OAuth 2.0 Authorization Server Issuer Identification
draft-ietf-oauth-iss-auth-resp-05
Yes
Roman Danyliw
No Objection
Erik Kline
John Scudder
Zaheduzzaman Sarker
(Martin Duke)
(Martin Vigoureux)
Note: This ballot was opened for revision 03 and is now closed.
Roman Danyliw
Yes
Erik Kline
No Objection
Francesca Palombini
(was Discuss)
No Objection
Comment
(2021-12-02 for -04)
Sent
Thank you for the work on this document, and for addressing my DISCUSS. Many thanks to Julian Reschke for the ART ART review: https://mailarchive.ietf.org/arch/msg/art/XfLbtK1eLb7s0Z6e_AqGgkoWny0/. Francesca
John Scudder
No Objection
Murray Kucherawy
No Objection
Comment
(2021-12-01 for -03)
Sent
I support Francesca's DISCUSS. I also concur with Eric's observations about the shepherd writeup. Those important details are missing. Please quote "iss" wherever you use it. Every time I ran into it, my first thought was that it's a typo and I had to re-parse it a couple of times.
Warren Kumari
No Objection
Comment
(2021-12-01 for -03)
Not sent
Thank you for this document, and also writing it in a manner that even someone unfamiliar with OAuth can understand :-) -- I use it, but the internals are very much a black box to me...
Zaheduzzaman Sarker
No Objection
Éric Vyncke
No Objection
Comment
(2021-11-29 for -03)
Sent
Thank you for the work put into this document. Special thanks to Rifaat Shekh-Yusef for the shepherd's write-up, but alas it does not include ANY comments about the WG consensus and this it the most important point in the write-up. I am trusting the responsible AD and the WG chairs about the consensus. I have no special comments to add: it looks Regards, -éric
Benjamin Kaduk Former IESG member
Yes
Yes
(2021-11-30 for -03)
Sent
Is the authorization endpoint the only one that would benefit from the added "iss" protection? Should we say anything about the utility of the "iss" parameter in other responses? Section 2 If the authorization server provides metadata as defined in [RFC8414], the value of the parameter iss MUST be identical to the authorization server metadata value issuer. Does it ever make sense to implement this document but not provide metadata as in RFC 8414? Should this document give any guidance (e.g., SHOULD or MUST) about also implementing RFC 8414 if this document is implemented? Section 2.1 Thank you for using a nice random code with 256 bits of entropy in the example :) Section 2.2 Should we use a different 'state' value for the example successful response and example error response? Section 2.3 * The issuer identifier included in the server's metadata value issuer MUST be identical to the iss parameter's value. I think we attempted to impose this requirement using the BCP 14 MUST keyword up in toplevel section 2 as well. Generally my advice is to only use the normative keywords in one place for any given requirement, to avoid any risk of conflicting guidance that could lead to different implementation behaviors. (In this case, putting the MUST here seems to make more sense, since it's an explicit listing of "the following rules apply".) NITS Section 2.4 If clients interact with both authorization servers supporting this specification and authorization servers not supporting this specification, clients MUST store the information which authorization server supports the iss parameter. Clients MUST reject authorization I think there's a missing word here, for "the information about" or even a broader rewording to "MUST retain state about whether each authorization server supports the iss parameter". support in their metadata. Local policy or configuration can determine whether to accept such responses and specific guidance is out of scope for this specification. I'd suggest s/whether/when/, since we already do give default guidance ("SHOULD discard") earlier.
Lars Eggert Former IESG member
No Objection
No Objection
(2021-11-29 for -03)
Sent
All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. Section 2.3. , paragraph 2, nit: > s by any other mechanism which is outside of the scope of this specification. > ^^^^^^^^^^ This phrase is redundant. Consider using "outside". Section 4. , paragraph 4, nit: > f alternative countermeasures are outside of the scope of this specification. > ^^^^^^^^^^ This phrase is redundant. Consider using "outside". These URLs in the document can probably be converted to HTTPS: * http://arxiv.org/abs/1508.04324 * http://www.iana.org/assignments/oauth-parameters * http://openid.net/specs/openid-connect-core-1_0.html
Martin Duke Former IESG member
No Objection
No Objection
(for -03)
Not sent
Martin Vigoureux Former IESG member
No Objection
No Objection
(for -03)
Not sent
Robert Wilton Former IESG member
No Objection
No Objection
(2021-11-30 for -03)
Sent
Hi, Thanks for this document, just one comment on a couple of sentences in the security section that I found unclear in this paragraph: There are also alternative countermeasures to mix-up attacks. When an authorization response already includes an authorization server's issuer identifier by other means, and this identifier is checked as laid out in Section 2.4, the use and verification of the iss parameter is not necessary and MAY be omitted. This is the case when OpenID Connect response types that return an ID token from the authorization endpoint (e.g., response_type=code id_token) or JARM response mode are used, for example. However, if a client receives an authorization response that contains multiple issuer identifiers, the client MUST reject the response if these issuer identifiers do not match. The details of alternative countermeasures are outside of the scope of this specification. I'm probably missing something but this seems to suggest both: - the use and verification of the iss parameter is not necessary and MAY be omitted. - if a client receives an authorization response that contains multiple issuer identifiers, the client MUST reject the response if these issuer identifiers do not match. These seems to conflict to me, but perhaps I'm misunderstanding their intent? Regards, Rob