The OAuth 2.0 Authorization Framework: Holder-of-the-Key Token UsagePing Identityve7jtb@ve7jtb.comOracle Corporationphil.hunt@yahoo.comMicrosofttonynad@microsoft.comNokia Siemens NetworksLinnoitustie 6Espoo02600Finland+358 (50) 4871445Hannes.Tschofenig@gmx.nethttp://www.tschofenig.priv.atInternet-DraftOAuthSecurityPublic KeyHolder-of-the-KeyOAuth 2.0 deployments currently rely on bearer tokens for securing access to protected resources. Bearer tokens require Transport Layer Security to be used between an OAuth client and the resource server when presenting the access token. The security model is based on proof-of-possession: access token storage and transfer has to be done with care to prevent leakage.There are, however, use cases that require a more active involvement of the OAuth client for an increased level of security, particularly to secure against token leakage. This document specifies an OAuth security framework using the holder-of-the-key concept, which requires the OAuth client when presenting an OAuth access token to also demonstrate knowledge of keying material that is bound to the token.
At the time of writing the OAuth 2.0 and accompanying protocols offer one main security mechanism to
access protected resources, namely the bearer token. In a
bearer token is defined as
A security token with the property that any party in possession of
the token (a "bearer") can use the token in any way that any other
party in possession of it can. Using a bearer token does not
require a bearer to prove possession of cryptographic key material.The bearer token meets the security needs of number of use cases OAuth had been designed for. There are, however, scenarios that require stronger security properties and ask for active participation of the OAuth client software in form of cryptographic computations when presenting an access token to a resource server.
This specification defines a new security mechanism for usage with OAuth that combines various
existing specifications to offer enhanced security properties for OAuth. The incredients for this
security solution are:
A mechanism for dynamic key distribution. Data elements to bind emphemeral keying material to an access token. For the access token we assume a JSON Web Token (JWT) in this specification to specify a complete solution. Future specifications may make this functionality available to other access token formats as well.A mechanism to allow the OAuth client to demonstrate a proof of possession.The rest of the document describes how these different components work together.The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in this
specification are to be interpreted as described in .To describe the architecture of the proposed security mechanism it is best to start by looking
at the main OAuth 2.0 protocol exchange sequence.
shows the abstract OAuth 2.0 protocol exchanges graphically. The exchange in this document will
focus on two interactions, namely
to allow the client to obtain the ephemeral asymmetric credentails in step (D)to use the obtained asymmetric credentials for the interaction with the resource server in step (E)OAuth 2.0 offers different ways to obtain an access token, namely
using authorization grants and using a refresh token. The core OAuth
specification defines four authorization grants, see Section 1.3 of , and
adds an assertion-based authorization grant to that list.This document extends the communication with the token endpoint. The token
endpoint, which is described in Section 3.2 of , is used with every authorization grant except for the implicit grant type. In the implicit grant type the access token is issued directly. Two types of keying material can be bound to an access token, namely symmetric keys and asymmetric keys, and we explain them in separate sub-sections. In case a symmetric key shall be bound to an access token then the following procedure is applicable. In the request message from the OAuth client to the authorization server the following parameters MUST be included:
REQUIRED. For the symmetric holder-of-the-key variant the value MUST be set to "hotk-sk".
REQUIRED. The profile parameter provides information about what mechanisms the client supports to provide proof of possession of the key towards a resource server. The value MUST be taken from the algorithm registry created in . Algorithm names are case-sensitive. If the client supports more than one profile then each individual value MUST be separated by a comma.
For example, the client makes the following HTTP request using TLS
(extra line breaks are for display purposes only):
If the access token request is valid and authorized, the
authorization server issues an access token and optionally a refresh
token. If the request client authentication failed or is invalid, the authorization server returns
an error response as described in Section 5.2 of .The authorization server MUST include the following
parameters in a successful response, if it supports any of the profiles listed by the client.
REQUIRED. An ephemeral and unique key identifier. The authorization server MUST NOT select the same key identifier twice within the lifetime of the access token, which is indicated by the 'expires_in' parameter.
REQUIRED. A fresh and unique shared symmetric secret with sufficient entrophy.
REQUIRED. The profile parameter provides further information about how the client has to provide proof of possession of the key with the resource server. The authorization server chooses a value from the list of supported mechanisms supported by the client.
DISCUSSION: Should we put the encrypted key into the access token? This would make the mechanism more similar to a Kerberos-based scheme.In case an asymmetric key shall be bound to an access token then the following procedure is applicable. In the request message from the OAuth client to the authorization server the following parameters MUST be included:
REQUIRED. For the asymmetric holder-of-the-key variant the value MUST be set to "hotk-pk".
REQUIRED. This field contains information about the public key the client would like to bind to the access token in the JSON Web Key format. The public key is "application/x-www-form-urlencoded" encoded.
For example, the client makes the following HTTP request using TLS
(extra line breaks are for display purposes only):
If the access token request is valid and authorized, the
authorization server issues an access token and optionally a refresh
token. If the request client authentication failed or is invalid, the authorization server returns
an error response as described in Section 5.2 of .The authorization server also places information
about the public key used by the client into the access token to create the
binding between the two. The new token type, called 'hotk-pk', is placed into the 'token_type' parameter. An example of a successful response is shown below:
Accessing a protected resource depends on the chosen credential type.When a symmetric key was used as a holder-of-the-key then the client has to demonstrate possession of the key that corresponds to the key identifier found in the access token.This specification defines three ways for providing this proof of possession, which are indicated as profiles in :
When the 'jws' profile is chosen then the client MUST compute the following string by concatenating together, in order, the
following HTTP request elements: The HTTP request method in upper case. For example: "HEAD",
"GET", "POST", etc. The HTTP request-URI as defined by Section 5.1.2 of . The hostname included in the HTTP request using the "Host"
request header field in lower case. The port as included in the HTTP request using the "Host" request
header field. If the header field does not include a port, the
default value for the scheme MUST be used (e.g., 80 for HTTP and
443 for HTTPS). The value of the "ext" "Authorization" request header field
attribute if one was included in the request, otherwise, an empty
string.
Each element is followed by a new line character (%x0A) including the
last element and even when an element value is an empty string. The resulting value MUST be put into the "request" element of a JSON document that is then subject to JWS processing . The resulting JWS structure is put into the body of the HTTP request. A receiving authorization server MUST use the value in the 'kid' structure to identify the shared key and then use that key to verify the keyed message digest. Additionally, the content of the 'request' field needs to be verified against the HTTP header information. If any of these verification steps fail then the request to the protected resource MUST fail with a "401 Unauthorized" error message back to the OAuth client.
The following example shows and the corresponding encoding in a JWS structure:
When the 'mac' profile is chosen then the client MUST follow the description in .The client accesses protected resources by presenting the access
token to the resource server. It does so via a Transport Layer Security
(TLS) secured channel. Since the client had previously bound a public
key to an access token it selects this key for usage with TLS as described
in .The resource server validates the
access token and ensure it has not expired and that its scope covers
the requested resource. Additionally, the resource server verifies that the
public key presented during the TLS handshake corresponds to the public key
that is contained in the access token.Note that this step confirms that the client is in possession of the private key corresponding to the
public key previously bound to the access token. Information about the client authentication may be
contained in the token in case the authorization server added this information when it authenticated
the client.The following list presents several common threats against protocols utilizing some form of tokens. This list of threats is based on NIST Special Publication 800-63 . We exclude a discussion of threats related to any form of registration and authentication. An attacker may craft a fake token or modify the token content (such as the authentication or attribute statements), causing a resource server to grant inappropriate access to the attacker. For example, an attacker may modify the token to extend the validity period or the scope to have extended access to information.Tokens may contain authentication and attribute statements that include sensitive information.An attacker uses a token generated for consumption
by one resource server to gain access to a different resource
server that mistakenly believes the token to be for it. An attacker attempts to use a token that has already
been used with that resource server in the past.A large range of threats can be mitigated by protecting the contents
of the access token by using a digital signature or a Message Authentication
Code (MAC). Consequently, the token integrity protection MUST be sufficient
to prevent the token from being modified.To deal with token redirect, it is important for the authorization
server to include the identity of the intended recipients (the
audience), typically a single resource server (or a list of resource
servers), in the token. Restricting the use of the token to a
specific scope is also RECOMMENDED.The authorization server MUST implement and use TLS. Which version(s) ought
to be implemented will vary over time, and depend on the widespread
deployment and known security vulnerabilities at the time of
implementation. At the time of this writing, TLS version 1.2
is the most recent version. The
client MUST validate the TLS certificate chain when making requests
to protected resources, including checking the Certificate Revocation
List (CRL) . For the interaction between the client and the resource server this specification requires a TLS extension for usage with
out-of-band validation to be used that allows clients to present raw public keys for asymmetric holder-of-the-key usage.
With the usage of the holder-of-the-key concept it is not possible for any party
other than the legitimate client to use an access token and to re-use it without knowing the
corresponding asymmetric key pair. This mechanism prevents against token disclosure.With the usage of the asymmetric holder-of-the-key concept the following deployment
consideration needs to be taken into consideration.
In some deployments, including those utilizing load balancers, the
TLS connection to the resource server terminates prior to the actual
server that provides the resource. This could leave the token
unprotected between the front end server where the TLS connection
terminates and the back end server that provides the resource.Client implementations must be carefully implemented to avoid leaking the ephemeral
credentials (either the private key from the asymmetric credential or the shared secret).Token replay is also not possible since an eavesdropper will also have to obtain
the corresponding private key or shared secret that is bound to the access token.
Nevertheless, it is good practice to limit the lifetime of the access token and therefore the lifetime
of associated key.
The following three items represent the main recommendations:
Client implementations MUST ensure that
the ephemeral private key / shared secret is not leaked to third parties, since those will
be able to use the access token together with the keying material to gain access to protected resources.
Clients can at any time create a new ephemeral credential and associate it with an access token. For example, a client presents
a new public key when requesting an access token with the help of a refresh
token. Nevertheless, the lifetime of these access token may be longer than the
lifetime of bearer tokens.Token servers SHOULD issue bearer tokens
that contain an audience restriction, scoping their use to the
intended relying party or set of relying parties.This document requires IANA to take the following actions.This specification registers the following parameters in the OAuth Parameters Registry established by . pk_info token request IETF [[ this document ]] None token_type token request, token response, authorization response IETF [[ this document ]] None profile token request, token response, authorization response IETF [[ this document ]] None id token response, authorization response IETF [[ this document ]] None key token response, authorization response IETF [[ this document ]] None established the IANA JSON Web Token Claims
registry for reserved JWT Claim Names and this document adds the 'hotk' name to that registry.
Section 11.1 of defines the OAuth Access Token Type Registry and
this document adds another token type to this registry. hotk (none) Holder of the key confirmation using TLS IETF [[ this document ]]This document asks IANA to create a registry for profiles of symmetric key-based holder-of-the-key mechanisms.
The policy for adding new entries to the registry is "Specification Required". IANA is asked to populate the registry with the following values:
Profile name: jws
Change controller: IETF
Specification document(s): [[ this document ]]
Profile name: mac
Change controller: IETF
Specification document(s): [[ this document ]]
The author would like to thank the OAuth working group and participants of the
Internet Identity Workshop for their discussion input that lead to this document.
NIST Special Publication 800-63-1, INFORMATION SECURITYNISTNISTNISTNISTNISTNIST