Session Date/Time: 18 Mar 2025 06:00
oauth
Summary
The OAuth working group meeting covered several key topics, including the Token Status List, Attestation-Based Client Authentication, OAuth 2.1, OAuth for First-Party Apps, Client ID Scheme, and updates to the Security BCP. The discussion focused on recent changes, outstanding issues, and potential future directions for each topic.
Key Discussion Points
- Token Status List:
  - Discussion on incorporating X.509 certificates into the status list. The decision was that this is out of scope for the OAuth working group.
  - Consideration of registering a CoAP Content-Format for the +cwt media type.
  - Agreement to initiate a second working group last call for the document after incorporating size comparison data.
- Attestation-Based Client Authentication:
  - Discussion on the use of HTTP OPTIONS for retrieving nonces and potential conflicts with CORS pre-flight checks.
  - Feedback on the need for explicit nonce retrieval.
  - Concerns about the complexity of the metadata endpoint listing mechanism for discovering when to use nonces.
  - Request for reviewers - Peter, Tim and Monty volunteered.
- OAuth 2.1:
  - Agreement to remove the strict binding of OAuth 2.1 to HTTP, allowing for non-HTTP transports.
  - Targeting a working group last call before the next IETF meeting.
- OAuth for First-Party Apps:
  - Discussion on whether the draft should be an extension of Pushed Authorization Requests (PAR).
  - Opinions varied, with some arguing for cleaner layering and the potential to drive PAR adoption, while others expressed concerns about conflating different flows and increasing complexity.
- Client ID Scheme:
  - Presentation of a mechanism for client ID schemes to handle URLs as client identifiers.
  - Discussion of potential conflicts with existing uses and the need for alignment with the OpenID for Verifiable Presentations (VP) specification.
- Security BCP Update:
  - Brief overview of the audience injection attack and a mix-up variant.
  - Discussion on the process for updating the BCP, with a consensus towards publishing small, focused documents on specific issues rather than a complete rewrite.
Decisions and Action Items
- Token Status List: Start a second working group last call.
- Attestation-Based Client Authentication: Continue discussion on the mailing list, focusing on Nonce retrieval.
- OAuth for First-Party Apps: More feedback is needed - move the discussion to the mailing list.
- Security BCP Update: Create a small, focused document about the discovered attacks.
Next Steps
- Token Status List: Authors to update the document with size comparisons.
- Attestation-Based Client Authentication: Authors to consider feedback on Nonce mechanism, implement changes, and send to reviewers for feedback.
- OAuth 2.1: Editor to incorporate feedback and prepare for working group last call.
- OAuth for First-Party Apps: Encourage more feedback on the mailing list.
- Client ID Scheme: Await the outcome of discussions in the OpenID for VP working group before finalizing the draft.
- Security BCP Update: Authors to begin working on a new document detailing the recently discovered attacks.
Session Date/Time: 21 Mar 2025 02:30
oauth
Summary
This OAuth working group meeting covered several important topics, including updates on SD-JWT and SD-JWT-VC, a vulnerability in the JWT assertion profile (RFC 7523), transaction tokens, identity chaining, and proposals for improvements to token endpoint responses. The discussion around the RFC 7523 vulnerability and its potential fixes sparked debate about the best approach.
Key Discussion Points
- SD-JWT and SD-JWT-VC: Status updates were provided. The SD-JWT document is undergoing AD evaluation. Extensibility and verification of SD-JWT-VC were discussed with concerns about web squatting.
- RFC 7523 (JWT Assertion Profile) Vulnerability: A vulnerability was discovered related to the audience value in JWT assertions used for client authentication. An attack is possible in ecosystems with multiple authorization servers using the same client ID across different authorization servers. The proposed fix is to use the issuer identifier as the sole audience value.
- Differing Proposals for RFC 7523 Mitigation:
  - One proposal advocated a targeted update focused specifically on addressing the issue in JWT-based client authentication, including explicit typing and prohibiting the use of SAML-based client authentication.
  - Another proposal preferred a more comprehensive approach replacing RFC 7523 and updating all affected OAuth specs, raising concerns about fixing more than necessary and introducing extra churn.
- Transaction Tokens: Discussion centered on the lifetime of transaction tokens relative to access tokens, with concerns raised about simply ignoring access token lifetime. Suggestions were made to track the initial timestamp of the access token and validate against that. Batch processing was deemed out of scope.
- Identity Chaining: The challenges of conveying the need to request a sender-constrained token were discussed, highlighting the complicated nature of the topic.
- Deferred Key Binding for OAuth: The complexity of requesting tokens bound to keys the client does not possess was explored, raising concerns about blindly trusting clients. The working group will address this with a dedicated interim meeting.
- Token Endpoint Error Expressiveness: Proposals were presented to enhance error expressiveness from the token endpoint, including adding a field to signal the need for re-attempting authorization or returning a URL with encoded parameters.
- Refresh Token Expiration: Clients want to know the refresh token expiration time in relation to consent expiration so they can notify the user of needed action. A future spec should include a glossary to define terms like consent duration and session duration.
Decisions and Action Items
- SD-JWT: Brian will respond to the AD review post-vacation.
- RFC 7523: A decision on the mitigation approach (targeted vs. comprehensive update) will be taken to the mailing list.
- Transaction Tokens: Prepare a PR based on the discussion about token lifetime and initial timestamp validity. Aim to move to working group last call after reviews.
- Identity Chaining: Get volunteers and perform reviews on this subject.
- Deferred Key Binding: A dedicated interim meeting will be scheduled to focus on deferred key binding.
- Token Endpoint Error Expressiveness: Nick will write an Internet Draft with suggested solutions to improve the expressiveness of the error messages.
Next Steps
- Discussion on RFC 7523 mitigation approach will continue on the mailing list.
- The proposed changes for Transaction Tokens will be implemented in a PR and reviewed.
- An interim meeting will be scheduled to address the issue of Deferred Key Binding.
- Nick will draft an Internet Draft discussing the proposals to address the Expressiveness of Error Messages.