| Network Working Group | J. Bradley |
| Internet-Draft | Ping Identity |
| Intended status: Standards Track | P. Hunt |
| Expires: January 15, 2013 | Oracle Corporation |
| T. Nadalin | |
| Microsoft | |
| H. Tschofenig | |
| Nokia Siemens Networks | |
| July 16, 2012 |
The OAuth 2.0 Authorization Framework: Holder-of-the-Key Token Usage
draft-tschofenig-oauth-hotk-01.txt
OAuth 2.0 deployments currently rely on bearer tokens for securing access to protected resources. Bearer tokens require Transport Layer Security to be used between an OAuth client and the resource server when presenting the access token. The security model is based on proof-of-possession: access token storage and transfer has to be done with care to prevent leakage.
There are, however, use cases that require a more active involvement of the OAuth client for an increased level of security, particularly to secure against token leakage. This document specifies an OAuth security framework using the holder-of-the-key concept, which requires the OAuth client when presenting an OAuth access token to also demonstrate knowledge of keying material that is bound to the token.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 15, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
At the time of writing the OAuth 2.0 [I-D.ietf-oauth-v2] and accompanying protocols offer one main security mechanism to access protected resources, namely the bearer token. In [I-D.ietf-oauth-v2-bearer] a bearer token is defined as
The bearer token meets the security needs of number of use cases OAuth had been designed for. There are, however, scenarios that require stronger security properties and ask for active participation of the OAuth client software in form of cryptographic computations when presenting an access token to a resource server.
This specification defines a new security mechanism for usage with OAuth that combines various existing specifications to offer enhanced security properties for OAuth. The incredients for this security solution are:
The rest of the document describes how these different components work together.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this specification are to be interpreted as described in [RFC2119].
To describe the architecture of the proposed security mechanism it is best to start by looking at the main OAuth 2.0 protocol exchange sequence. Figure 1 shows the abstract OAuth 2.0 protocol exchanges graphically. The exchange in this document will focus on two interactions, namely
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+
Figure 1: Abstract OAuth 2.0 Protocol Flow
OAuth 2.0 offers different ways to obtain an access token, namely using authorization grants and using a refresh token. The core OAuth specification defines four authorization grants, see Section 1.3 of [I-D.ietf-oauth-v2], and [I-D.ietf-oauth-assertions] adds an assertion-based authorization grant to that list.
This document extends the communication with the token endpoint. The token endpoint, which is described in Section 3.2 of [I-D.ietf-oauth-v2], is used with every authorization grant except for the implicit grant type. In the implicit grant type the access token is issued directly.
Two types of keying material can be bound to an access token, namely symmetric keys and asymmetric keys, and we explain them in separate sub-sections.
In case a symmetric key shall be bound to an access token then the following procedure is applicable. In the request message from the OAuth client to the authorization server the following parameters MUST be included:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&token_type=hotk-sk
&profile=jws,mac
For example, the client makes the following HTTP request using TLS (extra line breaks are for display purposes only):
If the access token request is valid and authorized, the authorization server issues an access token and optionally a refresh token. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2 of [I-D.ietf-oauth-v2].
The authorization server MUST include the following parameters in a successful response, if it supports any of the profiles listed by the client.
For example:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
{
"access_token":"SlAV.....32hkKG",
"token_type":"hotk-sk",
"expires_in":3600,
"refresh_token":"8xLOxBtZp8",
"id":"client12345@example.com",
"key":"adijq39jdlaska9asud",
"profile":"jws"
}
The content of the 'access_token' MUST contain
the key identifier value in the 'hotk' element,
as shown in the example below.
{"typ":"JWT",
"alg":"HS256"
}
.
{"iss":"authorization-server-id",
"exp":1300819380,
"hotk":"client12345@example.com"
}
.
bbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZC
DISCUSSION: Should we put the encrypted key into the access token? This would make the mechanism more similar to a Kerberos-based scheme.
The key identifier, the key, and the profile name MUST NOT include characters other than:
%x20-21 / %x23-5B / %x5D-7E
; Any printable ASCII character except for <"> and <\>
In case an asymmetric key shall be bound to an access token then the following procedure is applicable. In the request message from the OAuth client to the authorization server the following parameters MUST be included:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA
&redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb
&token_type=hotk-pk
&pk_info=eZQQYbYS6WxS...lxlOB
whereby the content of the pk_info field represents the following
structure:
{"keys":
[
{"alg":"RSA",
"mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
"exp":"AQAB",
"kid":"2011-04-29"}
]
}
For example, the client makes the following HTTP request using TLS (extra line breaks are for display purposes only):
If the access token request is valid and authorized, the authorization server issues an access token and optionally a refresh token. If the request client authentication failed or is invalid, the authorization server returns an error response as described in Section 5.2 of [I-D.ietf-oauth-v2].
The authorization server also places information about the public key used by the client into the access token to create the binding between the two. The new token type, called 'hotk-pk', is placed into the 'token_type' parameter.
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFE....jr1zCsicMWpAA",
"token_type":"hotk-pk",
"expires_in":3600,
"refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA"
}
whereby the content of the 'access_token' field, for example,
contains an encoded JWT with the following raw structure:
{"typ":"JWT",
"alg":"HS256"}
.
{"iss":"authorization-server-id",
"exp":1300819380,
"hotk": {"keys":
[
{"alg":"RSA",
"mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx
4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMs
tn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2
QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbI
SD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqb
w0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
"exp":"AQAB",
"kid":"2011-04-29"}
]
}
}
.
bbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZC
An example of a successful response is shown below:
Accessing a protected resource depends on the chosen credential type.
When a symmetric key was used as a holder-of-the-key then the client has to demonstrate possession of the key that corresponds to the key identifier found in the access token.
1) HTTP Request
POST /request?b5=%3D%253D&a3=a&c%40=&a2=r%20b&c2&a3=2+q HTTP/1.1
Host: example.com
2) JWS Document
{"typ":"HOTK-SK",
"alg":"HS256",
"kid":"client12345@example.com",
"timestamp":"2012-07-15T10:20:00.000-05:00" }
.
{"request":"POST/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b&c2&a3=
2+qexample.com80"}
.
dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
This specification defines three ways for providing this proof of possession, which are indicated as profiles in Section 3.1.1:
Each element is followed by a new line character (%x0A) including the last element and even when an element value is an empty string. The resulting value MUST be put into the "request" element of a JSON document that is then subject to JWS processing
[I-D.ietf-jose-json-web-signature]. The resulting JWS structure is put into the body of the HTTP request. A receiving authorization server MUST use the value in the 'kid' structure to identify the shared key and then use that key to verify the keyed message digest. Additionally, the content of the 'request' field needs to be verified against the HTTP header information. If any of these verification steps fail then the request to the protected resource MUST fail with a "401 Unauthorized" error message back to the OAuth client.
The client accesses protected resources by presenting the access token to the resource server. It does so via a Transport Layer Security (TLS) secured channel. Since the client had previously bound a public key to an access token it selects this key for usage with TLS as described in [I-D.ietf-tls-oob-pubkey].
The resource server validates the access token and ensure it has not expired and that its scope covers the requested resource. Additionally, the resource server verifies that the public key presented during the TLS handshake corresponds to the public key that is contained in the access token.
Note that this step confirms that the client is in possession of the private key corresponding to the public key previously bound to the access token. Information about the client authentication may be contained in the token in case the authorization server added this information when it authenticated the client.
The following list presents several common threats against protocols utilizing some form of tokens. This list of threats is based on NIST Special Publication 800-63 [NIST800-63]. We exclude a discussion of threats related to any form of registration and authentication.
A large range of threats can be mitigated by protecting the contents of the access token by using a digital signature or a Message Authentication Code (MAC). Consequently, the token integrity protection MUST be sufficient to prevent the token from being modified.
To deal with token redirect, it is important for the authorization server to include the identity of the intended recipients (the audience), typically a single resource server (or a list of resource servers), in the token. Restricting the use of the token to a specific scope is also RECOMMENDED.
The authorization server MUST implement and use TLS. Which version(s) ought to be implemented will vary over time, and depend on the widespread deployment and known security vulnerabilities at the time of implementation. At the time of this writing, TLS version 1.2 [RFC5246] is the most recent version. The client MUST validate the TLS certificate chain when making requests to protected resources, including checking the Certificate Revocation List (CRL) [RFC5280].
For the interaction between the client and the resource server this specification requires a TLS extension for usage with out-of-band validation [I-D.ietf-tls-oob-pubkey] to be used that allows clients to present raw public keys for asymmetric holder-of-the-key usage.
With the usage of the holder-of-the-key concept it is not possible for any party other than the legitimate client to use an access token and to re-use it without knowing the corresponding asymmetric key pair. This mechanism prevents against token disclosure.
With the usage of the asymmetric holder-of-the-key concept the following deployment consideration needs to be taken into consideration. In some deployments, including those utilizing load balancers, the TLS connection to the resource server terminates prior to the actual server that provides the resource. This could leave the token unprotected between the front end server where the TLS connection terminates and the back end server that provides the resource.
Client implementations must be carefully implemented to avoid leaking the ephemeral credentials (either the private key from the asymmetric credential or the shared secret).
Token replay is also not possible since an eavesdropper will also have to obtain the corresponding private key or shared secret that is bound to the access token. Nevertheless, it is good practice to limit the lifetime of the access token and therefore the lifetime of associated key.
The following three items represent the main recommendations:
This document requires IANA to take the following actions.
This specification registers the following parameters in the OAuth Parameters Registry established by [I-D.ietf-oauth-v2].
[I-D.ietf-oauth-json-web-token] established the IANA JSON Web Token Claims registry for reserved JWT Claim Names and this document adds the 'hotk' name to that registry.
Section 11.1 of [I-D.ietf-oauth-v2] defines the OAuth Access Token Type Registry and this document adds another token type to this registry.
This document asks IANA to create a registry for profiles of symmetric key-based holder-of-the-key mechanisms. The policy for adding new entries to the registry is "Specification Required". IANA is asked to populate the registry with the following values:
The author would like to thank the OAuth working group and participants of the Internet Identity Workshop for their discussion input that lead to this document.
| [1] | Jones, M, Campbell, B and Y Goland, "OAuth 2.0 Assertion Profile", Internet-Draft draft-ietf-oauth-assertions-00, July 2011. |
| [2] | Jones, M, Hardt, D and D Recordon, "The OAuth 2.0 Protocol: Bearer Tokens", Internet-Draft draft-ietf-oauth-v2-bearer-08, July 2011. |
| [3] | Hammer-Lahav, E., "The OAuth 1.0 Protocol", RFC 5849, April 2010. |
| [4] | Burr, W., Dodson, D., Perlner, R., Polk, T., Gupta, S. and E. Nabbus, "NIST Special Publication 800-63-1, INFORMATION SECURITY", December 2008. |