thanks and done On Thu, Sep 5, 2019 at 11:53 AM Benjamin Kaduk <ka...@mit.edu> wrote:
> On Wed, Sep 04, 2019 at 06:17:32PM -0600, Brian Campbell wrote: > > On Wed, Sep 4, 2019 at 5:55 PM Benjamin Kaduk <ka...@mit.edu> wrote: > > > > > On Wed, Sep 04, 2019 at 05:19:27PM -0600, Brian Campbell wrote: > > > > Thanks Ben, for the review and non-objectional ballot. > > > > > > > > On Wed, Sep 4, 2019 at 3:13 PM Benjamin Kaduk via Datatracker < > > > > nore...@ietf.org> wrote: > > > > > > > > > Benjamin Kaduk has entered the following ballot position for > > > > > draft-ietf-oauth-resource-indicators-05: No Objection > > > > > > > > > > Section 3 > > > > > > > > > > An access token that is audience restricted to a protected > resource > > > > > that obtains that token legitimately cannot be used to access > > > > > resources on behalf of the resource owner at other protected > > > > > resources. The "resource" parameter enables a client to > indicate > > > the > > > > > > > > > > nit: This sentence has a pretty strange construction. I think the > > > > > intent is to say that that a token, legitimately presented to a > > > > > resource, cannot then be taken by that resource server and > > > > > illegitimately present it somewhere else for access to other > resources. > > > > > But with the current wording we seem to be missing part of the part > > > > > where some entity obtains the token with intent for illegitimate > > > access. > > > > > > > > > > > > > Yes, despite the pretty strange construction, you have the correct > > > intent. > > > > I'll work on improving that sentence (borrowing heavily from your > words > > > > there). > > > > > > > > > > > > > > > > > Some servers may host user content or be multi-tenant. In > order to > > > > > avoid attacks that might confuse a client into sending an access > > > > > token to a resource that is user controlled or is owned by a > > > > > different tenant, it is important to use a specific resource URI > > > > > including a path component. This will cause any access token > issued > > > > > for accessing the user controlled resource to have an invalid > > > > > audience if replayed against the legitimate resource API. > > > > > > > > > > I'm not entirely sure what this is trying to say. What is the > > > > > "legitimate resource API"? Why would a token be issued for > accessing a > > > > > user-controlled resource if that's something we're trying to avoid > > > > > having confused clients access? > > > > > > > > > > > > > Um... so on rereading that I might say that it's also "pretty > strange". > > > > > > > > What it was trying to somehow say is similar to the previous nit > about > > > > audience-restricted not being usable at the resource for whom the > weren't > > > > intended. But saying so in the context of a multi-tenant environment. > > > > Basically it's trying to say that, in a multi-tenant environment, the > > > > resource URI and subsequent token audience need to have something > that > > > > identifies the tenant so as to prevent the token from being used by > one > > > > tenant to illegitimately access resources at a different tenant. I'll > > > work > > > > on trying to improve that text to better explain all that. > > > > > > Ah, yes, that's a very good point to make. I'm happy to look at some > draft > > > text if you want. > > > > > > > Thanks, here's what I've got now for this and the previous item in sec 3. > > Suggestions welcome. > > > > 3. Security Considerations > > > > An audience-restricted access token, legitimately presented to a > > resource, cannot then be taken by that resource to present it > > elsewhere for illegitimate access to other resources. The "resource" > > I think "by that resource and presented elsewhere" probbaly has a more > parallel flow. > > > parameter enables a client to indicate the protected resources where > > the requested access token will be used, which in turn enables the > > authorization server to apply the appropriate audience restrictions > > to the token. > > > > Some servers may host user content or be multi-tenant. In order to > > avoid attacks where one tenant uses an access token to illegitimately > > access resources owned by a different tenant, it is important to use > > a specific resource URI including any portion of the URI that > > identifies the tenant, such as a path component. This will allow > > access tokens to be audience-restricted in a way that identifies the > > tenant and prevent their use, due to an invalid audience, at > > resources owned by a different tenant. > > But other than the above nit, this all looks really good; thank you! > > -Ben > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
