Enterprise Signing in OAuth
From IIW
Session: Tuesday, Session 2, Space I
Conference: IIW 10 May 17-19, 2009 this is the complete Complete Set of Notes
Brian: "I'm really happy with Oaut2, except for the signing... Can we take section 5.3 of the spec and set it on fire?"
Problems seen:
- HMAC covers the situation where people don't want to do SSL, but requires the whole ugly key management thing. Brian proposes (with a long list of others interested) that we need public key signing.
- The signing is not extensible, you can't add additional fields to the signature. This seems to be a problem in the current spec.
- New protocol substrates.
- One signing choice doesn't seem enough. Extensibility seems key here, can we do this with some form of discovery?
Proposed fixes:
- Create a JSON blob we want signed.
-
- an example... does not require reconstruction of the string to be signed
- BUT how do you verify the signed stuff is part of the request?
- ALSO not great: duplication of data.
- We need key versioning
- Needs key discovery
- Can use something liek https://<app>.appspot.com/.well-known/oauth or some such.
- This might not work for folks that are white label, because there isn't a separate URL for all the entities that need to be discovered.
- There is a google group for the OAuth Key Discovery spec. See Brian's copy of the slides.
- It's worthwhile to join the OAuth2 mailing list to comment on this.
- This is a big discussion topic, I don't type that fast.
- XKMS is again, good reference reading for this.
Discussion:
- How does it work with firewalls -- in and out...
- XMLDSIG is very similar to this, it would be worthwhile to learn from that. Also CMS (Crypto Message Sig).
- Does have the whole PKI problem.
- Can we solve this with SSL? SSL with client certs? Maybe...
- Much discussion here about how key excahnge and key management should work.
- Comment -- If you want to sign arbitrary parts of an HTTP request then use SAML. you don't really want to duplicate that here.
- Need to make sure we get the key exchange right, if you try to put it in here people will get it wrong.
- KeyID/key discovery.
- comment: see XKMS for related reading.
- keyID probably belongs in the envelope and not the payload (from his modified example.