IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Authorization

Neil Madden <neil.madden@forgerock.com> Tue, 23 July 2019 10:10 UTC

Return-Path: <neil.madden@forgerock.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA61D12019F for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 03:10:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J7hj4xFqSB08 for <oauth@ietfa.amsl.com>; Tue, 23 Jul 2019 03:10:17 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0462912018C for <oauth@ietf.org>; Tue, 23 Jul 2019 03:10:16 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id p17so42485480wrf.11 for <oauth@ietf.org>; Tue, 23 Jul 2019 03:10:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=pkk1d9dhftwkPQgT1jXmfl15KNTiCZ3aW1nB0e4PaZ8=; b=VO4QFAPi1TlTFzqNsdSSPwn+oNRPXoolBpt/8KLL5N/7gmX5sL+SBKXDyOjdIXoj/X 2uxiQjEs8fppExpxNzcgibvEAKh4GWZOsj725Ip2PEl6bgNDYNtdrL/Dkndv+Mla2whN BZgRszZovSSmyfxMHpFlLw+CEKOra1otghrno=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=pkk1d9dhftwkPQgT1jXmfl15KNTiCZ3aW1nB0e4PaZ8=; b=j5Bh0N5FteaMrEG28ewdG1ATui5/dM70kocdpVIcmk7p1180As5QJ38/Jp4DiV0P8d tMtM0xPnAHjfb0R9lWsovxHVXY5xqCoQDa0TpERS8JGVaK7Vv64uT4mnb0AJee6yk8p0 e4LyF3JE3ICpZovdDhQqFvU0u6PVSfYm205ufqTc676dsCdZkDUKcVxBQgFPFXZbZEXY V+MLce+K97ltcmvn3fSn0+x5BPUaNsuGJbxUF39Uw4f5DJ0MCQZQ1R1huqU6HR3d022v EQG73f1ym59MQpLRRRJwNT1sC2A2ty4bOpJZhHYvzXIcnVCcmo9aePPg1hmAvKXWGcPm o9GQ==
X-Gm-Message-State: APjAAAV67ZF7LjAuVMHIVFpB4uMCUdk6G4MJoxZn8lgi9p8G9J5WMK+Q +Wcdb2JV9LynjyjncK72pVHJew==
X-Google-Smtp-Source: APXvYqxAyys14vvY4+mZQ7BYZozRdzt1LbcSUPVT3ClncjA1jQAgt5G5onRmdSp+mUTQpFmORMFtyA==
X-Received: by 2002:adf:f046:: with SMTP id t6mr2808280wro.307.1563876615183; Tue, 23 Jul 2019 03:10:15 -0700 (PDT)
Received: from [192.168.2.140] (77-44-110-214.xdsl.murphx.net. [77.44.110.214]) by smtp.gmail.com with ESMTPSA id s25sm32171829wmc.21.2019.07.23.03.10.14 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Jul 2019 03:10:14 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Neil Madden <neil.madden@forgerock.com>
In-Reply-To: <CAD9ie-uQGEwpOEhR2fVT_teCn=xXze2Hz5p23S4mY0GmuJJYkw@mail.gmail.com>
Date: Tue, 23 Jul 2019 11:10:11 +0100
Cc: Aaron Parecki <aaron@parecki.com>, oauth <oauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <3F6A8E4E-3574-4666-A561-D67D5D0B2EA9@forgerock.com>
References: <BD2D90C8-B629-4955-A22C-6E80E6390EEE@mit.edu> <CAGBSGjr+kfiavvzhPDF2SaBLDAjusoOGjvgTA85FadM+s_2u=A@mail.gmail.com> <E041DFD5-0501-471E-94B3-D1B36595F0BB@forgerock.com> <CAD9ie-smP4dyMPQAuMvD8AxXV1KNuLwBuYFRPtQDVCRBKkd-2A@mail.gmail.com> <06AF6986-B2D2-4B00-B8DA-0DB2F7C1FA8F@forgerock.com> <CAD9ie-uQGEwpOEhR2fVT_teCn=xXze2Hz5p23S4mY0GmuJJYkw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/9kT7aCacb02i-7g90vXwig3Fiy4>
Subject: Re: [OAUTH-WG] Transaction Authorization
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 10:10:19 -0000

If we follow the principle of least authority then a token should be scoped as narrowly as possible to a particular resource server/resource/time period/transaction. The security topics BCP has already gone quite far down this path in its recommendations: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.3 . Least privilege naturally leads to clients needing more tokens, so we should make obtaining (and using) multiple tokens as frictionless as possible.

For an example of this, see the work done by my colleagues to simplify juggling multiple access tokens for different resource servers - https://www.npmjs.com/package/appauthhelper . The library allows the developer to specify which scopes are used for which RS:

    resourceServers: {
        "https://login.example.com/oauth2/userinfo": "profile",
        "https://rs.example.com/": "rs_custom_scope"
    },

The library then takes care of making multiple requests to get appropriately-scoped access tokens and then attaching them to appropriate requests. But the more resource servers you need to access, the more tokens you need and the more requests you have to make. There is therefore currently a "tax" on least privilege use of access tokens as it is all on the client to juggle these requests, giving an incentive for clients to instead request Big Tokens that grant lots of authority in a single request/response.

-- Neil


> On 22 Jul 2019, at 22:46, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> Hi Neil
> 
> I see that you are looking at how to modify Justin's proposal, and I'm looking at what are the requirements.
> 
> Ignoring the specifics, is there a reason why multiple tokens need to be returned in the same request?
> 
> 
> On Mon, Jul 22, 2019 at 9:41 AM Neil Madden <neil.madden@forgerock.com> wrote:
> 
>> On 21 Jul 2019, at 22:22, Dick Hardt <dick.hardt@gmail.com> wrote:
>> 
>> Hi Neil, I agree that an access token that is usable across resources is problematic.
>> 
>> How are you thinking multiple access tokens would be returned?
> 
> Well there are lots of possible ways, e.g.:
> 
> {
> "tokens": [
>     { "resource": "https://res1", "access_token": "..." }, 
>     { "resource": "res2", ...}, ...
> ]
> }
> 
> I'm not particularly wedded to any format.
> 
>> Why do you think the request needs to return multiple tokens rather than making a separate request for each token? That would seem to simplify the request and response as context would only need to provided for the one access token.
> 
> Note that in Aaron's proposal we have a "user" section on (presumably) every access token response, which indicates a userinfo endpoint that itself needs an access token. So either the same access token is used to access that userinfo endpoint (which means that the RS can also access the userinfo endpoint), or else we already need to return a second access token in the same request, e.g.:
> 
> {
>       "access_token": {
>         "value": "UM1P9PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
>         "type": "bearer"
>       },
>       "user": {
>         "id": "5035678642",
>         "userinfo": "https://authorization-server.com/user/5035678642",
>         "userinfo_at": "b0Dl3KsXXOGc7tWfFLZYv7G5bXk"
>       }
>     }

v2.23.0 | Report a Bug | By Email