Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
Brian Campbell <bcampbell@pingidentity.com> Wed, 20 April 2016 19:25 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5DCD12E3B3 for <oauth@ietfa.amsl.com>; Wed, 20 Apr 2016 12:25:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltq8HU4AnuOe for <oauth@ietfa.amsl.com>; Wed, 20 Apr 2016 12:25:36 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F79B12D97E for <oauth@ietf.org>; Wed, 20 Apr 2016 12:25:36 -0700 (PDT)
Received: by mail-ig0-x22b.google.com with SMTP id g8so59479425igr.0 for <oauth@ietf.org>; Wed, 20 Apr 2016 12:25:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IghX+hGSP9pNjcE9avFbQvWPoGM4YN9T8RnOnJ8waQ4=; b=eY0BtFKx/9rHDB2c/XE1YkERaSFP2CmA1k3y52cGvl6wJJeUS3T9F/gPeec1OdnVll zXr0pto4bqnqlEIEDSELS51a6vFI5P6cOEujUd/egZfax28KBj4mt6CzMECwyI3qzZhb mc3N6PLmlvO8TXSULS0CQHkfNNYsbVttLaBCg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IghX+hGSP9pNjcE9avFbQvWPoGM4YN9T8RnOnJ8waQ4=; b=SPZBia8DhYC+kqANr9w0o120hgE+Bb5c7cf3xokGi0QH1k7pcRJk+Jac3AZtieGWZC 1cpmn6y2mBUhGofn45ijQN5eaos8fRfpoTQZocuYZWuMWa1ba0TFMflMYOl5mhg+qufD UuCZOrgA2Zm4euy1zIfDKo4Ezu/D4bzW2OyDYnU8sBpSHL6miy4r/IafwQ1Je8WdqdSk 7s8hDnU4ezPdNZlAj3KJR17mmHNyMuhfQAacg15y1kh+KNfcgsLxcLfSI3pm64QMpNcv aaSQl8RdzXjL1pVnY/5zYzjXuovYVXCL5YDMMBJ9l13RJrL+o85uRaoPnQlBd9J6mKe6 stvw==
X-Gm-Message-State: AOPr4FVhKHsB2dmjjS8vNhX6o+ZQ8v015JjPyiFr5Tr/TpNgepzunYNjGZLEnGa02Bcd9pksE9wuRTrao/KEC6/c
X-Received: by 10.50.108.131 with SMTP id hk3mr5665909igb.15.1461180335593; Wed, 20 Apr 2016 12:25:35 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.77.215 with HTTP; Wed, 20 Apr 2016 12:25:06 -0700 (PDT)
In-Reply-To: <97FB56BD-0990-4A46-AA98-B0E5C2A8994C@verisign.com>
References: <FF8F219E-AB2E-48F5-AD90-DEA783343C1B@verisign.com> <A85A7E53-1AE2-4141-B6AF-FE3E19DEBA75@ve7jtb.com> <CA+k3eCR21HWSVNgT6eGLkaCE3ekKdv++_HJtsqkJh4Pg1Xm1kQ@mail.gmail.com> <97FB56BD-0990-4A46-AA98-B0E5C2A8994C@verisign.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 20 Apr 2016 13:25:06 -0600
Message-ID: <CA+k3eCQDGzvZNebb_i0+HN+DwpZ00pr__azP_+4sUYOXgkQqUQ@mail.gmail.com>
To: "Fregly, Andrew" <afregly@verisign.com>
Content-Type: multipart/alternative; boundary="f46d0402ddeedb724f0530ef8ed3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/AK9YjT7kvNPIXtjg9A9pCTgzDd0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 19:25:39 -0000
And that Identity Provider organization could also have it's own authorization server that could act as an STS. That's all I was trying to say. I'm not sure if that would help your case. On Tue, Apr 19, 2016 at 2:19 PM, Fregly, Andrew <afregly@verisign.com> wrote: > Brian, > > Once again, thank you for your input. Per my prior response to John > Bradley, our use case has the Identity Provider being provided by a > different organization than the organization providing the Authorization > Service. > > Thanks, > Andy > > From: Brian Campbell <bcampbell@pingidentity.com> > Date: Tuesday, April 19, 2016 at 2:30 PM > To: John Bradley <ve7jtb@ve7jtb.com> > Cc: Andrew Fregly <afregly@verisign.com>, "oauth@ietf.org" <oauth@ietf.org > > > Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 > Token Exchange: An STS for the REST of Us” to include Authentication Tokens > > The Token Exchange draft does put the Authorization Server (AS) in the > role of STS because it's an extension of OAuth. But that shouldn't be > viewed as limiting. An AS is often deployed as one part of an Identity > Provider. OpenID Connect, as John mentioned, is one standard that combines > the roles. And many products/services/deployments have an AS as part of > their overall Identity Provider offering, which might also have OpenID > Connect, SAML, etc. > > On Tue, Apr 19, 2016 at 12:06 PM, John Bradley <ve7jtb@ve7jtb.com> wrote: > >> Looking at OpenID Connect and it’s trust model for producing id_tokens >> that assert identity may help you. >> http://openid.net/wg/connect/ >> >> Unfortunately I can’t quite make out what you are trying to do. >> >> It sort of sounds like you want an id_token from a idP and then have the >> client exchange that assertion for another token? >> >> John B. >> >> On Apr 19, 2016, at 1:18 PM, Fregly, Andrew <afregly@verisign.com> wrote: >> >> I have a use case where a client application needs to authenticate with a >> dynamically determined Identity Provider that is separate from the >> Authorization Service that will be used issue an access token to the >> client. The use case also requires that as part of authorization, the >> client provides to the Authorization Service an authentication token signed >> by an Identity Provider that the Authorization Service has a trust >> relationship with. The trust relationship is verifiable based on the >> Authorization Service having recorded the public keys or certificates of >> trusted Identity Providers in a trust store, this allowing the >> Authorization Service to verify an Identity Provider’s signature on an >> authentication token. >> >> In looking at the various OAuth RFCs, particularly RFCs 7521, 7522, and >> 7523, I see that they get me close in terms of supporting the use case. >> What is missing is a means for solving the following problem. These RFCs >> require that the Identity Provider put an Audience claim in the >> authentication token. The problem with this is that I do not see in the >> RFCs how the Identity Provider can be told who the Audience is to put into >> the authentication token. This leads me to the title of this message. The >> draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” defines a >> mechanism for identifying the Audience for an STS to put into a token it >> generates. That would solve my problem except that the draft limits the >> type of STS to being Authorization Servers. What is needed is this same >> capability for interacting with an Identity Provider. This would enable >> RFCs 7521, 7522 and 7523 to be useful in situation where the Identity >> Provider needs to be told the identity of the Authorization Service. >> >> I am new to interacting with the IETF. I also am not an expert on the >> RFCs or prior history of the OAuth group relative to this topic, so please >> point me to any existing solution if this is a solved problem. Otherwise, I >> would like to get feedback on my suggestion. >> >> Thanks You, >> >> Andrew Fregly >> Verisign Inc. >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >
- [OAUTH-WG] Building on the protocol in the draft … Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… Brian Campbell
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Nat Sakimura
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Nat Sakimura
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Brian Campbell
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Justin Richer
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew