Internet-Draft | OAuth 2.0 Attestation-Based Client Authe | July 2023 |
Looker & Bastian | Expires 11 January 2024 | [Page] |
This specification defines a new method of client authentication for OAuth 2.0 [RFC6749] by extending the approach defined in [RFC7521]. This new method enables client deployments that are traditionally viewed as public clients to be able to authenticate with the authorization server through an attestation based authentication scheme.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://vcstuff.github.io/draft-looker-oauth-attestation-based-client-auth/draft-looker-oauth-attestation-based-client-auth.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-looker-oauth-attestation-based-client-auth/.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 January 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
[RFC7521] defines a way for a client to include an assertion in a token request to an authorization server for the purposes of client authentication. This specification uses this framework to define a new assertion type that provides a way for a client instance to authenticate itself with the authorization server through an assertion that is bound to a public key (for proof of possession). This assertion is designated with the name of Client Attestation in this draft.¶
The following diagram depicts the overall architecture and protocol flow.¶
(3) Generate Client Attestation +-------+ | | | \ / +---------------+ | | | | | Client | | Backend | | | | | +---------------+ / \ | | | (2) Request | | (4) Respond with Client | | generated Client Attestation | | Attestation for generated | | key | | | | | \ / +---------------+ +---------------+ | | | | +------->| |<------------------------>| | (1) Generate | | Client | (6) Interaction | Authorization | Attestation Key | | Instance | using Client | Server | +--------| | Attestation + PoP | | | | for authentication | | +---------------+ +---------------+ / \ | | | +-------+ (5) Generate Client Attestation PoP¶
The flow starts with the Authorization Server communicating its requirements for the client authentication to the client, made available in its metadata. A Client instance that wants to request an access token from this Authorization Server needs to obtain a Client Attestation JWT, for example, from its client backend first.¶
Therefore, the client generates a key (Client Instance Key) and (platform specific) attestations to prove its authenticity, integrity and security to the client backend (step 1). The Client instance sends this data to the client backend in request for a Client Attestation JWT (step 2). If the Client Backend successfully validates the Client Instance Key and further data, it generates a signed Client Attestation JWT (step 3). As the Client Attestation JWT is cryptographically bound to the Client Instance Key generated by the client, the attestation is bound to this particular client instance. The client backend responds to the client's request by sending the Client Attestation JWT (step 4).¶
The client can proceed now and generate a Client Attestation Proof of Possession (PoP) for the Client Instance Key (step 5). Lastly, the client sends both the Client Attestation JWT and the Client Attestation PoP with the Token Request to the Authorization Server. The Authorization Server validates the client attestation and thus authenticates the client. The Authorization Server may continue to issue sender-constrained access tokens using [DPOP].¶
Note that the protocol for steps 2 and 4 and how the client instance authenticates with the client backend is out of scope of this specification. Note also that this specification can be utilized without the client having a backend server at all; in this case, each client instance will perform the functions described as being done by the backend for itself.¶
This specification defines the format of the Client Attestation that a client instance uses to authenticate in its interactions with an authorization server, which is comprised of two key parts:¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
A JSON Web Token (JWT) generated by the client backend which is bound to a key managed by a client instance which can then be used by the instance for client authentication.¶
A Proof of Possession generated by the client instance using the key that the Client Attestation JWT is bound to.¶
A cryptographic, asymmetric key generated by the client instance and proven to the client backend. The public key is contained in the Client Attestation JWT and is used to sign the Client Attestation Proof of Possession.¶
To perform client authentication using this scheme, the client instance uses the following parameter values and encodings.¶
The value of the "client_assertion_type" is "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation".¶
The value of the "client_assertion" parameter contains two JWTs, separated by a '~' character. It MUST NOT contain more or less than precisely two JWTs seperated by the '~' character. The first JWT MUST be the client attestation JWT defined in Section 4.1.1, the second JWT MUST the client attestation PoP defined in Section 4.1.2.¶
The following example demonstrates client authentication using this scheme during the presentation of an authorization code grant in an access token request (with extra line breaks for display purposes only):¶
POST /token HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4& client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3A client-assertion-type%3Ajwt-client-attestation& client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0. eyJpc3Mi[...omitted for brevity...]. cC4hiUPo[...omitted for brevity...]~eyJzI1NiIsImtphbGciOimtpZCI6IjIyIn0. IjIyIn0[...omitted for brevity...]. iOiJSUzI1[...omitted for brevity...]¶
In order to authenticate the client using this scheme, the authorization server MUST validate BOTH the JWTs present in the "client_assertion" parameter according to the criteria below.¶
It is RECOMMENDED that the authorization server validate the Client Attestation JWT prior to validating the Client Attestation PoP.¶
The following rules apply to validating the client attestation JWT. Application of additional restrictions and policy are at the discretion of the authorization server.¶
The following example is the decoded header and payload of a JWT meeting the processing rules as defined above.¶
{ "alg": "ES256", "kid": "11" } . { "iss": "https://client.example.com", "sub": "https://client.example.com", "nbf":1300815780, "exp":1300819380, "cnf": { "jwk": { "kty": "EC", "use": "sig", "crv": "P-256", "x": "18wHLeIgW9wVN6VD1Txgpqy2LszYkMf6J8njVAibvhM", "y": "-V4dS4UaLMgP_4fY4j8ir7cl1TXlFdAgcx55o7TkcSA" } } }¶
The following rules apply to validating the Client Attestation JWT. Application of additional restrictions and policy are at the discretion of the Authorization Server.¶
The following example is the decoded header and payload of a JWT meeting the processing rules as defined above.¶
{ "alg": "ES256" } . { "iss": "https://client.example.com", "aud": "https://as.example.com", "nbf":1300815780, "exp":1300819380, }¶
Implementers should be aware that the design of this authentication mechanism deliberately allows for a client instance to re-use a single Client Attestation JWT in multiple interactions/requests with an authorization server, whilst producing a fresh Client Attestation PoP JWT. Client deployments should consider this when determining the validity period for issued Client Attestation JWTs as this ultimately controls how long a client instance can re-use a single Client Attestation JWT.¶
Authorization servers issuing a refresh token in response to a token request using the "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation" client authentication method MUST bind the refresh token to the client instance, and NOT just the client as specified in section 6 [RFC6749]. To prove this binding, the client instance MUST authenticate itself to the authorization server when refreshing an access token using the "urn:ietf:params:oauth:client-assertion-type:jwt-client-attestation" authentication method. The client MUST also use the same Client Attestation that was used for authentication when the refresh token was issued.¶
This section registers the value "client-assertion-type:jwt-client-attestation" in the IANA "OAuth URI" registry established by "An IETF URN Sub-Namespace for OAuth" [RFC6755].¶
This section registers the value "attest_jwt_client_auth" in the IANA "OAuth Token Endpoint Authentication Methods" registry established by OAuth 2.0 Dynamic Client Registration Protocol [RFC7591].¶
This non-normative example shows a client attestations used as an wallet instance attestation in the context of eIDAS 2.0 [ARF], e.g. to secure a Type-1 configuration credential. The additional claims describe the wallet's device binding und user binding capabilities and the achievable level of assurance.¶
{ "typ": "wallet-attestation+jwt", "alg": "ES256", "kid": "1" } . { "iss": "https://wallet-provider.com", "sub": "https://wallet-provider.com/solution/wallet-1.6.0", "iat": 1541493724, "exp": 1516247022, "wallet_name": "human readable wallet name", "key_type" : "STRONGBOX", "user_authentication" : "SYSTEM_PIN", "attested_security_context" : "https://eu-trust-list.eu/asc/high", "cnf": { "jwk" : { "kty": "EC", "crv": "P-256", "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc", "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ" } } }¶
We would like to thank Michael B. Jones, Torsten Lodderstedt, and Kristina Yasuda for their valuable contributions to this specification.¶