Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens
Nat Sakimura <sakimura@gmail.com> Tue, 19 April 2016 20:13 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07BA112DDA9 for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 13:13:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2D6pLYUdks7M for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 13:13:39 -0700 (PDT)
Received: from mail-qg0-x232.google.com (mail-qg0-x232.google.com [IPv6:2607:f8b0:400d:c04::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7AA812DD2C for <oauth@ietf.org>; Tue, 19 Apr 2016 13:13:38 -0700 (PDT)
Received: by mail-qg0-x232.google.com with SMTP id f52so16415343qga.3 for <oauth@ietf.org>; Tue, 19 Apr 2016 13:13:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=FLHN0NMnpPK3jbujStBPMh+/XcNvqgdQRWZofNILSaM=; b=PztzugNXWMTxdObxlbKGvBkfgDu/WhVsfzWETmttm8z8ySVVUdAQ5/he47OzWWT3sv LY2uTCupRYdJx+vMWU77WAXiIcijKCqzRpXZ0DiLtIFk99Q+pDashBHy30WEQegFpSOA tkVas39ari8eDKVwLKaXJcIE2TbanBq0647bAt0/PFUXixQAdDYT1xEO/44uQghoLRtN OwmWCApTBhsNkLJIm/MXa8frMhxsQYF71KxOZq1cJbMMIsdEgWAnsnniKO8mO/7rjxay GVyqde53gyec2dsbQ4LIHvohy5+dt3SrHjZGVJko0cCM3pC0TZQ+cOj+Fi9eZL/dLNlf 0C1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=FLHN0NMnpPK3jbujStBPMh+/XcNvqgdQRWZofNILSaM=; b=SWo8Gj/Odm/+JGJk1cwxBEhaVF2jkWCNAZvaN1HhA9VxEF2z++L2kZGqcZoUHW7/bS lMdFsHQh6W68ci8+PJDZmqnjvVJKEgI0RuTPSvSWSABJmrja5R+oQ0OpLmdSdzUd1RVg pB69u69aXG8JJMRjVv99zmXO7BPREE8bjAkGRJ31VHy2zFfM7yWRAV4JXP8HtFd7wejv 4LOtrch2ICqoSUBD1nldc8M2E8liQaZAvVkgVJnJdcxwYWy9zQbSNXYDtErD0UUTFQTs s8afo1nW66ONV4MaWMqfh4I+9/yk+M+0jjDr8AvSZBzbDJgTDo4aNZnkN3U6V/QAsz7a jaLg==
X-Gm-Message-State: AOPr4FU28HwsQqMBWkIoq2dOmA6p8E/rO+MGa1lME+wkN1NFzs8somJnOOpKKgLHiH7rO9Krgrmswm5FWaM5Kw==
X-Received: by 10.140.38.199 with SMTP id t65mr6097765qgt.64.1461096816792; Tue, 19 Apr 2016 13:13:36 -0700 (PDT)
MIME-Version: 1.0
References: <FF8F219E-AB2E-48F5-AD90-DEA783343C1B@verisign.com> <A85A7E53-1AE2-4141-B6AF-FE3E19DEBA75@ve7jtb.com> <8B748252-9AE2-4824-923B-00CD46CB8D68@verisign.com>
In-Reply-To: <8B748252-9AE2-4824-923B-00CD46CB8D68@verisign.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 19 Apr 2016 20:13:27 +0000
Message-ID: <CABzCy2CWBE0=3ruXYdgnS3c_Ws8kn-=qZzRXxfWP6Grznv7OgQ@mail.gmail.com>
To: "Fregly, Andrew" <afregly@verisign.com>, John Bradley <ve7jtb@ve7jtb.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c12c56bf5b940530dc1c5d"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Gauo2myEoiQpJ2ZmiSEEKNid3xE>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2016 20:13:42 -0000
Get OpenID Connect id_token by the authentication request with prompt=none and verifying the sub to be the same with what you expected seem to suffice your needs. Am I missing something? On Wed, Apr 20, 2016 at 05:05 Fregly, Andrew <afregly@verisign.com> wrote: > Thanks for your response John. I also got a good response from Brian > Campbell and appreciate that. I will respond separately to Brian’s response > as I think it would keep things clearer to do that. > > The problem we have for using OpenID Connect is that it combines the role > of Authentication Service with the role of Authorization Service. Perhaps > the following description of what we want to do will clarify why this won’t > work for us: > > The basic problem statement is that we need to have a client application > authorized by a Service Provider based on proof that a user is currently a > member of some organization. This assumes the organization has previously > established some level of authorized access with the Service Provider. > > Here is an example: Suppose I am a member of SomeOrg Inc. Suppose SomeOrg > Inc. is doing research that requires it to gather data over the Internet > from a number of data providers. The data providers require authentication > and proof of organizational membership in order to authorize various levels > of access to their data. The data providers do not consider having an > account with them or a Public Identity Provider to be suitable for proving > that I am still a member of SomeOrg at time of authentication. They would > have no way of knowing whether or not my relationship with SomeOrg still > exists at that time. The data providers would therefore like the Client > software to authenticate me against SomeOrgs Identity Provider. This would > be good proof that I am still a member of SomeOrg at the time I > authenticate. This authentication would enable the data providers > Authorization Server to grant me access appropriate to a member of > SomeOrg. Note that as a prerequisite to all of this, SomeOrg will have > used an out-of-band process to set up a trust relationship for SomeOrg's > Identity Provider with the data provider’s Authorization Service, and will > have negotiated authorization claims to be granted to SomeOrgs members. > > What I am having difficulty with is in knitting together an approach based > on the he OpenID Connect specifications, SAML specifications, and OAuth > RFCs and drafts in a way that supports the above use case end-to-end. The > OAuth RFCs and drafts almost get me there. What seems to be missing is a > way of telling an Identity Provider the URL for the Authorization Service > (the required Audience claim in an authentication assertion as defined in > RFCs 7251, 7252 and 7253), and then a requirement that the Identity > Providers put the supplied Audience Identifier into Authentication Tokens. > Perhaps a little further back-and-forth with Brian will resolve this. > > I can go into deeper detail if needed. If this is off-topic for the OAuth > working group, let me know. > > Thanks, > Andrew Fregly > Verisign Inc. > > > From: John Bradley <ve7jtb@ve7jtb.com> > Date: Tuesday, April 19, 2016 at 2:06 PM > To: Andrew Fregly <afregly@verisign.com> > Cc: "oauth@ietf.org" <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 > Token Exchange: An STS for the REST of Us” to include Authentication Tokens > > Looking at OpenID Connect and it’s trust model for producing id_tokens > that assert identity may help you. > http://openid.net/wg/connect/ > > Unfortunately I can’t quite make out what you are trying to do. > > It sort of sounds like you want an id_token from a idP and then have the > client exchange that assertion for another token? > > John B. > > On Apr 19, 2016, at 1:18 PM, Fregly, Andrew <afregly@verisign.com> wrote: > > I have a use case where a client application needs to authenticate with a > dynamically determined Identity Provider that is separate from the > Authorization Service that will be used issue an access token to the > client. The use case also requires that as part of authorization, the > client provides to the Authorization Service an authentication token signed > by an Identity Provider that the Authorization Service has a trust > relationship with. The trust relationship is verifiable based on the > Authorization Service having recorded the public keys or certificates of > trusted Identity Providers in a trust store, this allowing the > Authorization Service to verify an Identity Provider’s signature on an > authentication token. > > In looking at the various OAuth RFCs, particularly RFCs 7521, 7522, and > 7523, I see that they get me close in terms of supporting the use case. > What is missing is a means for solving the following problem. These RFCs > require that the Identity Provider put an Audience claim in the > authentication token. The problem with this is that I do not see in the > RFCs how the Identity Provider can be told who the Audience is to put into > the authentication token. This leads me to the title of this message. The > draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” defines a > mechanism for identifying the Audience for an STS to put into a token it > generates. That would solve my problem except that the draft limits the > type of STS to being Authorization Servers. What is needed is this same > capability for interacting with an Identity Provider. This would enable > RFCs 7521, 7522 and 7523 to be useful in situation where the Identity > Provider needs to be told the identity of the Authorization Service. > > I am new to interacting with the IETF. I also am not an expert on the RFCs > or prior history of the OAuth group relative to this topic, so please point > me to any existing solution if this is a solved problem. Otherwise, I would > like to get feedback on my suggestion. > > Thanks You, > > Andrew Fregly > Verisign Inc. > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Building on the protocol in the draft … Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… Brian Campbell
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Nat Sakimura
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Nat Sakimura
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… John Bradley
- Re: [OAUTH-WG] Building on the protocol in the dr… George Fletcher
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Brian Campbell
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew
- Re: [OAUTH-WG] Building on the protocol in the dr… Justin Richer
- Re: [OAUTH-WG] Building on the protocol in the dr… Fregly, Andrew