openid / connect / issues / #1164 - insecure front-channel use of private_key_jwt client authentication — Bitbucket

Issue #1164 closed

Brian Campbell created an issue 2020-04-17

“At a minimum openid-connect-federation needs to acknowledge that it's misusing private_key_jwt and do something to mitigate the security problem.”

Please see https://github.com/oauthstuff/draft-oauth-par/issues/41 but particularly the comments at https://github.com/oauthstuff/draft-oauth-par/issues/41#issuecomment-615081283 and https://github.com/oauthstuff/draft-oauth-par/issues/41#issuecomment-615475230

‌

‌

‌

Comments (9)

Michael Jones
- changed status to open
This has received substantial on-list discussion and I believe Roland Hedberg has a plan of action.
- 2020-04-23T16:40:38+00:00
Michael Jones
- assigned issue to
  
  Roland Hedberg
- 2020-04-23T16:43:47+00:00
Michael Jones
- assigned issue to
  
  Roland Hedberg
- 2020-04-23T16:47:37+00:00
Brian Campbell reporter
that on-list discussion is here http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20200420/thread.html fwiw

‌
- 2020-07-08T12:08:19+00:00
Brian Campbell reporter
draft -12 https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.9.1.1.1 is now using the request object as one option. However, it requires ‘sub’ saying “The claim sub MUST contain the entity ID of the OpenID Connect provider.” I assume that’s a mistake and should have said it’s the the client identifier? That’d make more sense and is what the content of the example has. The same presumably erroneous text is there for ‘iss’ too.

But WHY is sub required? The same data would already be carried in the ‘iss’ claim and the ‘client_id’ claim and the ‘client_id’ parameter. Worse the ‘sub’ claim means that the request JWT could likely be used as a private_key_jwt in a token confusion type attack as discussed in https://github.com/oauthstuff/draft-oauth-par/issues/41#issuecomment-615475230 and subsequent comments. So the problem at the heart of this issue is still present.

‌
- 2020-07-08T12:56:34+00:00
Brian Campbell reporter
Also -12 references an old and expired PAR draft https://openid.net/specs/openid-connect-federation-1_0-12.html#PAR and https://openid.net/specs/openid-connect-federation-1_0-12.html#rfc.section.3.2 has “URL of the Authorization Server's Authorization Endpoint or the Authorization Server's entity_id” (note ‘entity_id’ isn’t used anywhere else) for the ‘aud’ of private_key_jwt, which isn’t consistent with the below text from https://www.ietf.org/id/draft-ietf-oauth-par-01.html#section-2 :

“Note that there's some potential ambiguity around the appropriate audience value to use when JWT client assertion based authentication is employed. To address that ambiguity the issuer identifier URL of the AS according to [RFC8414] SHOULD be used as the value of the audience. In order to facilitate interoperability the AS MUST accept its issuer identifier, token endpoint URL, or pushed authorization request endpoint URL as values that identify it as an intended audience.“

‌
- 2020-07-08T13:16:51+00:00
Roland Hedberg
Fixed the PAR reference.
- 2020-09-30T11:23:51+00:00
Roland Hedberg
Regarding the entity statement use for automatic client registration we now specify that ‘sub’ MUST NOT be part of the statement and that ‘aud’ MUST be the ASs authorization endpoint URL.
- 2020-09-30T11:28:03+00:00
Roland Hedberg
- changed status to closed
- 2021-04-02T06:37:08+00:00
Log in to comment

Assignee: Roland Hedberg

Type: bug

Priority: critical

Status: closed

Component: Federation

Milestone: –

Version: –

Votes: 0

Watchers: 5

Jira: the preferred issue tracker for Bitbucket. Join the team!