Re: [OAUTH-WG] user impersonation protocol?

Mike Jones <Michael.Jones@microsoft.com> Mon, 16 February 2015 22:26 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C32F41A88B2 for <oauth@ietfa.amsl.com>; Mon, 16 Feb 2015 14:26:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cd3WGy7vdIso for <oauth@ietfa.amsl.com>; Mon, 16 Feb 2015 14:26:30 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0140.outbound.protection.outlook.com [207.46.100.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 601731A6ED9 for <oauth@ietf.org>; Mon, 16 Feb 2015 14:26:30 -0800 (PST)
Received: from CH1PR03CA005.namprd03.prod.outlook.com (10.255.156.150) by BLUPR03MB603.namprd03.prod.outlook.com (10.255.124.40) with Microsoft SMTP Server (TLS) id 15.1.87.18; Mon, 16 Feb 2015 22:26:29 +0000
Received: from BY2FFO11FD049.protection.gbl (10.255.156.132) by CH1PR03CA005.outlook.office365.com (10.255.156.150) with Microsoft SMTP Server (TLS) id 15.1.87.18 via Frontend Transport; Mon, 16 Feb 2015 22:26:28 +0000
Received: from mail.microsoft.com (131.107.125.37) by BY2FFO11FD049.mail.protection.outlook.com (10.1.15.186) with Microsoft SMTP Server (TLS) id 15.1.87.10 via Frontend Transport; Mon, 16 Feb 2015 22:26:28 +0000
Received: from TK5EX14MBXC290.redmond.corp.microsoft.com ([169.254.1.33]) by TK5EX14MLTC104.redmond.corp.microsoft.com ([157.54.79.159]) with mapi id 14.03.0224.003; Mon, 16 Feb 2015 22:25:56 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Bill Burke <bburke@redhat.com>, oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] user impersonation protocol?
Thread-Index: AQHQSf4/iGZiBeogw0O/wAb+y9wR0pzzxrwAgAACFACAABGs0A==
Date: Mon, 16 Feb 2015 22:25:55 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A222C54D@TK5EX14MBXC290.redmond.corp.microsoft.com>
References: <CAAP42hDozEEdVXHhF9WEpjrGu_nZ_3nCj=yiNegGtYi6=eW+qw@mail.gmail.com> <1363965451.7820862.1424121634785.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <1363965451.7820862.1424121634785.JavaMail.yahoo@mail.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.79]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943A222C54DTK5EX14MBXC290r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; redhat.com; dkim=none (message not signed) header.d=none;
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(438002)(51704005)(164054003)(24454002)(479174004)(377454003)(16236675004)(2950100001)(62966003)(15975445007)(102836002)(104016003)(19580395003)(19580405001)(2656002)(87936001)(6806004)(85806002)(86612001)(2900100001)(46102003)(2920100001)(77156002)(1720100001)(512874002)(50986999)(66066001)(76176999)(19617315012)(587094005)(86362001)(54356999)(106466001)(106116001)(92566002)(107886001)(16601075003)(84326002)(55846006)(19625305001)(19300405004)(33656002)(19625215002); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB603; H:mail.microsoft.com; FPR:; SPF:Pass; MLV:sfv; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB603;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004); SRVR:BLUPR03MB603;
X-Forefront-PRVS: 0489CFBAC9
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB603;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Feb 2015 22:26:28.6317 (UTC)
X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47; Ip=[131.107.125.37]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB603
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/9bAx4GmmJuQaubDJdrBMkwAahsU>
Subject: Re: [OAUTH-WG] user impersonation protocol?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Feb 2015 22:26:33 -0000

The OAuth 2.0 Token Exchange http://tools.ietf.org/html/draft-ietf-oauth-token-exchange specification is designed for use cases such as yours.  Quoting from the abstract:
   This specification defines how to request and obtain Security Tokens
   from OAuth Authorization Servers, including enabling one party to act
   on behalf of another or enabling one party to delegate authority to
   another.

                                                                -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Bill Mills
Sent: Monday, February 16, 2015 1:21 PM
To: William Denniss; Justin Richer; Bill Burke; oauth
Subject: Re: [OAUTH-WG] user impersonation protocol?

Straight impersonation with no limitations isn't a good solution in the long run.

On Monday, February 16, 2015 1:13 PM, William Denniss <wdenniss@google.com<mailto:wdenniss@google.com>> wrote:

I led a discussion on a related topic at a recent IIW (specifically exploring the "account sharing" use case), the notes are here: http://iiw.idcommons.net/Account_Sharing_at_the_IDP_(Identity_Provider).  It was an interesting discussion, the whole topic of impersonation certainly raises a lot of policy questions.

As for the technical implementation, our conclusion was that the simplest approach for impersonation would be to continue to supply an ID Token for the target user (i.e. 'sub' represents the user being impersonated), and add an additional JWT claim for the user doing the impersonation (e.g. 'ipb' meaning "impersonated by").

Thus, any relying party who doesn't understand this claim continues to work as before (oblivious to the fact the user is being impersonated), and those who understand the claim and care about impersonation can take action (e.g. log a better audit trail, limit some functionality or outright block the behavior).

If this approach sounds interesting to you, perhaps we could formally register & standardise the 'ipb' claim.  Of course, anyone can use this technique today via a private claim<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.3>.3>.


On Mon Feb 16 2015 at 7:36:23 AM Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
Another question is whether or not you can user rights delegation (ie vanilla OAuth) or if you really do need impersonation. You may be able to get the desired results with less complexity that way.


-- Justin

/ Sent from my phone /


-------- Original message --------
From: Bill Burke <bburke@redhat.com<mailto:bburke@redhat.com>>
Date:02/16/2015 10:20 AM (GMT-05:00)
To: Bill Mills <wmills_92105@yahoo.com<mailto:wmills_92105@yahoo.com>>, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>>, oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
Cc:
Subject: Re: [OAUTH-WG] user impersonation protocol?

Yeah, I know its risky, but that's the requirement.  Was just wondering
if there was any protocol work being done around it, so that we could
avoid doing a lot of the legwork to make it safe/effective.  Currently
for us, we need to do this between two separate IDPs, which is where the
protocol work comes in...If it was just a single IDP managing
everything, then it would just be an internal custom IDP feature.

Thanks all.



On 2/16/2015 12:37 AM, Bill Mills wrote:
> User impersonation is very very risky.  The legal aspects of it must be
> considered.  There's a lot of work to do to make it safe/effective.
>
> Issuing a scoped token that allows ready only access can work with the
> above caveats.  Then properties/componenets have to explicitly support
> the new scope and do the right thing.
>
>
> On Sunday, February 15, 2015 8:34 PM, Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
>
>
> For this case you'd want to be very careful about who was able to do
> such impersonation, obviously, but it's doable today with custom IdP
> behavior. You can simply use OpenID Connect and have the IdP issue an id
> token for the target user instead of the "actual" current user account.
>
> I would also suggest considering adding a custom claim to the id token
> to indicate this is taking place. That way you can differentiate where
> needed, including in logs.
>
> -- Justin
>
> / Sent from my phone /
>
>
> -------- Original message --------
> From: Bill Burke <bburke@redhat.com<mailto:bburke@redhat.com>>
> Date:02/15/2015 10:55 PM (GMT-05:00)
> To: oauth <oauth@ietf.org<mailto:oauth@ietf.org>>
> Cc:
> Subject: [OAUTH-WG] user impersonation protocol?
>
> We have a case where we want to allow a logged in admin user to
> impersonate another user so that they can visit differents browser apps
> as that user (So they can see everything that the user sees through
> their browser).
>
> Anybody know of any protocol work being done here in the OAuth group or
> some other IETF or even Connect effort that would support something like
> this?
>
> Thanks,
>
> Bill
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com<http://bill.burkecentral.com/>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org<mailto:OAuth@ietf.org> <mailto:OAuth@ietf.org<mailto:OAuth@ietf.org>>
> https://www.ietf.org/mailman/listinfo/oauth

>
>

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com<http://bill.burkecentral.com/>
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth