Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Thu, 07 February 2019 16:26 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48B3A1289FA; Thu, 7 Feb 2019 08:26:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zHqYa-Mb6sRq; Thu, 7 Feb 2019 08:26:47 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20050.outbound.protection.outlook.com [40.107.2.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 947C81271FF; Thu, 7 Feb 2019 08:26:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector1-arm-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=k+g+ZHYq3mmspbsH7xwIKl642TywmpGjbse/jagsVHM=; b=pmlqrJ4TtmwBBG1PrFGGHduFOpC2xyCsjcJRPidyCclwYdNQlARKCBn+vSndv8yjIBFKYW9FGX60zisrwsi/MFnPo9KOyNFJju5xbkS4j8OGpk142PHfu5VRm81x3tTWgFYwNyR+9YtAHp60c25MK5Nw07/0oTEpwlMglGaKvFg=
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com (10.173.75.16) by VI1PR0801MB1742.eurprd08.prod.outlook.com (10.168.67.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1580.22; Thu, 7 Feb 2019 16:26:43 +0000
Received: from VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3ce6:d8fa:3271:6019]) by VI1PR0801MB2112.eurprd08.prod.outlook.com ([fe80::3ce6:d8fa:3271:6019%8]) with mapi id 15.20.1580.019; Thu, 7 Feb 2019 16:26:43 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: George Fletcher <gffletch@aol.com>, Ludwig Seitz <ludwig.seitz@ri.se>, "ace@ietf.org" <ace@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01
Thread-Index: AQHUt9StSyg3OJ6I2kOpeSIpgZ6iyqXUgBoQgAAOKYCAAAUdcA==
Date: Thu, 7 Feb 2019 16:26:42 +0000
Message-ID: <VI1PR0801MB21122F4357775349577965E6FA680@VI1PR0801MB2112.eurprd08.prod.outlook.com>
References: <CAGL6epKeGW195z2SJdcXU-MyVBwTBDnsvGeo7mNJvn8UkAWmnw@mail.gmail.com> <DM5PR00MB0293B214D198F4D9DBD08814F5990@DM5PR00MB0293.namprd00.prod.outlook.com> <CAO_FVe6CecdCxtJ78FcZ6pFJZwu6dudomjFgVeLr_cHNFbUZXQ@mail.gmail.com> <199fa6bd-8103-b1b3-12a3-08b5e3aad925@aol.com> <CAGL6epKismmWSnNcca41HWHEGhaJG7XhOULUwAz9jd5AemvuOg@mail.gmail.com> <BL0PR00MB02920F6A16D28D1652F21B2DF59A0@BL0PR00MB0292.namprd00.prod.outlook.com> <CAGL6epKjUJQNZdyHjrsJYvXE_p8QvjqxhcxXVnax2_VJ3qMO6g@mail.gmail.com> <CA+k3eCT-dU96D+_LdCtZGMA2TJij2Jzc=BgzCDkbkBGf=jKWnA@mail.gmail.com> <55a0362e-e588-bce5-f65f-856a1e21e88e@aol.com> <BL0PR00MB029262B150B2D8F3C3792302F5960@BL0PR00MB0292.namprd00.prod.outlook.com> <CA+k3eCT+ndfChx1-tqsxyqg8kX5Sc=BDw6UJyu2VQU3MDs1ssQ@mail.gmail.com> <65a8e83e-c72f-bbf5-77fd-ea8540b7ddc3@aol.com> <848e0ab3-f95f-2885-d24e-69925ed7ab1c@ri.se> <a62553e1-0f04-4068-92fb-7be1fd086f80@aol.com> <VI1PR0801MB2112ABDD90AEB1208EC656CCFA680@VI1PR0801MB2112.eurprd08.prod.outlook.com> <d4081519-90dd-01a2-0df8-c78b9e29e088@aol.com>
In-Reply-To: <d4081519-90dd-01a2-0df8-c78b9e29e088@aol.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Hannes.Tschofenig@arm.com;
x-originating-ip: [80.92.122.55]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0801MB1742; 6:IbnMhoroBCCZ4mRDP8oymHxMdoo1ug/1tyKmBVxgoAgveRWFPtSsujfSjKX2ebltON0ixh/idtGqYdC7GGlNx7MbWXjCTmnAFHqIx+fg9NlZaJOMBi8OZksueVY3DY2Js/0rPorlZJNKmJpdZ0HGD4IsE+65sO19fOQZXdlKWnhL/AuFEQgzyAeeEidu0kdi61CB16FFfl9ohp+on3rrb9GfyDTmWvuubgIfdm6uvjj9+69tTPQUE6cxKTqGbcDZ7nwWFOguF+FLOibG/g65sjX7Ka3LAN09+6Vi0iiB01NChcKGyuNoDyyfv7h7kkE63EJZkaF7Vb65pHEEINMm6QZbUwLuW3Ttq9iiG4gcU6tnjOHLpyJ2eCe/G1Lujndh5m+c3emOhxRkdNPgqBiN+IgdVLs80yX1Ipt8FUAIV36UYtBrB9WFCemnPvMQHSo6YXX8gPqr3SvP205M0c2yHg==; 5:dFUx782wGabtoPi5uKDBwP63DofUADv6U+kK3if2rkng3Xz8AMq6Q1iCaAqD+FGw8n4wCkRy6ARZdaDjuRaXZHYomhlP/Kow/EeakCLkHrDqAZ96pFZlf6N7ssv7F75JHBzV3Dyeu+psYySEo+ZLutn3iCmHq4354hxkV4mxeHDTeLvJDpP7wwPZpQ00q0tWveRSBV9c4C/PCIXj5l0jWA==; 7:WTCMnljlVYlQPTaMVZcYcz+9ytxn7B1X2PVQjvWS3qEGt0G8ngiN9kTW0ilhMI92Y8z7EhlioyEPYIzv9MDpn/7fJOFOUzOsq+59L2PmLYsyz8UXl1/oqQzIBIGrHj2tCiIexsZDkwNH5sEa7467Fg==
x-ms-office365-filtering-correlation-id: 24d45253-1cb3-4e97-88a4-08d68d190bce
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(4618075)(2017052603328)(7153060)(7193020); SRVR:VI1PR0801MB1742;
x-ms-traffictypediagnostic: VI1PR0801MB1742:
x-ms-exchange-purlcount: 11
x-microsoft-antispam-prvs: <VI1PR0801MB174202B6847F13D243000A87FA680@VI1PR0801MB1742.eurprd08.prod.outlook.com>
x-forefront-prvs: 0941B96580
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(396003)(346002)(136003)(366004)(39860400002)(199004)(189003)(40434004)(6436002)(55016002)(7696005)(229853002)(76176011)(2201001)(478600001)(2501003)(110136005)(2906002)(966005)(14454004)(316002)(11346002)(790700001)(72206003)(476003)(86362001)(6246003)(33656002)(8936002)(6506007)(53546011)(102836004)(25786009)(81156014)(8676002)(81166006)(7736002)(71190400001)(74316002)(71200400001)(9686003)(99286004)(66066001)(6306002)(106356001)(6116002)(26005)(68736007)(186003)(3846002)(236005)(9326002)(54896002)(53936002)(486006)(446003)(105586002)(14444005)(256004)(5024004)(97736004)(93886005)(606006); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0801MB1742; H:VI1PR0801MB2112.eurprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: arm.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: AZX/pdNMKh5lN0el6vbVSyaDS6lmWzEEvhOzpgSxqy6v+fduoQuMpsMcF+pXs85Dnzo8VpmwF83555pcwna9Cy5RZVLBZ0wFOmHWs0r1oN1PnE2asBDcqmyw3W6ScztTMt/HQyggXT1ifsstc2HQlYTqSgAU0w1PUd3KrQbzo+bSmUd8gvT11iHv1JDuaRdiU1eRmZkOJUMsK0W7UYqjS3vy3660+nu3W65l3Co96o4yu36/6bvCKYmElRJqhOec1PJw5lsydxWJ2ylHG2/2qaboe1M1h9DDYXiBbNl6XgB98+WuQFIypgiPO1iq3ZlJU4ahU0Hvut7X/eqEUJq7vdDXdjV1FN/+HngNDj4SugAeX9Z3O+hcJ8H27rkS9li0w0ltmJ+hucHZZtMr+wmNkA95aB4G4+e8rkMevMbrsXA=
Content-Type: multipart/alternative; boundary="_000_VI1PR0801MB21122F4357775349577965E6FA680VI1PR0801MB2112_"
MIME-Version: 1.0
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 24d45253-1cb3-4e97-88a4-08d68d190bce
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2019 16:26:42.9545 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0801MB1742
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8UBbHMvcy33VpjZ1mrR6rKRb8lQ>
Subject: Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Feb 2019 16:26:50 -0000

Hi George,

The IANA registry does not indicate in what context these parameters are supposed to be used. To me it feels totally normal to use the audience parameter instead of the resource parameter when I have a logical name.

Stuffing everything into a URI is possible but in certain scenarios may feel quite unnatural. It must have felt unnatural already to the group when working on the token exchange spec…

Ciao
Hannes

From: George Fletcher <gffletch@aol.com>
Sent: Donnerstag, 7. Februar 2019 17:06
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>om>; Ludwig Seitz <ludwig.seitz@ri.se>se>; ace@ietf.org; oauth@ietf.org
Subject: Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

This is true... however, to my knowledge there is no support for this parameter outside of the token-exchange spec. Just because it is documented as an OAuth parameter I don't consider it usable in other contexts unless spec'd to do so. If we want to use 'audience' for logical audience names when binding audiences to tokens, then we need a spec for that (or add it to the resource-indicators spec).

Personally, I see a lot of overlap even between the 'audience' and 'resource' parameters. I'd really prefer we just have one parameter that can be either logical or specific. As outlined in this thread, 'https://api.exampl.com' to me is a logical representation of the resource if the "real" endpoint(s) are "https://api.example.com/mail/user/inbox"<https://api.example.com/mail/user/inbox>, ...

Thanks,
George
On 2/7/19 10:16 AM, Hannes Tschofenig wrote:
Hi George,


  *   I believe that since the latest draft of the resource indicators spec [1] allows for abstract identifiers, and since a URN is also a URI, you could easily use a URN syntax to accomplish the use case outlined in your email.


After re-reading the token exchange draft I realized that we have already defined a separate parameter for “abstract”, or logical, names via the audience parameter. Here is the definition:

   audience
      OPTIONAL.  The logical name of the target service where the client
      intends to use the requested security token.  This serves a
      purpose similar to the "resource" parameter, but with the client
      providing a logical name rather than a location.  Interpretation
      of the name requires that the value be something that both the
      client and the authorization server understand.  An OAuth client
      identifier, a SAML entity identifier [OASIS.saml-core-2.0-os<https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16#ref-OASIS.saml-core-2.0-os>]s>], an
      OpenID Connect Issuer Identifier [OpenID.Core<https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16#ref-OpenID.Core>]e>], or a URI are
      examples of things that might be used as "audience" parameter
      values.  Multiple "audience" parameters may be used to indicate
      that the issued token is intended to be used at the multiple
      audiences listed.  The "audience" and "resource" parameters may be
      used together to indicate multiple target services with a mix of
      logical names and locations.

Ciao
Hannes


From: Ace <ace-bounces@ietf.org><mailto:ace-bounces@ietf.org> On Behalf Of George Fletcher
Sent: Dienstag, 29. Januar 2019 14:15
To: Ludwig Seitz <ludwig.seitz@ri.se><mailto:ludwig.seitz@ri.se>; ace@ietf.org<mailto:ace@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [Ace] [OAUTH-WG] Shepherd write-up for draft-ietf-oauth-resource-indicators-01

Thank you so much for the background!

I believe that since the latest draft of the resource indicators spec [1] allows for abstract identifiers, and since a URN is also a URI, you could easily use a URN syntax to accomplish the use case outlined in your email.

resource=urn:x-mydevices:temperatureSensorGroup4711

The spec currently outlines examples where the "resource identifier" is not a "single resource" in the context of a fully qualified API endpoint.

Another example, for an API like SCIM [RFC7644<https://tools.ietf.org/html/rfc7644>] that has

   multiple endpoints such as "https://apps.example.com/scim/Users"<https://apps.example.com/scim/Users>,

   "https://apps.example.com/scim/Groups"<https://apps.example.com/scim/Groups>, and

   "https://apps.example.com/scim/Schemas"<https://apps.example.com/scim/Schemas> The client would use

   "https://apps.example.com/scim/"<https://apps.example.com/scim/> as the resource so that the issued

   access token is valid for all the endpoints of the SCIM API.
Using "https://apps.example.com/scim"<https://apps.example.com/scim> is semantically equivalent to using "temperatureSensorGroup4711", at least to me:)

Thanks,
George

[1] https://tools.ietf.org/html/draft-ietf-oauth-resource-indicators-02
On 1/29/19 2:56 AM, Ludwig Seitz wrote:
On 28/01/2019 23:12, George Fletcher wrote:


I also don't know that this raises to the level of "concern" but I find the parameter name of "req_aud" odd. Given that the parameter in the resource-indicators spec is 'resource' why not use a parameter name of 'audience'. That said, I have not read the thread on the ACE working group list so there could be very good reasons for the chosen name:)

I do think that there is a lot of overlap (in most cases) between 'resource' and 'audience' and having two parameters that cover a lot of the same semantics is going to be confusing for developers. When calling an API at a resource server, the 'audience' and the 'resource' are pretty equivalent. Maybe in other use cases they are distinctly separate?

To give you all the background of "req_aud" from ACE (sorry for the long text):

Originally in ACE we had defined the "aud" parameter for requests to the token endpoint with the semantics that the client was requesting a token for a certain audience (i.e. requesting that the AS copy the "aud" parameter value into the "aud" claim value of the token).
We were then told that this collided with a use of "aud" in OAuth, that specifies the intended audience of Authorization Servers (if I remember correctly), so we decided to rename our parameter to "req_aud" for "requested audience".
Mike Jones then made us aware of the work on resource indicators, but upon closer examination I found the "resource" parameter to be more limited than the "req_aud", since resource specifically states:

"Its value MUST be an absolute URI ... the "resource" parameter URI value is an identifier representing the identity of the resource"

My interpretation of this is that "resource" refers to a single resource, which is more constrained than the definition of the "aud" claim from 7519, which uses a StringOrURI value.  For example my intent was to use "aud" and "req_aud" for group identifiers ("temperatureSensorGroup4711") and other non-uri strings (hash-of-public-key), which I cannot do with "resource".  We therefore decided to keep the "req_aud" parameter in draft-ietf-ace-oauth-params, even though is clearly overlaps with "resource".

Any comments and suggestions about that line of reasoning (especially from the OAuth point of view) are very welcome.

/Ludwig



IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.