Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-token-exchange-14.txt> (OAuth 2.0 Token Exchange) to Proposed Standard
Brian Campbell <bcampbell@pingidentity.com> Mon, 27 August 2018 21:55 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF224124BE5 for <oauth@ietfa.amsl.com>; Mon, 27 Aug 2018 14:55:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WoRMqY6XdzhQ for <oauth@ietfa.amsl.com>; Mon, 27 Aug 2018 14:55:38 -0700 (PDT)
Received: from mail-it0-x241.google.com (mail-it0-x241.google.com [IPv6:2607:f8b0:4001:c0b::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1640130DDA for <oauth@ietf.org>; Mon, 27 Aug 2018 14:55:37 -0700 (PDT)
Received: by mail-it0-x241.google.com with SMTP id t69-v6so648098itb.4 for <oauth@ietf.org>; Mon, 27 Aug 2018 14:55:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cgzrXki5O6CLl+7FN0m7KIWh4RY/ZIcW4NMGZbYQBCA=; b=PoIagnbauJxn9HaKENUbv8HZfwa32qyR3dfchFQXGVCtL7fcMnp6RKZ6SDFGsC36MZ qSMqLB0YAGwuJCuxDdOquplwhS1UH/QAHUwlAgctemvDlKZD2eq8Q7Uq7mctDy5n2rqG NmSYS/W/UPfwymVksH6CyG3njGdzUr/vYBxQw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cgzrXki5O6CLl+7FN0m7KIWh4RY/ZIcW4NMGZbYQBCA=; b=CQIqxt+evIOgwpo1TmS6XMKC0gLSulDTYgRbCQkavwZnDoyOGNUj4nAHEc1+WydR95 11tm9ihYqkOjd2Npt4v4Tt/wN1SoW/XXHXe0Skg36Q8tYo1YowVlteQRy95FLc/J8iO0 uzGDvVfkn/j/nRelGZlNwp787LLPRA3bC8L1B53mLjLZ2RlIUPErYqnGe9OG4tRbUAiV wGOxpd1BKB7ut6Z4YcoLgPbx7NR4jd1xFGjcpuCRNQcueCpuAU9pBRx59/U9U257UEcF 8zGBu4l7XhPzPzCSlWn+xQilJWAYQVPl8JkyDiSwEE1DU3oqYtK/3+rqfXxutDEfxjt8 Uw2Q==
X-Gm-Message-State: APzg51BlEbeColEv1fBw5WObU4gbuooGIxYTJ0564aAxXnnf+nWipsml I6IxYNqP8wLh0i5Q1EPrKk5W9+ff4pr97V6gtVcKnI0QBLjnge33sBWcL0DLfs9uQUnDfyUh1Na 0gfICGpZguyCsiKbwGdI=
X-Google-Smtp-Source: ANB0Vdafm+OVHd5E6aZSS73CJw5QNlphXtPJSC3Y/VVoYu3Vo3C4CyY0TCmhjc2Pals+6n0cutiRT3ChR7b+8vxghF4=
X-Received: by 2002:a24:4703:: with SMTP id t3-v6mr8448556itb.54.1535406936982; Mon, 27 Aug 2018 14:55:36 -0700 (PDT)
MIME-Version: 1.0
References: <153235205852.20315.16316852302695725778.idtracker@ietfa.amsl.com> <CA+iA6ugcGiiN9maS+cp0oTxeh1v+udBg2UYa1qv_f76usNgh+w@mail.gmail.com>
In-Reply-To: <CA+iA6ugcGiiN9maS+cp0oTxeh1v+udBg2UYa1qv_f76usNgh+w@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 27 Aug 2018 15:55:08 -0600
Message-ID: <CA+k3eCR=cC_vFnpx63E7cbzoQKigZHv+T+COLFNOUiEuS94oyw@mail.gmail.com>
To: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Cc: draft-ietf-oauth-token-exchange@ietf.org, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000010b246057471c9c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/97_RRWsgiMXZ_WyIyG5NnTFqqug>
Subject: Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-token-exchange-14.txt> (OAuth 2.0 Token Exchange) to Proposed Standard
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 21:55:42 -0000
Hi Hans, Yes, I suppose it's somewhat implicit (although the Terminology <https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-14#section-1.3> section does say that the term "client" is used as defined by RFC 6749) but the intent is that the client in a token exchange is an OAuth client and it authenticates to the token endpoint via whatever token endpoint authentication method it has configured/registered with the respective AS. And that includes being a be a public/unauthenticated client that would just send the client id. Also it could be an unidentified/anonymous client where no client id is sent at all. But whether or not to allow unauthenticated or unidentified clients to make token exchange requests is up to the AS, which might be configuration or deployment policy or might even be coded into the AS. I think the text from §2.1 copied below says that reasonably clearly. Client authentication to the authorization server is done using the normal mechanisms provided by OAuth 2.0. Section 2.3.1 <https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-14#section-2.3.1> of The OAuth 2.0 Authorization Framework [RFC6749 <https://tools.ietf.org/html/rfc6749>] defines password-based authentication of the client, however, client authentication is extensible and other mechanisms are possible. For example, [RFC7523 <https://tools.ietf.org/html/rfc7523>] defines client authentication using JSON Web Tokens (JWTs) [JWT <https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-14#ref-JWT>]. The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server. On Sun, Aug 26, 2018 at 9:00 AM Hans Zandbelt <hans.zandbelt@zmartzone.eu> wrote: > Hi all (and Brian :-)), > > Whilst implementing the client side of OAuth 2.0 Token Exchange into an > Apache module I ran into some questions wrt. authentication to the token > exchange endpoint as specified in section 2.1: > https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-14#section-2.1 > > 1. the spec talks about "client" but it does not explicitly state that a > token exchange client is in fact an OAuth 2.0 Client; IMHO this is done > only implicitly since section 2.1 does refer to OAuth 2.0 client > authentication methods (alternatively, if the spec editors believe that a > token exchange client is different from a "classic" OAuth 2..0 Client, that > should be made explicit) > 2. the spec leaves it open as to whether the client is actually forced to > authenticate (it is up to the authorization server's discretion); yet it is > not clear - in that case - whether or not a client_id should be added to > the token request (as in OAuth 2.0 token requests); alternatively one may > argue that token exchange for public clients makes no sense - I think I > favor that - because it makes it impossible to distinguish between the > presenter of the original token and the token exchange client > > Any comments to that? > > Hans. > > On Mon, Jul 23, 2018 at 3:22 PM The IESG <iesg-secretary@ietf.org> wrote: > >> >> The IESG has received a request from the Web Authorization Protocol WG >> (oauth) to consider the following document: - 'OAuth 2.0 Token Exchange' >> <draft-ietf-oauth-token-exchange-14.txt> as Proposed Standard >> >> The IESG plans to make a decision in the next few weeks, and solicits >> final >> comments on this action. Please send substantive comments to the >> ietf@ietf.org mailing lists by 2018-08-06. Exceptionally, comments may be >> sent to iesg@ietf.org instead. In either case, please retain the >> beginning of >> the Subject line to allow automated sorting. >> >> Abstract >> >> >> This specification defines a protocol for an HTTP- and JSON- based >> Security Token Service (STS) by defining how to request and obtain >> security tokens from OAuth 2.0 authorization servers, including >> security tokens employing impersonation and delegation. >> >> >> >> >> The file can be obtained via >> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/ >> >> IESG discussion can be tracked via >> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/ballot/ >> >> >> No IPR declarations have been submitted directly on this I-D. >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > > -- > hans.zandbelt@zmartzone.eu > ZmartZone IAM - www.zmartzone.eu > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [OAUTH-WG] Last Call: <draft-ietf-oauth-token-exc… The IESG
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-token… Hans Zandbelt
- Re: [OAUTH-WG] Last Call: <draft-ietf-oauth-token… Brian Campbell