[OAUTH-WG] oauth-adjacent: draft-thornburgh-fwk-dc-token-iss-00
Michael Thornburgh <mthornbu@adobe.com> Sun, 24 May 2020 00:12 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LDzRsK9G2WgHyoEdUd-UZ1zzBFo>
hi WG. i'd like to bring to your attention my OAuth-adjacent draft, draft-thornburgh-fwk-dc-token-iss, for examination, comment, and maybe even consideration:

- title: A Framework For Decentralized Bearer Token Issuance in HTTP
- datatracker: https://datatracker.ietf.org/doc/draft-thornburgh-fwk-dc-token-iss/
- fancy-html: https://www.ietf.org/id/draft-thornburgh-fwk-dc-token-iss-00.html

TL;DR:
------

* bearer tokens are (still) appropriate, and even beneficial, for many use cases.
* OAuth has gaps (see for example TxAuth, draft-ietf-oauth-distributed), especially for the motivating case of decentralized identity systems and decentralized, independent RSes.
* this draft proposes a general form to support the motivating use case, but is applicable in other cases as well (including some of DPoP's).

the introduction section of the draft elaborates on the motivation and envisioned use cases.

longer intro:
-------------

my proposal was initially motivated by semantic and security problems i saw [1] in the Solid Project's [2] existing authentication system. that system is based on WebID, OIDC, and proof-of-possession. it addresses the decentralized identity problem (WebID + OIDC) and the decentralized, multiple, independent RS problem, where neither the client nor the user's OpenID Provider has prior knowledge of what RSes will be visited, and where the RS's authorization infrastructure is not (necessarily) the user's OpenID Provider. the system is especially intended to enable authenticated access without requiring the user to log in separately to each RS. other than its problems [1] it's pretty cool.

my solution to the problems with Solid's existing system is (essentially) for the client to be able to discover where and how to get a bearer token from a competent AS for a new RS it's visiting. initial versions (pre-I-D) [5][3] were very WebID-specific, but while developing it a more general solution emerged.

reading through past messages in this WG, i think my approach may be of interest to some here. there is a superficial similarity to Jpop (in that there is a nonce in the WWW-Authenticate), but it is otherwise substantially different.

of particular note, at least one (but definitely not all) use cases for DPoP can also be addressed by this proposal. in particular, a client can prove current possession of a POP key to obtain a reusable bearer token constrained to one origin+realm, for an independent and arbitrarily short lifetime.

i have an example/POC implementation of the "token_pop_endpoint" mechanism specifically for WebID and the Solid use case, in the form of an nginx ngx_auth_request_module, at [4].

full disclosure: at present the Solid Authentication Panel is leaning toward an approach that uses substantially the same semantics as their current system, but adapted to the syntax of DPoP. i am not in favor of this approach, but i am in the minority.

this is long. thanks if you read this far.

-michael thornburgh

[1]: https://github.com/solid/authentication-panel/issues/1
[2]: https://solidproject.org/
[3]: https://github.com/zenomt/webid-auth-protocol
[4]: https://github.com/zenomt/webid-auth-nginx
[5]: https://github.com/solid/webid-oidc-spec/issues/25