Category: OAuth Page 1 of 11

Aaron Parecki and I have updated the “OAuth 2.0 Protected Resource Metadata” specification in preparation for presentation and discussions at IETF 118 in Prague. The updates address comments received during the discussions at IETF 117 and afterwards. As described in the History entry, the changes were:

• Renamed scopes_provided to scopes_supported
• Added security consideration for scopes_supported
• Use BCP 195 for TLS recommendations
• Clarified that resource metadata can be used by clients and authorization servers
• Added security consideration recommending audience-restricted access tokens
• Mention FAPI Message Signing as a use case for publishing signing keys
• Updated references

The specification is available at:

• https://www.ietf.org/archive/id/draft-ietf-oauth-resource-metadata-01.html

The OAuth 2.0 Demonstrating Proof of Possession (DPoP) specification has been published as RFC 9449! As Vittorio Bertocci wrote, “One of the specs with the highest potential for (positive) impact in recent years.” I couldn’t agree more!

The concise abstract says it all:

This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.

As I described in my 2022 Identiverse presentation on DPoP it’s been a Long and Winding Road to get here. Efforts at providing practical proof of possession protection for tokens have included:

• SAML 2.0 Holder-of-Key Assertion Profile – Not exactly OAuth
• OAuth 1.0 used PoP – But message signing too complicated
• OAuth 2.0 MAC draft – Used similarly complicated signing
• OAuth 2.0 HTTP Signing draft – Abandoned due to complexity
• TLS Token Binding – Some browsers declined to ship it
• OAuth 2.0 Mutual TLS – Client certs notoriously difficult to use
• OAuth 2.0 DPoP – Today’s RFC aimed at simply and practically solving this important problem

As they say, I think this one’s the one! Implement, deploy, and enjoy!

In collaboration with Aaron Parecki, the ability for OAuth 2.0 protected resource servers to return their resource identifiers via WWW-Authenticate has been added to the OAuth 2.0 Protected Resource Metadata specification. This enables clients to dynamically learn about and use protected resources they may have no prior knowledge of, including learning what authorization servers can be used with them.

This incorporates functionality originally incubated in draft-parecki-oauth-authorization-server-discovery-00. Aaron and I had been asked to merge the functionality of our two drafts during an OAuth working group session at IETF 116. We’re both happy with the result!

The specification is available at:

• https://www.ietf.org/archive/id/draft-jones-oauth-resource-metadata-04.html

The OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) specification was approved by the IESG and is now in the hands of the RFC Editor in preparation for publication as an RFC. In a related development, the multiple IANA registrations requested by the specification are already in place.

As Vittorio Bertocci wrote, “One of the specs with the highest potential for (positive) impact in recent years.” I couldn’t agree more!

The latest version of the specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-16.html

Implement and deploy early and often!

Following the IETF-wide publication request, we’ve published another DPoP draft that addresses additional review comments received to date. This version is destined for the IESG Telechat on April 13, 2023.

Recent changes as described in the history log are:

• Add sec considerations sub-section about binding to client identity
• Explicitly say that nonces must be unpredictable
• Change to a numbered list in ‘Checking DPoP Proofs’
• Editorial adjustments
• Incorporated HTTP header field definition and RFC 8792 ‘\’ line wrapping suggestions by Mark Nottingham

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-14.html

This week Brian Campbell published an updated OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) draft addressing the Area Director review comments received. Thanks to Roman Danyliw for his useful review!

As Brian wrote, updates in this version of the specifiation were:

• Updates from Roman Danyliw’s AD review
• DPoP-Nonce now included in HTTP header field registration request
• Fixed section reference to URI Scheme-Based Normalization
• Attempt to better describe the rationale for SHA-256 only and expectations for how hash algorithm agility would be achieved if needed in the future
• Elaborate on the use of multiple WWW-Authenticate challenges by protected resources
• Fix access token request examples that were missing a client_id

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-12.html

Brian Campbell published an updated OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP) draft addressing the shepherd review comments received. Thanks to Rifaat Shekh-Yusef for his useful review!

Following publication of this draft, Rifaat also created the shepherd write-up, obtained IPR commitments for the specification, and requested publication of the specification as an RFC. Thanks all for helping us reach this important milestone!

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-11.html

The editors have applied some minor updates to the OAuth DPoP specification in preparation for discussion at IETF 113 in Vienna. Updates made were:

• Renamed the always_uses_dpop client registration metadata parameter to dpop_bound_access_tokens.
• Clarified the relationships between server-provided nonce values, authorization servers, resource servers, and clients.
• Improved other descriptive wording.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-06.html

A new draft of the OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) specification has been published that addresses four months’ worth of great review comments from the working group. Refinements made were:

• Added Authorization Code binding via the dpop_jkt parameter.
• Described the authorization code reuse attack and how dpop_jkt mitigates it.
• Enhanced description of DPoP proof expiration checking.
• Described nonce storage requirements and how nonce mismatches and missing nonces are self-correcting.
• Specified the use of the use_dpop_nonce error for missing and mismatched nonce values.
• Specified that authorization servers use 400 (Bad Request) errors to supply nonces and resource servers use 401 (Unauthorized) errors to do so.
• Added a bit more about ath and pre-generated proofs to the security considerations.
• Mentioned confirming the DPoP binding of the access token in the list in (#checking).
• Added the always_uses_dpop client registration metadata parameter.
• Described the relationship between DPoP and Pushed Authorization Requests (PAR).
• Updated references for drafts that are now RFCs.

I believe this brings us much closer to a final version.

The specification is available at:

• https://tools.ietf.org/id/draft-ietf-oauth-dpop-05.html