Re: [OAUTH-WG] JWT Token on-behalf of Use case

Anthony Nadalin <tonynad@microsoft.com> Wed, 01 July 2015 18:00 UTC

From: Anthony Nadalin <tonynad@microsoft.com>
To: Justin Richer <jricher@mit.edu>, "oauth@ietf.org" <oauth@ietf.org>
Date: Wed, 1 Jul 2015 18:00:19 +0000

Not quite, the actual tokens are still opaque; the requestor is just asking for a token exchange. The requestor can specify the requested token type; it's up to the server to determine the actual token it will deliver.

-----Original Message-----
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Justin Richer
Sent: Wednesday, July 1, 2015 5:18 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] JWT Token on-behalf of Use case

As it's written right now, it's a translation of some WS-* concepts into JWT format. It's not really OAuth-y (since the client has to understand the token format along with everyone else, and according to the authors the artifacts might not even be "OAuth tokens"), and that's my main issue with the document. Years ago, I proposed an OAuth-based token swap mechanism:

https://tools.ietf.org/html/draft-richer-oauth-chain-00

This works without defining semantics of the tokens themselves, just like the rest of OAuth. I've proposed to the authors of the current draft that it should incorporate both semantic (using JWT) and syntactic (using a simple token-agnostic grant) token swap mechanisms, and that the two could be easily compatible.

  -- Justin

On 7/1/2015 6:35 AM, Sergey Beryozkin wrote:
> Hmm... perhaps the clue is in the draft title, token-exchange, so maybe 
> it is a case of the given access token ("on_behalf_of" or "act_as"
> claim) being used to request a new security token. One can only guess 
> though, does not seem like the authors are keen to answer the newbie 
> questions...
>
> Cheers, Sergey
>
>
> On 30/06/15 13:38, Sergey Beryozkin wrote:
>> Hi,
>> Can you please explain what is the difference between On-Behalf-Of 
>> semantics described in the draft-ietf-oauth-token-exchange-01 and the 
>> implicit On-Behalf-Of semantics a client OAuth2 token possesses?
>>
>> For example, draft-ietf-oauth-token-exchange-01 mentions:
>>
>> "Whereas, with on-behalf-of semantics, principal A still has its own 
>> identity separate from B and it is explicitly understood that while B 
>> may have delegated its rights to A, any actions taken are being taken 
>> by A and not B. In a sense, A is an agent for B."
>>
>> This is a typical case with the authorization code flow where a 
>> client application acts on behalf of the user who authorized this application?
>>
>> Sorry if I'm missing something
>>
>> Cheers, Sergey
>> On 25/06/15 22:28, Mike Jones wrote:
>>> That's what
>>> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-01 is 
>>> about.
>>>
>>> Cheers,
>>>
>>> -- Mike
>>>
>>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Vivek 
>>> Biswas -T (vibiswas - XORIANT CORPORATION at Cisco)
>>> Sent: Thursday, June 25, 2015 2:20 PM
>>> To: OAuth@ietf.org
>>> Subject: [OAUTH-WG] JWT Token on-behalf of Use case
>>>
>>> Hi All,
>>>
>>>    I am looking to solve a use-case similar to WS-Security 
>>> On-Behalf-Of 
>>> <http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658980>
>>> with OAuth JWT Token.
>>>
>>>    Is there a standard claim which we can define within the OAuth 
>>> JWT which denotes the On-behalf-of User?
>>>
>>> For e.g., a Customer Representative trying to create token on behalf 
>>> of a customer and trying to execute services specific for that 
>>> specific customer.
>>>
>>> Regards,
>>>
>>> Vivek Biswas,
>>> CISSP
>>>
>>> Cisco Systems, Inc <http://www.cisco.com/>
>>>
>>> Bldg. J, San Jose, USA,
>>>
>>> Phone: +1 408 527 9176
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth

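The thread contrasts two ways of doing the swap: carrying the delegation inside a JWT that everyone must parse, versus a token-agnostic grant where the requestor hands in an existing token, names the type it would like back, and the server decides what it actually delivers. The toy authorization server below is an added example (not code from the thread, from draft-ietf-oauth-token-exchange-01 or from draft-richer-oauth-chain-00) that models the second style for Vivek's customer-representative case: every token stays an opaque string, and the on-behalf-of semantics (subject B, actor A with its own identity, scope that can only shrink) live in server-side records that a resource server reads back through an introspection call. The record field names `sub` and `act`, the token-type URIs and the lifetimes are this example's own assumptions.

```python
"""Toy authorization server modelling a token-agnostic on-behalf-of swap.

Tokens are opaque strings; who the subject is, who is acting and which scope
survives are recorded server-side, so no client ever parses a token.
The names `sub`/`act` and the type URIs below are assumptions of this example.
"""
import secrets
import time

# Constructed token-type identifiers (assumed for this example).
TYPE_OPAQUE = "urn:example:token-type:opaque"
TYPE_JWT = "urn:example:token-type:jwt"
# This server only knows how to mint opaque tokens; a request for any other
# type is honoured with what the server supports, and the issued type is
# reported back so the requestor is not left guessing.
SUPPORTED_TYPES = {TYPE_OPAQUE}

# Delegated tokens live at most this long (seconds); assumed policy value.
MAX_DELEGATED_LIFETIME = 600


class AuthorizationServer:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # opaque token -> server-side record

    def issue(self, subject, scope, lifetime=3600, actor=None):
        """Mint an opaque token; `actor` is None for a plain first-party token."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "sub": subject,
            "act": actor,
            "scope": frozenset(scope),
            "exp": self._now() + lifetime,
        }
        return token

    def _lookup(self, token):
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= self._now():
            return None
        return rec

    def exchange(self, subject_token, actor_token, requested_type=TYPE_OPAQUE, scope=None):
        """Swap B's token for one that A may present on B's behalf.

        Returns (issued_token, issued_type); raises PermissionError on refusal.
        """
        subj = self._lookup(subject_token)
        actor = self._lookup(actor_token)
        if subj is None or actor is None:
            raise PermissionError("invalid or expired token")
        # The actor must present a first-party token of its own: A keeps an
        # identity separate from B (on-behalf-of), rather than impersonating B.
        if actor["act"] is not None:
            raise PermissionError("actor token must be a first-party token")
        # Delegated scope may only narrow the subject token, never widen it.
        wanted = frozenset(scope) if scope else subj["scope"]
        if not wanted <= subj["scope"]:
            raise PermissionError("requested scope exceeds the subject token")
        # The server, not the requestor, decides what it will deliver.
        issued_type = requested_type if requested_type in SUPPORTED_TYPES else TYPE_OPAQUE
        remaining = subj["exp"] - self._now()
        token = self.issue(subj["sub"], wanted, actor=actor["sub"],
                           lifetime=min(MAX_DELEGATED_LIFETIME, remaining))
        return token, issued_type

    def introspect(self, token):
        """What a resource server learns about an opaque token."""
        rec = self._lookup(token)
        if rec is None:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "act": rec["act"],
                "scope": sorted(rec["scope"])}


if __name__ == "__main__":
    srv = AuthorizationServer()
    customer = srv.issue("customer-42", ["orders:read", "orders:write"])
    rep = srv.issue("rep-7", ["support"])
    delegated, kind = srv.exchange(customer, rep, requested_type=TYPE_JWT,
                                   scope=["orders:read"])
    print(kind, srv.introspect(delegated))
```

A resource server that receives `delegated` sees `sub` = the customer and `act` = the representative, so it can authorise on the customer's rights while auditing the representative's actions, which is the "A is an agent for B" semantics quoted from the draft. The requestor asked for a JWT and was told it got an opaque token, matching Anthony's point that the server determines the actual token it delivers.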