or | |||
| asymmetric keying material) will encourage developers to take | asymmetric keying material) will encourage developers to take | |||
| additional precautions when transferring or storing the access token | additional precautions when transferring and storing access token in | |||
| in combination with these credentials. | combination with these credentials. | |||
| Additional use cases listed below provide further requirements for | Additional use cases listed below provide further requirements for | |||
| the solution development. | the solution development. Note that a single solution does not | |||
| necessarily need to offer support for all use cases. | ||||
| 3.1. Access to an 'Unprotected' Resource | 3.1. Preventing Access Token Re-Use by the Resource Server | |||
| Imagine a scenario where a resource server that receives a valid | ||||
| access token re-uses it with other resource server. The reason for | ||||
| re-use may be malicious or may well be legitimate. In a legitimate | ||||
| use case consider chaining of computations whereby a resource server | ||||
| needs to consult other third party resource servers to complete the | ||||
| requested operation. In both cases it may be assumed that the scope | ||||
| of the access token is sufficiently large that it allows such a re- | ||||
| use. For example, imagine a case where a company operates email | ||||
| services as well as picture sharing services and that company had | ||||
| decided to issue access tokens with a scope that allows access to | ||||
| both services. | ||||
| With this use case the desire is to prevent such access token re-use. | ||||
| This also implies that the legitimate use cases require additional | ||||
| enhancements for request chaining. | ||||
| 3.2. TLS Channel Binding Support | ||||
| In this use case we consider the scenario where an OAuth 2.0 request | ||||
| to a protected resource is secured using TLS but the client and the | ||||
| resource server demand that the underlying TLS exchange is bound to | ||||
| additional application layer security to prevent cases where the TLS | ||||
| connection is terminated at a TLS intermediary, which splits the TLS | ||||
| connection into two separate connections. | ||||
| In this use case additional information is conveyed to the resource | ||||
| server to ensure that no entity entity has tampered with the TLS | ||||
| connection. | ||||
| 3.3. Access to a Non-TLS Protected Resource | ||||
| This use case is for a web client that needs to access a resource | This use case is for a web client that needs to access a resource | |||
| that makes data available (such as videos) without offering integrity | that makes data available (such as videos) without offering integrity | |||
| and confidentiality protection using TLS. Still, the initial | and confidentiality protection using TLS. Still, the initial | |||
| resource request using OAuth, which includes the access token, must | resource request using OAuth, which includes the access token, must | |||
| be protected against various threats (e.g., token replay, token | be protected against various threats (e.g., token replay, token | |||
| modification). | modification). | |||
| While it is possible to utilize bearer tokens in this scenario with | While it is possible to utilize bearer tokens in this scenario with | |||
| TLS protection when the request to the protected resource is made, as | TLS protection when the request to the protected resource is made, as | |||
| skipping to change at page 4, line 30 ¶ | skipping to change at page 5, line 14 ¶ | |||
| that the adversary may obtain the access token (if the | that the adversary may obtain the access token (if the | |||
| recommendations in [RFC6749] and [RFC6750] are not followed) using a | recommendations in [RFC6749] and [RFC6750] are not followed) using a | |||
| number of ways, including eavesdropping the communication on the | number of ways, including eavesdropping the communication on the | |||
| wireless link. | wireless link. | |||
| Consequently, the important assumption in this use case is that a | Consequently, the important assumption in this use case is that a | |||
| resource server does not have TLS support and the security solution | resource server does not have TLS support and the security solution | |||
| should work in such a scenario. Furthermore, it may not be necessary | should work in such a scenario. Furthermore, it may not be necessary | |||
| to provide authentication of the resource server towards the client. | to provide authentication of the resource server towards the client. | |||
| 3.2. Offering Application Layer End-to-End Security | 3.4. Offering Application Layer End-to-End Security | |||
| In Web deployments resource servers are often placed behind load | In Web deployments resource servers are often placed behind load | |||
| balancers, which are deployed by the same organization that operates | balancers, which are deployed by the same organization that operates | |||
| the resource servers. These load balancers may terminate the TLS | the resource servers. These load balancers may terminate the TLS | |||
| connection setup and HTTP traffic is transmitted in the clear from | connection setup and HTTP traffic is transmitted in the clear from | |||
| the load balancer to the resource server. With application layer | the load balancer to the resource server. With application layer | |||
| security independent of the underlying TLS security it is possible to | security independent of the underlying TLS security it is possible to | |||
| allow application servers to perform cryptographic verification on an | allow application servers to perform cryptographic verification on an | |||
| end-to-end basis. | end-to-end basis. | |||
| The key aspect in this use case is therefore to offer end-to-end | The key aspect in this use case is therefore to offer end-to-end | |||
| security in the presence of load balancers via application layer | security in the presence of load balancers via application layer | |||
| security. | security. | |||
| 3.3. Preventing Access Token Re-Use by the Resource Server | ||||
| Imagine a scenario where a resource server that receives a valid | ||||
| access token re-uses it with other resource server. The reason for | ||||
| re-use may be malicious or may well be legitimate. In a legitimate | ||||
| use case consider chaining of computations whereby a resource server | ||||
| needs to consult other third party resource servers to complete the | ||||
| requested operation. In both cases it may be assumed that the scope | ||||
| of the access token is sufficiently large that it allows such a re- | ||||
| use. For example, imagine a case where a company operates email | ||||
| services as well as picture sharing services and that company had | ||||
| decided to issue access tokens with a scope that allows access to | ||||
| both services. | ||||
| With this use case the desire is to prevent such access token re-use. | ||||
| This also implies that the legitimate use cases require additional | ||||
| enhancements for request chaining. | ||||
| 3.4. TLS Channel Binding Support | ||||
| In this use case we consider the scenario where an OAuth 2.0 request | ||||
| to a protected resource is secured using TLS but the client and the | ||||
| resource server demand that the underlying TLS exchange is bound to | ||||
| additional application layer security to prevent cases where the TLS | ||||
| connection is terminated at a TLS intermediary, which splits the TLS | ||||
| connection into two separate connections. | ||||
| In this use case additional information is conveyed to the resource | ||||
| server to ensure that no entity entity has tampered with the TLS | ||||
| connection. | ||||
| 4. Security and Privacy Threats | 4. Security and Privacy Threats | |||
| The following list presents several common threats against protocols | The following list presents several common threats against protocols | |||
| utilizing some form of tokens. This list of threats is based on NIST | utilizing some form of tokens. This list of threats is based on NIST | |||
| Special Publication 800-63 [NIST800-63]. We exclude a discussion of | Special Publication 800-63 [NIST800-63]. We exclude a discussion of | |||
| threats related to any form of identity proofing and authentication | threats related to any form of identity proofing and authentication | |||
| of the resource owner to the authorization server since these | of the resource owner to the authorization server since these | |||
| procedures are not part of the OAuth 2.0 protocol specification | procedures are not part of the OAuth 2.0 protocol specification | |||
| itself. | itself. | |||
| skipping to change at page 6, line 24 ¶ | skipping to change at page 6, line 26 ¶ | |||
| tokens because it cannot keep secrets confidential. A client may | tokens because it cannot keep secrets confidential. A client may | |||
| also re-use access tokens for some other resource servers. | also re-use access tokens for some other resource servers. | |||
| Finally, a resource server may use a token it had obtained from a | Finally, a resource server may use a token it had obtained from a | |||
| client and use it with another resource server that the client | client and use it with another resource server that the client | |||
| interacts with. A resource server, offering relatively | interacts with. A resource server, offering relatively | |||
| unimportant application services, may attempt to use an access | unimportant application services, may attempt to use an access | |||
| token obtained from a client to access a high-value service, such | token obtained from a client to access a high-value service, such | |||
| as a payment service, on behalf of the client using the same | as a payment service, on behalf of the client using the same | |||
| access token. | access token. | |||
| We excluded one threat from the list, namely 'token repudiation'. | Token repudiation: | |||
| Token repudiation refers to a property whereby a resource server is | ||||
| given an assurance that the authorization server cannot deny to have | Token repudiation refers to a property whereby a resource server | |||
| created a token for the Client. We believe that such a property is | is given an assurance that the authorization server cannot deny to | |||
| interesting but most deployments prefer to deal with the violation of | have created a token for the client. | |||
| this security property through business actions rather than by using | ||||
| cryptography. | ||||
| 5. Threat Mitigation | 5. Threat Mitigation | |||
| A large range of threats can be mitigated by protecting the content | A large range of threats can be mitigated by protecting the content | |||
| of the token, for example using a digital signature or a keyed | of the token, for example using a digital signature or a keyed | |||
| message digest. Alternatively, the content of the token could be | message digest. Alternatively, the content of the token could be | |||
| passed by reference rather than by value (requiring a separate | passed by reference rather than by value (requiring a separate | |||
| message exchange to resolve the reference to the token content). To | message exchange to resolve the reference to the token content). To | |||
| simplify the subsequent description we assume that the token itself | simplify the subsequent description we assume that the token itself | |||
| is digitally signed by the authorization server and therefore cannot | is digitally signed by the authorization server and therefore cannot | |||
| skipping to change at page 9, line 12 ¶ | skipping to change at page 9, line 12 ¶ | |||
| to avoid any form of public key infrastructure but this aspect is not | to avoid any form of public key infrastructure but this aspect is not | |||
| further elaborated in the scenario. | further elaborated in the scenario. | |||
| A similar mechanism can also be designed using asymmetric | A similar mechanism can also be designed using asymmetric | |||
| cryptography. When the client requests an access token the | cryptography. When the client requests an access token the | |||
| authorization server creates an ephemeral public / privacy key pair | authorization server creates an ephemeral public / privacy key pair | |||
| (PK/SK) and places the public key PK into the protected token. When | (PK/SK) and places the public key PK into the protected token. When | |||
| the authorization server returns the access token to the client it | the authorization server returns the access token to the client it | |||
| also provides the PK/SK key pair over a confidentiality protected | also provides the PK/SK key pair over a confidentiality protected | |||
| channel. When the client sends a request to the resource server it | channel. When the client sends a request to the resource server it | |||
| has to use the privacy key SK to sign the request. The Resource | has to use the privacy key SK to sign the request. The resource | |||
| Server, when receiving the message, retrieves the access token, | server, when receiving the message, retrieves the access token, | |||
| verifies it and extracts the public key PK. It uses this ephemeral | verifies it and extracts the public key PK. It uses this ephemeral | |||
| public key to verify the attached signature. | public key to verify the attached signature. | |||
| 5.4. Summary | 5.4. Summary | |||
| As a high level message, there are various ways how the threats can | As a high level message, there are various ways how the threats can | |||
| be mitigated and while the details of each solution is somewhat | be mitigated and while the details of each solution is somewhat | |||
| different they all ultimately accomplish the goal. | different they all ultimately accomplish the goal. | |||
| The three approaches are: | The three approaches are: | |||
| Confidentiality Protection: | Confidentiality Protection: | |||
| The weak point with this approach, which is briefly described in | The weak point with this approach, which is briefly described in | |||
| Section 5.1, is that the Client has to be careful to whom it | Section 5.1, is that the client has to be careful to whom it | |||
| discloses the access token. What can be done with the token | discloses the access token. What can be done with the token | |||
| entirely depends on what rights the token entitles the presenter | entirely depends on what rights the token entitles the presenter | |||
| and what constraints it contains. A token could encode the | and what constraints it contains. A token could encode the | |||
| identifier of the Client but there are scenarios where the Client | identifier of the client but there are scenarios where the client | |||
| is not authenticated to the Resource Server or where the | is not authenticated to the resource server or where the | |||
| identifier of the Client rather represents an application class | identifier of the client rather represents an application class | |||
| rather than a single application instance. As such, it is | rather than a single application instance. As such, it is | |||
| possible that certain deployments choose a rather liberal approach | possible that certain deployments choose a rather liberal approach | |||
| to security and that everyone who is in possession of the access | to security and that everyone who is in possession of the access | |||
| token is granted access to the data. | token is granted access to the data. | |||
| Sender Constraint: | Sender Constraint: | |||
| The weak point with this approach, which is briefly described in | The weak point with this approach, which is briefly described in | |||
| Section 5.2, is to setup the authentication infrastructure such | Section 5.2, is to setup the authentication infrastructure such | |||
| that Clients can be authenticated towards Resource Servers. | that clients can be authenticated towards resource servers. | |||
| Additionally, Authorization Server must encode the identifier of | Additionally, the authorization server must encode the identifier | |||
| the Client in the token for later verification by the Resource | of the client in the token for later verification by the resource | |||
| Server. Depending on the chosen layer for providing Client-side | server. Depending on the chosen layer for providing client-side | |||
| authentication there may be additional challenges due Web server | authentication there may be additional challenges due Web server | |||
| load balancing, lack of API access to identity information, etc. | load balancing, lack of API access to identity information, etc. | |||
| Key Confirmation: | Key Confirmation: | |||
| The weak point with this approach, see Section 5.3, is the | The weak point with this approach, see Section 5.3, is the | |||
| increased complexity: a complete key distribution protocol has to | increased complexity: a complete key distribution protocol has to | |||
| be defined. | be defined. | |||
| In all cases above it has to be ensured that the Client is able to | In all cases above it has to be ensured that the client is able to | |||
| keep the credentials secret. | keep the credentials secret. | |||
| 6. Architecture | 6. Architecture | |||
| The proof-of-possession security concept assumes that the | The proof-of-possession security concept assumes that the | |||
| authorization server acts as a trusted third party that binds keys to | authorization server acts as a trusted third party that binds keys to | |||
| access tokens. These keys are then used by the client to demonstrate | access tokens. These keys are then used by the client to demonstrate | |||
| the possession of the secret to the resource server when accessing | the possession of the secret to the resource server when accessing | |||
| the resource. The resource server, when receiving an access token, | the resource. The resource server, when receiving an access token, | |||
| needs to verify that the key used by the client matches the one | needs to verify that the key used by the client matches the one | |||
| skipping to change at page 10, line 31 ¶ | skipping to change at page 10, line 31 ¶ | |||
| There are slight differences between the use of symmetric keys and | There are slight differences between the use of symmetric keys and | |||
| asymmetric keys when they are bound to the access token and the | asymmetric keys when they are bound to the access token and the | |||
| subsequent interaction between the client and the authorization | subsequent interaction between the client and the authorization | |||
| server when demonstrating possession of these keys. Figure 1 shows | server when demonstrating possession of these keys. Figure 1 shows | |||
| the symmetric key procedure and Figure 2 illustrates how asymmetric | the symmetric key procedure and Figure 2 illustrates how asymmetric | |||
| keys are used. | keys are used. | |||
| With the JSON Web Token (JWT) a standardized format for access tokens | With the JSON Web Token (JWT) a standardized format for access tokens | |||
| is available. The necessary elements to bind symmetric or asymmetric | is available. The necessary elements to bind symmetric or asymmetric | |||
| keys to the JWT is described in | keys to the JWT are described in | |||
| [I-D.jones-oauth-proof-of-possession]. | [I-D.jones-oauth-proof-of-possession]. | |||
| +---------------+ | +---------------+ | |||
| ^| | | ^| | | |||
| // | Authorization | | // | Authorization | | |||
| / | Server | | / | Server | | |||
| // | | | // | | | |||
| / | | | / | | | |||
| (I) // /+---------------+ | (I) // /+---------------+ | |||
| Access / // | Access / // | |||
| skipping to change at page 12, line 10 ¶ | skipping to change at page 12, line 10 ¶ | |||
| resource server, namely | resource server, namely | |||
| Embedding the symmetric key inside the access token itself. This | Embedding the symmetric key inside the access token itself. This | |||
| requires that the symmetric key is confidentiality protected. | requires that the symmetric key is confidentiality protected. | |||
| The resource server queries the authorization server for the | The resource server queries the authorization server for the | |||
| symmetric key. This is an approach envisioned by the token | symmetric key. This is an approach envisioned by the token | |||
| introspection endpoint [I-D.richer-oauth-introspection]. | introspection endpoint [I-D.richer-oauth-introspection]. | |||
| The authorization server and the resource server both have access | The authorization server and the resource server both have access | |||
| to the same back-end database. This is case in smaller, tightly | to the same back-end database. Smaller, tightly coupled systems | |||
| coupled systems. | might prefer such a deployment strategy. | |||
| +---------------+ | +---------------+ | |||
| ^| | | ^| | | |||
| Access Token Req. // | Authorization | | Access Token Req. // | Authorization | | |||
| +Parameters / | Server | | +Parameters / | Server | | |||
| +[Fingerprint] // | | | +[Fingerprint] // | | | |||
| / | | | / | | | |||
| (I) // /+---------------+ | (I) // /+---------------+ | |||
| / // | / // | |||
| / / (II) | / / (II) | |||
| skipping to change at page 12, line 40 ¶ | skipping to change at page 12, line 40 ¶ | |||
| | | | | | | | | | | |||
| | | | | | | | | | | |||
| +-----------+ +------------+ | +-----------+ +------------+ | |||
| Figure 2: Interaction between the Client and the Authorization Server | Figure 2: Interaction between the Client and the Authorization Server | |||
| (Asymmetric Keys). | (Asymmetric Keys). | |||
| The use of asymmetric keys is slightly different since the client or | The use of asymmetric keys is slightly different since the client or | |||
| the server could be involved in the generation of the ephemeral key | the server could be involved in the generation of the ephemeral key | |||
| pair. This exchange is shown in Figure 1. If the client generates | pair. This exchange is shown in Figure 1. If the client generates | |||
| the key pair it includes a fingerprint of the public key (of the | the key pair it either includes a fingerprint of the public key or | |||
| SubjectPublicKeyInfo structure, more precisely). The authorization | the public key in the request to the authorization server. The | |||
| server would include this fingerprint in the access token and thereby | authorization server would include this fingerprint or public key in | |||
| bind the asymmetric key pair to the token. If the client did not | the confirmation claim inside the access token and thereby bind the | |||
| provide a fingerprint in the request then the authorization server is | asymmetric key pair to the token. If the client did not provide a | |||
| asked to create an ephemeral asymmetric key pair, binds the | fingerprint or a public key in the request then the authorization | |||
| server is asked to create an ephemeral asymmetric key pair, binds the | ||||
| fingerprint of the public key to the access token, and returns the | fingerprint of the public key to the access token, and returns the | |||
| asymmetric key pair to the client. | asymmetric key pair (public and private key) to the client. | |||
| The specification describing the interaction between the client and | The specification describing the interaction between the client and | |||
| the authorization server, as shown in Figure 1 and in Figure 2, can | the authorization server, as shown in Figure 1 and in Figure 2, can | |||
| be found in [I-D.bradley-oauth-pop-key-distribution]. | be found in [I-D.bradley-oauth-pop-key-distribution]. | |||
| Once the client has obtained the necessary access token and keying | Once the client has obtained the necessary access token and keying | |||
| material it can start to interact with the resource server. To | material it can start to interact with the resource server. To | |||
| demonstrate possession of the key bound to the access token it needs | demonstrate possession of the key bound to the access token it needs | |||
| to apply this key to the HTTP request by computing a keyed message | to apply this key to the request by computing a keyed message digest | |||
| digest (i.e., a symmetric key-based cryptographic primitive) or a | (i.e., a symmetric key-based cryptographic primitive) or a digital | |||
| digital signature (i.e., an asymmetric cryptographic primitive). | signature (i.e., an asymmetric cryptographic primitive). When the | |||
| When the resource server receives the request it verifies it and | resource server receives the request it verifies it and decides | |||
| decides whether access to the protected resource can be granted. | whether access to the protected resource can be granted. This | |||
| This exchange is shown in Figure 3. | exchange is shown in Figure 3. | |||
| +---------------+ | +---------------+ | |||
| | | | | | | |||
| | Authorization | | | Authorization | | |||
| | Server | | | Server | | |||
| | | | | | | |||
| | | | | | | |||
| +---------------+ | +---------------+ | |||
| HTTP Request | Request | |||
| +-----------+ + Signature/MAC (a) +------------+ | +-----------+ + Signature/MAC (a) +------------+ | |||
| | |---------------------->| | | | |---------------------->| | | |||
| | | [+Access Token] | Resource | | | | [+Access Token] | Resource | | |||
| | Client | | Server | | | Client | | Server | | |||
| | | HTTP Response (b) | | | | | Response (b) | | | |||
| | |<----------------------| | | | |<----------------------| | | |||
| +-----------+ +------------+ | +-----------+ +------------+ | |||
| ^ ^ | ^ ^ | |||
| | | | | | | |||
| | | | | | | |||
| Symmetric Key Symmetric Key | Symmetric Key Symmetric Key | |||
| or or | or or | |||
| Asymmetric Key Pair Public Key (Client) | Asymmetric Key Pair Public Key (Client) | |||
| + + | + + | |||
| Parameters Parameters | Parameters Parameters | |||
| Figure 3: Client demonstrates PoP. | Figure 3: Client demonstrates PoP. | |||
| The specification describing the ability to sign the HTTP request | The specification describing the ability to sign the HTTP request | |||
| from the client to the resource server can be found in | from the client to the resource server can be found in | |||
| [I-D.richer-oauth-signed-http-request]. | [I-D.richer-oauth-signed-http-request]. | |||
| [Editor's Note: Description about token introspection needs to be | So far the examples talked about access tokens that are passed by | |||
| added as well. | value and allow the resource server to make authorization decisions | |||
| immediately after verifying the request from the client. In some | ||||
| deployments a real-time interaction between the authorization server | ||||
| and the resource server is envisioned that lowers the need to pass | ||||
| self-contained access tokens around. In that case the access token | ||||
| merely serves as a handle or a reference to state stored at the | ||||
| authorization server. As a consequence, the resource server cannot | ||||
| autonomously make an authorization decision when receiving a request | ||||
| from a client but has to consult the authorization server. This can, | ||||
| for example, be done using the token introspection endpoint (see | ||||
| [I-D.richer-oauth-introspection]). Figure 4 shows the protocol | ||||
| interaction graphically. Despite the additional token exchange | ||||
| previous descriptions about associating symmetric and asymmetric keys | ||||
| to the access token are still applicable to this scenario. | ||||
| +---------------+ | ||||
| Access ^| | | ||||
| Token Req. // | Authorization |\ | ||||
| (I) / | Server | \ (IV) Token | ||||
| // | | \ Introspection | ||||
| / | | \ +Access | ||||
| // /+---------------+ \ Token | ||||
| / // (II) \ \\ | ||||
| / / Access \ \ | ||||
| // // Token \ (V) \ | ||||
| / / \Resp.\ | ||||
| // // \ \ | ||||
| / v \ \ | ||||
| +-----------+ Request +Signature/MAC+------------+ | ||||
| | | (III) +Access Token | | | ||||
| | |---------------------->| Resource | | ||||
| | Client | (VI) Success or | Server | | ||||
| | | Failure | | | ||||
| | |<----------------------| | | ||||
| +-----------+ +------------+ | ||||
| Figure 4: Token Introspection and Access Token Handles. | ||||
| 7. Requirements | 7. Requirements | |||
| RFC 4962 [RFC4962] gives useful guidelines for designers of | RFC 4962 [RFC4962] gives useful guidelines for designers of | |||
| authentication and key management protocols. While RFC 4962 was | authentication and key management protocols. While RFC 4962 was | |||
| written with the AAA framework used for network access authentication | written with the AAA framework used for network access authentication | |||
| in mind the offered suggestions are useful for the design of other | in mind the offered suggestions are useful for the design of other | |||
| key management systems as well. The following requirements list | key management systems as well. The following requirements list | |||
| applies OAuth 2.0 terminology to the requirements outlined in RFC | applies OAuth 2.0 terminology to the requirements outlined in RFC | |||
| 4962. | 4962. | |||
| skipping to change at page 14, line 35 ¶ | skipping to change at page 15, line 28 ¶ | |||
| The key management protocol MUST be cryptographic algorithm | The key management protocol MUST be cryptographic algorithm | |||
| independent. | independent. | |||
| Strong, fresh session keys: | Strong, fresh session keys: | |||
| Session keys MUST be strong and fresh. Each session deserves an | Session keys MUST be strong and fresh. Each session deserves an | |||
| independent session key, i.e., one that is generated specifically | independent session key, i.e., one that is generated specifically | |||
| for the intended use. In context of OAuth this means that keying | for the intended use. In context of OAuth this means that keying | |||
| material is created in such a way that can only be used by the | material is created in such a way that can only be used by the | |||
| combination of a Client instance, protected resource, and | combination of a client instance, protected resource, and | |||
| authorization scope. | authorization scope. | |||
| Limit Key Scope: | Limit Key Scope: | |||
| Following the principle of least privilege, parties MUST NOT have | Following the principle of least privilege, parties MUST NOT have | |||
| access to keying material that is not needed to perform their | access to keying material that is not needed to perform their | |||
| role. Any protocol that is used to establish session keys MUST | role. Any protocol that is used to establish session keys MUST | |||
| specify the scope for session keys, clearly identifying the | specify the scope for session keys, clearly identifying the | |||
| parties to whom the session key is available. | parties to whom the session key is available. | |||
| skipping to change at page 15, line 15 ¶ | skipping to change at page 16, line 9 ¶ | |||
| Authenticate All Parties: | Authenticate All Parties: | |||
| Each party in the key management protocol MUST be authenticated to | Each party in the key management protocol MUST be authenticated to | |||
| the other parties with whom they communicate. Authentication | the other parties with whom they communicate. Authentication | |||
| mechanisms MUST maintain the confidentiality of any secret values | mechanisms MUST maintain the confidentiality of any secret values | |||
| used in the authentication process. Secrets MUST NOT be sent to | used in the authentication process. Secrets MUST NOT be sent to | |||
| another party without confidentiality protection. | another party without confidentiality protection. | |||
| Authorization: | Authorization: | |||
| Client and Resource Server authorization MUST be performed. These | Client and resource server authorization MUST be performed. These | |||
| entities MUST demonstrate possession of the appropriate keying | entities MUST demonstrate possession of the appropriate keying | |||
| material, without disclosing it. Authorization is REQUIRED | material, without disclosing it. Authorization is REQUIRED | |||
| whenever a Client interacts with an Authorization Server. The | whenever a client interacts with an authorization server. The | |||
| authorization checking prevents an elevation of privilege attack, | authorization checking prevents an elevation of privilege attack, | |||
| and it ensures that an unauthorized authorized is detected. | and it ensures that an unauthorized authorized is detected. | |||
| Keying Material Confidentiality and Integrity: | Keying Material Confidentiality and Integrity: | |||
| While preserving algorithm independence, confidentiality and | While preserving algorithm independence, confidentiality and | |||
| integrity of all keying material MUST be maintained. | integrity of all keying material MUST be maintained. | |||
| Confirm Cryptographic Algorithm Selection: | Confirm Cryptographic Algorithm Selection: | |||
| skipping to change at page 15, line 45 ¶ | skipping to change at page 16, line 39 ¶ | |||
| Key management proposals require a robust key naming scheme, | Key management proposals require a robust key naming scheme, | |||
| particularly where key caching is supported. The key name | particularly where key caching is supported. The key name | |||
| provides a way to refer to a key in a protocol so that it is clear | provides a way to refer to a key in a protocol so that it is clear | |||
| to all parties which key is being referenced. Objects that cannot | to all parties which key is being referenced. Objects that cannot | |||
| be named cannot be managed. All keys MUST be uniquely named, and | be named cannot be managed. All keys MUST be uniquely named, and | |||
| the key name MUST NOT directly or indirectly disclose the keying | the key name MUST NOT directly or indirectly disclose the keying | |||
| material. | material. | |||
| Prevent the Domino Effect: | Prevent the Domino Effect: | |||
| Compromise of a single Client MUST NOT compromise keying material | Compromise of a single client MUST NOT compromise keying material | |||
| held by any other Client within the system, including session keys | held by any other client within the system, including session keys | |||
| and long-term keys. Likewise, compromise of a single Resource | and long-term keys. Likewise, compromise of a single resource | |||
| Server MUST NOT compromise keying material held by any other | server MUST NOT compromise keying material held by any other | |||
| Resource Server within the system. In the context of a key | Resource Server within the system. In the context of a key | |||
| hierarchy, this means that the compromise of one node in the key | hierarchy, this means that the compromise of one node in the key | |||
| hierarchy must not disclose the information necessary to | hierarchy must not disclose the information necessary to | |||
| compromise other branches in the key hierarchy. Obviously, the | compromise other branches in the key hierarchy. Obviously, the | |||
| compromise of the root of the key hierarchy will compromise all of | compromise of the root of the key hierarchy will compromise all of | |||
| the keys; however, a compromise in one branch MUST NOT result in | the keys; however, a compromise in one branch MUST NOT result in | |||
| the compromise of other branches. There are many implications of | the compromise of other branches. There are many implications of | |||
| this requirement; however, two implications deserve highlighting. | this requirement; however, two implications deserve highlighting. | |||
| First, the scope of the keying material must be defined and | First, the scope of the keying material must be defined and | |||
| understood by all parties that communicate with a party that holds | understood by all parties that communicate with a party that holds | |||
| skipping to change at page 16, line 35 ¶ | skipping to change at page 17, line 30 ¶ | |||
| * The expected lifetime of the keying material. Lifetime of a | * The expected lifetime of the keying material. Lifetime of a | |||
| child key SHOULD NOT be greater than the lifetime of its parent | child key SHOULD NOT be greater than the lifetime of its parent | |||
| in the key hierarchy. | in the key hierarchy. | |||
| Any party with legitimate access to keying material can determine | Any party with legitimate access to keying material can determine | |||
| its context. In addition, the protocol MUST ensure that all | its context. In addition, the protocol MUST ensure that all | |||
| parties with legitimate access to keying material have the same | parties with legitimate access to keying material have the same | |||
| context for the keying material. This requires that the parties | context for the keying material. This requires that the parties | |||
| are properly identified and authenticated, so that all of the | are properly identified and authenticated, so that all of the | |||
| parties that have access to the keying material can be determined. | parties that have access to the keying material can be determined. | |||
| The context will include the Client and the Resource Server | The context will include the client and the resource server | |||
| identities in more than one form. | identities in more than one form. | |||
| Authorization Restriction: | Authorization Restriction: | |||
| If Client authorization is restricted, then the Client SHOULD be | If client authorization is restricted, then the client SHOULD be | |||
| made aware of the restriction. | made aware of the restriction. | |||
| Client Identity Confidentiality: | Client Identity Confidentiality: | |||
| A Client has identity confidentiality when any party other than | A client has identity confidentiality when any party other than | |||
| the Resource Server and the Authorization Server cannot | the resource server and the authorization server cannot | |||
| sufficiently identify the Client within the anonymity set. In | sufficiently identify the client within the anonymity set. In | |||
| comparison to anonymity and pseudonymity, identity confidentiality | comparison to anonymity and pseudonymity, identity confidentiality | |||
| is concerned with eavesdroppers and intermediaries. A key | is concerned with eavesdroppers and intermediaries. A key | |||
| management protocol SHOULD provide this property. | management protocol SHOULD provide this property. | |||
| Resource Owner Identity Confidentiality: | Resource Owner Identity Confidentiality: | |||
| Resource servers SHOULD be prevented from knowing the real or | Resource servers SHOULD be prevented from knowing the real or | |||
| pseudonymous identity of the Resource Owner, since the | pseudonymous identity of the resource owner, since the | |||
| Authorization Server is the only entity involved in verifying the | authorization server is the only entity involved in verifying the | |||
| Resource Owner's identity. | resource owner's identity. | |||
| Collusion: | Collusion: | |||
| Resource Servers that collude can be prevented from using | Resource servers that collude can be prevented from using | |||
| information related to the Resource Owner to track the individual. | information related to the resource owner to track the individual. | |||
| That is, two different Resource Servers can be prevented from | That is, two different resource servers can be prevented from | |||
| determining that the same Resource Owner has authenticated to both | determining that the same resource owner has authenticated to both | |||
| of them. This requires that each Authorization Server obtains | of them. This requires that each authorization server obtains | |||
| different keying material as well as different access tokens with | different keying material as well as different access tokens with | |||
| content that does not allow identification of the Resource Owner. | content that does not allow identification of the resource owner. | |||
| AS-to-RS Relationship Anonymity: | AS-to-RS Relationship Anonymity: | |||
| This MAC Token security does not provide AAS-to-RS Relationship | This MAC Token security does not provide AS-to-RS relationship | |||
| Anonymity since the Client has to inform the resource server about | anonymity since the client has to inform the resource server about | |||
| the Resource Server it wants to talk to. The Authorization Server | the resource server it wants to talk to. The authorization server | |||
| needs to know how to encrypt the session key the Client and the | needs to know how to encrypt the session key the client and the | |||
| Resource Server will be using. | resource server will be using. | |||
| As an additional requirement a solution MUST enable support for | As an additional requirement a solution MUST enable support for | |||
| channel bindings. The concept of channel binding, as defined in | channel bindings. The concept of channel binding, as defined in | |||
| [RFC5056], allows applications to establish that the two end-points | [RFC5056], allows applications to establish that the two end-points | |||
| of a secure channel at one network layer are the same as at a higher | of a secure channel at one network layer are the same as at a higher | |||
| layer by binding authentication at the higher layer to the channel at | layer by binding authentication at the higher layer to the channel at | |||
| the lower layer. | the lower layer. | |||
| There are performance concerns with the use of asymmetric | There are performance concerns with the use of asymmetric | |||
| cryptography. Although symmetric key cryptography offers better | cryptography. Although symmetric key cryptography offers better | |||
| performance asymmetric cryptography offers additional security | performance asymmetric cryptography offers additional security | |||
| properties. A solution MUST therefore offer the capability to | properties. A solution MUST therefore offer the capability to | |||
| support both symmetric as well as asymmetric keys. | support both symmetric as well as asymmetric keys. | |||
| There are threats that relate to the experience of the software | There are threats that relate to the experience of the software | |||
| developer as well as operational practices. Verifying the servers | developer as well as operational practices. Verifying the servers | |||
| identity in TLS is discussed at length in [RFC6125]. | identity in TLS is discussed at length in [RFC6125]. | |||
| A number of the threats listed in Section 4 demand protection of the | A number of the threats listed in Section 4 demand protection of the | |||
| access token content and a standardized solution, in form of a JSON- | access token content and a standardized solution, in form of a JSON- | |||
| based format, is available with the JSON Web Token (JWT) | based format, is available with the JWT | |||
| [I-D.ietf-oauth-json-web-token]. Hence, threat related to the | ||||
| protection of the access token itself are deferred to the | ||||
| [I-D.ietf-oauth-json-web-token]. | [I-D.ietf-oauth-json-web-token]. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| The purpose of this document is to provide use cases, requirements, | The purpose of this document is to provide use cases, requirements, | |||
| and motivation for developing an OAuth security solution extending | and motivation for developing an OAuth security solution extending | |||
| Bearer Tokens. As such, this document is only about security. | Bearer Tokens. As such, this document is only about security. | |||
| 9. IANA Considerations | 9. IANA Considerations | |||
| skipping to change at page 18, line 47 ¶ | skipping to change at page 19, line 41 ¶ | |||
| Client Key Distribution", draft-bradley-oauth-pop-key- | Client Key Distribution", draft-bradley-oauth-pop-key- | |||
| distribution-00 (work in progress), April 2014. | distribution-00 (work in progress), April 2014. | |||
| [I-D.ietf-httpbis-p1-messaging] | [I-D.ietf-httpbis-p1-messaging] | |||
| Fielding, R. and J. Reschke, "Hypertext Transfer Protocol | Fielding, R. and J. Reschke, "Hypertext Transfer Protocol | |||
| (HTTP/1.1): Message Syntax and Routing", draft-ietf- | (HTTP/1.1): Message Syntax and Routing", draft-ietf- | |||
| httpbis-p1-messaging-26 (work in progress), February 2014. | httpbis-p1-messaging-26 (work in progress), February 2014. | |||
| [I-D.ietf-jose-json-web-encryption] | [I-D.ietf-jose-json-web-encryption] | |||
| Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", | |||
| draft-ietf-jose-json-web-encryption-25 (work in progress), | draft-ietf-jose-json-web-encryption-29 (work in progress), | |||
| March 2014. | June 2014. | |||
| [I-D.ietf-oauth-json-web-token] | [I-D.ietf-oauth-json-web-token] | |||
| Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token | |||
| (JWT)", draft-ietf-oauth-json-web-token-19 (work in | (JWT)", draft-ietf-oauth-json-web-token-23 (work in | |||
| progress), March 2014. | progress), June 2014. | |||
| [I-D.jones-oauth-proof-of-possession] | [I-D.jones-oauth-proof-of-possession] | |||
| Jones, M., Bradley, J., and H. Tschofenig, "Proof-Of- | Jones, M., Bradley, J., and H. Tschofenig, "Proof-Of- | |||
| Possession Semantics for JSON Web Tokens (JWTs)", draft- | Possession Semantics for JSON Web Tokens (JWTs)", draft- | |||
| jones-oauth-proof-of-possession-00 (work in progress), | jones-oauth-proof-of-possession-00 (work in progress), | |||
| April 2014. | April 2014. | |||
| [I-D.richer-oauth-introspection] | [I-D.richer-oauth-introspection] | |||
| Richer, J., "OAuth Token Introspection", draft-richer- | Richer, J., "OAuth Token Introspection", draft-richer- | |||
| oauth-introspection-04 (work in progress), May 2013. | oauth-introspection-04 (work in progress), May 2013. | |||
| [I-D.richer-oauth-introspection] | ||||
| Richer, J., "OAuth Token Introspection", draft-richer- | ||||
| oauth-introspection-04 (work in progress), May 2013. | ||||
| [I-D.richer-oauth-signed-http-request] | [I-D.richer-oauth-signed-http-request] | |||
| Richer, J., Bradley, J., and H. Tschofenig, "A Method for | Richer, J., Bradley, J., and H. Tschofenig, "A Method for | |||
| Signing an HTTP Requests for OAuth", draft-richer-oauth- | Signing an HTTP Requests for OAuth", draft-richer-oauth- | |||
| signed-http-request-01 (work in progress), April 2014. | signed-http-request-01 (work in progress), April 2014. | |||
| [I-D.tschofenig-oauth-audience] | [I-D.tschofenig-oauth-audience] | |||
| Tschofenig, H., "OAuth 2.0: Audience Information", draft- | Tschofenig, H., "OAuth 2.0: Audience Information", draft- | |||
| tschofenig-oauth-audience-00 (work in progress), February | tschofenig-oauth-audience-00 (work in progress), February | |||
| 2013. | 2013. | |||
| End of changes. 42 change blocks. | ||||
| 127 lines changed or deleted | 157 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||