[OAUTH-WG] [Technical Errata Reported] RFC6749 (4749)

Discussion:

RFC Errata System

2016-07-26 20:48:39 UTC

The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4749

--------------------------------------
Type: Technical
Reported by: Phil Hunt <***@oracle.com>

Section: 2.3.1

Original Text
-------------
Clients in possession of a client password MAY use the HTTP Basic
authentication scheme as defined in [RFC2617] to authenticate with
the authorization server. The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client
password is encoded using the same algorithm and used as the
password. The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.

Corrected Text
--------------
Clients in possession of a client password MAY use the HTTP Basic
authentication scheme as defined in [RFC2617] to authenticate with
the authorization server. The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client
password is encoded using the same algorithm and used as the
password. The url encoded values are then encoded as defined in
[RFC2617]. The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.

Notes
-----
It was not clear to some implementers that the intention is a 2-step encoding. First for special characters and second the 2617 base 64 encoding. Implementers thought 6749 was in conflict with 2617.

To avoid inter-op issues, a new clarifying sentence is proposed.
"The url encoded values are then encoded as defined in [RFC2617]."

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.

--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title : The OAuth 2.0 Authorization Framework
Publication Date : October 2012
Author(s) : D. Hardt, Ed.
Category : PROPOSED STANDARD
Source : Web Authorization Protocol
Area : Security
Stream : IETF
Verifying Party : IESG

Jim Manico

2016-07-27 00:08:29 UTC

Permalink

Please forgive me if this comment is out of order or inappropriate in any way...

...but why is HTTP Basic even being discussed in 2016? It has horrific security properties at multiple levels; shouldn't we at least move to HTTP Digest if not something stronger?

Regards.
--
Jim Manico
@Manicode

Post by RFC Errata System
The following errata report has been submitted for RFC6749,
"The OAuth 2.0 Authorization Framework".
--------------------------------------
http://www.rfc-editor.org/errata_search.php?rfc=6749&eid=4749
--------------------------------------
Type: Technical
Section: 2.3.1
Original Text
-------------
Clients in possession of a client password MAY use the HTTP Basic
authentication scheme as defined in [RFC2617] to authenticate with
the authorization server. The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client
password is encoded using the same algorithm and used as the
password. The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
Corrected Text
--------------
Clients in possession of a client password MAY use the HTTP Basic
authentication scheme as defined in [RFC2617] to authenticate with
the authorization server. The client identifier is encoded using the
"application/x-www-form-urlencoded" encoding algorithm per
Appendix B, and the encoded value is used as the username; the client
password is encoded using the same algorithm and used as the
password. The url encoded values are then encoded as defined in
[RFC2617]. The authorization server MUST support the HTTP Basic
authentication scheme for authenticating clients that were issued a
client password.
Notes
-----
It was not clear to some implementers that the intention is a 2-step encoding. First for special characters and second the 2617 base 64 encoding. Implementers thought 6749 was in conflict with 2617.
To avoid inter-op issues, a new clarifying sentence is proposed.
"The url encoded values are then encoded as defined in [RFC2617]."
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary.
--------------------------------------
RFC6749 (draft-ietf-oauth-v2-31)
--------------------------------------
Title : The OAuth 2.0 Authorization Framework
Publication Date : October 2012
Author(s) : D. Hardt, Ed.
Category : PROPOSED STANDARD
Source : Web Authorization Protocol
Area : Security
Stream : IETF
Verifying Party : IESG
_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth

Justin Richer

2016-07-28 20:25:35 UTC

Permalink

These are client secrets, not user passwords, so they’re supposed to be high entropy and not human-memorable (or human-typable really). Also, this needs to be used over TLS. The connection requires TLS anyway because the tokens returned (or the token keys in the OAuth PoP case) also need to be protected, regardless of how you hash the client’s secret. With that in mind, Digest doesn’t buy you much.

— Justin

Post by Jim Manico
Please forgive me if this comment is out of order or inappropriate in any way...
...but why is HTTP Basic even being discussed in 2016? It has horrific security properties at multiple levels; shouldn't we at least move to HTTP Digest if not something stronger?
Regards.
--
Jim Manico
@Manicode

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth

Jim Manico

2016-07-29 03:09:14 UTC

Permalink

Thank you Justin, comments inline.

Post by Justin Richer
These are client secrets, not user passwords, so they’re supposed to be high entropy and not human-memorable (or human-typable really).

This still sounds like sensitive data, and I don't understand the relevance of "human memorable". If time allows can you tell me more?

Post by Justin Richer
Also, this needs to be used over TLS.

Sure, but the problems of HTTP Basic are well established and go beyond TLS (no timeout, included in each request, cached by the browser for that window session, etc).

Post by Justin Richer
The connection requires TLS anyway because the tokens returned (or the token keys in the OAuth PoP case) also need to be protected, regardless of how you hash the client’s secret. With that in mind, Digest doesn’t buy you much.

So this looks like a way to transport the client id and secret. Wouldn't some form of "strong authentication" like mutual TLS or similar be a better default standard? The OAuth 2 threat model makes this exact recommendation.

Respectfully,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

Post by Justin Richer
These are client secrets, not user passwords, so they’re supposed to be high entropy and not human-memorable (or human-typable really). Also, this needs to be used over TLS. The connection requires TLS anyway because the tokens returned (or the token keys in the OAuth PoP case) also need to be protected, regardless of how you hash the client’s secret. With that in mind, Digest doesn’t buy you much.
— Justin

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth

Phil Hunt (IDM)

2016-07-29 03:35:55 UTC

Permalink

This is off topic for the errata process. This is not the place to propose a re-write.

As one of the authors of the threat model and sec considerations I think we covered this to too much. :-) Justin's comments are spot on.

This has nothing to do with user authentication.

Phil

Post by Jim Manico
Thank you Justin, comments inline.

Post by Justin Richer
These are client secrets, not user passwords, so they’re supposed to be high entropy and not human-memorable (or human-typable really).

This still sounds like sensitive data, and I don't understand the relevance of "human memorable". If time allows can you tell me more?

Post by Justin Richer
Also, this needs to be used over TLS.

Sure, but the problems of HTTP Basic are well established and go beyond TLS (no timeout, included in each request, cached by the browser for that window session, etc).

So this looks like a way to transport the client id and secret. Wouldn't some form of "strong authentication" like mutual TLS or similar be a better default standard? The OAuth 2 threat model makes this exact recommendation.
Respectfully,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

_______________________________________________
OAuth mailing list
https://www.ietf.org/mailman/listinfo/oauth

Vladimir Dzhuvinov

2016-07-29 06:39:30 UTC

Permalink

Post by Jim Manico
Thank you Justin, comments inline.

These are client secrets, not user passwords, so theyâre supposed to be high entropy and not human-memorable (or human-typable really).

This still sounds like sensitive data, and I don't understand the relevance of "human memorable". If time allows can you tell me more?

Also, this needs to be used over TLS.

Sure, but the problems of HTTP Basic are well established and go beyond TLS (no timeout, included in each request, cached by the browser for that window session, etc).

The browser is not involved in the token request.

One alternative to HTTP Basic (and its POST variant) is for the client
to authenticate by submitting a JWT hashed with the client secret, or a
JWT signed with an RSA or EC key that was previously registered with the AS:

https://tools.ietf.org/html/rfc7523#section-2.2

I find JWT auth the more secure method, as it mitigates against some
attacks previously discussed here. And it also lessens the potential
security damage if the client accidentally makes a plain HTTP request to
the token endpoint (the client_secret itself is not leaked).

Post by Jim Manico

The connection requires TLS anyway because the tokens returned (or the token keys in the OAuth PoP case) also need to be protected, regardless of how you hash the clientâs secret. With that in mind, Digest doesnât buy you much.

So this looks like a way to transport the client id and secret. Wouldn't some form of "strong authentication" like mutual TLS or similar be a better default standard? The OAuth 2 threat model makes this exact recommendation.
Respectfully,
--
Jim Manico
@Manicode
Secure Coding Education
+1 (808) 652-3805

These are client secrets, not user passwords, so theyâre supposed to be high entropy and not human-memorable (or human-typable really). Also, this needs to be used over TLS. The connection requires TLS anyway because the tokens returned (or the token keys in the OAuth PoP case) also need to be protected, regardless of how you hash the clientâs secret. With that in mind, Digest doesnât buy you much.
â Justin