Re: [OAUTH-WG] [EXT] Re: MITRE Updated Token Chaining Profile for Multi ICAM Ecosystems
Warren Parad <wparad@rhosys.ch> Tue, 26 July 2022 18:06 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7C93BC1C9531 for <oauth@ietfa.amsl.com>; Tue, 26 Jul 2022 11:06:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zZu7RnUme3Vc for <oauth@ietfa.amsl.com>; Tue, 26 Jul 2022 11:06:23 -0700 (PDT)
Received: from mail-yw1-x1130.google.com (mail-yw1-x1130.google.com [IPv6:2607:f8b0:4864:20::1130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1230AC16ECD4 for <oauth@ietf.org>; Tue, 26 Jul 2022 11:06:22 -0700 (PDT)
Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-31f1d1c82c8so58321067b3.8 for <oauth@ietf.org>; Tue, 26 Jul 2022 11:06:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LSJmt46BsEWzhbDO//lY2FDvMhj+s1/Y4IU8/M9MCv8=; b=IMHfGmY2VT1eJwUGxkqU5o9PhfoHglp4RypKFHy3uHPBr8prp2JG0QPusfQY+BMFIf ZBCmQibL0zupTVdoHVtGYI2kHa35ehruWQ3ZXtvqHx1gdZcYgxRGClDx4jwzSeEoSrTV 7MW8K23TE2haZD76pTPM6g4HBUol4Q4Bo50oO8h+E5fMdJPksxK1ua/+/vQ/Ald4b2Jm v+qsm7/Tejw4uz+4ShydtserH/RYf4Sx2QOvPvLmDVTa4G8pjrYcgFO8QMkxX3xUATVl 2JO49ND8aGwM5WtdeGnN/tBJ1amJa2UL5zRtBkU10fVF2Jr/kWl6lcoSRFE5w4l/1C9H OHSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LSJmt46BsEWzhbDO//lY2FDvMhj+s1/Y4IU8/M9MCv8=; b=duACkRhqrZwc9l9ABcBRITJweMp3ihyQhCEHbcsQp6GwvDsYxd21253ZOwXJ1hiYVn aWc6C8H5nXw1RC9/Yw6kaJ+v0gGgKRUV5jeqxHJRavWRg1Qhl2B4ZOyPTpYA7Ir5hMfS bE0wkkIDejM6+8bYtuay4ufLCLNYyCYxww7+R9dpG2m3DCucQOldEFEzjbwKEVWsj1mK QMALFD1kgYOMkx2n5bM0YeJ5idik2r1GoE3b9tMGZjK3vvs4ayP+F6hlZg2mk+uysQ3u /M9pqpRTVw8/Glat6kdWXfjt92/Jr3nhAm9+vNCMzEElG/avHxgzYwRNKvbiBUppXjcv 7EDw==
X-Gm-Message-State: AJIora/YlaFPyq0zWS31kbY3faEe9a7xA/oFfGToriPtLe4jcVXJOCBH 3bFpX/EyVm9zLqOIdbXfPu45Eb14swIu+rih3uYf55mhS9Hb
X-Google-Smtp-Source: AGRyM1va/fQoVfxSP3byJ+uOhuJO0UHjDIs1CqeSs17tnJ/m6ZaDks4kxrKXzIU2H7ksa1Nz1EvijTk3L2rH0xzdzBc=
X-Received: by 2002:a81:5d41:0:b0:31d:d394:d6e2 with SMTP id r62-20020a815d41000000b0031dd394d6e2mr15635649ywb.466.1658858781249; Tue, 26 Jul 2022 11:06:21 -0700 (PDT)
MIME-Version: 1.0
References: <214A4822-C5A4-49B1-A5F5-636E566488BD@mitre.org> <7988_1656863644_62C1BB9B_7988_535_1_CAJot-L22Of4s0vX3zxch3MgHOELB3RmKM2u5ACtuvhCU+RWZRw@mail.gmail.com> <SA1PR09MB8142F8E93229E65E6A273D2CA7949@SA1PR09MB8142.namprd09.prod.outlook.com>
In-Reply-To: <SA1PR09MB8142F8E93229E65E6A273D2CA7949@SA1PR09MB8142.namprd09.prod.outlook.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Tue, 26 Jul 2022 20:06:10 +0200
Message-ID: <CAJot-L3q0zYuzyFM2JfnPb6GSw14jQ86TvA+LRW5PdFiwfD+fw@mail.gmail.com>
To: "Dr. Kelley W Burgin" <kburgin@mitre.org>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Beth S Abramowitz <beth@mitre.org>
Content-Type: multipart/alternative; boundary="00000000000063a62905e4b9281d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9305xDeiuO8jhb4SkM_-VIUsAd8>
Subject: Re: [OAUTH-WG] [EXT] Re: MITRE Updated Token Chaining Profile for Multi ICAM Ecosystems
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2022 18:06:27 -0000
I think it wouldn't be complicated, and the complicated part is the choreography that you have between the individual AS that isn't OAuth standard anyway. But we are in a world now where we have lots of implementations of distributed consensus solutions. Potentially taking inspiration from one of those could solve that part of the problem. On Tue, Jul 26, 2022 at 6:16 PM Dr. Kelley W Burgin <kburgin@mitre.org> wrote: > Warren, > > > > My initial thought was that this would be too complicated, but now I’m > thinking that we could get what we want from profiling OAuth 2.0 Token > Exchange for our use cases while adding in new requirements from OAuth 2.1. > > > > For those of you who have seen my “Token and Identity Chaining Between > PRs” documents and/or presentation, do you think this is a viable option? > > > > Regards, > > Kelley > > > > *From: *Warren Parad <wparad@rhosys.ch> > *Date: *Sunday, July 3, 2022 at 11:54 AM > *To: *Dr. Kelley W Burgin <kburgin@mitre.org> > *Cc: *oauth@ietf.org <oauth@ietf.org>, Beth S Abramowitz <beth@mitre.org> > *Subject: *[EXT] Re: [OAUTH-WG] MITRE Updated Token Chaining Profile for > Multi ICAM Ecosystems > > It might be interesting to point out that there is actually an OAuth token > exchange paradigm that already exists. It could be valuable, if for some > reason it doesn't support what you are trying to do, to either piecemeal > add RFCs for additional claims or update the RFC to include additional use > cases. I'll leave this here: > > > > https://datatracker.ietf.org/doc/html/rfc8693 > > > > > > On Fri, Jul 1, 2022 at 9:37 PM Dr. Kelley W Burgin <kburgin@mitre.org> > wrote: > > Hi all, > > > > MITRE has an updated version of the “Token and Identity Chaining Between > OAuth Protected Resources in a Multiple ICAM Ecosystem Using OAuth Token > Exchange”. It is attached since we will not have time to go through the > process of publishing it to our website in time for the meetings at the end > of this month. > > > > We are seeking feedback from subject matter experts throughout the > community. > > > > Summary: This profile describes how to handle the situation where, in a > multiple ICAM ecosystem, a protected resource (PR1) may need to call a > second protected resource (PR2) in a different organization in order to > satisfy a query received from a client. PR1 cannot simply relay Token1 to > PR2 since PR2 trusts a different authorization server and the Enterprise > Mission Tailored OAuth 2.0 Profile ( > https://www.mitre.org/publications/technical-papers/enterprise-mission-tailored-oauth-20-and-openid-connect-profiles) > requires that the tokens be sender and/or audience constrained, so PR1 must > request a new access token, Token2, from an authorization server AS2 that > is trusted by PR2. This process of exchanging Token1 (which grants access > to PR1) to obtain a new access token, Token2 (which grants access to PR2) > is called token chaining. This profile additionally enables identity > chaining by ensuring that the identities of the user, client, and protected > resources are propagated in the exchanged tokens, so that each protected > resource can, as necessary, use the set of identities to make appropriate > access decisions. > > > > Note: To address issues in one of the two scenarios presented in the > document, we define a new OAuth claim “chained_id” (see Section 3.2.1.2) > that allows AS1 to communicate necessary information to AS2 so that AS2 can > populate the appropriate fields in Token2. > > > > Regards, > > Kelley > > _________________________ > > Kelley Burgin, Ph.D. > > Cybersecurity Engineer > > The MITRE Corporation > > (865) 255 - 6699 > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > >
- [OAUTH-WG] MITRE Updated Token Chaining Profile f… Dr. Kelley W Burgin
- Re: [OAUTH-WG] MITRE Updated Token Chaining Profi… Warren Parad
- Re: [OAUTH-WG] [EXT] Re: MITRE Updated Token Chai… Dr. Kelley W Burgin
- Re: [OAUTH-WG] [EXT] Re: MITRE Updated Token Chai… Warren Parad