Hi Annabelle, We recently implemented PAR in a release. What security risks do AS users face if the clients encrypt to the same JWK set?
If there are general issues with that, do they also hold for clients? Because an OP / AS can potentially issue multiple types of encrypted JWTs at separate endpoints: * Encrypted ID tokens * Encrypted UserInfo * Encrypted authZ responses (JARM) * Encrypted introspection responses I like PAR because it was so easy and straightforward to explain to client developers, and the benefits of having an authZ request submitted directly to the AS were also easily understood (no limits on the size of the request and it remaining hidden from the front-channel, the client is authenticated before user auth / consent). Vladimir On 03/01/2020 23:43, Richard Backman, Annabelle wrote: > PAR introduces an added wrinkle for encrypted request objects: the PAR > endpoint and authorization endpoint may not have access to the same > cryptographic keys, even though they're both part of the "authorization > server." Since they're different endpoints with different roles, it's > reasonable to put them in separate trust boundaries. There is no way to > support this isolation with just a single "jwks_uri" metadata property. > > The two options that I see are: > > 1. Define a new par_jwks_uri metadata property. > 2. Explicitly state that this separation is not supported. > > I strongly perfer #1 as it has a very minor impact on deployments that don't > care (i.e., they just set par_jwks_uri and jwks_uri to the same value) and > failing to support this trust boundary creates an artificial limit on > implementation architecture and could lead to compatibility-breaking > workarounds. > > – > Annabelle Richard Backman > AWS Identity > > > On 12/31/19, 8:07 AM, "OAuth on behalf of Torsten Lodderstedt" > <oauth-boun...@ietf.org on behalf of > torsten=40lodderstedt....@dmarc.ietf.org> wrote: > > Hi Filip, > > > On 31. Dec 2019, at 16:22, Filip Skokan <panva...@gmail.com> wrote: > > > > I don't think we need a *_auth_method_* metadata for every endpoint the > client calls directly, none of the new specs defined these (e.g. device > authorization endpoint or CIBA), meaning they also didn't follow the scheme > from RFC 8414 where introspection and revocation got its own metadata. In > most cases the unfortunately named `token_endpoint_auth_method` and its > related metadata is what's used by clients for all direct calls anyway. > > > > The same principle could be applied to signing (and encryption) > algorithms as well. > > > > This I do not follow, auth methods and their signing is dealt with by > using `token_endpoint_auth_methods_supported` and > `token_endpoint_auth_signing_alg_values_supported` - there's no encryption > for the `_jwt` client auth methods. > > Unless it was meant to address the Request Object signing and > encryption metadata, which is defined and IANA registered by OIDC. PAR only > references JAR section 6.1 and 6.2 for decryption/signature validation and > these do not mention the metadata (e.g. request_object_signing_alg) anymore > since draft 07. > > Dammed! You are so right. Sorry, I got confused somehow. > > > > > PS: I also found this comment related to the same question about auth > metadata but for CIBA. > > Thanks for sharing. > > > > > Best, > > Filip > > thanks, > Torsten. > > > > > > > On Tue, 31 Dec 2019 at 15:38, Torsten Lodderstedt > <tors...@lodderstedt.net> wrote: > > Hi all, > > > > Ronald just sent me an email asking whether we will define metadata for > > > > pushed_authorization_endpoint_auth_methods_supported and > > pushed_authorization_endpoint_auth_signing_alg_values_supported. > > > > The draft right now utilises the existing token endpoint authentication > methods so there is basically no need to define another parameter. The same > principle could be applied to signing (and encryption) algorithms as well. > > > > What’s your opinion? > > > > best regards, > > Torsten. > > >
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
