[OAUTH-WG] Rotating client secret
Amarendra Godbole <ag@broadcom.com> Mon, 13 July 2020 20:28 UTC
Return-Path: <ag@broadcom.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC2B63A08B1 for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 13:28:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=broadcom.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id idiQw9HLBwhU for <oauth@ietfa.amsl.com>; Mon, 13 Jul 2020 13:28:40 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCBD13A086F for <oauth@ietf.org>; Mon, 13 Jul 2020 13:28:39 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id e18so6545592pgn.7 for <oauth@ietf.org>; Mon, 13 Jul 2020 13:28:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; h=from:mime-version:subject:message-id:date:to; bh=0kPInzd5Wk/tqiJO0KA06pi+OSzJdFT7QMxf7u2viAA=; b=PqzVVWcEi4P5pZHB3m43rZxtDTt0XJ1h+EJWlW9/lyFCxAWfbQvBc44NF7K/mJ8Eba nqYZcWAtP9oVyQ48Kt8kYTTx1c1pxTwAN7cPDce/YnSIDjrizKhpw1IfVc+W2hayX85g mJNBWpbbZPLbCXuUsXmUjMiWRMAc726c+T31w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=0kPInzd5Wk/tqiJO0KA06pi+OSzJdFT7QMxf7u2viAA=; b=klRkDIko6CksF6E9QrLWKMcMmP+ghmAL2xAGVDMsyzGBVXQbdwAMly7Q86WKMe9RLl Uda11L4Gn1LTmk+VDUgKkrVovk/SX6ZswMECgedUqmGsOjFnkKXF6tROUMygH3RTnyKl mKvsRLYCLWGJMBRjLawFnpKHFnuWlno17KDjv+/CGsNWfJeB6ZFUsRWX8I0PlmhRz7/B gZuZ/SFF+AoNjXdC+RBkhowrGviUqt5pghg5RIxWB5HK/MYGouKcl+E1IkwC3bgUwjLK 9t9uWCsTaIoeIaTl16EAcfWLa+BbPuzQ78/NClNxbmKF1yj9x7U19220dudbCvJ1PTHc Qalg==
X-Gm-Message-State: AOAM5329263xag8Ehxhq4vSS8rLuqcajRuXm5WPQDXAcEHBX83hQlyRD fTdJ8QQsxW+B1raUldXY6SMCvR4jgd/0538la1PY5JJ1d1DYbp3XKIN3HwIdHkfihNTcSHGvHdF YbrFU0V6IT3iC/DXjaTpuNFQO0OjLyw/FVyWXP4bc5j2y7tr/
X-Google-Smtp-Source: ABdhPJx79Ki4Xef/U67cUY68OLAsQ6s6oW54TCXBVa/zvAXlRtRntQOzzzgPk4dn0ZRUmNFKrCE9lg==
X-Received: by 2002:a63:225d:: with SMTP id t29mr754025pgm.374.1594672118199; Mon, 13 Jul 2020 13:28:38 -0700 (PDT)
Received: from c02w42tjhtdd.lan (c-98-248-136-122.hsd1.ca.comcast.net. [98.248.136.122]) by smtp.gmail.com with ESMTPSA id r6sm15461138pfl.142.2020.07.13.13.28.37 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 13 Jul 2020 13:28:37 -0700 (PDT)
From: Amarendra Godbole <ag@broadcom.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C328C8AF-3E1F-4367-A08A-EB752DED6263"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3601.0.4\))
Message-Id: <7619889F-6A75-4179-B4A8-DEAAC359E5EB@broadcom.com>
Date: Mon, 13 Jul 2020 13:28:36 -0700
To: oauth@ietf.org
X-Mailer: Apple Mail (2.3601.0.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9ACM2NK_yS2f-rn3-nrqPMP9Ul4>
Subject: [OAUTH-WG] Rotating client secret
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 20:34:50 -0000
Hi All, First post to the list, and hopefully I am articulate enough to describe the problem I am facing — did OAuth ever consider an ability to dynamically rotate client secret (part of the “client credentials” authorization grant)? I stumbled across rfc7591 (OAuth 2.0 Dynamic Client Registration Protocol), but the OAuth 2.0 implementation I am looking at [1], does not support it. I also found some previous reference to client secret rotation [2], but it does not discuss my use case. We operate a SaaS application A, which is supposed to talk with another SaaS application B. Our customers subscribe to both, our application A as well as application B. However, the teams adminstering A and B are separate teams within the same organization, though we cannot assume the level of trust between them. Let’s call them Tenant Admin A and Tenant Admin B. In our usecase, application A is the client for application B, and application B provides OAuth 2.0 authorization workflows. Now, Tenant Admin A has to provision the "client credentials” authorization grant — in order to do that, Tenant Admin B generates the client_id and client_secret, and sends them to Tenant Admin B. There is the problem — as I earlier stated, we cannot assume the level of trust between Tenant Admin A and Tenant Admin B, and exchanging client_id and client_secret now means the circle of trust for application B includes individuals who may or may not be trusted. One thought that occured to me was a provision in OAuth 2.0’s client credentials grant flow was the ability to “bootstrap” a client application — basically the client_secret is one-time-use-and-timebound-only, and allows the client to exchange it for a different client_secret. In our case, this can be handled by the SaaS application backend, thus making sure the Tenant Admin A no longer have access to it once they provision the client. This can be generalized, such that the authZ server can periodically trigger client_secret rotation, and won’t require manual intervention [3]. As I stated earlier, rfc7591 talks about this, but but in the context of dynamic registration. Having the client secret rotation a part of the protocol exchange messages, maybe a bootstrap, would be the ideal solution for our usecase. Or the bigger question: Did I misinterpret it all? Looking for guidance from this list. Thanks in advance. -Amarendra [1] Microsoft Azure https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types <https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types> [2] https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/ <https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/> [3] Auth0 rotate client secret: https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret <https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret>
- [OAUTH-WG] Rotating client secret Amarendra Godbole
- Re: [OAUTH-WG] Rotating client secret Warren Parad
- Re: [OAUTH-WG] Rotating client secret Amarendra Godbole
- Re: [OAUTH-WG] Rotating client secret Dick Hardt
- Re: [OAUTH-WG] Rotating client secret Warren Parad
- Re: [OAUTH-WG] Rotating client secret Amarendra Godbole