Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange

Mike Jones <> Fri, 08 December 2017 20:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8BCCD128D2E for <>; Fri, 8 Dec 2017 12:06:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id IUoJB63hUlnu for <>; Fri, 8 Dec 2017 12:05:57 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 2467E127076 for <>; Fri, 8 Dec 2017 12:05:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=vmkEpeiFEZvrwjKkWW9G21+3UlBVCakHvVUfB1bIJDs=; b=nzps4UpviJsNK4ePrBARTL8jdZIRS0Yz4K5MdBZqIJXtkkXnE33vvvxzkeaT8kKlpr84oPquXw12QG0hwewT+hhOpN85Fjy0paNu2jRSkdX/TmAA58IO0LJvZ8G5fc43RYIEtCENuXld5d0JnOWwC8QwhY2BGWqP8/un5JSHW30=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.323.0; Fri, 8 Dec 2017 20:05:55 +0000
Received: from ([]) by ([]) with mapi id 15.20.0323.001; Fri, 8 Dec 2017 20:05:55 +0000
From: Mike Jones <>
To: Brian Campbell <>, Rifaat Shekh-Yusef <>
CC: OAuth WG <>
Thread-Topic: [OAUTH-WG] [token-exchange] Parameters to support external token exchange
Thread-Index: AQHTbtmWBn8npBvFe0mAu+QoTNk9vaM5ucOAgAAOL4CAABpD6Q==
Date: Fri, 8 Dec 2017 20:05:55 +0000
Message-ID: <>
References: <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0181; 6:xe7KZiMz9aqVewNXYwlX0Zv1YlbahdilWY671zIqRveI9HkOh8NpTMK5bILIsTxOSIptBTHux6dAIpv+pjk6mxEM5gHOB5jIUM+WMhOmtGRgYJ3VBJxOual93rfKGAo0OyMioZY+e1r3iLAOVf790ABLw/hYzp1dryfHz/PCcWCw8LK+uxUBwr+A6WWZO2Ta703wLLMM9qBb0bJV5K4iqsz9PBecQotzVphakkgrlwGPCFZ3eo1C6a/cq9cieVC7OL2LMeYOcwnEsr+pcDktt/juVY9SQ6/o3tpAUU/GUWc6d71z1ClA85vNCj10VHRTovcj9kuS/bIYiEHKnOIWhfgiHqeHPV0y3naZNqgiB50=; 5:2L+yHL4oN1fFSD5K9oi6rOxYifld4QvB88Ceylz6pH+ADca2XC17SmeRSgsBjj42iz/cT/ubRq+cDKY9cYVoMJ0lchcRnzgYFEy25zC7SyE54WC3IkDMhdJuq9ZmN51AmxVcf/3j8wBPrCc15fCjxdXZKoUhzIfyv96EdX68jLo=; 24:oOPSpEKo04PX+kvIKw6hw0fDKjnSINYzoMmflINL3uG1TfkwNfEJJ0otJyxkMV9/svJQ/X4I1emqQMr4Mi/FfFZvejVAIdYUkvxPO0sY/vE=; 7:aWYv0w/Me+MQPNI5zsJGLrOnQaaBvLFXFqcREFAP0w630N0zBznMimw33BfUOv+OEYWi5JkKN1O8lV1UFm9Tvim/0eLdTqiPm3KVfaZycRIozp3I7QTi++v+RhOnOyeJBm1X9KU0dxEvfkY/KA6+8aO0Jo56MqjBx9egSyW3rJpLOpDzyCpYt58RZJO0ROcclkkjgK5X+ai4p3dQa4jA64JH06qoHknIvokfovUW5aakrCA2YFVDPp4bfNUPncAB
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 928c9bc6-cd07-4756-252f-08d53e77175d
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(4534020)(4602075)(4627115)(201703031133081)(201702281549075)(48565401081)(5600026)(4604075)(2017052603307); SRVR:CY4PR21MB0181;
x-ms-traffictypediagnostic: CY4PR21MB0181:
authentication-results: spf=none (sender IP is );
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(277287716339344)(81227570615382)(201166117486090);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(2401047)(5005006)(8121501046)(3231022)(10201501046)(3002001)(93006095)(93001095)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123558100)(20161123555025)(6072148)(201708071742011); SRVR:CY4PR21MB0181; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:CY4PR21MB0181;
x-forefront-prvs: 0515208626
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(346002)(39860400002)(376002)(24454002)(11905935001)(36304003)(199004)(189003)(99286004)(14454004)(575784001)(105586002)(10290500003)(6246003)(347745004)(10090500001)(966005)(25786009)(16297215004)(19273905006)(7696005)(68736007)(4326008)(3660700001)(316002)(39060400002)(22452003)(110136005)(106356001)(3280700002)(33656002)(97736004)(2906002)(72206003)(76176011)(8936002)(478600001)(86362001)(8676002)(6306002)(5660300001)(54896002)(74316002)(6116002)(9686003)(8990500004)(2950100002)(5890100001)(3846002)(86612001)(102836003)(53936002)(81166006)(606006)(7736002)(81156014)(6506006)(229853002)(77096006)(53546010)(6436002)(66066001)(2900100001)(55016002)(236005); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0181;; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB0504591CF62D9F73A92C9E31F5300CY4PR21MB0504namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 928c9bc6-cd07-4756-252f-08d53e77175d
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Dec 2017 20:05:55.5397 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0181
Archived-At: <>
Subject: Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Dec 2017 20:06:00 -0000

I also agree that this additional functionality is out of scope for the Token Exchange specification.

-- Mike
From: OAuth <> on behalf of Rifaat Shekh-Yusef <>
Sent: Friday, December 8, 2017 1:31:55 PM
To: Brian Campbell
Cc: OAuth WG
Subject: Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange

Hi Bill,

I agree with Brian that an AS to AS token exchange is beyond the scope of this document.
I suggest that you send a separate email to start a discussion on this topic and see if there is interest in the WG to take this topic as a new work.

 Rifaat (as co-chair and document shepherd)

On Fri, Dec 8, 2017 at 12:41 PM, Brian Campbell <<>> wrote:
I guess I'm going to kind of restate some of what I said in that earlier thread<> and a bit more. The access and refresh token URIs from the draft are intended to indicate that such tokens are issued by the given authorization server acting as the STS (perhaps this could be stated more clearly in the doc). As such, there isn't direct explicit support for OAuth access token to OAuth access token cross-domain type exchanges. That was intentional and I think is appropriate as I don't believe this draft should delve into pseudo federating access tokens and all the additional complexity and security implications that entails. The assertion based authorization grants (RFCs 7523<> & 7522<>) are intended to facilitate acquiring an access token from an external or cross-domain AS and I prefer that more explicit model for cross-domain than codifying a rather implicit way of doing it in token exchange. A Facebook access token, for example, is issued to a client for delegated access to Facebook APIs. It isn't for delegated access to some other domain's APIs but an access token for access token exchange effectively turns it into that. And in some situations that can have problematic security implications. Big providers like Facebook have a lot of apps (OAuth clients) that can get access tokens. An organization might well be okay with an app it controls exchanging a Facebook access token for an access token for its own APIs. But a 3rd party Facebook app (like maybe a new viral rate my '80's hairdo app) doing the same thing could be very problematic. It's not exactly the same thing but many of the same potential issues arise as when using OAuth for User Authentication<>n/>. Standardization around access token for access token exchange would, at a minimum, need some real security analysis and recommendations/considerations.

The token exchange draft went thought WGLC some time ago and is currently being written up by the document shepherd to send to the AD. It's close. It's been a long time coming and I'd really object to derailing it by making big additions to it at this late stage in the process.

If explicit support for directly swapping an access token from one AS for an access token issued by a different AS is something this WG is interested in working on, while admittedly I have my hesitations, I propose/suggest that it be done in a new document. Such a document could but wouldn't necessarily have to take the from of the additional extension parameters you've mentioned. It could, for example, be a 'token profile' of sorts that defines a new URI with an associated format that is some simple structure that carries both the access token and issuer together. Something like "urn:ietf:params:oauth:token-type:wrapped_foreign_access_token" and {"issuer":"","token":"bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2"} - that's just spitballing but hopefully conveys the idea. The new document would also have to cover the security considerations.

On Wed, Dec 6, 2017 at 2:31 PM, Bill Burke <<>> wrote:
The Keycloak project (oss idp), has implemented [1] the token exchange
draft (minus the actor token).  There's a couple of extensions we have
made to allow external token exchange to work.  I'd like to get some
consideration for these extensions to be added.  With proper
configurations, clients are able to exchange between different domains
and even social providers.  i.e. you can exchange a Facebook token for
a token issued by the IDP.

Here are the details:

We added a 'subject_issuer' parameter.  Many OAuth IDPs have opaque
access tokens and do not use JWTs for their access token (i.e.
Facebook and Google).  If the 'subject_token_type' is
'urn:ietf:params:oauth:token-type:access_token' and the access token
comes from an external provider, then the client must also pass a
'subject_issuer'.  The parameter value is something, anything that can
the IDP can resolve to an external provider.  How the validation of
this external token happens is implementation independent.

As I stated a few months back in an earlier email thread, I do not
think the 'audience' parameter would work for this type of external
exchange.  It is just too overloaded.  Additionally, I think it is
cleaner to specify an additional parameter rather than extracting
issuer information from the 'subject_token_type'.  You could do this,
but the spec would also have to define a URI scheme for
'subject_token_type' so that issuer information could be transmitted.

We also added a 'requested_issuer' parameter.  This allows the client
to request an external provider to obtain a token from.  Same reasons
and rules as 'subject_token_type'.

When 'requested_issuer' flow is done, user consent is often required
before the request issuer can issue a token for the user.  When this
is the case, a 400 response is returned with the following JSON

   "error" : "....",
   "error_description" : "..."
   "account-link-url" : "https://...."

The error claim will be either token_expired or not_linked.  The
'account-link-url' claim is a link that the client can forward an user
agent to to obtain consent.  The client simply appends a
'redirect_uri' query parameter to this link and forwards the browser
for consent.  This 'redirect_uri' must be a registered and valid
redirect uri for the forwarding client.  After the redirect, the
client can then make an exchange request.  For error conditions, the
redirect_uri may by forwarded to with an additional 'error' query
parameter depending on whether the IDP deams it safe to do so.




Bill Burke
Red Hat

OAuth mailing list<>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
OAuth mailing list<>