DPoP and acceptance tokens

Comments (17)

1. 

   Oliver Terbu reporter

   IMO, the client must use the same DPoP key. For that reason, it might be worth rephrasing the current spec text that defines the `acceptance_token`.

   The current spec says:

   acceptance_token: OPTIONAL. A JSON string containing a token subsequently used to obtain a Credential. MUST be present when credential is not returned.
   

   I’d suggest to change the text, so that the `acceptance_token` becomes an Access Token for the deferred credential endpoint, so that it is compatible with the DPoP text. Are there any concerns with that?

   ‌

   • 2023-02-02T17:59:59+00:00
2. 

   Oliver Terbu reporter

   Alternatively, we could say that the acceptance_token becomes A new Access Token for all subsequent requests (including refresh) but then we would need to change more parts of the specification.

   • 2023-02-02T18:01:21+00:00
3. 

   Oliver Terbu reporter

   Alternatively, the client would still send the orginal access token and would send the acceptance token in the payload as a request parameter.

   • 2023-02-02T18:05:30+00:00
4. 

   Nikos Fotiou

   I agree that the client must use the same DPoP key, otherwise we may end up in a downgrade attack. In addition to what Oliver says, IMHO it should be mentioned something like “if an access token is bound to a public key, e.g, using a mechanisms described in Section 6 of https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop , then the acceptance_token MUST also be bound to the same key”.

   • 2023-02-17T23:39:20+00:00
5. 

   Kristina Yasuda

   Binding Acceptance token to the same DPoP key as Access Token (approach A) is I think the simplest approach and I agree with the text proposed by Nikos.

   Using `acceptance_token`as an Access Token for the deferred credential endpoint (approach B) does not really make sense to me it might add significant complexity..

   @Daniel Fett Are there any possible security concerns with either of the approacheds?

   ‌

   • 2023-02-23T16:50:23+00:00
6. 

   Torsten Lodderstedt

   I suggest to change the endpoint to use access tokens and turn the acceptance token into a ' transaction_id`. That way DPoP could be used to protect the deferred issuance as well. Here is an example:

   POST /credential_deferred HTTP/1.1
   Host: server.example.com
   Content-Type: application/x-www-form-urlencoded
   Authorization: BEARER czZCaGRSa3F0MzpnWDFmQmF0M2JW
   
   transaction_id=8xLOxBtZp8
   

   ‌

   • 2023-02-23T17:01:49+00:00
7. 

   Oliver Terbu reporter

   I agree with @tlodderstedt . That is also my preferred solution.

   • 2023-02-23T18:36:47+00:00
8. 

   Kristina Yasuda

   Assuming definition of acceptance_token and a transaction_id is the same, is the rationale of renaming to clarify its function?

   • 2023-02-23T20:36:20+00:00
9. 

   Kristina Yasuda

   to change the endpoint to use access tokens

   actually, if we do this, I would like to merge deferred endpoint functionality into the credential endpoint. Credential endpoint already supports access tokens.

   • 2023-02-23T20:37:43+00:00
10. 

    Kristina Yasuda

    Security Analysis seem to recommend using Access Token at the deferred endpoint: openid / connect / Pull Request #468: First draft of OpenID 4 VC Security Analysis — Bitbucket

    • 2023-02-28T06:20:08+00:00
11. 

    Kristina Yasuda

    Having read the security analysis PR, I am in strong favor of merging the deferred endpoint functionality into Credential/Batch Endpoints to decrease attack surface (mix-up attacks).

    • 2023-02-28T06:28:14+00:00
12. 

    Torsten Lodderstedt

    Can you please describe why merging the deferred endpoint reduces the attack surface?

    • 2023-03-02T16:10:08+00:00
13. 

    Kristina Yasuda

    this part in the security analysis.

    **ATTACK**: An attacker can configure Mix-Up 1a. The attacker receives

    an acceptance token from the Wallet's request to the deferred credential

    endpoint and uses it to obtain a credential from the deferred

    credential endpoint of the honest server. *Potential solution:* The

    credential endpoint and batch credential endpoint can only be accessed

    by using an access token. Can DPoP or MTLS be enforced for an acceptance

    token? Better to use access token instead.

    Mix-up 1a being :

    • `credential_issuer`: Attacker's Credential Issuer Identifier

    • `authorization_server`: Honest Issuer's Authorization Server

    • `credential_endpoint` Honest Issuer's Authorization Server

    • `batch_credential_endpoint`: Honest Issuer's Authorization Server

    • `deferred_credential_endpoint`: attacker-controlled.

    ‌

    • 2023-03-02T17:28:33+00:00
14. 

    Torsten Lodderstedt

    The recommendation is to require an access token, right? I did PR #472 to do so.

    • 2023-03-02T18:27:57+00:00
15. 

    Oliver Terbu reporter

    If we merge PR #472, this would solve this issue.

    • 2023-03-03T15:35:24+00:00
16. 

    Kristina Yasuda

    • changed status to open

    PR exists - have discussed during multiple SIOP calls

    • 2023-04-06T16:03:10+00:00
17. 

    Kristina Yasuda

    • changed status to resolved

    PR #472 merged

    • 2023-05-18T16:09:24+00:00
18. Log in to comment