Should resource servers check the token issuer? #57
Comments
|
from https://datatracker.ietf.org/doc/draft-ietf-oauth-access-token-jwt/?include_text=1 Reviewing the mentions of https://tools.ietf.org/html/rfc8725#section-3.8 says to follow the |
|
Ok. So clearly the resource server needs to check that the 'iss' value matches the location that the public key is sourced from. The spec perhaps needs updating to indicate that:
For the case where multiple authorisation servers exist in a cluster, the spec could state that the 'iss' must be the same for them all, which would require them to share a common (aliased) hostname, but that rather breaks the 'priority' mechanism. An alternative would be that when resource servers validate tokens they should check if the 'iss' matches any of the hostnames currently listed via '_nmos-auth._tcp'. The challenge there is that if mDNS is being used (or a complex subdomain based unicast DNS setup) then the issuing auth server may not be visible either. |
|
From https://tools.ietf.org/html/rfc7523#section-3, we are allowed to have application specific match of the
This would help cover the scenario when a new Auth Server of higher priority comes on. Two resource servers with different auth servers would be able to validate each others token.
I think mDNS will be hard to fit under "MUST be an absolute URI" unless we specify it's the IP address to match the issuer. I would not expect to connect to the server over its The DNS should match the |
|
Having gone back over this I think my greatest concern is around large (potentially multi-site) deployments. If you had two sites, you may wish for the control system in site A to be able to adjust a subset of systems in site B. You could have one Auth Server serving both sites, but this wouldn't be very resilient to WAN link failures. In the case that each site had its own Auth Server they could use their own individual private keys, but both servers could be configured to distribute each other's public keys. If a Resource Server in site A receives a token from the Auth Server in site B, it can verify the token signature using the public keys it already has, but the If we assume that |
|
Couple of questions... Is it safe to assume we can require Auth Servers to use URL for Why would Resource Server in site A be able to request the Auth Server metadata from the remote site via its DNS name, but not be able to see its DNS-SD records? |
No, not unless we require it in the spec.
Good question. I was envisaging two subdomains which prevent the DNS-SD records leaking, but of course that prevents the A records leaking too. I guess the Auth Servers' A records could be in a third (global) subdomain. If the scenario seems a bit far fetched then that's fair enough, I'd just like to make sure we've considered how this may impact potential deployments. |
I was really asking whether it was reasonable for NMOS spec to limit this, when the actual deployed service may be a general-purpose Auth server. If this is something that is always configurable then OK :-) |
Posting this here so I don't forget as I still need to go back and read the RFCs again.
In a network with a single authorization server, the 'iss' in the token will always be the same and everything should be happy. If however you run more than one authorization server which happen to share keys, the value of 'iss' may vary. The spec needs to clearly indicate whether you should or should not check the value of 'iss' at the resource server end, and whether or not this value needs to be coordinated between distributed authorization server instances.
The text was updated successfully, but these errors were encountered: