IETF Logo Mail Archive

Re: [OAUTH-WG] Token Chaining Use Case

Brian Campbell <bcampbell@pingidentity.com> Thu, 26 March 2015 22:15 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 075E41A014C for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 15:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.578
X-Spam-Level:
X-Spam-Status: No, score=-3.578 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q0GLSu9xBfNK for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 15:15:56 -0700 (PDT)
Received: from na3sys009aog106.obsmtp.com (na3sys009aog106.obsmtp.com [74.125.149.77]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3E171A0174 for <oauth@ietf.org>; Thu, 26 Mar 2015 15:15:55 -0700 (PDT)
Received: from mail-ig0-f176.google.com ([209.85.213.176]) (using TLSv1) by na3sys009aob106.postini.com ([74.125.148.12]) with SMTP ID DSNKVRSFG9hxmmQVCnnmucCWmNQOgCHKlKFh@postini.com; Thu, 26 Mar 2015 15:15:55 PDT
Received: by igbqf9 with SMTP id qf9so5080541igb.1 for <oauth@ietf.org>; Thu, 26 Mar 2015 15:15:54 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Twb/EQDAkwaJBEbiFOyR9h5k3QuImf+VZZzLd6GS4gU=; b=TUnxKyc97yLWt9VIcarC9WODewx5yiCezopC0e5iL/0vSh/Pf2Mxtnb6pY3aTNi5Mq I+6FhOQsiIIHicellxVJckjOxLWSVMi8+9wrUztufAeYJCpJYsDzb6ixWH/4ELEatQEe bEhkco1nZgGg2DGhBsU+YNM/KTmmDnEPuzwoQxN2p+8NqMZBMIYkEpyp8AlY8x4C3/2v F1okOxIdtMngCxYIOsbz5DUqkyhTWM0iXyzx9eA79ZqNt8qx8A6ICBTzSkLOS4Mt7qn/ pTYz9Zl/ANsq1swSHN0mdQDiCKdAWwUdXbx5bxbj95W2v/aaAfw/p/n4VqhlwXkSnczt 2IrQ==
X-Gm-Message-State: ALoCoQkevAZEvOYITwoIKg+7TtDtU6NYKbujuomRK74K00/+kwY1UyVhbiLb7D3nCHDN1PrZBAlLSxYJrJJbntlI8zffUplcM4FgcSLuySVrVKpgyXig6Kma6RA61drr2tM39JPVo0Yj
X-Received: by 10.107.135.212 with SMTP id r81mr25305075ioi.38.1427408154706; Thu, 26 Mar 2015 15:15:54 -0700 (PDT)
X-Received: by 10.107.135.212 with SMTP id r81mr25305063ioi.38.1427408154560; Thu, 26 Mar 2015 15:15:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.7.193 with HTTP; Thu, 26 Mar 2015 15:15:23 -0700 (PDT)
In-Reply-To: <D0E09E09-A803-427A-ACA9-D9E3F3EF31E5@mit.edu>
References: <D0E09E09-A803-427A-ACA9-D9E3F3EF31E5@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 26 Mar 2015 17:15:23 -0500
Message-ID: <CA+k3eCSgE0Df25kPiKVnyWkkvONke6ha_FrVmZiOYYTVGM6w_w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="001a113ec85a009ad20512385c21"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HMdRXmPeO5-0JIt6Mg9_HxdXUvE>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Chaining Use Case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 22:15:59 -0000

This kind of token exchange might involve exchanges other than swapping an
AT for another AT (and downscoping it). It might be an AT for a structured
JWT specifically targeted at one of the the particular services that the
original RS needs to call. Or an AT might be exchanged for a SAML assertion
to use with legacy SOAP serveries.  A good general token exchange mechanism
enables lots of variations of cases like the one Justin mentioned. And
more. In fact, I think downscoping might be a minority use case where what
token exchange is often need for is translating tokens from what you have
into what the resource you need to call can deal with.

There need to be ways for the caller to tell the AS about the token it's
asking for - by type or by the address/identifier of where it'll be used.
There needs to be ways for the caller to authenticate to the AS. And there
needs to be some way of expressing this delegation thing (though I'm still
not totally convinced it couldn't be just the token is about the
user/principal and the caller/client of the exchange is who is being
delegated to).

I realize few (approaching zero) people have or are going to read it but I
have endeavored to cover all these things in the
http://tools.ietf.org/html/draft-campbell-oauth-sts-02 draft. It's an early
draft so not without it some rough edges but can provide some guidance on
what is needed and offers some protocol syntax for expressing it. I believe
Justin's use case would be covered by it (defining a specific token type
URI for an OAuth access token issued by the AS in question might be needed)
as are many others.

On Thu, Mar 26, 2015 at 1:31 PM, Justin Richer <jricher@mit.edu> wrote:

> As requested after last night’s informal meeting, here is the token
> chaining use case that I want to see represented in the token swap draft.
>
>
> [ Client ]  ->   [ A ] -> [ B ] -> [ C ]
>
> An OAuth client gets an access token AT1, just like it always would, with
> scopes [A, B, C] in order to call service A, which requires all three
> scopes. Service A (an RS) accepts this token since it has its scope, and
> then needs to call service B in turn, which requires scopes [B, C]. It
> could just re-send the token it got in, AT1, but that would give the
> downstream RS the ability to call services with scope [ A ] and it should
> not be allowed to do that. To limit exposure, service A calls a token swap
> at the AS to create AT2 with scopes [ B, C ], effectively acting as an
> OAuth client requesting a downscoped token based on AT1. Service A then
> acts as an OAuth client to call service B, now acting as an RS to service
> A’s client, and can fulfill the request. And it’s turtles all the way down:
> Service B can also call service C, and now B acts as a client, requesting
> AT3 with scope [ C ] based on AT2, and sending AT3 to service C. This
> prevents C from being able to call B or A, both of which would have been
> available if AT1 had been passed around. Note that service A or the Client
> can also request a downscoped token with [ C ] to call service C directly
> as well, and C doesn’t have to care how it got there.
>
>
> In other words, it lets the client software be very, very dumb. It doesn’t
> have to do any special processing, doesn’t have to know what’s in the
> token, it just follows the recipe of “I got a token, I get another token
> based on this to call someone else”. It’s also analogous to the refresh
> token flow, but with access tokens going in and out. I’ve deployed this
> setup several times in different service deployments. Even though there is
> a performance hit in the additional round trips (as Phil brought up in
> another thread), in these cases the desire to have the tokens hold least
> privilege access rights (smallest set of scopes per service) outweighed any
> performance hit (which was shown to be rather small in practice).
>
> What I want is for the token swap draft to define or use a mechanism that
> allows us to do this. I think we can do that pretty easily by adjusting the
> token swap syntax and language, and explicitly calling out the semantic
> processing portion (the current core of the document) for what it is: a way
> for a token issuer to communicate to a token service specific actions. At a
> high level, the spec would be something like:
>
>
>
> 1. How to swap a token at an AS
>   1. Send a request to the token endpoint with a new grant type, and a
> token (of any type/format/flavor) on the way in
>   2. Get back a new token in a token response
> 2. Communicating act as / on behalf of semantics via a JWT assertion
>   1. How to create (as an AS/RS/client/other issuer) a JWT with act-as
> semantics
>   2. What to do (as an AS/RS) with a JWT with act-as semantics
>   3. How to create a JWT with on-behalf-of semeantics
>   4. What to do with a JWT with on-behalf-of-semantics
>   5. How to possibly represent these semantics with something other than a
> JWT
>
>
>
> Section 2 uses the syntax from section 1. Other applications, like the one
> I laid out above, can use the syntax from section 1 as well. This works for
> structured, unstructured, self-generated, cross-domain, within-domain, and
> other tokens.
>
>
>  — Justin
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email