Re: [OAUTH-WG] [token-exchange] exchanging between issuers/domains
Bill Burke <bburke@redhat.com> Fri, 28 July 2017 21:27 UTC
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: oauth <oauth@ietf.org>
References: <1b5f403e-aa93-3cfe-ab39-a471cf864e5d@redhat.com> <46fff444-9107-7a43-1854-88c92aaccd90@redhat.com> <CA+k3eCQCKtBct-iqxJCscad3rkUDUyx-MDbGa0Ysb995wX2BUA@mail.gmail.com>
From: Bill Burke <bburke@redhat.com>
Message-ID: <fa2e98ad-cb95-a142-7989-4bfd422de06b@redhat.com>
Date: Fri, 28 Jul 2017 17:27:04 -0400
In-Reply-To: <CA+k3eCQCKtBct-iqxJCscad3rkUDUyx-MDbGa0Ysb995wX2BUA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/1V2e_-qMLkGh68aUmo9I_ll7DS0>
Thanks for replying,

The Introduction of the spec implies that inter-security-domain exchange is supported:

"A Security Token Service (STS) is a service capable of validating and issuing security tokens, which enables clients to obtain appropriate access credentials for resources in heterogeneous environments or across security domains."

But with the current API, if you want to exchange an external token to an internal one, there is no way for the STS to identify where the subject_token originated. Are you saying that an STS cannot accept tokens from an external domain? i.e.

subject_token: <opaque-string>
subject_token_type: urn:ietf:params:oauth:token-type:access-token

There's just no way for the STS to know where the subject_token came from because the subject_token can be completely opaque.

Now, on the flip side, if you are converting from an internal token to an external one, the audience parameter is just too undefined. For example, how could you specify that you want a token for an external client of an external issuer? Client ids are opaque in OAuth, and issuer id isn't even something that is defined at all. In OpenID Connect, an issuer id can be any URL.

IMO, adding optional "subject_token_issuer" and "requested_issuer" parameters only clarifies and simplifies the cross-domain case. If you don't like "issuer" maybe "domain" is a better word?

Thanks for replying,

Bill

On 7/28/17 4:39 PM, Brian Campbell wrote:
> In general, an instance of an AS/STS can only issue tokens from itself. The audience/resource parameters tell the AS/STS where the requested token will be used, which will influence the audience of the token (and maybe other aspects). But the issuer of the requested token will be the AS/STS that issued it. A cross domain exchange could happen by a client presenting a subject_token from a different domain/issuer (that the AS/STS trusts) and receiving a token issued by that AS/STS suitable for the target domain.
>
> On Fri, Jul 28, 2017 at 9:06 AM, Bill Burke <bburke@redhat.com> wrote:
>> Should probably have a "subject_issuer" and "actor_issuer" as well as the "requested_issuer" too.
>>
>> FYI, I'm actually applying this spec to write a token exchange service to connect various product stacks that have different and often proprietary token formats and architectures.
>>
>> On 7/26/17 6:44 PM, Bill Burke wrote:
>>> Hi all,
>>>
>>> I'm looking at Draft 9 of the token-exchange spec. How would one build a request to:
>>>
>>> * exchange a token issued by a different domain to a client managed by the authorization server.
>>>
>>> * exchange a token issued by the authorization server (the STS) for a token of a different issuer and different client. In other words, for a token targeted to a specific client in a different authorization server or realm or domain or whatever you want to call it.
>>>
>>> * exchange a token issued by a different issuer for a token of a different issuer and client.
>>>
>>> Is the spec missing something like a "requested_issuer" identifier? Seems that audience is too opaque of a parameter for the authz server to determine how to exchange the token.
>>>
>>> Thanks,
>>>
>>> Bill
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
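The two cases argued over in this thread, worked as an added Python example (it is not code from the thread, the token-exchange draft, or any product): a self-describing JWT subject_token whose origin is its `iss` claim and can be verified against a trust registry, and an opaque subject_token that carries no origin at all, so the STS has to be told where it came from before it can check it with that issuer. Everything specific here is constructed: the issuer URLs and keys, the HS256 toy JWTs, the in-memory stand-in for introspecting a foreign issuer's opaque tokens, the `subject_token_issuer` request parameter (Bill's proposal, not a parameter the draft defines) and the `orig_iss` private claim. The token-type URN is written in the registered form, `urn:ietf:params:oauth:token-type:access_token`. Either way the issued token's `iss` is this STS, which is Brian's point.

```python
"""Minimal STS for an OAuth token-exchange request (constructed example)."""
import base64
import hashlib
import hmac
import json
import time

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"

STS_ISSUER = "https://sts.example"   # constructed: this STS's own issuer id
STS_KEY = b"sts-signing-key"         # constructed: HS256 key for tokens we issue

# Constructed trust registry: foreign JWT issuer -> key used to verify its tokens.
TRUSTED_JWT_ISSUERS = {"https://idp.partner.example": b"partner-key"}

# Constructed stand-in for introspecting a foreign issuer's opaque tokens.
OPAQUE_TOKENS_BY_ISSUER = {"https://legacy.example": {"opaque-abc123": {"sub": "bob"}}}


class ExchangeError(Exception):
    """Any reason the STS refuses the exchange (maps to an OAuth error response)."""


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT, enough for the example; a real STS would use a JOSE library."""
    header = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Return the claims only if the HS256 signature over header.payload checks out."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ExchangeError("malformed JWT") from None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64u_decode(sig)):
        raise ExchangeError("bad signature")
    return json.loads(_b64u_decode(payload))


def mint_foreign_jwt(issuer: str, key: bytes, sub: str, ttl: int = 60) -> str:
    """Constructed stand-in for a foreign IdP issuing a JWT about `sub`."""
    now = int(time.time())
    return sign_jwt({"iss": issuer, "sub": sub, "iat": now, "exp": now + ttl}, key)


def resolve_subject(req: dict) -> tuple:
    """Work out (origin issuer, subject) for the presented subject_token."""
    token, ttype = req.get("subject_token", ""), req.get("subject_token_type")
    if ttype == JWT_TYPE:
        # A JWT names its origin in `iss`; peek at it unverified only to pick
        # the key, then verify the signature before trusting any claim.
        try:
            iss = json.loads(_b64u_decode(token.split(".")[1])).get("iss")
        except (IndexError, ValueError):
            raise ExchangeError("malformed JWT") from None
        key = TRUSTED_JWT_ISSUERS.get(iss)
        if key is None:
            raise ExchangeError(f"untrusted issuer {iss!r}")
        claims = verify_jwt(token, key)
        if claims.get("exp", 0) < time.time():
            raise ExchangeError("subject_token expired")
        return iss, claims["sub"]
    if ttype == ACCESS_TOKEN_TYPE:
        # An opaque token says nothing about where it came from, so the origin
        # must arrive in the request (hypothetical subject_token_issuer) and the
        # token must then be checked with that issuer, never just accepted.
        iss = req.get("subject_token_issuer")
        if iss not in OPAQUE_TOKENS_BY_ISSUER:
            raise ExchangeError("opaque subject_token with unknown or untrusted origin")
        record = OPAQUE_TOKENS_BY_ISSUER[iss].get(token)
        if record is None:
            raise ExchangeError("subject_token not recognised by its issuer")
        return iss, record["sub"]
    raise ExchangeError(f"unsupported subject_token_type {ttype!r}")


def exchange(req: dict, ttl: int = 300) -> dict:
    """Handle one token-exchange request and return the JSON response body."""
    if req.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ExchangeError("unsupported_grant_type")
    audience = req.get("audience")
    if not audience:
        raise ExchangeError("audience is required by this STS")
    origin, sub = resolve_subject(req)
    now = int(time.time())
    # Whatever the origin, the issued token's `iss` is this STS; the origin is
    # kept in a constructed private claim so a resource can see the chain.
    claims = {"iss": STS_ISSUER, "sub": sub, "aud": audience,
              "iat": now, "exp": now + ttl, "orig_iss": origin}
    return {"access_token": sign_jwt(claims, STS_KEY), "issued_token_type": JWT_TYPE,
            "token_type": "Bearer", "expires_in": ttl}
```

The design point is the asymmetry between the two branches: for a JWT the registry of trusted issuers is keyed by what the token itself says, and a token claiming a trusted issuer but signed with the wrong key, or an expired one, is refused; for an opaque token the registry has to be keyed by something outside the token, and the STS still has to confirm the token with that issuer rather than take the client's word for its origin. Both branches end with the STS issuing its own token with the requested audience, which is what the reply in the thread describes.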