Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
Justin Richer <jricher@mit.edu> Sat, 23 April 2016 13:56 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E19512DB70 for <oauth@ietfa.amsl.com>; Sat, 23 Apr 2016 06:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 775EK7FP1ukY for <oauth@ietfa.amsl.com>; Sat, 23 Apr 2016 06:55:57 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8272612DB5F for <oauth@ietf.org>; Sat, 23 Apr 2016 06:55:55 -0700 (PDT)
X-AuditID: 1209190d-fefff700000076cb-bf-571b7ee9f7dd
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 60.55.30411.9EE7B175; Sat, 23 Apr 2016 09:55:53 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id u3NDtqfd001920; Sat, 23 Apr 2016 09:55:53 -0400
Received: from [192.168.128.57] (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u3NDtnKg024472 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 23 Apr 2016 09:55:51 -0400
To: "Fregly, Andrew" <afregly@verisign.com>, George Fletcher <gffletch@aol.com>, John Bradley <ve7jtb@ve7jtb.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <FF8F219E-AB2E-48F5-AD90-DEA783343C1B@verisign.com> <A85A7E53-1AE2-4141-B6AF-FE3E19DEBA75@ve7jtb.com> <8B748252-9AE2-4824-923B-00CD46CB8D68@verisign.com> <571692A1.5070000@aol.com> <6101D0EB-E04B-4574-8899-ED8F4E631D67@verisign.com> <57177AD0.1090300@aol.com> <C8795E07-F9D8-4CDE-A187-1EA7D9604E1F@verisign.com> <5717BE1E.8070007@aol.com> <8EE30392-36CD-4F5C-9010-D4793A80A0EF@verisign.com>
From: Justin Richer <jricher@mit.edu>
Message-ID: <571B7EDA.4090100@mit.edu>
Date: Sat, 23 Apr 2016 09:55:38 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <8EE30392-36CD-4F5C-9010-D4793A80A0EF@verisign.com>
Content-Type: multipart/alternative; boundary="------------000105000302090504090407"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrEKsWRmVeSWpSXmKPExsUixG6nrvuyTjrc4MlleYuTK5exWtzpWsFu cfLtKzaL1Xf/sjmweNzfvZLdY8mSn0wet29vZPHYtbmBLYAlissmJTUnsyy1SN8ugStj+9HT rAWX17NWbOxeztLA+G4xUxcjJ4eEgInEjG1bWEFsIYE2JolDnUJdjFxA9kZGid97zzNBOLeZ JFpXbGUFcYQFzjFK/Lg/DaxFRGAZo8T84xYQVYuYJSbdOcAOkmATUJWYvqYFbAevgJpEy/lu sAYWoPj2HfPYQGxRgRiJxgenoGoEJU7OfMICYnMKOEjMWH0brJ5ZIExi38rPbBMY+WYhKZuF JAVh20rcmbubGcKWl2jeOhvK1pVYtG0FO7L4Aka2VYyyKblVurmJmTnFqcm6xcmJeXmpRbpG ermZJXqpKaWbGEEBzynJu4Px312vQ4wCHIxKPLwfvkuFC7EmlhVX5h5ilORgUhLlnacsHS7E l5SfUpmRWJwRX1Sak1p8iFGCg1lJhPd8NVCONyWxsiq1KB8mJc3BoiTOG3PzaJiQQHpiSWp2 ampBahFMVoaDQ0mCd3ItUKNgUWp6akVaZk4JQpqJgxNkOA/Q8GkgNbzFBYm5xZnpEPlTjMYc +9bdWcvE8Wrew7VMQix5+XmpUuK8DSClAiClGaV5cNNASSvh7WHTV4ziQM8J874AqeIBJjy4 ea+AVjEBrfp3QRJkVUkiQkqqgVF0+9630hNnWJro1/feZ4ksKO8TmbVBsnO6hFDk3g6PuI9T 4ns3/85bq+0TO2/1ygh5Xivh20HryzkYG8+2/JSYfMyHUfSeS7Pvs5W3Zi1Y/9N8y679F4QO rY3gZnjOmX9I/Zb/oqAvBU73jf0WX/joX+3Uk67hrqD5z3jzxn7hx31Lb1svjFJiKc5INNRi LipOBABLJAdPNQMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/110mZhYXc6KylP4OG3QPYjKAFE8>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2016 13:56:02 -0000
OpenID Connect defines a third-party login endpoint for RP's, which is what the AS is acting as in this case: http://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin -- Justin On 4/22/2016 10:50 AM, Fregly, Andrew wrote: > Hi George, > > You have the flow right for how I have been approaching the problem. > Note that the client doesn’t have to be a mobile app, but that > represents well what we are trying to solve. Per your recommendation, > what I am missing in my knowledge is a standard for how the AS could > be directed to use an external IdP for authentication. Not knowing > this, I have been assuming the flow you described as my “original > thinking" would be required. I will do some more research on the topic > and check back in. > > Thanks, > Andy > > > From: George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> > Organization: AOL LLC > Date: Wednesday, April 20, 2016 at 1:36 PM > To: "Fregly, Andrew" <afregly@verisign.com > <mailto:afregly@verisign.com>>, John Bradley <ve7jtb@ve7jtb.com > <mailto:ve7jtb@ve7jtb.com>>, "oauth@ietf.org <mailto:oauth@ietf.org>" > <oauth@ietf.org <mailto:oauth@ietf.org>> > Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth > 2.0 Token Exchange: An STS for the REST of Us” to include > Authentication Tokens > > Hi Andy, > > Glad I guessed correctly:) If there are network or other limitations > in how the client gets and uses tokens, that would be helpful in a > diagram sense. As John points out in his response, not having an > audience has possible security implications. > > If I'm following your original thinking... it goes something like this... > > 1. Mobile app asks users to authenticate at "their" IdP > 2. Mobile app gets back "authentication token" (likely some sort of > SAML assertion) > 3. Mobile app presents "authentication token" to Authorization Service > 4. Authorization Service validate "authentication token" and returns > an access_token > 5. Mobile app invokes data provider passing the access_token > 6. Data provider validates access_token (either locally or via an > introspection endpoint on the AS) > > In this flow there are really two tokens: the "authentication token" > and the access_token. There should be an audience for both tokens. The > audience of the "authentication token" should be the AS, and the > audience of the access_token should be the data provider the client is > going to use. > > So, if there are no network firewall type limitations, it seems much > simpler to just have the AS use the external IdPs as it's > authentication mechanisms and the rest is just default OpenID Connect. > Meaning that the Mobile app starts an OpenID Connect flow with the AS, > the AS get the user authenticated via the user's IdP, the AS provides > access and id tokens bask to the Mobile app (following the code or > other flow). > > Am I missing something? > > Thanks, > George > > On 4/20/16 10:31 AM, Fregly, Andrew wrote: >> Hi George, >> >> You fully captured one of the options we have been contemplating. I >> didn’t propose this flow because I was looking for a way to solve our >> our use case based on the existing RFCs and OpenID Connect >> specifications with minimal new specification required. That led me >> to the path described in the email response I sent out a little while >> ago to Nat Sakimura’s response. Please take a look at that email and >> see what you think. >> >> Given how well stated your summary of our needs was, do you still >> want me to provide a diagram? >> >> Thanks, >> Andy >> >> From: George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> >> Organization: AOL LLC >> Date: Wednesday, April 20, 2016 at 8:49 AM >> To: Andrew Fregly <afregly@verisign.com>, John Bradley >> <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>, "oauth@ietf.org" >> <oauth@ietf.org <mailto:oauth@ietf.org>> >> Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth >> 2.0 Token Exchange: An STS for the REST of Us” to include >> Authentication Tokens >> >> I should probably just wait for the diagram... but not wanting to >> wait... :) >> >> If I understand correctly, the user is going to use a client and >> the client will authenticate the user via some IdP using an >> existing method (SAML, LDAP (?), OpenID Connect, etc). The desire >> is to take that response and in some way present it to an >> "Authorization Server" which will validate the "authentication >> response" and return an access token for use at the data provider(s). >> >> What if the Authorization Server also took on the role of the >> OpenID Connect provider. This could work by having the client >> start an OpenID Connect flow with Authorization Server (hints >> could be provided as to which IdP the user wants to authenticate >> at). The AS would look at the "idp hint" and either start and SP >> SAML flow, or present UI for collecting LDAP credentials (I don't >> recommend this) or chain to any other proprietary IdP flow. Once >> the user successfully authenticates with the correct IdP, the AS >> will finish the OpenID Connect flow allowing the client to obtain >> an access token, refresh token and id_token. The AS could add to >> the id_token a claim specifying which IdP the user used during >> the authentication processed. >> >> The IdP the user used for authentication could also be encoded in >> the access_token (or returned as part of an introspection call). >> >> This way whether the data providers are validating the >> access_tokens locally or using introspection they can obtain the >> IdP the user used and apply their own authorization rules. >> >> The user is only required to do one authorization flow for the >> client that is managed by the Authorization Server. >> >> Thanks, >> George >> >> On 4/19/16 5:06 PM, Fregly, Andrew wrote: >>> Thank you for your response George. It points me to some more >>> research to do, such as looking at OpenID Connect support for >>> both distributed and aggregated claims. >>> >>> Below are replies to your questions/assertions based on my >>> current understanding of the various protocols. Further research >>> and advice will likely enrich this significantly. >>> >>> Yes, what is required is a verifiable claim that the user is >>> still a member of SomeOrg Inc. I have been operating under the >>> assumption that the only way this can be done would be to have >>> the user authenticated by the Identity Provider for SomeOrg. >>> Perhaps the research into OpenID Connect support for distributed >>> and aggregated claims will reveal an alternative. I foresee a >>> challenge in dealing with Identity Provider’s for organizations >>> using SAML assertions on top of Active Directory and LDAP, and >>> which are not going to do any updating to support our needs. >>> >>> We do not expect the user to first go to the data provider. We >>> anticipate that the client application would provide a >>> Authentication Token to an Authorization Service service that >>> then issues to the client an access token that the data provider >>> will trust. One of our reasons for doing it this way is that we >>> are trying to eliminate redirects to ease implementation of a >>> native client. We are therefore requiring the client to handle >>> authentication with the Identity Provider as a separate step >>> from authorization. >>> >>> It might help if I clarified that Verisign’s role in the >>> scenario I described is to be just one of many data providers. >>> >>> From: George Fletcher <gffletch@aol.com <mailto:gffletch@aol.com>> >>> Organization: AOL LLC >>> Date: Tuesday, April 19, 2016 at 4:18 PM >>> To: Andrew Fregly <afregly@verisign.com>, John Bradley >>> <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>, "oauth@ietf.org" >>> <oauth@ietf.org <mailto:oauth@ietf.org>> >>> Subject: Re: [OAUTH-WG] Building on the protocol in the draft >>> “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include >>> Authentication Tokens >>> >>> So if I understand this correctly, what is really required >>> is a verifiable claim that the user is still a member of >>> SomeOrg Inc. OpenID Connect supports both distributed and >>> aggregated claims that can be signed by the appropriate >>> Identity Provider. The point being that I'm not sure an >>> "authentication token" is required for this use case to >>> succeed, it's just one kind of token that can be used. >>> >>> Also, is the expected flow that the user will first go to >>> the data provider and then be directed else where from >>> there? If that is the case, the data provider can just be an >>> OpenID Connect relying party and give the user an option of >>> the list of supported IdPs to choose from. The user will >>> then be redirected to SomeOrg Inc. IdP, authenticate and the >>> data provider will have the authorization and recent >>> authentication they can validate. >>> >>> Is the user/data flow more complicated than this? >>> >>> Thanks, >>> George >>> >>> On 4/19/16 4:05 PM, Fregly, Andrew wrote: >>>> Thanks for your response John. I also got a good response >>>> from Brian Campbell and appreciate that. I will respond >>>> separately to Brian’s response as I think it would keep >>>> things clearer to do that. >>>> >>>> The problem we have for using OpenID Connect is that it >>>> combines the role of Authentication Service with the role >>>> of Authorization Service. Perhaps the following description >>>> of what we want to do will clarify why this won’t work for us: >>>> >>>> The basic problem statement is that we need to have a >>>> client application authorized by a Service Provider based >>>> on proof that a user is currently a member of some >>>> organization. This assumes the organization has previously >>>> established some level of authorized access with the >>>> Service Provider. >>>> >>>> Here is an example: Suppose I am a member of SomeOrg Inc. >>>> Suppose SomeOrg Inc. is doing research that requires it to >>>> gather data over the Internet from a number of data >>>> providers. The data providers require authentication and >>>> proof of organizational membership in order to authorize >>>> various levels of access to their data. The data providers >>>> do not consider having an account with them or a Public >>>> Identity Provider to be suitable for proving that I am >>>> still a member of SomeOrg at time of authentication. They >>>> would have no way of knowing whether or not my relationship >>>> with SomeOrg still exists at that time. The data providers >>>> would therefore like the Client software to authenticate me >>>> against SomeOrgs Identity Provider. This would be good >>>> proof that I am still a member of SomeOrg at the time I >>>> authenticate. This authentication would enable the data >>>> providers Authorization Server to grant me access >>>> appropriate to a member of SomeOrg. Note that as a >>>> prerequisite to all of this, SomeOrg will have used an >>>> out-of-band process to set up a trust relationship for >>>> SomeOrg's Identity Provider with the data provider’s >>>> Authorization Service, and will have negotiated >>>> authorization claims to be granted to SomeOrgs members. >>>> >>>> What I am having difficulty with is in knitting together an >>>> approach based on the he OpenID Connect specifications, >>>> SAML specifications, and OAuth RFCs and drafts in a way >>>> that supports the above use case end-to-end. The OAuth RFCs >>>> and drafts almost get me there. What seems to be missing is >>>> a way of telling an Identity Provider the URL for the >>>> Authorization Service (the required Audience claim in an >>>> authentication assertion as defined in RFCs 7251, 7252 and >>>> 7253), and then a requirement that the Identity Providers >>>> put the supplied Audience Identifier into Authentication >>>> Tokens. Perhaps a little further back-and-forth with Brian >>>> will resolve this. >>>> >>>> I can go into deeper detail if needed. If this is off-topic >>>> for the OAuth working group, let me know. >>>> >>>> Thanks, >>>> Andrew Fregly >>>> Verisign Inc. >>>> >>>> >>>> From: John Bradley <ve7jtb@ve7jtb.com> >>>> Date: Tuesday, April 19, 2016 at 2:06 PM >>>> To: Andrew Fregly <afregly@verisign.com> >>>> Cc: "oauth@ietf.org" <oauth@ietf.org <mailto:oauth@ietf.org>> >>>> Subject: Re: [OAUTH-WG] Building on the protocol in the >>>> draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” >>>> to include Authentication Tokens >>>> >>>> Looking at OpenID Connect and it’s trust model for >>>> producing id_tokens that assert identity may help you. >>>> http://openid.net/wg/connect/ >>>> >>>> Unfortunately I can’t quite make out what you are >>>> trying to do. >>>> >>>> It sort of sounds like you want an id_token from a idP >>>> and then have the client exchange that assertion for >>>> another token? >>>> >>>> John B. >>>>> On Apr 19, 2016, at 1:18 PM, Fregly, Andrew >>>>> <afregly@verisign.com> wrote: >>>>> >>>>> I have a use case where a client application needs to >>>>> authenticate with a dynamically determined Identity >>>>> Provider that is separate from the Authorization >>>>> Service that will be used issue an access token to the >>>>> client. The use case also requires that as part of >>>>> authorization, the client provides to the >>>>> Authorization Service an authentication token signed >>>>> by an Identity Provider that the Authorization Service >>>>> has a trust relationship with. The trust relationship >>>>> is verifiable based on the Authorization Service >>>>> having recorded the public keys or certificates of >>>>> trusted Identity Providers in a trust store, this >>>>> allowing the Authorization Service to verify an >>>>> Identity Provider’s signature on an authentication token. >>>>> In looking at the various OAuth RFCs, particularly >>>>> RFCs 7521, 7522, and 7523, I see that they get me >>>>> close in terms of supporting the use case. What is >>>>> missing is a means for solving the following problem. >>>>> These RFCs require that the Identity Provider put an >>>>> Audience claim in the authentication token. The >>>>> problem with this is that I do not see in the RFCs how >>>>> the Identity Provider can be told who the Audience is >>>>> to put into the authentication token. This leads me to >>>>> the title of this message. The draft “OAuth 2.0 Token >>>>> Exchange: An STS for the REST of Us” defines a >>>>> mechanism for identifying the Audience for an STS to >>>>> put into a token it generates. That would solve my >>>>> problem except that the draft limits the type of STS >>>>> to being Authorization Servers. What is needed is this >>>>> same capability for interacting with an Identity >>>>> Provider. This would enable RFCs 7521, 7522 and 7523 >>>>> to be useful in situation where the Identity Provider >>>>> needs to be told the identity of the Authorization >>>>> Service. >>>>> I am new to interacting with the IETF. I also am not >>>>> an expert on the RFCs or prior history of the OAuth >>>>> group relative to this topic, so please point me to >>>>> any existing solution if this is a solved problem. >>>>> Otherwise, I would like to get feedback on my suggestion. >>>>> Thanks You, >>>>> >>>>> Andrew Fregly >>>>> Verisign Inc. >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth >>> >> > > -- > Chief Architect > Identity Services Engineering Work:george.fletcher@teamaol.com > AOL Inc. AIM: gffletch > Mobile: +1-703-462-3494 Twitter:http://twitter.com/gffletch > Office: +1-703-265-2544 Photos:http://georgefletcher.photography > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Building on the protocol in the draft … Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… Brian Campbell
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Nat Sakimura
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Nat Sakimura
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Brian Campbell
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Justin Richer
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew