idnits 2.17.1 

draft-jones-oauth-dpop-implicit-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 9, 2020) is 1509 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	OAuth Working Group                                             M. Jones
3	Internet-Draft                                                 Microsoft
4	Intended status: Standards Track                        B. Campbell, Ed.
5	Expires: September 10, 2020                                Ping Identity
6	                                                              J. Bradley
7	                                                                  Yubico
8	                                                           March 9, 2020

10	                  OAuth 2.0 DPoP for the Implicit Flow
11	                   draft-jones-oauth-dpop-implicit-00

13	Abstract

15	   This specification describes a mechanism for sender-constraining
16	   OAuth 2.0 tokens via a proof-of-possession mechanism on the
17	   application level.  This mechanism allows for the detection of replay
18	   attacks with access tokens.

20	   This specification compliments and builds upon the mechanisms defined
21	   in draft-fett-oauth-dpop, in which access tokens are returned from
22	   the token endpoint.  In particular, this specification extends the
23	   Demonstration of Proof-of-Possession at the Application Layer (DPoP)
24	   mechanisms to also be usable with the OAuth 2.0 implicit flow, in
25	   which access tokens are returned from the authorization endpoint.

27	Status of This Memo

29	   This Internet-Draft is submitted in full conformance with the
30	   provisions of BCP 78 and BCP 79.

32	   Internet-Drafts are working documents of the Internet Engineering
33	   Task Force (IETF).  Note that other groups may also distribute
34	   working documents as Internet-Drafts.  The list of current Internet-
35	   Drafts is at https://datatracker.ietf.org/drafts/current/.

37	   Internet-Drafts are draft documents valid for a maximum of six months
38	   and may be updated, replaced, or obsoleted by other documents at any
39	   time.  It is inappropriate to use Internet-Drafts as reference
40	   material or to cite them other than as "work in progress."

42	   This Internet-Draft will expire on September 10, 2020.

44	Copyright Notice

46	   Copyright (c) 2020 IETF Trust and the persons identified as the
47	   document authors.  All rights reserved.

49	   This document is subject to BCP 78 and the IETF Trust's Legal
50	   Provisions Relating to IETF Documents
51	   (https://trustee.ietf.org/license-info) in effect on the date of
52	   publication of this document.  Please review these documents
53	   carefully, as they describe your rights and restrictions with respect
54	   to this document.  Code Components extracted from this document must
55	   include Simplified BSD License text as described in Section 4.e of
56	   the Trust Legal Provisions and are provided without warranty as
57	   described in the Simplified BSD License.

59	Table of Contents

61	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
62	     1.1.  Requirements Notation and Conventions . . . . . . . . . .   2
63	     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
64	   2.  DPoP for the Implicit Flow  . . . . . . . . . . . . . . . . .   3
65	     2.1.  DPoP OAuth Request Parameter  . . . . . . . . . . . . . .   3
66	     2.2.  DPoP Proof JWT for the Implicit Flow  . . . . . . . . . .   3
67	   3.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
68	   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
69	     4.1.  OAuth Parameters Registration . . . . . . . . . . . . . .   3
70	       4.1.1.  Registry Contents . . . . . . . . . . . . . . . . . .   4
71	   5.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
72	     5.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
73	     5.2.  Informative References  . . . . . . . . . . . . . . . . .   4
74	   Appendix A.  Document History . . . . . . . . . . . . . . . . . .   4
75	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

77	1.  Introduction

79	   This specification defines additions to the mechanisms defined in
80	   [I-D.fett-oauth-dpop] enabling Demonstration of Proof-of-Possession
81	   at the Application Layer (DPoP) mechanisms to be used with the OAuth
82	   2.0 implicit flow, in which access tokens are returned from the
83	   authorization endpoint.  These additions are intended for use with
84	   these "response_type" values: "token", "id_token token",
85	   "code token", and "code id_token token".

87	1.1.  Requirements Notation and Conventions

89	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
90	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
91	   "OPTIONAL" in this document are to be interpreted as described in BCP
92	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
93	   capitals, as shown here.

95	1.2.  Terminology

97	   This specification uses the terms "access token", "authorization
98	   endpoint", "authorization request", and "token endpoint" defined by
99	   The OAuth 2.0 Authorization Framework [RFC6749].

101	2.  DPoP for the Implicit Flow

103	   Demonstration of Proof-of-Possession at the Application Layer (DPoP)
104	   for the implicit flow is performed in the same manner as
105	   [I-D.fett-oauth-dpop], with this exception: Rather than sending the
106	   DPoP proof JWT in a DPoP HTTP header, the DPoP proof JWT is instead
107	   sent as the value the new "dpop" OAuth request parameter, which is
108	   defined in this section.

110	2.1.  DPoP OAuth Request Parameter

112	   This specification defines the following OAuth request parameter for
113	   use at the authorization endpoint:

115	   dpop
116	      The DPoP proof JWT for requests using the implicit flow.

118	2.2.  DPoP Proof JWT for the Implicit Flow

120	   DPoP proof JWTs used with the implicit flow are as specified in
121	   [I-D.fett-oauth-dpop], with the following modifications.

123	   o  The value of the "htm" claim MUST be the HTTP verb used in the
124	      authorization request, which is normally "GET".

126	   o  The value of the "htu" claim MUST be the URL of the authorization
127	      endpoint used in the request.

129	3.  Security Considerations

131	   The security considerations described in [I-D.fett-oauth-dpop] also
132	   apply to this specification.

134	4.  IANA Considerations

136	4.1.  OAuth Parameters Registration

138	   This specification registers the following value in the IANA "OAuth
139	   Parameters" registry [IANA.OAuth.Parameters] established by
140	   [RFC6749].

142	4.1.1.  Registry Contents

144	   o  Parameter name: dpop
145	   o  Parameter usage location: authorization request
146	   o  Change controller: IESG
147	   o  Specification document(s): Section 2.1 of [[ this specification ]]

149	5.  References

151	5.1.  Normative References

153	   [I-D.fett-oauth-dpop]
154	              Fett, D., Campbell, B., Bradley, J., Lodderstedt, T.,
155	              Jones, M., and D. Waite, "OAuth 2.0 Demonstration of
156	              Proof-of-Possession at the Application Layer (DPoP)",
157	              draft-fett-oauth-dpop-04 (work in progress), March 2020.

159	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
160	              Requirement Levels", BCP 14, RFC 2119,
161	              DOI 10.17487/RFC2119, March 1997,
162	              <https://www.rfc-editor.org/info/rfc2119>.

164	   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
165	              RFC 6749, DOI 10.17487/RFC6749, October 2012,
166	              <https://www.rfc-editor.org/info/rfc6749>.

168	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
169	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
170	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

172	5.2.  Informative References

174	   [IANA.OAuth.Parameters]
175	              IANA, "OAuth Parameters",
176	              <http://www.iana.org/assignments/oauth-parameters>.

178	Appendix A.  Document History

180	   [[ to be removed by the RFC Editor before publication as an RFC ]]

182	   -00

184	   o  Initial version.

186	Authors' Addresses

188	   Michael B. Jones
189	   Microsoft

191	   Email: mbj@microsoft.com
192	   URI:   https://self-issued.info/

194	   Brian Campbell (editor)
195	   Ping Identity

197	   Email: brian.d.campbell@gmail.com

199	   John Bradley
200	   Yubico

202	   Email: ve7jtb@ve7jtb.com