IETF Logo Mail Archive

Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

"Fregly, Andrew" <afregly@verisign.com> Tue, 19 April 2016 21:07 UTC

Return-Path: <afregly@verisign.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB33D12E6EE for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 14:07:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MegzCyPl68Vb for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 14:07:53 -0700 (PDT)
Received: from mail-qg0-x264.google.com (mail-qg0-x264.google.com [IPv6:2607:f8b0:400d:c04::264]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 910F912E6A3 for <oauth@ietf.org>; Tue, 19 Apr 2016 14:07:53 -0700 (PDT)
Received: by mail-qg0-x264.google.com with SMTP id 7so2913584qgj.3 for <oauth@ietf.org>; Tue, 19 Apr 2016 14:07:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:user-agent :mime-version; bh=/jIoToO5c5umbUe0HrC4cBwlrV19aUyWTLJuTNztHqs=; b=yY+ltFjZn/kHYWa6UQilEI/X4fmFwCjR4VR751DPlpGEIgd955Rb9OX4eaPtJTZ5fN UcmA3ZezITYktU+8GEM4G/f7VKD5UYB+ZQeNTevyhAvVwgs7n6sQ+ecYLKgtpphJKPwS 5NuUn/Sjgiq1g+yuvTCBp6CFR/o+fEWC3OfqCbSqdlbY+IBmnaSn+Os0CqvSGvyP683U 9lWfehetCvgL5Hoe6ENoRc/Pkml+BFsMkm/JvKlGb+5Y2E2E82q/jINKDaPSyMw5Q1iI UK+zQckeLFT3iA7FJDLpHpHuWjHkmSmVYaRggtXquKda6nEX7rees8Gt40YdKIyb8wP2 hQ4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:user-agent:mime-version; bh=/jIoToO5c5umbUe0HrC4cBwlrV19aUyWTLJuTNztHqs=; b=LSH+ETpjdfKS1TzjTVJgePS8RUNa4gx7jmE30lKZFb/KYriIWfvyKd4Wjc/6bE3kOR waKD2Z++axRUiIZecxsmvn3BNGyn2V4TtcpePQXxKr/zIdooXs4nvkyIrb0LZS5gDttJ U5KgmyPoPP1rKgFlFeLYCgni0XvWWhl2/ZpZz3IzAWHIj34to3jhFuNuw0C76g3Ta0fT nNxXhoPY2bhS1A+VvrRXPMbfZFa1FISoNJEUUbU2VRty66f7Ct6QIDHPCBrsFOlrZTsy inDLZUc2vpy6UzoGeVIjU8eN7Whqa3PM2UKUwW3AHRiH7SzElh+bx4+CTy4UaLF5m1oI M+Dw==
X-Gm-Message-State: AOPr4FX11H5+QHVROPO4WMar7/NJgczSC5y2va+C4eFGp+g014RLNoVV69Pa9H84f/aWz6IAnfUSSyhU/VeFO+KYJ3boaXjg
X-Received: by 10.140.157.16 with SMTP id d16mr6741005qhd.89.1461100072500; Tue, 19 Apr 2016 14:07:52 -0700 (PDT)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id v131sm8982890qka.10.2016.04.19.14.07.52 (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 19 Apr 2016 14:07:52 -0700 (PDT)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01 [10.173.152.205]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id u3JL7peL010050 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 19 Apr 2016 17:07:52 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Tue, 19 Apr 2016 17:07:49 -0400
From: "Fregly, Andrew" <afregly@verisign.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
Thread-Index: AQHRmlcomE8l0QoCm0C5ZCXr0BuVz5+R2qyA///eO4CAAEkiAP//yFeA
Date: Tue, 19 Apr 2016 21:07:48 +0000
Message-ID: <621AAD5E-FD50-4A2D-8B4C-2A10431FA55C@verisign.com>
References: <FF8F219E-AB2E-48F5-AD90-DEA783343C1B@verisign.com> <A85A7E53-1AE2-4141-B6AF-FE3E19DEBA75@ve7jtb.com> <8B748252-9AE2-4824-923B-00CD46CB8D68@verisign.com> <4382930D-CADD-466A-B078-B121B8E894E5@ve7jtb.com>
In-Reply-To: <4382930D-CADD-466A-B078-B121B8E894E5@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/0.0.0.160212
x-originating-ip: [10.173.152.4]
Content-Type: multipart/alternative; boundary="_000_621AAD5EFD504A2D8B4C2A10431FA55Cverisigncom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3_0F0yLHhz6P56zgcePdGNJfN6I>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2016 21:07:56 -0000

Thanks John! I will provide a diagram tomorrow.

Andy

From: John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>>
Date: Tuesday, April 19, 2016 at 4:27 PM
To: Andrew Fregly <afregly@verisign.com<mailto:afregly@verisign.com>>
Cc: "oauth@ietf.org<mailto:oauth@ietf.org>" <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

You can use connect just as a authentication service as you would SAML.

Lots of SaaS providers have a authorization service that chains to a external authentication service via SAML or Connect by use of a browser.

I am not getting what is front channel with the user and what is back channel.

Is the user authenticating with the service that provides the role info, or are you trying to do that in the back channel via a token exchange.

I probably need a diagram.

John B.
On Apr 19, 2016, at 5:05 PM, Fregly, Andrew <afregly@verisign.com<mailto:afregly@verisign.com>> wrote:

Thanks for your response John. I also got a good response from Brian Campbell and appreciate that. I will respond separately to Brian’s response as I think it would keep things clearer to do that.

The problem we have for using OpenID Connect is that it combines the role of Authentication Service with the role of Authorization Service. Perhaps the following description of what we want to do will clarify why this won’t work for us:

The basic problem statement is that we need to have a client application authorized by a Service Provider based on proof that a user is currently a member of some organization. This assumes the organization has previously established some level of authorized access with the Service Provider.

Here is an example: Suppose I am a member of SomeOrg Inc. Suppose SomeOrg Inc. is doing research that requires it to gather data over the Internet from a number of data providers. The data providers require authentication and proof of organizational membership in order to authorize various levels of access to their data. The data providers do not consider having an account with them or a Public Identity Provider to be suitable for proving that I am still a member of SomeOrg at time of authentication. They would have no way of knowing whether or not my relationship with SomeOrg still exists at that time. The data providers would therefore like the Client software to authenticate me against SomeOrgs Identity Provider. This would be good proof that I am still a member of SomeOrg at the time I authenticate. This authentication would enable the data providers Authorization Server to grant me access appropriate to a member of SomeOrg.  Note that as a prerequisite to all of this, SomeOrg will have used an out-of-band process to set up a trust relationship for SomeOrg's Identity Provider with the data provider’s Authorization Service, and will have negotiated authorization claims to be granted to SomeOrgs members.

What I am having difficulty with is in knitting together an approach based on the he OpenID Connect specifications, SAML specifications, and OAuth RFCs and drafts in a way that supports the above use case end-to-end. The OAuth RFCs and drafts almost get me there. What seems to be missing is a way of telling an Identity Provider the URL for the Authorization Service (the required Audience claim in an authentication assertion as defined in RFCs 7251, 7252 and 7253), and then a requirement that the Identity Providers put the supplied Audience Identifier into Authentication Tokens. Perhaps a little further back-and-forth with Brian will resolve this.

I can go into deeper detail if needed. If this is off-topic for the OAuth working group, let me know.

Thanks,
Andrew Fregly
Verisign Inc.


From: John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>>
Date: Tuesday, April 19, 2016 at 2:06 PM
To: Andrew Fregly <afregly@verisign.com<mailto:afregly@verisign.com>>
Cc: "oauth@ietf.org<mailto:oauth@ietf.org>" <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

Looking at OpenID Connect and it’s trust model for producing id_tokens that assert identity may help you.
http://openid.net/wg/connect/

Unfortunately I can’t quite make out what you are trying to do.

It sort of sounds like you want an id_token from a idP and then have the client exchange that assertion for another token?

John B.
On Apr 19, 2016, at 1:18 PM, Fregly, Andrew <afregly@verisign.com<mailto:afregly@verisign.com>> wrote:

I have a use case where a client application needs to authenticate with a dynamically determined Identity Provider that is separate from the Authorization Service that will be used issue an access token to the client. The use case also requires that as part of authorization, the client provides to the Authorization Service an authentication token signed by an Identity Provider that the Authorization Service has a trust relationship with. The trust relationship is verifiable based on the Authorization Service having recorded the public keys or certificates of trusted Identity Providers in a trust store, this allowing the Authorization Service to verify an Identity Provider’s signature on an authentication token.

In looking at the various OAuth RFCs, particularly RFCs 7521, 7522, and 7523, I see that they get me close in terms of supporting the use case. What is missing is a means for solving the following problem. These RFCs require that the Identity Provider put an Audience claim in the authentication token. The problem with this is that I do not see in the RFCs how the Identity Provider can be told who the Audience is to put into the authentication token. This leads me to the title of this message. The draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” defines a mechanism for identifying the Audience for an STS to put into a token it generates. That would solve my problem except that the draft limits the type of STS to being Authorization Servers. What is needed is this same capability for interacting with an Identity Provider. This would enable RFCs 7521, 7522 and 7523 to be useful in situation where the Identity Provider needs to be told the identity of the Authorization Service.

I am new to interacting with the IETF. I also am not an expert on the RFCs or prior history of the OAuth group relative to this topic, so please point me to any existing solution if this is a solved problem. Otherwise, I would like to get feedback on my suggestion.

Thanks You,

Andrew Fregly
Verisign Inc.
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email