FAPI2 + dpop nonces
Issue #477
resolved
Is there a FAPI2baseline spec position on DPoP nonces as per section 8 / 9 of https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop-05#section-8 ?
Assuming there isn’t I presume the de facto position is that Authorization Servers/resource servers are free to require clients to support nonces, and that may then mean that the FAPI2Baseline client/RP certifications tests should require clients to implement dpop nonces correctly.
Comments (12)
-
-
reporter
Thanks Brian. Yeah, that sounds right, at least at the resource endpoint.
Think further about it, I can’t see any compelling reason [when used with FAPI] for the use of dpop nonces at the token endpoint, but I may have missed something and there’s nothing in the standards to prevent servers doing it there.
-
- changed status to open
In the Mar. 2 call, Daniel pointed out that not requiring nonce may open an attack surface.
-
There was discussion about maybe removing the requirement to support nonces for the next draft of FAPI2 - this reduces implementation complexity
If the security analysis comes back that we need the nonce, we can add it back in
-
reporter
Pull request opened: https://bitbucket.org/openid/fapi/pull-requests/326/fapi2base-disallow-dpop-nonces
-
If we go down the road of not including the nonce due to the requirement for synchronised clocks in FAPI, it is important to not only make a strong assertion that the nonce is not needed, but also explain how the equivalent freshness guarantees are being achieved. If this information is not included, the strong assertion that nonces should not be included may be taken out of context in environments where synchronised clocks are not available.
-
We discussed this yesterday, and decided that we should revert this change.
Part of the reason is that even though we only support confidential clients - these could still be clients on a user controlled device and therefore clocks may be out of sync.
Another reason is that we don’t want to cause fragmentation of the ecosystem with some clients supporting full DPoP and others only supporting DPoP without nonces.
A further reason is that the added complexity only happens if clients want to certify with DPoP, i.e. it is possible to certify just with mutual tls.
I will raise another issue for this to deal about clock sync re other parts of the spec (e.g. private_key_jwt)
-
reporter
As I mentioned briefly on yesterday’s call, I’d be keen to add a note/'MAY' clause/similar to FAPI just to draw attention to the nonces (e.g. “AS may use dpop nonces. Clients must support the dpop nonce mechanism.”. As the situation currently stands I suspect people are likely to develop clients that don’t send nonces (my gut feeling is most servers won’t require nonces for confidential clients), and only discover the complication of needing to support nonces when they certify or later try a server that does require nonces. This runs the risk of re-enforcing a “certification is difficult” myth.
-
@Joseph Heenan I concur. A note in the AS section and a new MUST in the client section could be drafted.
-
reporter
Filip removed the clauses about not using nonces here: https://bitbucket.org/openid/fapi/pull-requests/330
Dave is adding the extra clauses making the situation clear for developers here: https://bitbucket.org/openid/fapi/pull-requests/331
-
- changed status to resolved
PR merged
-
- changed component to FAPI2: Security Profile
- Log in to comment
- Assignee
- –
- Type
- Priority
- Status
- resolved
- Component
- FAPI2: Security Profile
- Milestone
- –
- Votes
- 0
- Watchers
- 5
That de facto sounds about right to me. Which would likewise mean that AS certifications tests need to handle dpop nonces from AS and resources correctly.