Re: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions
Brian Campbell <bcampbell@pingidentity.com> Wed, 16 September 2015 16:28 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38FB81B350C for <oauth@ietfa.amsl.com>; Wed, 16 Sep 2015 09:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d8H1nbvxdGNz for <oauth@ietfa.amsl.com>; Wed, 16 Sep 2015 09:28:02 -0700 (PDT)
Received: from mail-qg0-x230.google.com (mail-qg0-x230.google.com [IPv6:2607:f8b0:400d:c04::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AF671B34CB for <oauth@ietf.org>; Wed, 16 Sep 2015 09:28:02 -0700 (PDT)
Received: by qgt47 with SMTP id 47so175805614qgt.2 for <oauth@ietf.org>; Wed, 16 Sep 2015 09:28:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=GL2P67RXgiaTGN3xbP0qe6Ng4UjL4vXCaIcOk7BytBk=; b=GEJX6XfOeY4WjKuldly++tiFb07UzusHofcKPFzHaxq6m3eFbE+dDQZB6VskG6E0Jv 3BUt9CjNGRUwhmsIn2JAmIYMSxyORIAuFBKiJEJXzBCmEsIDI41kaZITGDFOvclWfb8l R7TnRyX3aWXWVY1pf8U6yeH1Z/rdHt9ppZxVU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=GL2P67RXgiaTGN3xbP0qe6Ng4UjL4vXCaIcOk7BytBk=; b=YIm84hXbAB0q62QyiJ6zOsKn/fd7OjfMg6Vw/7KHKAQkzn/11seGSzlLq4vPEBgjeG AmNCGJni2Wkdv7QVoAiQ0Emvu14RFa6ZvreaZXpqvrBknP+RRqhbdmDa+/JwX+hBWg3A +RcPwrU+hjnml28h8S2TysOkNTWxEGwqinTHe6LW+MFmHgM0Ab3LbhkLidvwL9FtVwQS ztwMbQURo409C30M9PSu/UekhvuLvYBi695c3fr+8VKQIA28jzQAoyhbgpjgbvD0Gk+X nRTtmtsjDQ9sC55NK3YhccvDWi3VBbiwGtqAej89OREUg69Ld3VNNk9B2qTgrhQGyMDK Ys6g==
X-Gm-Message-State: ALoCoQkr4etqQC4Tn5qL/t9xSsoLRBL96J0etd5JCWS/hNDpRMV+XRMcnLLgfu97HYEKLtSu4dF6
X-Received: by 10.140.231.76 with SMTP id b73mr9937427qhc.87.1442420881402; Wed, 16 Sep 2015 09:28:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.108.227 with HTTP; Wed, 16 Sep 2015 09:27:31 -0700 (PDT)
In-Reply-To: <15EEB79E-5003-4CC1-892D-96357CB0B89B@mit.edu>
References: <55F85EF5.5080609@aol.com> <15EEB79E-5003-4CC1-892D-96357CB0B89B@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 16 Sep 2015 10:27:31 -0600
Message-ID: <CA+k3eCQOsjSAeE0QJz-Ch-_it4nCjEsTyVDkt5HHdYeEeXN1iw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="001a11c130ee40dafc051fdfc858"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HL8gQpmw6kenPgsJm7BLRnb4mKE>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2 2 legged flows with JWT client assertions
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Sep 2015 16:28:05 -0000
Yeah, when a client wants to get an access token for itself, the
client_credentials grant_type with client_assertion_type/client_assertion.
We attempted to call this out in the assertion framework (RFC 7521) in a
discussion of "Common Scenarios
<http://tools.ietf.org/html/rfc7521#section-6>" with the section "Client
Acting on Behalf of Itself <http://tools.ietf.org/html/rfc7521#section-6.2>"
but, despite good intentions, inheritance in specs is often overlooked.
When a client is accessing resources on behalf of itself, it does so
in a manner analogous to the Client Credentials Grant defined in
Section 4.4 <http://tools.ietf.org/html/rfc7521#section-4.4> of
OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>]. This is a
special case that
combines both the authentication and authorization grant usage
patterns. In this case, the interactions with the authorization
server should be treated as using an assertion for Client
Authentication according to Section 4.2
<http://tools.ietf.org/html/rfc7521#section-4.2>, while using the
"grant_type"
parameter with the value "client_credentials" to indicate that the
client is requesting an access token using only its client
credentials.
The following example demonstrates an assertion being used for a
client credentials access token request, as defined in Section
4.4.2 <http://tools.ietf.org/html/rfc7521#section-4.4.2>
of OAuth 2.0 [RFC6749 <http://tools.ietf.org/html/rfc6749>] (with
extra line breaks for display purposes
only):
POST /token HTTP/1.1
Host: server.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth
%3Aclient-assertion-type%3Asaml2-bearer&
client_assertion=PHNhbW...[omitted for brevity]...ZT
On Tue, Sep 15, 2015 at 2:41 PM, Justin Richer <jricher@mit.edu> wrote:
> That’s how we’ve implemented it, but I’ve seen others pass the JWS for the
> token directly using the assertion grant type. Personally I find that a
> little confusing, since it’s still the client making the swap, but maybe
> there’s something useful there anyway. It honestly feels a bit too much
> like WS-*, and one can hope that we’ve learned from the mistakes of the
> past by now.
>
> I think the difference may be who makes the JWS. If the client is making
> the JWS and using it to swap for a new token, then that’s a case for using
> client credentials and authenticating using the JWS. If the JWS is coming
> from a third party and being handed to the client, and the client’s using
> that as-is to swap for a new token, then that’s a case of using the JWS as
> an assertion directly to the AS and getting a token there.
>
> But I agree that it’s confusing that there are two similar mechanisms here.
>
> — Justin
>
> On Sep 15, 2015, at 2:09 PM, George Fletcher <gffletch@aol.com> wrote:
>
> Hi,
>
> I just want to verify my reading of RFC 7523[1] for the use case where a
> client wants to get an access token for itself to use as authorization for
> future API calls. This is effectively exchanging a JWS for a "short lived"
> access token.
>
> My understanding of section 2.2 of RFC 7523, is that the
> 'client_assertion_type' and 'client_assertion' replace the default [OAuth2
> (RFC 6749)] client authentication mechanism of client_id and client_secret.
>
> Therefore the correct way to implement this 2 legged flow is to use the
> OAuth2 (RFC 6749) client_credentials grant_type (Section 4.4) with the JWT
> Bearer defined client_assertion_type and client_assertion.
>
> This would look something like (line breaks added for readability)
>
> POST /token HTTP/1.1
> Host: server.example.com
> Content-Type: application/x-www-form-urlencoded
>
> grant_type=client_credentials&
>
> client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&
> client_assertion=<encoded JWS>&
> scope="myscopes"
>
> Is there a different industry standard for this use case? I'm checking as I find that multiple AS implementations do this differently:)
>
> Thanks,
> George
>
> [1] https://tools.ietf.org/html/rfc7523
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
- [OAUTH-WG] OAuth2 2 legged flows with JWT client … George Fletcher
- Re: [OAUTH-WG] OAuth2 2 legged flows with JWT cli… Justin Richer
- Re: [OAUTH-WG] OAuth2 2 legged flows with JWT cli… Brian Campbell
- Re: [OAUTH-WG] OAuth2 2 legged flows with JWT cli… George Fletcher