Discussion:
[OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
John Bradley
2016-10-10 20:59:49 UTC
Permalink
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.

The Banks want to use it for some server to server API use cases being driven by new open banking regulation.

The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.

The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.

I hope that this is non controversial and the WG can adopt it quickly.

Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
Preibisch, Sascha H
2016-10-11 02:58:53 UTC
Permalink
+1

From: Openid-specs-fapi <openid-specs-fapi-***@lists.openid.net<mailto:openid-specs-fapi-***@lists.openid.net>> on behalf of John Bradley via Openid-specs-fapi <openid-specs-***@lists.openid.net<mailto:openid-specs-***@lists.openid.net>>
Reply-To: John Bradley <***@ve7jtb.com<mailto:***@ve7jtb.com>>, Financial API Working Group List <openid-specs-***@lists.openid.net<mailto:openid-specs-***@lists.openid.net>>
Date: Monday, October 10, 2016 at 1:59 PM
To: OAuth WG <***@ietf.org<mailto:***@ietf.org>>
Cc: Nat Sakimura via Openid-specs-fapi <openid-specs-***@lists.openid.net<mailto:openid-specs-***@lists.openid.net>>
Subject: [Openid-specs-fapi] Fwd: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt

At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.

The Banks want to use it for some server to server API use cases being driven by new open banking regulation.

The largest thing in the draft is the IANA registration of "tls_client_auth" Token Endpoint authentication method for use in Registration and discovery.

The trust model is intentionally left open so that you could use a "common name" and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.

I hope that this is non controversial and the WG can adopt it quickly.

Regards
John B.




Begin forwarded message:

From: internet-***@ietf.org<mailto:internet-***@ietf.org>
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
To: "Brian Campbell" <***@gmail.com<mailto:***@gmail.com>>, "John Bradley" <***@ve7jtb.com<mailto:***@ve7jtb.com>>


A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.

Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_internet-2Ddrafts_draft-2Dcampbell-2Doauth-2Dtls-2Dclient-2Dauth-2D00.txt&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=y0V-Som1RDD_XSON16geiVwizJHHdigmrpofDystITA&s=260YDXh2PcZARRiXTxOl8pc5v0ziWSLzLiG9CI0OOlI&e=>
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/<https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dcampbell-2Doauth-2Dtls-2Dclient-2Dauth_&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=y0V-Som1RDD_XSON16geiVwizJHHdigmrpofDystITA&s=NOkb8avw2ZN74wW-gLDbuZfXskqV9xRqyYvV5Fg18_Y&e=>
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dcampbell-2Doauth-2Dtls-2Dclient-2Dauth-2D00&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=y0V-Som1RDD_XSON16geiVwizJHHdigmrpofDystITA&s=9z770xRpUnNkMOo9UDUj5gYGUZXwQljipKvN0VfMC74&e=>


Abstract:
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.




Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<https://urldefense.proofpoint.com/v2/url?u=http-3A__tools.ietf.org&d=DQMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=y0V-Som1RDD_XSON16geiVwizJHHdigmrpofDystITA&s=kqP8TZStoJyWhk2OJiXgoNTWIsNvNH5qgGX7QBWBHWA&e=>.

The IETF Secretariat
Vladimir Dzhuvinov
2016-10-17 08:47:45 UTC
Permalink
Superb, I welcome that!

Regarding
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00#section-5.2
:

My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.

Have you considered some kind of an open ended enumeration of the
possible binding methods, and giving them some identifiers or names, so
that AS / OPs can advertise them in their metadata, and clients register
accordingly?

For example:

"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]


Cheers,

Vladimir
Post by John Bradley
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2016-10-21 22:51:23 UTC
Permalink
I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the basic
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's some
consensus that it'd be useful.
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the possible
binding methods, and giving them some identifiers or names, so that AS /
OPs can advertise them in their metadata, and clients register accordingly?
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Vladimir Dzhuvinov
2016-10-27 02:42:57 UTC
Permalink
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the basic
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's some
consensus that it'd be useful.
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the possible
binding methods, and giving them some identifiers or names, so that AS /
OPs can advertise them in their metadata, and clients register accordingly?
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Samuel Erdtman
2016-10-27 06:00:38 UTC
Permalink
I think it is awesome that this document has been written since this is one
of the solutions that exists in the wild.

However I think that the connection to client (client_id) and certificate
could be more clearly specified, at the moment it is exemplified under
security considerations. I think there should be text saying that there
MUST be a binding and provide the default solution e.g. client_id as
subject common name.

Further I would prefer if it was not a MUST to include the client_id in the
HTTP request since I think there MUST exist a client binding in the
certificate. I think there is no need to have it explicitly in the HTTP
request. This might not be a problem for Classic OAuth but when adopted for
ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
we would like to lessen the duplicated information as much as possible.

//Samuel
Post by Vladimir Dzhuvinov
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the
basic
Post by Brian Campbell
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's
some
Post by Brian Campbell
consensus that it'd be useful.
On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the
possible
Post by Brian Campbell
Post by Vladimir Dzhuvinov
binding methods, and giving them some identifiers or names, so that AS /
OPs can advertise them in their metadata, and clients register
accordingly?
Post by Brian Campbell
Post by Vladimir Dzhuvinov
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
Post by Brian Campbell
Post by Vladimir Dzhuvinov
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-
client-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS)
Authentication for OAuth Clients
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-
drafts/draft-campbell-oauth-tls-client-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Status: https://datatracker.ietf.org/
doc/draft-campbell-oauth-tls-client-auth/
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-
client-auth-00
Post by Brian Campbell
Post by Vladimir Dzhuvinov
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of
submission
Post by Brian Campbell
Post by Vladimir Dzhuvinov
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
oauth
Post by Brian Campbell
Post by Vladimir Dzhuvinov
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2016-10-28 20:56:21 UTC
Permalink
Post by Samuel Erdtman
I think it is awesome that this document has been written since this is
one of the solutions that exists in the wild.
Thanks. To some extent I was working to codify those existing solutions,
which is one of the reasons why the specific binding between client and
certificate is left open ended.
Post by Samuel Erdtman
However I think that the connection to client (client_id) and certificate
could be more clearly specified, at the moment it is exemplified under
security considerations. I think there should be text saying that there
MUST be a binding and provide the default solution e.g. client_id as
subject common name.
I sort of thought the need for connection between client and certificate
was implicit in the text that is in section 2. But I can work to make the
language more explicit. As I mentioned in my recent reply to Vladimir, I
expect client_id as subject common name to be more the exception rather
than the common case so don't feel it'd be appropriate as a default.
Post by Samuel Erdtman
Further I would prefer if it was not a MUST to include the client_id in
the HTTP request since I think there MUST exist a client binding in the
certificate. I think there is no need to have it explicitly in the HTTP
request. This might not be a problem for Classic OAuth but when adopted for
ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
we would like to lessen the duplicated information as much as possible.
There needs to be a binding between the client and certificate but that
doesn't mean the client id will be in the certificate. Having the client id
explicitly available in the HTTP request allows the AS to easily identify
the client independently and consistently from the content of the
certificate or key and allows the AS to not have to index its client
storage by some other value. It may lead to a small amount of duplicate
info in some cases but I believe the consistency is worth it.
//Samuel
Post by Samuel Erdtman
On Thu, Oct 27, 2016 at 4:42 AM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in
the
Post by Brian Campbell
-00 document. I'm not convinced that some metadata around it would
really
Post by Brian Campbell
contribute to interop one way or the other. I also wanted to get the
basic
Post by Brian Campbell
concept written down before going too far into the weeds. But I'd be
open
Post by Brian Campbell
to adding something along those lines in future revisions, if there's
some
Post by Brian Campbell
consensus that it'd be useful.
On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is
left
Post by Brian Campbell
Post by Vladimir Dzhuvinov
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the
possible
Post by Brian Campbell
Post by Vladimir Dzhuvinov
binding methods, and giving them some identifiers or names, so that AS
/
Post by Brian Campbell
Post by Vladimir Dzhuvinov
OPs can advertise them in their metadata, and clients register
accordingly?
Post by Brian Campbell
Post by Vladimir Dzhuvinov
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
Post by Brian Campbell
Post by Vladimir Dzhuvinov
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-clien
t-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS)
Authentication for OAuth Clients
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-
drafts/draft-campbell-oauth-tls-client-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Status: https://datatracker.ietf.org/
doc/draft-campbell-oauth-tls-client-auth/
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Htmlized: https://tools.ietf.org/html/d
raft-campbell-oauth-tls-client-auth-00
Post by Brian Campbell
Post by Vladimir Dzhuvinov
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of
submission
Post by Brian Campbell
Post by Vladimir Dzhuvinov
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
ietf.org/mailman/listinfo/oauth
Post by Brian Campbell
Post by Vladimir Dzhuvinov
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Samuel Erdtman
2016-10-30 15:27:56 UTC
Permalink
Thanks for the reply Brian,

See inline
Post by Brian Campbell
Post by Samuel Erdtman
I think it is awesome that this document has been written since this is
one of the solutions that exists in the wild.
Thanks. To some extent I was working to codify those existing solutions,
which is one of the reasons why the specific binding between client and
certificate is left open ended.
Post by Samuel Erdtman
However I think that the connection to client (client_id) and certificate
could be more clearly specified, at the moment it is exemplified under
security considerations. I think there should be text saying that there
MUST be a binding and provide the default solution e.g. client_id as
subject common name.
I sort of thought the need for connection between client and certificate
was implicit in the text that is in section 2. But I can work to make the
language more explicit. As I mentioned in my recent reply to Vladimir, I
expect client_id as subject common name to be more the exception rather
than the common case so don't feel it'd be appropriate as a default.
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.

When it comes to the client_id I think subject common name or maybe subject
serial numbers will be the common location, and I think an example would be
valuable.
Post by Brian Campbell
Post by Samuel Erdtman
Further I would prefer if it was not a MUST to include the client_id in
the HTTP request since I think there MUST exist a client binding in the
certificate. I think there is no need to have it explicitly in the HTTP
request. This might not be a problem for Classic OAuth but when adopted for
ACE framework (https://tools.ietf.org/html/draft-ietf-ace-oauth-authz-03)
we would like to lessen the duplicated information as much as possible.
There needs to be a binding between the client and certificate but that
doesn't mean the client id will be in the certificate. Having the client id
explicitly available in the HTTP request allows the AS to easily identify
the client independently and consistently from the content of the
certificate or key and allows the AS to not have to index its client
storage by some other value. It may lead to a small amount of duplicate
info in some cases but I believe the consistency is worth it.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Post by Brian Campbell
//Samuel
Post by Samuel Erdtman
On Thu, Oct 27, 2016 at 4:42 AM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in
the
Post by Brian Campbell
-00 document. I'm not convinced that some metadata around it would
really
Post by Brian Campbell
contribute to interop one way or the other. I also wanted to get the
basic
Post by Brian Campbell
concept written down before going too far into the weeds. But I'd be
open
Post by Brian Campbell
to adding something along those lines in future revisions, if there's
some
Post by Brian Campbell
consensus that it'd be useful.
On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is
left
Post by Brian Campbell
Post by Vladimir Dzhuvinov
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the
possible
Post by Brian Campbell
Post by Vladimir Dzhuvinov
binding methods, and giving them some identifiers or names, so that
AS /
Post by Brian Campbell
Post by Vladimir Dzhuvinov
OPs can advertise them in their metadata, and clients register
accordingly?
Post by Brian Campbell
Post by Vladimir Dzhuvinov
"tls_client_auth_bind_methods_supported" : [
"subject_alt_name_match",
Post by Brian Campbell
Post by Vladimir Dzhuvinov
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API
Working group, Brian Campbell and I have documented
Post by Brian Campbell
Post by Vladimir Dzhuvinov
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The Banks want to use it for some server to server API use cases
being driven by new open banking regulation.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-clien
t-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS)
Authentication for OAuth Clients
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-
drafts/draft-campbell-oauth-tls-client-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Status: https://datatracker.ietf.org/
doc/draft-campbell-oauth-tls-client-auth/
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Htmlized: https://tools.ietf.org/html/d
raft-campbell-oauth-tls-client-auth-00
Post by Brian Campbell
Post by Vladimir Dzhuvinov
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of
submission
Post by Brian Campbell
Post by Vladimir Dzhuvinov
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
ietf.org/mailman/listinfo/oauth
Post by Brian Campbell
Post by Vladimir Dzhuvinov
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2016-11-02 21:03:16 UTC
Permalink
Post by Samuel Erdtman
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to do
so.
Post by Samuel Erdtman
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.

I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
Post by Samuel Erdtman
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
Justin Richer
2016-11-03 12:41:55 UTC
Permalink
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the authorization server
for the client to use at that single AS. The certificate is issued by
the CA for the client to use on any connection. The AS and CA are not
likely to be the same system in most deployments. The client will use
the same cert across multiple connections, possibly multiple AS's, but
the same isn't true of the client_id.

Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already
allow binding of a client-generated JWK today.

I do think that more examples and guidance are warranted, though, to
help AS developers.

-- Justin
Post by Samuel Erdtman
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was
explicit written since the lack of a connection would result in a
potential security hole.
That's fair. I agree it can be made more explicit and that it be good
to do so.
When it comes to the client_id I think subject common name or
maybe subject serial numbers will be the common location, and I
think an example would be valuable.
In my experience and the way we built support for mutual TLS OAuth
client auth the client_id value does not appear in the certificate
anywhere. I'm not saying it can't happen but don't think it's
particularly common.
I can look at adding some examples, if there's some consensus that
they'd be useful and this document moves forward.
IŽm not saying it is a bad Idea just that I would prefer if it was
not a MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the
HTTP request data (at least in java). I also think that with the
requirement to match the incoming certificate in some way one has
to read out the certificate that was used to establish the
connection to do some kind of matching.
Getting data out of the certificate isn't a concern. I just believe
that the constancy of having the client id parameter is worth the
potential small amount duplicate data in some cases. It's just a -00
draft though and if the WG wants to proceed with this document, we
seek further input and work towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Jim Manico
2016-11-03 12:48:41 UTC
Permalink
Just to be clear, the relationship should more like...

AS issues public key to clients, or client sends public key to AS. The authorities job is NOT to give the client the public key, but to sign the public key for authenticity. It's bad practice to accept the full cert (pub key+signature) from an authority. If an authority is creating your public key, they are also creating your private key.... bad.
The client will use the same cert across multiple connections, possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
I agree that the client_id is unlikely to be found inside the certificate itself. The client_id is issued by the authorization server for the client to use at that single AS. The certificate is issued by the CA for the client to use on any connection. The AS and CA are not likely to be the same system in most deployments. The client will use the same cert across multiple connections, possibly multiple AS's, but the same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a self-signed certificate using dynamic registration, much the way that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted, though, to help AS developers.
-- Justin
I agree it is written so that the connection to the certificate is implicitly required but I think it would be better if it was explicit written since the lack of a connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it be good to do so.
When it comes to the client_id I think subject common name or maybe subject serial numbers will be the common location, and I think an example would be valuable.
In my experience and the way we built support for mutual TLS OAuth client auth the client_id value does not appear in the certificate anywhere. I'm not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a MUST.
With very limited addition of code it is just as easy to get the certificate attribute for client id as it is to get it from the HTTP request data (at least in java). I also think that with the requirement to match the incoming certificate in some way one has to read out the certificate that was used to establish the connection to do some kind of matching.
Getting data out of the certificate isn't a concern. I just believe that the constancy of having the client id parameter is worth the potential small amount duplicate data in some cases. It's just a -00 draft though and if the WG wants to proceed with this document, we seek further input and work towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Justin Richer
2016-11-03 12:51:13 UTC
Permalink
Yes, I elided the certificate issuance process. The point remains the
same: you're not going to be submitting a CSR to the same party you're
getting your client_id from, usually. If the draft assumes that, then
it's incredibly limiting.


Do people really use separate TLS client certs for separate connections
in the wild? I've personally never seen that. What I've seen is that a
piece of software gets its certificate that it uses to make whatever
connections it needs to make.


-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to AS. The
authorities job is NOT to give the client the public key, but to sign
the public key for authenticity. It's bad practice to accept the full
cert (pub key+signature) from an authority. If an authority is
creating your public key, they are also creating your private key.... bad.
The client will use the same cert across multiple connections,
possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the authorization
server for the client to use at that single AS. The certificate is
issued by the CA for the client to use on any connection. The AS and
CA are not likely to be the same system in most deployments. The
client will use the same cert across multiple connections, possibly
multiple AS's, but the same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already
allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted, though, to help AS developers.
-- Justin
Post by Samuel Erdtman
I agree it is written so that the connection to the certificate
is implicitly required but I think it would be better if it was
explicit written since the lack of a connection would result in
a potential security hole.
That's fair. I agree it can be made more explicit and that it be good to do so.
When it comes to the client_id I think subject common name or
maybe subject serial numbers will be the common location, and I
think an example would be valuable.
In my experience and the way we built support for mutual TLS OAuth
client auth the client_id value does not appear in the certificate
anywhere. I'm not saying it can't happen but don't think it's
particularly common.
I can look at adding some examples, if there's some consensus that
they'd be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it
was not a MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the
HTTP request data (at least in java). I also think that with the
requirement to match the incoming certificate in some way one
has to read out the certificate that was used to establish the
connection to do some kind of matching.
Getting data out of the certificate isn't a concern. I just believe
that the constancy of having the client id parameter is worth the
potential small amount duplicate data in some cases. It's just a -00
draft though and if the WG wants to proceed with this document, we
seek further input and work towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Jim Manico
2016-11-03 14:31:39 UTC
Permalink
Thanks Justin. I use several security intel services and they all have different cert delivery mechanisms for mutual TLS. It's •rare• for services to let clients choose certs, they are usually assigned to users by each service from my experience.

Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
Yes, I elided the certificate issuance process. The point remains the same: you're not going to be submitting a CSR to the same party you're getting your client_id from, usually. If the draft assumes that, then it's incredibly limiting.
Do people really use separate TLS client certs for separate connections in the wild? I've personally never seen that. What I've seen is that a piece of software gets its certificate that it uses to make whatever connections it needs to make.
-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to AS. The authorities job is NOT to give the client the public key, but to sign the public key for authenticity. It's bad practice to accept the full cert (pub key+signature) from an authority. If an authority is creating your public key, they are also creating your private key.... bad.
The client will use the same cert across multiple connections, possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
I agree that the client_id is unlikely to be found inside the certificate itself. The client_id is issued by the authorization server for the client to use at that single AS. The certificate is issued by the CA for the client to use on any connection. The AS and CA are not likely to be the same system in most deployments. The client will use the same cert across multiple connections, possibly multiple AS's, but the same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a self-signed certificate using dynamic registration, much the way that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted, though, to help AS developers.
-- Justin
I agree it is written so that the connection to the certificate is implicitly required but I think it would be better if it was explicit written since the lack of a connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it be good to do so.
When it comes to the client_id I think subject common name or maybe subject serial numbers will be the common location, and I think an example would be valuable.
In my experience and the way we built support for mutual TLS OAuth client auth the client_id value does not appear in the certificate anywhere. I'm not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a MUST.
With very limited addition of code it is just as easy to get the certificate attribute for client id as it is to get it from the HTTP request data (at least in java). I also think that with the requirement to match the incoming certificate in some way one has to read out the certificate that was used to establish the connection to do some kind of matching.
Getting data out of the certificate isn't a concern. I just believe that the constancy of having the client id parameter is worth the potential small amount duplicate data in some cases. It's just a -00 draft though and if the WG wants to proceed with this document, we seek further input and work towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Justin Richer
2016-11-03 16:32:45 UTC
Permalink
Jim,

In those circumstances, are the clients generally calling multiple different services? Or just one? For those that call multiple services, are they using multiple (different) client certificates?

I’m not saying the client would issue its own cert in all cases — much more common is what I’ve seen, with clients being assigned a certificate from a trusted CA, and then services that the client talks to being told to trust that CA and also assign the CN/DN of the cert a set of privileges. What I *haven’t* seen is a client being issued multiple certificates to talk to multiple systems. That latter case is common enough in the OAuth world that I wouldn’t want us to paint ourselves in a corner.

— Justin
Post by Jim Manico
Thanks Justin. I use several security intel services and they all have different cert delivery mechanisms for mutual TLS. It's •rare• for services to let clients choose certs, they are usually assigned to users by each service from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
Yes, I elided the certificate issuance process. The point remains the same: you're not going to be submitting a CSR to the same party you're getting your client_id from, usually. If the draft assumes that, then it's incredibly limiting.
Do people really use separate TLS client certs for separate connections in the wild? I've personally never seen that. What I've seen is that a piece of software gets its certificate that it uses to make whatever connections it needs to make.
-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to AS. The authorities job is NOT to give the client the public key, but to sign the public key for authenticity. It's bad practice to accept the full cert (pub key+signature) from an authority. If an authority is creating your public key, they are also creating your private key.... bad.
The client will use the same cert across multiple connections, possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
I agree that the client_id is unlikely to be found inside the certificate itself. The client_id is issued by the authorization server for the client to use at that single AS. The certificate is issued by the CA for the client to use on any connection. The AS and CA are not likely to be the same system in most deployments. The client will use the same cert across multiple connections, possibly multiple AS's, but the same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a self-signed certificate using dynamic registration, much the way that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted, though, to help AS developers.
-- Justin
I agree it is written so that the connection to the certificate is implicitly required but I think it would be better if it was explicit written since the lack of a connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it be good to do so.
When it comes to the client_id I think subject common name or maybe subject serial numbers will be the common location, and I think an example would be valuable.
In my experience and the way we built support for mutual TLS OAuth client auth the client_id value does not appear in the certificate anywhere. I'm not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a MUST.
With very limited addition of code it is just as easy to get the certificate attribute for client id as it is to get it from the HTTP request data (at least in java). I also think that with the requirement to match the incoming certificate in some way one has to read out the certificate that was used to establish the connection to do some kind of matching.
Getting data out of the certificate isn't a concern. I just believe that the constancy of having the client id parameter is worth the potential small amount duplicate data in some cases. It's just a -00 draft though and if the WG wants to proceed with this document, we seek further input and work towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
Jim Manico
2016-11-03 16:40:46 UTC
Permalink
Post by Justin Richer
In those circumstances, are the clients generally calling multiple
different services? Or just one? For those that call multiple services,
are they using multiple (different) client certificates?

Ah, good point. I hear you now. I personally like the idea of "one cert
per service" so I can selectively manage each access separately, but I
understand where you are coming from and it makes sense.

Thanks for taking the time to respectfully explain your perspective and
provide me with a little education. :)

ALOHA,

Jim Manico
Post by Justin Richer
Jim,
In those circumstances, are the clients generally calling multiple
different services? Or just one? For those that call multiple
services, are they using multiple (different) client certificates?
I’m not saying the client would issue its own cert in all cases — much
more common is what I’ve seen, with clients being assigned a
certificate from a trusted CA, and then services that the client talks
to being told to trust that CA and also assign the CN/DN of the cert a
set of privileges. What I *haven’t* seen is a client being issued
multiple certificates to talk to multiple systems. That latter case is
common enough in the OAuth world that I wouldn’t want us to paint
ourselves in a corner.
— Justin
Post by Jim Manico
Thanks Justin. I use several security intel services and they all
have different cert delivery mechanisms for mutual TLS. It's •rare•
for services to let clients choose certs, they are usually assigned
to users by each service from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
Post by Justin Richer
Yes, I elided the certificate issuance process. The point remains
the same: you're not going to be submitting a CSR to the same party
you're getting your client_id from, usually. If the draft assumes
that, then it's incredibly limiting.
Do people really use separate TLS client certs for separate
connections in the wild? I've personally never seen that. What I've
seen is that a piece of software gets its certificate that it uses
to make whatever connections it needs to make.
-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to AS.
The authorities job is NOT to give the client the public key, but
to sign the public key for authenticity. It's bad practice to
accept the full cert (pub key+signature) from an authority. If an
authority is creating your public key, they are also creating your
private key.... bad.
The client will use the same cert across multiple connections,
possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the authorization
server for the client to use at that single AS. The certificate is
issued by the CA for the client to use on any connection. The AS
and CA are not likely to be the same system in most deployments.
The client will use the same cert across multiple connections,
possibly multiple AS's, but the same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a
self-signed certificate using dynamic registration, much the way
that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted, though,
to help AS developers.
-- Justin
On Sun, Oct 30, 2016 at 9:27 AM, Samuel Erdtman
I agree it is written so that the connection to the
certificate is implicitly required but I think it would be
better if it was explicit written since the lack of a
connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it be good to do so.
When it comes to the client_id I think subject common name or
maybe subject serial numbers will be the common location, and
I think an example would be valuable.
In my experience and the way we built support for mutual TLS
OAuth client auth the client_id value does not appear in the
certificate anywhere. I'm not saying it can't happen but don't
think it's particularly common.
I can look at adding some examples, if there's some consensus
that they'd be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if
it was not a MUST.
With very limited addition of code it is just as easy to get
the certificate attribute for client id as it is to get it
from the HTTP request data (at least in java). I also think
that with the requirement to match the incoming certificate
in some way one has to read out the certificate that was used
to establish the connection to do some kind of matching.
Getting data out of the certificate isn't a concern. I just
believe that the constancy of having the client id parameter is
worth the potential small amount duplicate data in some cases.
It's just a -00 draft though and if the WG wants to proceed with
this document, we seek further input and work towards some
consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
--
Jim Manico
Manicode Security
https://www.manicode.com
Samuel Erdtman
2016-11-03 16:48:14 UTC
Permalink
I can see your point, maybe the client_id will not be in the certificate.
If I had an AS I would select to trust one or several CAs and then create
certificate mappings between certificate serial number (or some other
unique attribute in the certificate) and client_id. If I were to bind a
specific certificate to a client_id I lose the flexibility of the PKI
(maybe what you want).

I think multiple certificates might not be a uncommon situation especially
if you call ASs from different organizations because they will trust
different CAs.

//Samuel
Post by Justin Richer
Jim,
In those circumstances, are the clients generally calling multiple
different services? Or just one? For those that call multiple services, are
they using multiple (different) client certificates?
I’m not saying the client would issue its own cert in all cases — much
more common is what I’ve seen, with clients being assigned a certificate
from a trusted CA, and then services that the client talks to being told to
trust that CA and also assign the CN/DN of the cert a set of privileges.
What I *haven’t* seen is a client being issued multiple certificates to
talk to multiple systems. That latter case is common enough in the OAuth
world that I wouldn’t want us to paint ourselves in a corner.
— Justin
Thanks Justin. I use several security intel services and they all have
different cert delivery mechanisms for mutual TLS. It's •rare• for services
to let clients choose certs, they are usually assigned to users by each
service from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
Yes, I elided the certificate issuance process. The point remains the
same: you're not going to be submitting a CSR to the same party you're
getting your client_id from, usually. If the draft assumes that, then it's
incredibly limiting.
Do people really use separate TLS client certs for separate connections in
the wild? I've personally never seen that. What I've seen is that a piece
of software gets its certificate that it uses to make whatever connections
it needs to make.
-- Justin
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to AS. The
authorities job is NOT to give the client the public key, but to sign the
public key for authenticity. It's bad practice to accept the full cert (pub
key+signature) from an authority. If an authority is creating your public
key, they are also creating your private key.... bad.
The client will use the same cert across multiple connections, possibly
multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
I agree that the client_id is unlikely to be found inside the certificate
itself. The client_id is issued by the authorization server for the client
to use at that single AS. The certificate is issued by the CA for the
client to use on any connection. The AS and CA are not likely to be the
same system in most deployments. The client will use the same cert across
multiple connections, possibly multiple AS's, but the same isn't true of
the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
I do think that more examples and guidance are warranted, though, to help AS developers.
-- Justin
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to do so.
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Sergey Beryozkin
2016-11-03 17:11:22 UTC
Permalink
Hi

In our implementation we support the following scenario:
- the client registers its public certificate during the client registration

- next, mutual/two-way TLS is used, so AccessTokenService tries to
figure out the client_id. At the moment it assumes the client_id is
(Java) X509Certificate.getSubjectX500Principal().getName().

Next it retrieves a client with this name and compares the TLS
client/peer certificate against the pre-registered one.

I think it may be interesting to explore further if client_id can become
optional based on what Samuel said.

For example, indeed I can see how I can update our code to have a
mapping between some of client certificate's properties and a client id
stored within a Client registration.

The question is how to find a given Client registration effectively
given only a certificate, without an optional client_id. One would need
to have a map between these client certificate attribute and client_id
or Clients.

Cheers, Sergey
Post by Samuel Erdtman
I can see your point, maybe the client_id will not be in the certificate.
If I had an AS I would select to trust one or several CAs and then
create certificate mappings between certificate serial number (or some
other unique attribute in the certificate) and client_id. If I were to
bind a specific certificate to a client_id I lose the flexibility of the
PKI (maybe what you want).
I think multiple certificates might not be a uncommon situation
especially if you call ASs from different organizations because they
will trust different CAs.
//Samuel
Jim,
In those circumstances, are the clients generally calling multiple
different services? Or just one? For those that call multiple
services, are they using multiple (different) client certificates?
I’m not saying the client would issue its own cert in all cases —
much more common is what I’ve seen, with clients being assigned a
certificate from a trusted CA, and then services that the client
talks to being told to trust that CA and also assign the CN/DN of
the cert a set of privileges. What I *haven’t* seen is a client
being issued multiple certificates to talk to multiple systems. That
latter case is common enough in the OAuth world that I wouldn’t want
us to paint ourselves in a corner.
— Justin
Post by Jim Manico
Thanks Justin. I use several security intel services and they all
have different cert delivery mechanisms for mutual TLS. It's
•rare• for services to let clients choose certs, they are usually
assigned to users by each service from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
Post by Justin Richer
Yes, I elided the certificate issuance process. The point remains
the same: you're not going to be submitting a CSR to the same
party you're getting your client_id from, usually. If the draft
assumes that, then it's incredibly limiting.
Do people really use separate TLS client certs for separate
connections in the wild? I've personally never seen that. What
I've seen is that a piece of software gets its certificate that
it uses to make whatever connections it needs to make.
-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to
AS. The authorities job is NOT to give the client the public
key, but to sign the public key for authenticity. It's bad
practice to accept the full cert (pub key+signature) from an
authority. If an authority is creating your public key, they are
also creating your private key.... bad.
The client will use the same cert across multiple connections,
possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature
for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the
authorization server for the client to use at that single AS.
The certificate is issued by the CA for the client to use on
any connection. The AS and CA are not likely to be the same
system in most deployments. The client will use the same cert
across multiple connections, possibly multiple AS's, but the
same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a
self-signed certificate using dynamic registration, much the
way that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted,
though, to help AS developers.
-- Justin
On Sun, Oct 30, 2016 at 9:27 AM, Samuel Erdtman
I agree it is written so that the connection to the
certificate is implicitly required but I think it would be
better if it was explicit written since the lack of a
connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it
be good to do so.
When it comes to the client_id I think subject common name
or maybe subject serial numbers will be the common
location, and I think an example would be valuable.
In my experience and the way we built support for mutual TLS
OAuth client auth the client_id value does not appear in the
certificate anywhere. I'm not saying it can't happen but don't
think it's particularly common.
I can look at adding some examples, if there's some consensus
that they'd be useful and this document moves forward.
I´m not saying it is a bad Idea just that I would prefer
if it was not a MUST.
With very limited addition of code it is just as easy to
get the certificate attribute for client id as it is to
get it from the HTTP request data (at least in java). I
also think that with the requirement to match the incoming
certificate in some way one has to read out the
certificate that was used to establish the connection to
do some kind of matching.
Getting data out of the certificate isn't a concern. I just
believe that the constancy of having the client id parameter
is worth the potential small amount duplicate data in some
cases. It's just a -00 draft though and if the WG wants to
proceed with this document, we seek further input and work
towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
Jim Manico
2016-11-04 17:06:13 UTC
Permalink
You could also sign the client_id with your private cert and send it
like normal OAuth requests...

But I like the idea of mapping the client_id server-side to the cert as
well.

Now we're talking real security. Bearer tokens are so Q1-2016. :)

Aloha, Jim
Post by Sergey Beryozkin
Hi
- the client registers its public certificate during the client registration
- next, mutual/two-way TLS is used, so AccessTokenService tries to
figure out the client_id. At the moment it assumes the client_id is
(Java) X509Certificate.getSubjectX500Principal().getName().
Next it retrieves a client with this name and compares the TLS
client/peer certificate against the pre-registered one.
I think it may be interesting to explore further if client_id can
become optional based on what Samuel said.
For example, indeed I can see how I can update our code to have a
mapping between some of client certificate's properties and a client
id stored within a Client registration.
The question is how to find a given Client registration effectively
given only a certificate, without an optional client_id. One would
need to have a map between these client certificate attribute and
client_id or Clients.
Cheers, Sergey
Post by Samuel Erdtman
I can see your point, maybe the client_id will not be in the
certificate.
If I had an AS I would select to trust one or several CAs and then
create certificate mappings between certificate serial number (or some
other unique attribute in the certificate) and client_id. If I were to
bind a specific certificate to a client_id I lose the flexibility of the
PKI (maybe what you want).
I think multiple certificates might not be a uncommon situation
especially if you call ASs from different organizations because they
will trust different CAs.
//Samuel
Jim,
In those circumstances, are the clients generally calling multiple
different services? Or just one? For those that call multiple
services, are they using multiple (different) client certificates?
I’m not saying the client would issue its own cert in all cases —
much more common is what I’ve seen, with clients being assigned a
certificate from a trusted CA, and then services that the client
talks to being told to trust that CA and also assign the CN/DN of
the cert a set of privileges. What I *haven’t* seen is a client
being issued multiple certificates to talk to multiple systems. That
latter case is common enough in the OAuth world that I wouldn’t want
us to paint ourselves in a corner.
— Justin
Post by Jim Manico
Thanks Justin. I use several security intel services and they all
have different cert delivery mechanisms for mutual TLS. It's
•rare• for services to let clients choose certs, they are usually
assigned to users by each service from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
Post by Justin Richer
Yes, I elided the certificate issuance process. The point remains
the same: you're not going to be submitting a CSR to the same
party you're getting your client_id from, usually. If the draft
assumes that, then it's incredibly limiting.
Do people really use separate TLS client certs for separate
connections in the wild? I've personally never seen that. What
I've seen is that a piece of software gets its certificate that
it uses to make whatever connections it needs to make.
-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to
AS. The authorities job is NOT to give the client the public
key, but to sign the public key for authenticity. It's bad
practice to accept the full cert (pub key+signature) from an
authority. If an authority is creating your public key, they are
also creating your private key.... bad.
The client will use the same cert across multiple connections,
possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature
for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the
authorization server for the client to use at that single AS.
The certificate is issued by the CA for the client to use on
any connection. The AS and CA are not likely to be the same
system in most deployments. The client will use the same cert
across multiple connections, possibly multiple AS's, but the
same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a
self-signed certificate using dynamic registration, much the
way that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted,
though, to help AS developers.
-- Justin
On Sun, Oct 30, 2016 at 9:27 AM, Samuel Erdtman
I agree it is written so that the connection to the
certificate is implicitly required but I think it would be
better if it was explicit written since the lack of a
connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it
be good to do so.
When it comes to the client_id I think subject common name
or maybe subject serial numbers will be the common
location, and I think an example would be valuable.
In my experience and the way we built support for mutual TLS
OAuth client auth the client_id value does not appear in the
certificate anywhere. I'm not saying it can't happen but don't
think it's particularly common.
I can look at adding some examples, if there's some consensus
that they'd be useful and this document moves forward.
I´m not saying it is a bad Idea just that I would prefer
if it was not a MUST.
With very limited addition of code it is just as easy to
get the certificate attribute for client id as it is to
get it from the HTTP request data (at least in java). I
also think that with the requirement to match the incoming
certificate in some way one has to read out the
certificate that was used to establish the connection to
do some kind of matching.
Getting data out of the certificate isn't a concern. I just
believe that the constancy of having the client id parameter
is worth the potential small amount duplicate data in some
cases. It's just a -00 draft though and if the WG wants to
proceed with this document, we seek further input and work
towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
--
Jim Manico
Manicode Security
https://www.manicode.com
Vladimir Dzhuvinov
2016-11-10 20:10:54 UTC
Permalink
Post by Sergey Beryozkin
Hi
- the client registers its public certificate during the client registration
Did you extend the standard client reg API for this purpose?

How does the cert registration actually take place?
Post by Sergey Beryozkin
- next, mutual/two-way TLS is used, so AccessTokenService tries to
figure out the client_id. At the moment it assumes the client_id is
(Java) X509Certificate.getSubjectX500Principal().getName().
Next it retrieves a client with this name and compares the TLS
client/peer certificate against the pre-registered one.
I think it may be interesting to explore further if client_id can
become optional based on what Samuel said.
For example, indeed I can see how I can update our code to have a
mapping between some of client certificate's properties and a client
id stored within a Client registration.
The question is how to find a given Client registration effectively
given only a certificate, without an optional client_id. One would
need to have a map between these client certificate attribute and
client_id or Clients.
Cheers, Sergey
Post by Samuel Erdtman
I can see your point, maybe the client_id will not be in the
certificate.
If I had an AS I would select to trust one or several CAs and then
create certificate mappings between certificate serial number (or some
other unique attribute in the certificate) and client_id. If I were to
bind a specific certificate to a client_id I lose the flexibility of the
PKI (maybe what you want).
I think multiple certificates might not be a uncommon situation
especially if you call ASs from different organizations because they
will trust different CAs.
//Samuel
Jim,
In those circumstances, are the clients generally calling multiple
different services? Or just one? For those that call multiple
services, are they using multiple (different) client certificates?
I’m not saying the client would issue its own cert in all cases —
much more common is what I’ve seen, with clients being assigned a
certificate from a trusted CA, and then services that the client
talks to being told to trust that CA and also assign the CN/DN of
the cert a set of privileges. What I *haven’t* seen is a client
being issued multiple certificates to talk to multiple systems. That
latter case is common enough in the OAuth world that I wouldn’t want
us to paint ourselves in a corner.
— Justin
Post by Jim Manico
Thanks Justin. I use several security intel services and they all
have different cert delivery mechanisms for mutual TLS. It's
•rare• for services to let clients choose certs, they are usually
assigned to users by each service from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
Post by Justin Richer
Yes, I elided the certificate issuance process. The point remains
the same: you're not going to be submitting a CSR to the same
party you're getting your client_id from, usually. If the draft
assumes that, then it's incredibly limiting.
Do people really use separate TLS client certs for separate
connections in the wild? I've personally never seen that. What
I've seen is that a piece of software gets its certificate that
it uses to make whatever connections it needs to make.
-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to
AS. The authorities job is NOT to give the client the public
key, but to sign the public key for authenticity. It's bad
practice to accept the full cert (pub key+signature) from an
authority. If an authority is creating your public key, they are
also creating your private key.... bad.
The client will use the same cert across multiple connections,
possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature
for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the
authorization server for the client to use at that single AS.
The certificate is issued by the CA for the client to use on
any connection. The AS and CA are not likely to be the same
system in most deployments. The client will use the same cert
across multiple connections, possibly multiple AS's, but the
same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a
self-signed certificate using dynamic registration, much the
way that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted,
though, to help AS developers.
-- Justin
On Sun, Oct 30, 2016 at 9:27 AM, Samuel Erdtman
I agree it is written so that the connection to the
certificate is implicitly required but I think it would be
better if it was explicit written since the lack of a
connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it
be good to do so.
When it comes to the client_id I think subject common name
or maybe subject serial numbers will be the common
location, and I think an example would be valuable.
In my experience and the way we built support for mutual TLS
OAuth client auth the client_id value does not appear in the
certificate anywhere. I'm not saying it can't happen but don't
think it's particularly common.
I can look at adding some examples, if there's some consensus
that they'd be useful and this document moves forward.
IŽm not saying it is a bad Idea just that I would prefer
if it was not a MUST.
With very limited addition of code it is just as easy to
get the certificate attribute for client id as it is to
get it from the HTTP request data (at least in java). I
also think that with the requirement to match the incoming
certificate in some way one has to read out the
certificate that was used to establish the connection to
do some kind of matching.
Getting data out of the certificate isn't a concern. I just
believe that the constancy of having the client id parameter
is worth the potential small amount duplicate data in some
cases. It's just a -00 draft though and if the WG wants to
proceed with this document, we seek further input and work
towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
--
Vladimir Dzhuvinov :: ***@connect2id.com
Sergey Beryozkin
2016-11-10 21:57:54 UTC
Permalink
Post by Vladimir Dzhuvinov
Post by Sergey Beryozkin
Hi
- the client registers its public certificate during the client registration
Did you extend the standard client reg API for this purpose?
No. Should there be an option in the client reg API ?
Post by Vladimir Dzhuvinov
How does the cert registration actually take place?
The encoded certificate is an optional property of the Client class
which is part of the larger OAuth2 model. The clients are registered out
of band - the assumption that the product integrating our model will let
the admins upload a certificate associated with a given client,
alongside all the other information one would typically allocate at a
client registration time via some UI page.
In a particular integration instance I'm aware of no such option to
upload the certs is offered yet
Sergey
Post by Vladimir Dzhuvinov
Post by Sergey Beryozkin
- next, mutual/two-way TLS is used, so AccessTokenService tries to
figure out the client_id. At the moment it assumes the client_id is
(Java) X509Certificate.getSubjectX500Principal().getName().
Next it retrieves a client with this name and compares the TLS
client/peer certificate against the pre-registered one.
I think it may be interesting to explore further if client_id can
become optional based on what Samuel said.
For example, indeed I can see how I can update our code to have a
mapping between some of client certificate's properties and a client
id stored within a Client registration.
The question is how to find a given Client registration effectively
given only a certificate, without an optional client_id. One would
need to have a map between these client certificate attribute and
client_id or Clients.
Cheers, Sergey
Post by Samuel Erdtman
I can see your point, maybe the client_id will not be in the certificate.
If I had an AS I would select to trust one or several CAs and then
create certificate mappings between certificate serial number (or some
other unique attribute in the certificate) and client_id. If I were to
bind a specific certificate to a client_id I lose the flexibility of the
PKI (maybe what you want).
I think multiple certificates might not be a uncommon situation
especially if you call ASs from different organizations because they
will trust different CAs.
//Samuel
Jim,
In those circumstances, are the clients generally calling multiple
different services? Or just one? For those that call multiple
services, are they using multiple (different) client certificates?
I’m not saying the client would issue its own cert in all cases —
much more common is what I’ve seen, with clients being assigned a
certificate from a trusted CA, and then services that the client
talks to being told to trust that CA and also assign the CN/DN of
the cert a set of privileges. What I *haven’t* seen is a client
being issued multiple certificates to talk to multiple systems. That
latter case is common enough in the OAuth world that I wouldn’t want
us to paint ourselves in a corner.
— Justin
Post by Jim Manico
Thanks Justin. I use several security intel services and they all
have different cert delivery mechanisms for mutual TLS. It's
•rare• for services to let clients choose certs, they are usually
assigned to users by each service from my experience.
Aloha,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
Post by Justin Richer
Yes, I elided the certificate issuance process. The point remains
the same: you're not going to be submitting a CSR to the same
party you're getting your client_id from, usually. If the draft
assumes that, then it's incredibly limiting.
Do people really use separate TLS client certs for separate
connections in the wild? I've personally never seen that. What
I've seen is that a piece of software gets its certificate that
it uses to make whatever connections it needs to make.
-- Justin
Post by Jim Manico
Just to be clear, the relationship should more like...
AS issues public key to clients, or client sends public key to
AS. The authorities job is NOT to give the client the public
key, but to sign the public key for authenticity. It's bad
practice to accept the full cert (pub key+signature) from an
authority. If an authority is creating your public key, they are
also creating your private key.... bad.
The client will use the same cert across multiple connections,
possibly multiple AS's, but the same isn't true of the client_id.
This seems like a bad idea. I suggest a separate key/signature
for each service.
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805 <tel:%2B1%20%28808%29%20652-3805>
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the
authorization server for the client to use at that single AS.
The certificate is issued by the CA for the client to use on
any connection. The AS and CA are not likely to be the same
system in most deployments. The client will use the same cert
across multiple connections, possibly multiple AS's, but the
same isn't true of the client_id.
Additionally, I think we want to allow for a binding of a
self-signed certificate using dynamic registration, much the
way that we already allow binding of a client-generated JWK today.
I do think that more examples and guidance are warranted,
though, to help AS developers.
-- Justin
On Sun, Oct 30, 2016 at 9:27 AM, Samuel Erdtman
I agree it is written so that the connection to the
certificate is implicitly required but I think it would be
better if it was explicit written since the lack of a
connection would result in a potential security hole.
That's fair. I agree it can be made more explicit and that it
be good to do so.
When it comes to the client_id I think subject common name
or maybe subject serial numbers will be the common
location, and I think an example would be valuable.
In my experience and the way we built support for mutual TLS
OAuth client auth the client_id value does not appear in the
certificate anywhere. I'm not saying it can't happen but don't
think it's particularly common.
I can look at adding some examples, if there's some consensus
that they'd be useful and this document moves forward.
I´m not saying it is a bad Idea just that I would prefer
if it was not a MUST.
With very limited addition of code it is just as easy to
get the certificate attribute for client id as it is to
get it from the HTTP request data (at least in java). I
also think that with the requirement to match the incoming
certificate in some way one has to read out the
certificate that was used to establish the connection to
do some kind of matching.
Getting data out of the certificate isn't a concern. I just
believe that the constancy of having the client id parameter
is worth the potential small amount duplicate data in some
cases. It's just a -00 draft though and if the WG wants to
proceed with this document, we seek further input and work
towards some consensus.
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
<https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
--
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/
Brian Campbell
2016-11-04 21:17:54 UTC
Permalink
few little things inline...
I agree that the client_id is unlikely to be found inside the certificate
itself. The client_id is issued by the authorization server for the client
to use at that single AS. The certificate is issued by the CA for the
client to use on any connection. The AS and CA are not likely to be the
same system in most deployments. The client will use the same cert across
multiple connections, possibly multiple AS's, but the same isn't true of
the client_id.
You said it better than I.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
Binding the client to a self-signed certificate is pretty similar to
binding to the public key. But I agree it should be possible.

The jwks_uri or jwks client registration metadata parameters are well
suited to convey such info. The JWKs in them can convey the public key
(obviously) but can also can convey a self-signed certificate with the
"x5c" (X.509 Certificate Chain) parameter.
I do think that more examples and guidance are warranted, though, to help
AS developers.
Noted.
-- Justin
Post by Samuel Erdtman
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to
do so.
Post by Samuel Erdtman
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
Post by Samuel Erdtman
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
Samuel Erdtman
2016-11-11 16:41:17 UTC
Permalink
Just a quick comment, see inline
I agree that the client_id is unlikely to be found inside the certificate
itself. The client_id is issued by the authorization server for the client
to use at that single AS. The certificate is issued by the CA for the
client to use on any connection. The AS and CA are not likely to be the
same system in most deployments. The client will use the same cert across
multiple connections, possibly multiple AS's, but the same isn't true of
the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
Should this specification then extend the dynamic registration
specification (https://tools.ietf.org/html/rfc7591) with the certificate
parameter to actually do the registration or is that another document?
I do think that more examples and guidance are warranted, though, to help
AS developers.
-- Justin
Post by Samuel Erdtman
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to
do so.
Post by Samuel Erdtman
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
Post by Samuel Erdtman
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
Brian Campbell
2016-11-11 18:13:05 UTC
Permalink
Wouldn't the existing jwks/jwks_uri client metadata parameters suffice?
Perhaps some guidance in this document about that is warranted. But I don't
believe anything new is needed for that case.
Post by Samuel Erdtman
Just a quick comment, see inline
I agree that the client_id is unlikely to be found inside the certificate
itself. The client_id is issued by the authorization server for the client
to use at that single AS. The certificate is issued by the CA for the
client to use on any connection. The AS and CA are not likely to be the
same system in most deployments. The client will use the same cert across
multiple connections, possibly multiple AS's, but the same isn't true of
the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
Should this specification then extend the dynamic registration
specification (https://tools.ietf.org/html/rfc7591) with the certificate
parameter to actually do the registration or is that another document?
I do think that more examples and guidance are warranted, though, to help
AS developers.
-- Justin
Post by Samuel Erdtman
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to
do so.
Post by Samuel Erdtman
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
Post by Samuel Erdtman
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
Samuel Erdtman
2016-11-11 20:17:13 UTC
Permalink
You are absolutely right one could use the
Post by Brian Campbell
Wouldn't the existing jwks/jwks_uri client metadata parameters suffice?
Perhaps some guidance in this document about that is warranted. But I don't
believe anything new is needed for that case.
Just a quick comment, see inline
I agree that the client_id is unlikely to be found inside the certificate
itself. The client_id is issued by the authorization server for the client
to use at that single AS. The certificate is issued by the CA for the
client to use on any connection. The AS and CA are not likely to be the
same system in most deployments. The client will use the same cert across
multiple connections, possibly multiple AS's, but the same isn't true of
the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
Should this specification then extend the dynamic registration
specification (https://tools.ietf.org/html/rfc7591) with the certificate
parameter to actually do the registration or is that another document?
I do think that more examples and guidance are warranted, though, to help
AS developers.
-- Justin
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to
do so.
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
Samuel Erdtman
2016-11-11 20:21:30 UTC
Permalink
You are right one could absolutely use the jwks or jwks_uri attribute, but
from my point of view that would be a workaround.
I would prefer that x5u, x5c and/or x5t was directly available in the
client registration request not via jwks. This would be a cleaner solution.

Best Regards
Samuel
Post by Brian Campbell
Wouldn't the existing jwks/jwks_uri client metadata parameters suffice?
Perhaps some guidance in this document about that is warranted. But I don't
believe anything new is needed for that case.
Just a quick comment, see inline
I agree that the client_id is unlikely to be found inside the certificate
itself. The client_id is issued by the authorization server for the client
to use at that single AS. The certificate is issued by the CA for the
client to use on any connection. The AS and CA are not likely to be the
same system in most deployments. The client will use the same cert across
multiple connections, possibly multiple AS's, but the same isn't true of
the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
Should this specification then extend the dynamic registration
specification (https://tools.ietf.org/html/rfc7591) with the certificate
parameter to actually do the registration or is that another document?
I do think that more examples and guidance are warranted, though, to help
AS developers.
-- Justin
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to
do so.
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
Brian Campbell
2016-11-11 21:54:14 UTC
Permalink
From my point of view, the cleaner solution is using existing fields for
what they are well suited rather than inventing new ones.
You are right one could absolutely use the jwks or jwks_uri attribute, but
from my point of view that would be a workaround.
I would prefer that x5u, x5c and/or x5t was directly available in the
client registration request not via jwks. This would be a cleaner solution.
Best Regards
Samuel
Post by Brian Campbell
Wouldn't the existing jwks/jwks_uri client metadata parameters suffice?
Perhaps some guidance in this document about that is warranted. But I don't
believe anything new is needed for that case.
Just a quick comment, see inline
I agree that the client_id is unlikely to be found inside the certificate
itself. The client_id is issued by the authorization server for the client
to use at that single AS. The certificate is issued by the CA for the
client to use on any connection. The AS and CA are not likely to be the
same system in most deployments. The client will use the same cert across
multiple connections, possibly multiple AS's, but the same isn't true of
the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
Should this specification then extend the dynamic registration
specification (https://tools.ietf.org/html/rfc7591) with the certificate
parameter to actually do the registration or is that another document?
I do think that more examples and guidance are warranted, though, to help
AS developers.
-- Justin
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to
do so.
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth client
auth the client_id value does not appear in the certificate anywhere. I'm
not saying it can't happen but don't think it's particularly common.
I can look at adding some examples, if there's some consensus that they'd
be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
Samuel Erdtman
2016-11-15 17:02:01 UTC
Permalink
The reason I think it is a workaround to use the jwks or jwks_uri is that
you would then wrap the x5u, x5c and/or x5t in a jwk object that you do not
really need. So the implementation needs to be aware of how to create and
read jwk even though it will not use any of the jwk data.

With that said, lets see what others think.
From my point of view, the cleaner solution is using existing fields for
what they are well suited rather than inventing new ones.
Post by Samuel Erdtman
You are right one could absolutely use the jwks or jwks_uri attribute,
but from my point of view that would be a workaround.
I would prefer that x5u, x5c and/or x5t was directly available in the
client registration request not via jwks. This would be a cleaner solution.
Best Regards
Samuel
Post by Brian Campbell
Wouldn't the existing jwks/jwks_uri client metadata parameters suffice?
Perhaps some guidance in this document about that is warranted. But I don't
believe anything new is needed for that case.
Just a quick comment, see inline
I agree that the client_id is unlikely to be found inside the
certificate itself. The client_id is issued by the authorization server for
the client to use at that single AS. The certificate is issued by the CA
for the client to use on any connection. The AS and CA are not likely to be
the same system in most deployments. The client will use the same cert
across multiple connections, possibly multiple AS's, but the same isn't
true of the client_id.
Additionally, I think we want to allow for a binding of a self-signed
certificate using dynamic registration, much the way that we already allow
binding of a client-generated JWK today.
Should this specification then extend the dynamic registration
specification (https://tools.ietf.org/html/rfc7591) with the
certificate parameter to actually do the registration or is that another
document?
I do think that more examples and guidance are warranted, though, to
help AS developers.
-- Justin
I agree it is written so that the connection to the certificate is
implicitly required but I think it would be better if it was explicit
written since the lack of a connection would result in a potential security
hole.
That's fair. I agree it can be made more explicit and that it be good to
do so.
When it comes to the client_id I think subject common name or maybe
subject serial numbers will be the common location, and I think an example
would be valuable.
In my experience and the way we built support for mutual TLS OAuth
client auth the client_id value does not appear in the certificate
anywhere. I'm not saying it can't happen but don't think it's particularly
common.
I can look at adding some examples, if there's some consensus that
they'd be useful and this document moves forward.
IÂŽm not saying it is a bad Idea just that I would prefer if it was not a
MUST.
With very limited addition of code it is just as easy to get the
certificate attribute for client id as it is to get it from the HTTP
request data (at least in java). I also think that with the requirement to
match the incoming certificate in some way one has to read out the
certificate that was used to establish the connection to do some kind of
matching.
Getting data out of the certificate isn't a concern. I just believe that
the constancy of having the client id parameter is worth the potential
small amount duplicate data in some cases. It's just a -00 draft though and
if the WG wants to proceed with this document, we seek further input and
work towards some consensus.
_______________________________________________
Brian Campbell
2016-10-28 20:31:20 UTC
Permalink
Not wanting to add more meta parameters was a motivation. Also not being
sure of how to enumerate the possible approaches. My thinking was also that
there are a lot of factors involved and that it'd probably be better left
to service documentation to describe things like what authorities are
trusted and what the client to cert binding is. Like I said, we can look at
adding more metadata, if there's some consensus to do so. But I worry that
it'll just be bloat that doesn't really add value.

I also think that, in many situations, it's unlikely that a cert will
contain a client id anywhere as subject information. A client id is scoped
to a particular authorization server and it's hard to imagine a CA issuing
a cert with an identifier that's only meaningful in the context of some
other entity like that. Maybe in a more closed system where the AS and an
organizational CA are both in the same management/administrative domain but
not in the more general case.
Post by Vladimir Dzhuvinov
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the
basic
Post by Brian Campbell
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's
some
Post by Brian Campbell
consensus that it'd be useful.
On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the
possible
Post by Brian Campbell
Post by Vladimir Dzhuvinov
binding methods, and giving them some identifiers or names, so that AS /
OPs can advertise them in their metadata, and clients register
accordingly?
Post by Brian Campbell
Post by Vladimir Dzhuvinov
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
Post by Brian Campbell
Post by Vladimir Dzhuvinov
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-clien
t-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS)
Authentication for OAuth Clients
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-
drafts/draft-campbell-oauth-tls-client-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Status: https://datatracker.ietf.org/
doc/draft-campbell-oauth-tls-client-auth/
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Htmlized: https://tools.ietf.org/html/d
raft-campbell-oauth-tls-client-auth-00
Post by Brian Campbell
Post by Vladimir Dzhuvinov
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of
submission
Post by Brian Campbell
Post by Vladimir Dzhuvinov
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
ietf.org/mailman/listinfo/oauth
Post by Brian Campbell
Post by Vladimir Dzhuvinov
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
John Bradley
2016-11-05 01:11:19 UTC
Permalink
I can easily see Research and education publishing self signed certs in meta-data that is then used for client authentication and other things.
I don’t want to limit this to only CA issued certs where the client_id is in the DN. Client_id tend not to be domain names currently.
Looking up a raw key provided via JWK in registration based on client_id will be one way that people will use this. Passing the cert is seen as just a way of passing the key to many people.

I also understand the desire in ACE to save bytes.

If you are using self signed certs then including the client_id in the cert vs as a parameter is a bit of a no op re size.

Perhaps if there is a common pattern we could document a IoT profile where ca issued cert is used and what it would look like.

I have concerns that this may open a can of worms around what the CN would be and the interpretations of use extensions if this is flagged as something other than a host cert. What do devices do now when they are issued certs. Is there a common standard or is it by manufacturer.

My main concern would be to not hold up what should be a simple spec for the server to server case, but am willing to accommodate IoT if possible.

Regards
John B.
Not wanting to add more meta parameters was a motivation. Also not being sure of how to enumerate the possible approaches. My thinking was also that there are a lot of factors involved and that it'd probably be better left to service documentation to describe things like what authorities are trusted and what the client to cert binding is. Like I said, we can look at adding more metadata, if there's some consensus to do so. But I worry that it'll just be bloat that doesn't really add value.
I also think that, in many situations, it's unlikely that a cert will contain a client id anywhere as subject information. A client id is scoped to a particular authorization server and it's hard to imagine a CA issuing a cert with an identifier that's only meaningful in the context of some other entity like that. Maybe in a more closed system where the AS and an organizational CA are both in the same management/administrative domain but not in the more general case.
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the basic
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's some
consensus that it'd be useful.
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls- <https://tools.ietf.org/html/draft-campbell-oauth-tls->
My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the possible
binding methods, and giving them some identifiers or names, so that AS /
OPs can advertise them in their metadata, and clients register accordingly?
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/ <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00 <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
Phil Hunt (IDM)
2016-11-05 01:14:23 UTC
Permalink
+1

Phil
Post by John Bradley
I can easily see Research and education publishing self signed certs in meta-data that is then used for client authentication and other things.
I don’t want to limit this to only CA issued certs where the client_id is in the DN. Client_id tend not to be domain names currently.
Looking up a raw key provided via JWK in registration based on client_id will be one way that people will use this. Passing the cert is seen as just a way of passing the key to many people.
I also understand the desire in ACE to save bytes.
If you are using self signed certs then including the client_id in the cert vs as a parameter is a bit of a no op re size.
Perhaps if there is a common pattern we could document a IoT profile where ca issued cert is used and what it would look like.
I have concerns that this may open a can of worms around what the CN would be and the interpretations of use extensions if this is flagged as something other than a host cert. What do devices do now when they are issued certs. Is there a common standard or is it by manufacturer.
My main concern would be to not hold up what should be a simple spec for the server to server case, but am willing to accommodate IoT if possible.
Regards
John B.
Not wanting to add more meta parameters was a motivation. Also not being sure of how to enumerate the possible approaches. My thinking was also that there are a lot of factors involved and that it'd probably be better left to service documentation to describe things like what authorities are trusted and what the client to cert binding is. Like I said, we can look at adding more metadata, if there's some consensus to do so. But I worry that it'll just be bloat that doesn't really add value.
I also think that, in many situations, it's unlikely that a cert will contain a client id anywhere as subject information. A client id is scoped to a particular authorization server and it's hard to imagine a CA issuing a cert with an identifier that's only meaningful in the context of some other entity like that. Maybe in a more closed system where the AS and an organizational CA are both in the same management/administrative domain but not in the more general case.
Post by Vladimir Dzhuvinov
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the basic
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's some
consensus that it'd be useful.
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the possible
binding methods, and giving them some identifiers or names, so that AS /
OPs can advertise them in their metadata, and clients register accordingly?
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Samuel Erdtman
2016-11-07 16:43:28 UTC
Permalink
Phil, what is your +1 referring to?

//Samuel
Post by John Bradley
+1
Phil
I can easily see Research and education publishing self signed certs in
meta-data that is then used for client authentication and other things.
I don’t want to limit this to only CA issued certs where the client_id is
in the DN. Client_id tend not to be domain names currently.
Looking up a raw key provided via JWK in registration based on client_id
will be one way that people will use this. Passing the cert is seen as
just a way of passing the key to many people.
I also understand the desire in ACE to save bytes.
If you are using self signed certs then including the client_id in the
cert vs as a parameter is a bit of a no op re size.
Perhaps if there is a common pattern we could document a IoT profile where
ca issued cert is used and what it would look like.
I have concerns that this may open a can of worms around what the CN would
be and the interpretations of use extensions if this is flagged as
something other than a host cert. What do devices do now when they are
issued certs. Is there a common standard or is it by manufacturer.
My main concern would be to not hold up what should be a simple spec for
the server to server case, but am willing to accommodate IoT if possible.
Regards
John B.
Not wanting to add more meta parameters was a motivation. Also not being
sure of how to enumerate the possible approaches. My thinking was also that
there are a lot of factors involved and that it'd probably be better left
to service documentation to describe things like what authorities are
trusted and what the client to cert binding is. Like I said, we can look at
adding more metadata, if there's some consensus to do so. But I worry that
it'll just be bloat that doesn't really add value.
I also think that, in many situations, it's unlikely that a cert will
contain a client id anywhere as subject information. A client id is scoped
to a particular authorization server and it's hard to imagine a CA issuing
a cert with an identifier that's only meaningful in the context of some
other entity like that. Maybe in a more closed system where the AS and an
organizational CA are both in the same management/administrative domain but
not in the more general case.
On Wed, Oct 26, 2016 at 8:42 PM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in
the
Post by Brian Campbell
-00 document. I'm not convinced that some metadata around it would
really
Post by Brian Campbell
contribute to interop one way or the other. I also wanted to get the
basic
Post by Brian Campbell
concept written down before going too far into the weeds. But I'd be
open
Post by Brian Campbell
to adding something along those lines in future revisions, if there's
some
Post by Brian Campbell
consensus that it'd be useful.
On Mon, Oct 17, 2016 at 2:47 AM, Vladimir Dzhuvinov <
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is
left
Post by Brian Campbell
Post by Vladimir Dzhuvinov
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the
possible
Post by Brian Campbell
Post by Vladimir Dzhuvinov
binding methods, and giving them some identifiers or names, so that AS
/
Post by Brian Campbell
Post by Vladimir Dzhuvinov
OPs can advertise them in their metadata, and clients register
accordingly?
Post by Brian Campbell
Post by Vladimir Dzhuvinov
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
Post by Brian Campbell
Post by Vladimir Dzhuvinov
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
Post by Brian Campbell
Post by Vladimir Dzhuvinov
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-clien
t-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS)
Authentication for OAuth Clients
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-
drafts/draft-campbell-oauth-tls-client-auth-00.txt
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Status: https://datatracker.ietf.org/
doc/draft-campbell-oauth-tls-client-auth/
Post by Brian Campbell
Post by Vladimir Dzhuvinov
Htmlized: https://tools.ietf.org/html/d
raft-campbell-oauth-tls-client-auth-00
Post by Brian Campbell
Post by Vladimir Dzhuvinov
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of
submission
Post by Brian Campbell
Post by Vladimir Dzhuvinov
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
ietf.org/mailman/listinfo/oauth
Post by Brian Campbell
Post by Vladimir Dzhuvinov
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Phil Hunt (IDM)
2016-11-07 17:11:53 UTC
Permalink
John's comments

Phil
Post by Samuel Erdtman
Phil, what is your +1 referring to?
//Samuel
Post by John Bradley
+1
Phil
Post by John Bradley
I can easily see Research and education publishing self signed certs in meta-data that is then used for client authentication and other things.
I don’t want to limit this to only CA issued certs where the client_id is in the DN. Client_id tend not to be domain names currently.
Looking up a raw key provided via JWK in registration based on client_id will be one way that people will use this. Passing the cert is seen as just a way of passing the key to many people.
I also understand the desire in ACE to save bytes.
If you are using self signed certs then including the client_id in the cert vs as a parameter is a bit of a no op re size.
Perhaps if there is a common pattern we could document a IoT profile where ca issued cert is used and what it would look like.
I have concerns that this may open a can of worms around what the CN would be and the interpretations of use extensions if this is flagged as something other than a host cert. What do devices do now when they are issued certs. Is there a common standard or is it by manufacturer.
My main concern would be to not hold up what should be a simple spec for the server to server case, but am willing to accommodate IoT if possible.
Regards
John B.
Not wanting to add more meta parameters was a motivation. Also not being sure of how to enumerate the possible approaches. My thinking was also that there are a lot of factors involved and that it'd probably be better left to service documentation to describe things like what authorities are trusted and what the client to cert binding is. Like I said, we can look at adding more metadata, if there's some consensus to do so. But I worry that it'll just be bloat that doesn't really add value.
I also think that, in many situations, it's unlikely that a cert will contain a client id anywhere as subject information. A client id is scoped to a particular authorization server and it's hard to imagine a CA issuing a cert with an identifier that's only meaningful in the context of some other entity like that. Maybe in a more closed system where the AS and an organizational CA are both in the same management/administrative domain but not in the more general case.
Post by Vladimir Dzhuvinov
I see. Do you reckon the AS could simply probe the likely cert places
for containing the client_id? My reasoning is that there aren't that
many places where you could stick the client_id (let me know if I'm
wrong). If the AS is in doubt it will respond with invalid_client. I'm
starting to think this can work quite well. No extra meta param will be
needed (of which we have enough already).
Post by Brian Campbell
I did consider something like that but stopped short of putting it in the
-00 document. I'm not convinced that some metadata around it would really
contribute to interop one way or the other. I also wanted to get the basic
concept written down before going too far into the weeds. But I'd be open
to adding something along those lines in future revisions, if there's some
consensus that it'd be useful.
Post by Vladimir Dzhuvinov
Superb, I welcome that!
Regarding https://tools.ietf.org/html/draft-campbell-oauth-tls-
My concern is that the choice of how to bind the client identity is left
to implementers, and that may eventually become an interop problem.
Have you considered some kind of an open ended enumeration of the possible
binding methods, and giving them some identifiers or names, so that AS /
OPs can advertise them in their metadata, and clients register accordingly?
"tls_client_auth_bind_methods_supported" : [ "subject_alt_name_match",
"subject_public_key_info_match" ]
Cheers,
Vladimir
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Torsten Lodderstedt
2016-11-13 03:31:22 UTC
Permalink
Hi John and Brian,

thanks for writting this draft.

One question: how does the AS determine the authentication method is TLS
authentication? I think you assume this is defined by the
client-specific policy, independent of whether the client is registered
automatically or manually. Would you mind to explicitely state this in
the draft?

best regards,
Torsten.
Post by John Bradley
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the
subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name:draft-campbell-oauth-tls-client-auth
Revision:00
Title:Mutual X.509 Transport Layer Security (TLS) Authentication for
OAuth Clients
Document date:2016-10-10
Group:Individual Submission
Pages:5
https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org
<http://tools.ietf.org>.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Justin Richer
2016-11-13 04:39:55 UTC
Permalink
Torsten, I believe this is intended to be triggered by the tls_client_auth value specified in §3.

Nit on that section, the field name for the client metadata in RFC7591 is token_endpoint_auth_method, the _supported version is from the corresponding discovery document.

— Justin
Post by Torsten Lodderstedt
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is TLS authentication? I think you assume this is defined by the client-specific policy, independent of whether the client is registered automatically or manually. Would you mind to explicitely state this in the draft?
best regards,
Torsten.
Post by John Bradley
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/ <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00 <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Torsten Lodderstedt
2016-11-13 05:21:12 UTC
Permalink
Justin,
Post by Justin Richer
Torsten, I believe this is intended to be triggered by the
tls_client_auth value specified in §3.
in the token request?
Post by Justin Richer
Nit on that section, the field name for the client metadata in RFC7591
is token_endpoint_auth_method, the _supported version is from the
corresponding discovery document.
— Justin
Torsten.
Post by Justin Richer
On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is
TLS authentication? I think you assume this is defined by the
client-specific policy, independent of whether the client is
registered automatically or manually. Would you mind to explicitely
state this in the draft?
best regards,
Torsten.
Post by John Bradley
At the request of the OpenID Foundation Financial Services API
Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases
being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the
subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name:draft-campbell-oauth-tls-client-auth
Revision:00
Title:Mutual X.509 Transport Layer Security (TLS) Authentication
for OAuth Clients
Document date:2016-10-10
Group:Individual Submission
Pages:5
https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org
<http://tools.ietf.org/>.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Justin Richer
2016-11-13 05:24:29 UTC
Permalink
As part of the client’s registered data model. At least, based on how our own implementation works (where we support client_secret_basic, private_key_jwt, etc), that’s where we’d check to see if the client was supposed to be using TLS auth or not.

We don’t let clients switch away from their registered auth mechanism.

— Justin
Post by Torsten Lodderstedt
Justin,
Post by Justin Richer
Torsten, I believe this is intended to be triggered by the tls_client_auth value specified in §3.
in the token request?
Post by Justin Richer
Nit on that section, the field name for the client metadata in RFC7591 is token_endpoint_auth_method, the _supported version is from the corresponding discovery document.
— Justin
Torsten.
Post by Justin Richer
Post by Torsten Lodderstedt
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is TLS authentication? I think you assume this is defined by the client-specific policy, independent of whether the client is registered automatically or manually. Would you mind to explicitely state this in the draft?
best regards,
Torsten.
Post by John Bradley
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/ <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00 <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
Torsten Lodderstedt
2016-11-13 05:59:21 UTC
Permalink
I understand. My point is different: the text seems to assume everybody
is using client registration, but that's not the case. I would like to
point out it makes sense to explicitely state the assumption that it is
determined by client policy (indepedent of the way this policy is
established).
Post by Justin Richer
As part of the client’s registered data model. At least, based on how
our own implementation works (where we support client_secret_basic,
private_key_jwt, etc), that’s where we’d check to see if the client
was supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt
Justin,
Post by Justin Richer
Torsten, I believe this is intended to be triggered by the
tls_client_auth value specified in §3.
in the token request?
Post by Justin Richer
Nit on that section, the field name for the client metadata in
RFC7591 is token_endpoint_auth_method, the _supported version is
from the corresponding discovery document.
— Justin
Torsten.
Post by Justin Richer
On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method
is TLS authentication? I think you assume this is defined by the
client-specific policy, independent of whether the client is
registered automatically or manually. Would you mind to explicitely
state this in the draft?
best regards,
Torsten.
Post by John Bradley
At the request of the OpenID Foundation Financial Services API
Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases
being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of
the subject public key against a reregistered value, or something
in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name:draft-campbell-oauth-tls-client-auth
Revision:00
Title:Mutual X.509 Transport Layer Security (TLS) Authentication
for OAuth Clients
Document date:2016-10-10
Group:Individual Submission
Pages:5
https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at
tools.ietf.org <http://tools.ietf.org/>.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2016-11-13 21:21:03 UTC
Permalink
Yes, the intend is that the authentication method is determined by client
policy regardless of whether the client was dynamically registered or
statically configured or whatever. I can make that point more explicit in
future revisions of the draft.

On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <
I understand. My point is different: the text seems to assume everybody is
using client registration, but that's not the case. I would like to point
out it makes sense to explicitely state the assumption that it is
determined by client policy (indepedent of the way this policy is
established).
As part of the client’s registered data model. At least, based on how our
own implementation works (where we support client_secret_basic,
private_key_jwt, etc), that’s where we’d check to see if the client was
supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
Justin,
Torsten, I believe this is intended to be triggered by the tls_client_auth
value specified in §3.
in the token request?
Nit on that section, the field name for the client metadata in RFC7591 is
token_endpoint_auth_method, the _supported version is from the
corresponding discovery document.
— Justin
Torsten.
On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is TLS
authentication? I think you assume this is defined by the client-specific
policy, independent of whether the client is registered automatically or
manually. Would you mind to explicitely state this in the draft?
best regards,
Torsten.
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people
do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a “common
name” and a restricted list of CA or a direct lookup of the subject public
key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for
OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
<https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-
auth-00.txt
<https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
<https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Justin Richer
2016-11-14 00:26:37 UTC
Permalink
Right — this is a fine way to put it. RFC7591 defines a client model where RFC6749 didn’t. Ideally all that metadata would’ve been in the original spec, but it’s not. It doesn’t matter whether the client was registered dynamically or statically, it just matters that the AS knows what to expect from a given client.

— Justin
Yes, the intend is that the authentication method is determined by client policy regardless of whether the client was dynamically registered or statically configured or whatever. I can make that point more explicit in future revisions of the draft.
I understand. My point is different: the text seems to assume everybody is using client registration, but that's not the case. I would like to point out it makes sense to explicitely state the assumption that it is determined by client policy (indepedent of the way this policy is established).
As part of the client’s registered data model. At least, based on how our own implementation works (where we support client_secret_basic, private_key_jwt, etc), that’s where we’d check to see if the client was supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
Post by Torsten Lodderstedt
Justin,
Torsten, I believe this is intended to be triggered by the tls_client_auth value specified in §3.
in the token request?
Nit on that section, the field name for the client metadata in RFC7591 is token_endpoint_auth_method, the _supported version is from the corresponding discovery document.
— Justin
Torsten.
Post by Torsten Lodderstedt
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is TLS authentication? I think you assume this is defined by the client-specific policy, independent of whether the client is registered automatically or manually. Would you mind to explicitely state this in the draft?
best regards,
Torsten.
Post by John Bradley
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt <https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
Status: <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/ <https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
Htmlized: <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00 <https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org <http://tools.ietf.org/>.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
Samuel Erdtman
2016-11-15 17:14:09 UTC
Permalink
Torstens questions triggers another question from me.

If we have an AS that can handle both certificate client auth and client
secret, how does the AS know that it should ask for client certificate on
the TLS layer.

It was a while since I last read the TLS specification and it might have
changed but if i remember correctly client certificates are provided in
initial handshake or in re-negotiate and it is only provided on request by
the server.

If this is still true the AS would need to first get the token request, see
that this is a client that authenticates with certificate and request a TLS
re-negotiate to get the certificate authentication and a re-submission of
the token request since we cannot trust the data first submitted.

Are I missing something obvious, or is this something that needs to be
defined?

//Samuel
Post by Justin Richer
Right — this is a fine way to put it. RFC7591 defines a client model where
RFC6749 didn’t. Ideally all that metadata would’ve been in the original
spec, but it’s not. It doesn’t matter whether the client was registered
dynamically or statically, it just matters that the AS knows what to expect
from a given client.
— Justin
Yes, the intend is that the authentication method is determined by client
policy regardless of whether the client was dynamically registered or
statically configured or whatever. I can make that point more explicit in
future revisions of the draft.
On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <
Post by Torsten Lodderstedt
I understand. My point is different: the text seems to assume everybody
is using client registration, but that's not the case. I would like to
point out it makes sense to explicitely state the assumption that it is
determined by client policy (indepedent of the way this policy is
established).
As part of the client’s registered data model. At least, based on how our
own implementation works (where we support client_secret_basic,
private_key_jwt, etc), that’s where we’d check to see if the client was
supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
Justin,
Torsten, I believe this is intended to be triggered by the
tls_client_auth value specified in §3.
in the token request?
Nit on that section, the field name for the client metadata in RFC7591 is
token_endpoint_auth_method, the _supported version is from the
corresponding discovery document.
— Justin
Torsten.
On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is TLS
authentication? I think you assume this is defined by the client-specific
policy, independent of whether the client is registered automatically or
manually. Would you mind to explicitely state this in the draft?
best regards,
Torsten.
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people
do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for
OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
<https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
https://www.ietf.org/internet-drafts/draft-campbe
ll-oauth-tls-client-auth-00.txt
<https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
<https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2016-11-15 23:08:56 UTC
Permalink
Yes, I believe you are correct. Client certificates are provided in the
handshake (initial or renegotiated) at the request of the server. If the
server asks and the client doesn't provide a cert, it's up to the server
whether to continue or about the handshake.

There seem to be a number of different ways of trying to deal with this
(not strictly for this OAuth case but similar situations).

The AS could always request client certs but allow connections to proceed
regardless. Then check for certs for appropriate clients while processing
token requests. I guess there's a little overhead in the handshake with
this for all the connections that won't present a cert. But not a ton. The
main drawback is that some/many browsers have UI that will prompt users to
choose a cert even when they don't have any. And the user experience can be
very bad or confusing as a result.

The token endpoint could be on a different host or port which always
requests client certs. Still allow connections to proceed regardless and
check the client credentials at the OAuth layer. Pretty similar to the
above but avoids the usability issues with end users because it's only at
the token endpoint.

Trying renegotiation after the application sees that it's a token request
or that it's a token request from a client id that's configured for mutual
TLS is another approach. In my own limited experience with this kind of
thing, however, this approach can be kind of flaky. And your point about
the initial data not being trustworthy is legitimate. I'm not sure if it
really matters in this case. I don't know. And signaling to resubmit is
another issue all together.

There are probably other approaches too but those are the things I've seen
or can imagine. In all (or nearly all) the deployments of our stuff that I
know about that deal with mutual TLS, some variation of the second option
is used.

All this seem like implementation/deployment details though and I'm
hesitant to try and define how to do it in this doc. Maybe providing some
guidance. I'm not exactly sure how to do that though.
Post by Samuel Erdtman
Torstens questions triggers another question from me.
If we have an AS that can handle both certificate client auth and client
secret, how does the AS know that it should ask for client certificate on
the TLS layer.
It was a while since I last read the TLS specification and it might have
changed but if i remember correctly client certificates are provided in
initial handshake or in re-negotiate and it is only provided on request by
the server.
If this is still true the AS would need to first get the token request,
see that this is a client that authenticates with certificate and request a
TLS re-negotiate to get the certificate authentication and a re-submission
of the token request since we cannot trust the data first submitted.
Are I missing something obvious, or is this something that needs to be
defined?
//Samuel
Post by Justin Richer
Right — this is a fine way to put it. RFC7591 defines a client model
where RFC6749 didn’t. Ideally all that metadata would’ve been in the
original spec, but it’s not. It doesn’t matter whether the client was
registered dynamically or statically, it just matters that the AS knows
what to expect from a given client.
— Justin
Yes, the intend is that the authentication method is determined by client
policy regardless of whether the client was dynamically registered or
statically configured or whatever. I can make that point more explicit in
future revisions of the draft.
On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <
Post by Torsten Lodderstedt
I understand. My point is different: the text seems to assume everybody
is using client registration, but that's not the case. I would like to
point out it makes sense to explicitely state the assumption that it is
determined by client policy (indepedent of the way this policy is
established).
As part of the client’s registered data model. At least, based on how
our own implementation works (where we support client_secret_basic,
private_key_jwt, etc), that’s where we’d check to see if the client was
supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <
Justin,
Torsten, I believe this is intended to be triggered by the
tls_client_auth value specified in §3.
in the token request?
Nit on that section, the field name for the client metadata in RFC7591
is token_endpoint_auth_method, the _supported version is from the
corresponding discovery document.
— Justin
Torsten.
On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is TLS
authentication? I think you assume this is defined by the client-specific
policy, independent of whether the client is registered automatically or
manually. Would you mind to explicitely state this in the draft?
best regards,
Torsten.
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for
OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
<https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
https://www.ietf.org/internet-drafts/draft-campbe
ll-oauth-tls-client-auth-00.txt
<https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
<https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2016-11-16 00:03:49 UTC
Permalink
Whoops, "about" at the end of the 1st paragraph should be "abort".
Post by Brian Campbell
Yes, I believe you are correct. Client certificates are provided in the
handshake (initial or renegotiated) at the request of the server. If the
server asks and the client doesn't provide a cert, it's up to the server
whether to continue or about the handshake.
There seem to be a number of different ways of trying to deal with this
(not strictly for this OAuth case but similar situations).
The AS could always request client certs but allow connections to proceed
regardless. Then check for certs for appropriate clients while processing
token requests. I guess there's a little overhead in the handshake with
this for all the connections that won't present a cert. But not a ton. The
main drawback is that some/many browsers have UI that will prompt users to
choose a cert even when they don't have any. And the user experience can be
very bad or confusing as a result.
The token endpoint could be on a different host or port which always
requests client certs. Still allow connections to proceed regardless and
check the client credentials at the OAuth layer. Pretty similar to the
above but avoids the usability issues with end users because it's only at
the token endpoint.
Trying renegotiation after the application sees that it's a token request
or that it's a token request from a client id that's configured for mutual
TLS is another approach. In my own limited experience with this kind of
thing, however, this approach can be kind of flaky. And your point about
the initial data not being trustworthy is legitimate. I'm not sure if it
really matters in this case. I don't know. And signaling to resubmit is
another issue all together.
There are probably other approaches too but those are the things I've seen
or can imagine. In all (or nearly all) the deployments of our stuff that I
know about that deal with mutual TLS, some variation of the second option
is used.
All this seem like implementation/deployment details though and I'm
hesitant to try and define how to do it in this doc. Maybe providing some
guidance. I'm not exactly sure how to do that though.
Post by Samuel Erdtman
Torstens questions triggers another question from me.
If we have an AS that can handle both certificate client auth and client
secret, how does the AS know that it should ask for client certificate on
the TLS layer.
It was a while since I last read the TLS specification and it might have
changed but if i remember correctly client certificates are provided in
initial handshake or in re-negotiate and it is only provided on request by
the server.
If this is still true the AS would need to first get the token request,
see that this is a client that authenticates with certificate and request a
TLS re-negotiate to get the certificate authentication and a re-submission
of the token request since we cannot trust the data first submitted.
Are I missing something obvious, or is this something that needs to be
defined?
//Samuel
Post by Justin Richer
Right — this is a fine way to put it. RFC7591 defines a client model
where RFC6749 didn’t. Ideally all that metadata would’ve been in the
original spec, but it’s not. It doesn’t matter whether the client was
registered dynamically or statically, it just matters that the AS knows
what to expect from a given client.
— Justin
Yes, the intend is that the authentication method is determined by
client policy regardless of whether the client was dynamically registered
or statically configured or whatever. I can make that point more explicit
in future revisions of the draft.
On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <
Post by Torsten Lodderstedt
I understand. My point is different: the text seems to assume everybody
is using client registration, but that's not the case. I would like to
point out it makes sense to explicitely state the assumption that it is
determined by client policy (indepedent of the way this policy is
established).
As part of the client’s registered data model. At least, based on how
our own implementation works (where we support client_secret_basic,
private_key_jwt, etc), that’s where we’d check to see if the client was
supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <
Justin,
Torsten, I believe this is intended to be triggered by the
tls_client_auth value specified in §3.
in the token request?
Nit on that section, the field name for the client metadata in RFC7591
is token_endpoint_auth_method, the _supported version is from the
corresponding discovery document.
— Justin
Torsten.
On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is
TLS authentication? I think you assume this is defined by the
client-specific policy, independent of whether the client is registered
automatically or manually. Would you mind to explicitely state this in the
draft?
best regards,
Torsten.
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for
OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
<https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
https://www.ietf.org/internet-drafts/draft-campbe
ll-oauth-tls-client-auth-00.txt
<https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
<https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Samuel Erdtman
2016-11-24 06:48:52 UTC
Permalink
+1 on providing guidance.
Post by Brian Campbell
Yes, I believe you are correct. Client certificates are provided in the
handshake (initial or renegotiated) at the request of the server. If the
server asks and the client doesn't provide a cert, it's up to the server
whether to continue or about the handshake.
There seem to be a number of different ways of trying to deal with this
(not strictly for this OAuth case but similar situations).
The AS could always request client certs but allow connections to proceed
regardless. Then check for certs for appropriate clients while processing
token requests. I guess there's a little overhead in the handshake with
this for all the connections that won't present a cert. But not a ton. The
main drawback is that some/many browsers have UI that will prompt users to
choose a cert even when they don't have any. And the user experience can be
very bad or confusing as a result.
The token endpoint could be on a different host or port which always
requests client certs. Still allow connections to proceed regardless and
check the client credentials at the OAuth layer. Pretty similar to the
above but avoids the usability issues with end users because it's only at
the token endpoint.
Trying renegotiation after the application sees that it's a token request
or that it's a token request from a client id that's configured for mutual
TLS is another approach. In my own limited experience with this kind of
thing, however, this approach can be kind of flaky. And your point about
the initial data not being trustworthy is legitimate. I'm not sure if it
really matters in this case. I don't know. And signaling to resubmit is
another issue all together.
There are probably other approaches too but those are the things I've seen
or can imagine. In all (or nearly all) the deployments of our stuff that I
know about that deal with mutual TLS, some variation of the second option
is used.
All this seem like implementation/deployment details though and I'm
hesitant to try and define how to do it in this doc. Maybe providing some
guidance. I'm not exactly sure how to do that though.
Post by Samuel Erdtman
Torstens questions triggers another question from me.
If we have an AS that can handle both certificate client auth and client
secret, how does the AS know that it should ask for client certificate on
the TLS layer.
It was a while since I last read the TLS specification and it might have
changed but if i remember correctly client certificates are provided in
initial handshake or in re-negotiate and it is only provided on request by
the server.
If this is still true the AS would need to first get the token request,
see that this is a client that authenticates with certificate and request a
TLS re-negotiate to get the certificate authentication and a re-submission
of the token request since we cannot trust the data first submitted.
Are I missing something obvious, or is this something that needs to be
defined?
//Samuel
Post by Justin Richer
Right — this is a fine way to put it. RFC7591 defines a client model
where RFC6749 didn’t. Ideally all that metadata would’ve been in the
original spec, but it’s not. It doesn’t matter whether the client was
registered dynamically or statically, it just matters that the AS knows
what to expect from a given client.
— Justin
Yes, the intend is that the authentication method is determined by
client policy regardless of whether the client was dynamically registered
or statically configured or whatever. I can make that point more explicit
in future revisions of the draft.
On Sat, Nov 12, 2016 at 10:59 PM, Torsten Lodderstedt <
Post by Torsten Lodderstedt
I understand. My point is different: the text seems to assume everybody
is using client registration, but that's not the case. I would like to
point out it makes sense to explicitely state the assumption that it is
determined by client policy (indepedent of the way this policy is
established).
As part of the client’s registered data model. At least, based on how
our own implementation works (where we support client_secret_basic,
private_key_jwt, etc), that’s where we’d check to see if the client was
supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
On Nov 13, 2016, at 2:21 PM, Torsten Lodderstedt <
Justin,
Torsten, I believe this is intended to be triggered by the
tls_client_auth value specified in §3.
in the token request?
Nit on that section, the field name for the client metadata in RFC7591
is token_endpoint_auth_method, the _supported version is from the
corresponding discovery document.
— Justin
Torsten.
On Nov 13, 2016, at 12:31 PM, Torsten Lodderstedt <
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is
TLS authentication? I think you assume this is defined by the
client-specific policy, independent of whether the client is registered
automatically or manually. Would you mind to explicitely state this in the
draft?
best regards,
Torsten.
At the request of the OpenID Foundation Financial Services API Working
group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of
people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being
driven by new open banking regulation.
The largest thing in the draft is the IANA registration of
“tls_client_auth” Token Endpoint authentication method for use in
Registration and discovery.
The trust model is intentionally left open so that you could use a
“common name” and a restricted list of CA or a direct lookup of the subject
public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
*Subject: **New Version Notification for
draft-campbell-oauth-tls-client-auth-00.txt*
*Date: *October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for
OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
<https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt>
https://www.ietf.org/internet-drafts/draft-campbe
ll-oauth-tls-client-auth-00.txt
<https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/>
https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
<https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00>
https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Jim Manico
2016-11-24 08:42:15 UTC
Permalink
Dude. You're freaking awesome. Thanks for this insight.

--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805
Post by Samuel Erdtman
+1 on providing guidance.
Yes, I believe you are correct. Client certificates are provided in the handshake (initial or renegotiated) at the request of the server. If the server asks and the client doesn't provide a cert, it's up to the server whether to continue or about the handshake.
There seem to be a number of different ways of trying to deal with this (not strictly for this OAuth case but similar situations).
The AS could always request client certs but allow connections to proceed regardless. Then check for certs for appropriate clients while processing token requests. I guess there's a little overhead in the handshake with this for all the connections that won't present a cert. But not a ton. The main drawback is that some/many browsers have UI that will prompt users to choose a cert even when they don't have any. And the user experience can be very bad or confusing as a result.
The token endpoint could be on a different host or port which always requests client certs. Still allow connections to proceed regardless and check the client credentials at the OAuth layer. Pretty similar to the above but avoids the usability issues with end users because it's only at the token endpoint.
Trying renegotiation after the application sees that it's a token request or that it's a token request from a client id that's configured for mutual TLS is another approach. In my own limited experience with this kind of thing, however, this approach can be kind of flaky. And your point about the initial data not being trustworthy is legitimate. I'm not sure if it really matters in this case. I don't know. And signaling to resubmit is another issue all together.
There are probably other approaches too but those are the things I've seen or can imagine. In all (or nearly all) the deployments of our stuff that I know about that deal with mutual TLS, some variation of the second option is used.
All this seem like implementation/deployment details though and I'm hesitant to try and define how to do it in this doc. Maybe providing some guidance. I'm not exactly sure how to do that though.
Post by Samuel Erdtman
Torstens questions triggers another question from me.
If we have an AS that can handle both certificate client auth and client secret, how does the AS know that it should ask for client certificate on the TLS layer.
It was a while since I last read the TLS specification and it might have changed but if i remember correctly client certificates are provided in initial handshake or in re-negotiate and it is only provided on request by the server.
If this is still true the AS would need to first get the token request, see that this is a client that authenticates with certificate and request a TLS re-negotiate to get the certificate authentication and a re-submission of the token request since we cannot trust the data first submitted.
Are I missing something obvious, or is this something that needs to be defined?
//Samuel
Post by Justin Richer
Right — this is a fine way to put it. RFC7591 defines a client model where RFC6749 didn’t. Ideally all that metadata would’ve been in the original spec, but it’s not. It doesn’t matter whether the client was registered dynamically or statically, it just matters that the AS knows what to expect from a given client.
— Justin
Yes, the intend is that the authentication method is determined by client policy regardless of whether the client was dynamically registered or statically configured or whatever. I can make that point more explicit in future revisions of the draft.
I understand. My point is different: the text seems to assume everybody is using client registration, but that's not the case. I would like to point out it makes sense to explicitely state the assumption that it is determined by client policy (indepedent of the way this policy is established).
As part of the client’s registered data model. At least, based on how our own implementation works (where we support client_secret_basic, private_key_jwt, etc), that’s where we’d check to see if the client was supposed to be using TLS auth or not.
We don’t let clients switch away from their registered auth mechanism.
— Justin
Post by Torsten Lodderstedt
Justin,
Torsten, I believe this is intended to be triggered by the tls_client_auth value specified in §3.
in the token request?
Nit on that section, the field name for the client metadata in RFC7591 is token_endpoint_auth_method, the _supported version is from the corresponding discovery document.
— Justin
Torsten.
Post by Torsten Lodderstedt
Hi John and Brian,
thanks for writting this draft.
One question: how does the AS determine the authentication method is TLS authentication? I think you assume this is defined by the client-specific policy, independent of whether the client is registered automatically or manually. Would you mind to explicitely state this in the draft?
best regards,
Torsten.
Post by John Bradley
At the request of the OpenID Foundation Financial Services API Working group, Brian Campbell and I have documented
mutual TLS client authentication. This is something that lots of people do in practice though we have never had a spec for it.
The Banks want to use it for some server to server API use cases being driven by new open banking regulation.
The largest thing in the draft is the IANA registration of “tls_client_auth” Token Endpoint authentication method for use in Registration and discovery.
The trust model is intentionally left open so that you could use a “common name” and a restricted list of CA or a direct lookup of the subject public key against a reregistered value, or something in between.
I hope that this is non controversial and the WG can adopt it quickly.
Regards
John B.
Subject: New Version Notification for draft-campbell-oauth-tls-client-auth-00.txt
Date: October 10, 2016 at 5:44:39 PM GMT-3
A new version of I-D, draft-campbell-oauth-tls-client-auth-00.txt
has been successfully submitted by John Bradley and posted to the
IETF repository.
Name: draft-campbell-oauth-tls-client-auth
Revision: 00
Title: Mutual X.509 Transport Layer Security (TLS) Authentication for OAuth Clients
Document date: 2016-10-10
Group: Individual Submission
Pages: 5
URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-tls-client-auth-00.txt
Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-tls-client-auth/
Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-tls-client-auth-00
This document describes X.509 certificates as OAuth client
credentials using Transport Layer Security (TLS) mutual
authentication as a mechanism for client authentication to the
authorization server's token endpoint.
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
The IETF Secretariat
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth
Brian Campbell
2016-11-13 21:25:33 UTC
Permalink
Good catch Justin, thank you. I got the filed names switched around for
some reason.
Post by Justin Richer
Nit on that section, the field name for the client metadata in RFC7591 is
token_endpoint_auth_method, the _supported version is from the
corresponding discovery document.
Loading...