Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token encryption cannot replace TLS. See #64 #127

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Token encryption cannot replace TLS. See #64 #127

wants to merge 1 commit into from

Conversation

ioggstream
Copy link
Contributor

@ioggstream ioggstream commented Jul 21, 2022
edited
Loading

This PR

  • token encryption can't replace TLS unless similar requirements are implemented (integrity, privacy, authenticity) ;
  • suggest using TLS along the way, even when using TLS terminators;
  • MUST does not define here a specific requirement

Note

Some mitigation measure express strict requirements (e.g. MUST NIT store in insecure cookies). IMHO that's ok, but in this case it's more than mitigation, since an implementation that does not respect these is non conformant.

tlodderstedt
tlodderstedt requested changes Dec 19, 2024
View reviewed changes
draft-ietf-oauth-v2-1.md
such deployments, sufficient measures MUST be employed to ensure
confidentiality of the access token between the front-end and back-end
servers; encryption of the token is one such possible measure.
When an OAuth server sits behind a reverse proxy
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that token encryption is not a replacement for TLS. Encryption should be used to prevent any party along the way from AS to RS to inspect the data in the token, including the client.
Similar, signatures protect the integrity and authenticity of self-contained tokens along the way, especially at the client.
Lack of TLS protection from datacenter edge to RS could cause only problems with sender constrained access tokens bound to a TLS certificate. I think the suitable solution would be to use DPoP instead of Client TLS authentication in such cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tlodderstedt tlodderstedt tlodderstedt requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ioggstream @tlodderstedt