IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Thu, 27 March 2014 22:04 UTC

Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 851AE1A03D1 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 15:04:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.948
X-Spam-Level:
X-Spam-Status: No, score=-2.948 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNRESOLVED_TEMPLATE=1.252] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LfZSqkT0rmoO for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 15:04:31 -0700 (PDT)
Received: from va3outboundpool.messaging.microsoft.com (va3ehsobe006.messaging.microsoft.com [216.32.180.16]) by ietfa.amsl.com (Postfix) with ESMTP id 40C871A0253 for <oauth@ietf.org>; Thu, 27 Mar 2014 15:04:31 -0700 (PDT)
Received: from mail133-va3-R.bigfish.com (10.7.14.246) by VA3EHSOBE002.bigfish.com (10.7.40.22) with Microsoft SMTP Server id 14.1.225.22; Thu, 27 Mar 2014 22:04:28 +0000
Received: from mail133-va3 (localhost [127.0.0.1]) by mail133-va3-R.bigfish.com (Postfix) with ESMTP id 7887C38016A for <oauth@ietf.org>; Thu, 27 Mar 2014 22:04:28 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:192.160.210.14; KIP:(null); UIP:(null); IPV:NLI; H:ct11msg02.am.mot-solutions.com; RD:ct11msg02.mot-solutions.com; EFVD:NLI
X-SpamScore: -20
X-BigFish: VPS-20(zz98dI9371Ic89bhe0eahc857hzz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1d7338h1de098h1033IL17326ah8275bh8275dh18c673h1c8fb4h1de097h186068hz2fh109h2a8h683h839hd24hf0ah1288h12a5h12bdh137ah1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1b0ah1bceh224fh1d07h1d0ch1d2eh1d3fh1de9h1dfeh1dffh1fe8h1ff5h20f0h2216h22d0h2336h2461h2487h24ach24d7h2516h2545h255eh25f6h2605h268bh9a9j1155h)
Received-SPF: pass (mail133-va3: domain of motorolasolutions.com designates 192.160.210.14 as permitted sender) client-ip=192.160.210.14; envelope-from=Adam.Lewis@motorolasolutions.com; helo=ct11msg02.am.mot-solutions.com ; olutions.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.240.85; KIP:(null); UIP:(null); (null); H:BL2PRD0410HT005.namprd04.prod.outlook.com; R:internal; EFV:INT
Received: from mail133-va3 (localhost.localdomain [127.0.0.1]) by mail133-va3 (MessageSwitch) id 139595786583821_8724; Thu, 27 Mar 2014 22:04:25 +0000 (UTC)
Received: from VA3EHSMHS010.bigfish.com (unknown [10.7.14.242]) by mail133-va3.bigfish.com (Postfix) with ESMTP id DAC964A0057 for <oauth@ietf.org>; Thu, 27 Mar 2014 22:04:24 +0000 (UTC)
Received: from ct11msg02.am.mot-solutions.com (192.160.210.14) by VA3EHSMHS010.bigfish.com (10.7.99.20) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 27 Mar 2014 22:04:24 +0000
Received: from ct11msg02.am.mot-solutions.com (ct11vts02.am.mot.com [10.177.16.160]) by ct11msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s2RM4Nqm021074 for <oauth@ietf.org>; Thu, 27 Mar 2014 18:04:23 -0400 (EDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe002.messaging.microsoft.com [216.32.181.182]) by ct11msg02.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id s2RM4NOq021071 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Thu, 27 Mar 2014 18:04:23 -0400 (EDT)
Received: from mail71-ch1-R.bigfish.com (10.43.68.246) by CH1EHSOBE014.bigfish.com (10.43.70.64) with Microsoft SMTP Server id 14.1.225.22; Thu, 27 Mar 2014 22:04:22 +0000
Received: from mail71-ch1 (localhost [127.0.0.1]) by mail71-ch1-R.bigfish.com (Postfix) with ESMTP id 074CF4603F1 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 27 Mar 2014 22:04:23 +0000 (UTC)
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(428001)(189002)(199002)(377454003)(24454002)(83072002)(85852003)(56776001)(87266001)(74366001)(74706001)(74316001)(65816001)(63696002)(2656002)(66066001)(93516002)(80022001)(19300405004)(74662001)(76482001)(31966008)(20776003)(54316002)(56816005)(15202345003)(19609705001)(98676001)(87936001)(90146001)(16236675002)(85306002)(86362001)(92566001)(94946001)(15975445006)(54356001)(94316002)(46102001)(69226001)(50986001)(47976001)(81686001)(95666003)(81342001)(80976001)(47736001)(4396001)(49866001)(19580395003)(19580405001)(83322001)(81816001)(77982001)(97186001)(79102001)(76786001)(51856001)(53806001)(33646001)(74876001)(95416001)(93136001)(74502001)(97336001)(81542001)(76576001)(76796001)(47446002)(59766001)(18717965001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM2PR04MB734; H:DM2PR04MB735.namprd04.prod.outlook.com; FPR:AEFCD149.A736D8C0.F1D171BB.2E4BB21.2064C; MLV:sfv; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail71-ch1 (localhost.localdomain [127.0.0.1]) by mail71-ch1 (MessageSwitch) id 1395957859666261_31822; Thu, 27 Mar 2014 22:04:19 +0000 (UTC)
Received: from CH1EHSMHS015.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.243]) by mail71-ch1.bigfish.com (Postfix) with ESMTP id 9DECA2A004F; Thu, 27 Mar 2014 22:04:19 +0000 (UTC)
Received: from BL2PRD0410HT005.namprd04.prod.outlook.com (157.56.240.85) by CH1EHSMHS015.bigfish.com (10.43.70.15) with Microsoft SMTP Server (TLS) id 14.16.227.3; Thu, 27 Mar 2014 22:04:19 +0000
Received: from DM2PR04MB734.namprd04.prod.outlook.com (10.141.177.16) by BL2PRD0410HT005.namprd04.prod.outlook.com (10.255.99.40) with Microsoft SMTP Server (TLS) id 14.16.423.0; Thu, 27 Mar 2014 22:04:19 +0000
Received: from DM2PR04MB735.namprd04.prod.outlook.com (10.141.177.17) by DM2PR04MB734.namprd04.prod.outlook.com (10.141.177.16) with Microsoft SMTP Server (TLS) id 15.0.898.11; Thu, 27 Mar 2014 22:04:17 +0000
Received: from DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) by DM2PR04MB735.namprd04.prod.outlook.com ([10.141.177.17]) with mapi id 15.00.0898.005; Thu, 27 Mar 2014 22:04:17 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: Tim Bray <tbray@textuality.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
Thread-Index: Ac9JvWeAW+r7N2YsS96k1esZSJ97mAACGN8AAAeYdsAAAMyVAAAA2Z3gAAabrYAAAD7igAAALtaw
Date: Thu, 27 Mar 2014 22:04:17 +0000
Message-ID: <4087640a4a3042c485a3e8cca52720f0@DM2PR04MB735.namprd04.prod.outlook.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com> <4fa46e94eca54ce0940162f8ef4101dd@DM2PR04MB735.namprd04.prod.outlook.com> <C300A03E-CDCB-48BF-B2A2-E519E017669E@ve7jtb.com> <2a2d0cadd4d445a9b148c8a2a6e06dc3@DM2PR04MB735.namprd04.prod.outlook.com> <C082266B-009B-481D-9224-7B1A05F2397F@ve7jtb.com> <CAHBU6itVGTZoCqJ2F4ezwcTcxzAwMdBBTOzJ5LgcjDYrLpU0nw@mail.gmail.com>
In-Reply-To: <CAHBU6itVGTZoCqJ2F4ezwcTcxzAwMdBBTOzJ5LgcjDYrLpU0nw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [50.179.150.36]
x-forefront-prvs: 01630974C0
Content-Type: multipart/alternative; boundary="_000_4087640a4a3042c485a3e8cca52720f0DM2PR04MB735namprd04pro_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%VE7JTB.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%TEXTUALITY.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/2x9_udD05Df_T0FZzUyQ8XEAzJc
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 22:04:35 -0000

So the Google AS is doing for the RS what an IdP typically does for a third-party SP.  Interesting.  This is a pattern that I have thought useful in the past.

I recall at CIS last year Vittorio mentioning that the Azure OAuth AS was also putting that option out there as well, to see what RS’s might pick up on it.

Glad to know that is actually seeing some traction.

It’s not quite as flexible as using the id_token in the assertion flow to a 3rd-party AS since Google or Azure (or other) can’t know about scopes of third party RS, but it also enables smaller RS providers to pickup OAuth without having to deploy their own AS.

Now it would be interesting if Google or Azure or somebody else stood up an AS that enabled third-party AS’s to configure their own scopes on it.  Authorization Server as a Service (ASaaS), anybody?  :-)


Will be interesting to see how this all plays out …

adam

From: Tim Bray [mailto:tbray@textuality.com]
Sent: Thursday, March 27, 2014 4:48 PM
To: John Bradley
Cc: Lewis Adam-CAL022; oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

I can’t give names or numbers but yeah, it’s happening. Especially for Android apps, it’s easy & straightforward to get an ID token, and cheap to validate on the server side.  Obviously, it only works for Google accounts.

On Thu, Mar 27, 2014 at 2:40 PM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
I don't know what clients are using the play API to get 3rd party tokens.

Perhaps Tim Bray can comment on scale of use if not specific clients.

John B.

On Mar 27, 2014, at 3:36 PM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com<mailto:Adam.Lewis@motorolasolutions.com>> wrote:


I get the idea, but I’m trying to get a feel for whether or not this model is being built upon and to what extent.

So if I rephrase … are there known 3rd party AS’s out there in the wild that are consuming the Google id_token?

Or any examples of a 3rd-party RS that is directly consuming it?

Looking for actual examples in the wild to point to.

adam

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, March 27, 2014 1:07 PM
To: Lewis Adam-CAL022
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

Handing out a id_token with a 3rd party AS or RS as the audience is the standard way that Android apps that rely on Google as the source of identity work on Android using the Google Play Services.

This describes the API http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

On Mar 27, 2014, at 2:46 PM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com<mailto:Adam.Lewis@motorolasolutions.com>> wrote:

Hi John,

With respect to Google Play handing out id_tokens, are any there any known instances of that being used?  Either to kick of an assertion flow with another (non-Google) AS, or to present directly to a non-Google RS?

adam

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, March 27, 2014 9:07 AM
To: Lewis Adam-CAL022
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

Hi Adam,

3 is the most common today.  In the Salesforce case it has the additional benefit that when Domain 1 is federating to SalesForce via OpenID Connect it can provide access tokens for it's API to sales force scoped for that user for use in the SalesForce custom logic.

1 and 2 are similar and likely it is more of a deployment choice between them.
We do see examples of this currently with the Android play store providing third-party id_tokens/JWT assertions to OAuth clients.

The reason for doing 1 or 2 vs 3 probably comes down to connivence and security if  there is an agent for the user's  IdP on the device that can act as a confidential client to the IdP for security and provide a more consistent UI for the user.   That is what we are working on in the NAPPS WG at OIDF.

We have examples of 1/2 now, the problem is that they are not as universally applicable as 3 but hopefully with standardization for developers we will se more in the next year or so.

John B.

On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com<mailto:Adam.Lewis@motorolasolutions.com>> wrote:


I am curious it ping the thoughts of others on the list of how OAuth is going to continue to mature, especially with respect to enterprise federation scenarios.  This is something that I spend a whole lot of time thinking about.  Specifically, consider the following use case:

An end user in domain 1 downloads a native application to access an API exposed by domain 2, to access a protected resource in domain 2, under the administrative control of the domain 2 enterprise.


There are in my mind three basic means by which OAuth can federate, which I know I have discussed with some of you in the past:


1.       First option … End user in domain 1 requests a JWT-structured access_token from the OAuth provider in domain 1, and sends it in the HTTP header directly to the RS in domain 2.   The JWT access_token looks a whole lot like a OIDC id_token (maybe it even is one?).  The RS in domain 2 is able to make attributed-based access control decisions based on the contents of the JWT.  This is architecturally the simplest approach, but enterprises aren’t exactly setting up OAuth providers these days for the intent of accessing protected resources in foreign domains.  Anybody think this might be the case 5 years from now?


2.       Second option … similar to the first, but the JWT-structured access_token from domain 1 is sent to the OAuth provider in domain 2, ala the JWT assertion profile.  Domain 1 access token is exchanged for a domain 2 access token, and the native client uses the domain 2 access token to send to the protected resource in domain 2.  I like this slightly more than the first option, because the resources servers in domain 2 only need to understand the token format of their own AS.  But it still suffers from the same basic challenge of option 1, that enterprises don’t’ setup OAuth providers today for the purpose of federating, the way that setup SAML providers for WebSSO.


3.       Third option.  Native client contacts the OAuth provider in domain 2 directly.  The authorization endpoint is federation enabled (NASCAR or other) and the user in domain 1 selects their home IdP (SAML or OIDC) and does WebSSO to federated into the domain 2 OAuth provider.  I believe this is the model that Salesforce supports today, and it the most tactical, since enterprise that want to federate today run out and buy a SAML provider.

So option 3 is the most obvious approach today.  Does anybody foresee enterprises setting up an STS in the future to federate to foreign RS’s (the way they setup SAML providers today)?  Anybody think we will see options 1 or 2 in the future?


adam
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email