Re: [OAUTH-WG] user impersonation protocol?

William Denniss <wdenniss@google.com> Mon, 16 February 2015 21:21 UTC

From: William Denniss <wdenniss@google.com>
Date: Mon, 16 Feb 2015 13:13:08 -0800
Message-ID: <CAAP42hDozEEdVXHhF9WEpjrGu_nZ_3nCj=yiNegGtYi6=eW+qw@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>, Bill Burke <bburke@redhat.com>, Bill Mills <wmills_92105@yahoo.com>, oauth <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/K4S8vVPMOEJy6zr-7f9zfywVBf8>

I led a discussion on a related topic at a recent IIW (specifically
exploring the "account sharing" use case); the notes are here:
http://iiw.idcommons.net/Account_Sharing_at_the_IDP_(Identity_Provider).
It was an interesting discussion; the whole topic of impersonation
certainly raises a lot of policy questions.

As for the technical implementation, our conclusion was that the simplest
approach for impersonation would be to continue to supply an ID Token for
the target user (i.e. 'sub' represents the user being impersonated), and
add an additional JWT claim for the user doing the impersonation (e.g.
'ipb' meaning "impersonated by").

Thus, any relying party who doesn't understand this claim continues to work
as before (oblivious to the fact the user is being impersonated), and those
who understand the claim and care about impersonation can take action (e.g.
log a better audit trail, limit some functionality or outright block the
behavior).

If this approach sounds interesting to you, perhaps we could formally
register & standardise the 'ipb' claim.  Of course, anyone can use this
technique today via a private claim
<http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4.3>.
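
The claim layout described above (and the custom-claim suggestion in Justin's
quoted reply below), as an added example that is not code from the original
thread or from any poster's product: a minimal HS256-signed ID Token whose 'sub'
is the impersonated user and whose 'ipb' claim names the impersonator, plus a
relying party that verifies the token, logs the real actor, and refuses
account-changing actions while an impersonation is in progress (the "limit some
functionality" option; it also covers the read-only scoping Bill Mills mentions
below). The issuer, audience, shared secret, action names and the write-action
policy are assumptions for the example; a real IdP would sign with an
asymmetric key published via JWKS. A relying party that never looks at 'ipb'
behaves exactly as it does today.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only. A production IdP would use RS256/ES256
# with a published JWKS rather than a shared HS256 secret.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example"        # hypothetical issuer
AUDIENCE = "rp-client-1"              # hypothetical client_id of the relying party
IMPERSONATION_CLAIM = "ipb"           # "impersonated by", as proposed in the thread


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_id_token(target_sub, impersonator_sub=None, now=None, ttl=300):
    """IdP side. 'sub' is always the account the session acts as; when an
    admin impersonates, 'ipb' additionally names the real actor."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": target_sub,
              "iat": now, "exp": now + ttl}
    if impersonator_sub is not None:
        claims[IMPERSONATION_CLAIM] = impersonator_sub
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token, now=None):
    """RP side. Validate alg, signature, iss, aud and exp before trusting any
    claim, including 'ipb'; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # rejects 'none' and alg confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


# Hypothetical RP policy: actions an impersonating admin may not perform as the
# target user. Everything else stays allowed, so an RP without this check, or a
# session without 'ipb', is unaffected.
WRITE_ACTIONS = {"change_password", "change_email", "delete_account"}


def authorize(claims, action, audit_log):
    """Return True if the action is allowed. Every decision is appended to
    audit_log with the real actor, so impersonated activity is attributable."""
    actor = claims.get(IMPERSONATION_CLAIM)
    allowed = not (actor is not None and action in WRITE_ACTIONS)
    audit_log.append({"sub": claims["sub"], "action": action,
                      "impersonated_by": actor, "allowed": allowed})
    return allowed


if __name__ == "__main__":
    log = []
    token = issue_id_token("alice", impersonator_sub="admin-bob")
    claims = verify_id_token(token)
    for act in ("view_profile", "change_password"):
        print(act, "->", authorize(claims, act, log))
    print(json.dumps(log, indent=2))
```

The relying party must verify the signature before honouring or ignoring 'ipb':
without that, a client that can edit the payload could strip the claim and turn
an audited impersonation into an ordinary session.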


On Mon Feb 16 2015 at 7:36:23 AM Justin Richer <jricher@mit.edu> wrote:

> Another question is whether or not you can use rights delegation (ie
> vanilla OAuth) or if you really do need impersonation. You may be able to
> get the desired results with less complexity that way.
>
>
> -- Justin
>
> / Sent from my phone /
>
>
> -------- Original message --------
> From: Bill Burke <bburke@redhat.com>
> Date:02/16/2015 10:20 AM (GMT-05:00)
> To: Bill Mills <wmills_92105@yahoo.com>, Justin Richer <jricher@mit.edu>,
> oauth <oauth@ietf.org>
> Cc:
> Subject: Re: [OAUTH-WG] user impersonation protocol?
>
> Yeah, I know its risky, but that's the requirement.  Was just wondering
> if there was any protocol work being done around it, so that we could
> avoid doing a lot of the legwork to make it safe/effective.  Currently
> for us, we need to do this between two separate IDPs, which is where the
> protocol work comes in...If it was just a single IDP managing
> everything, then it would just be an internal custom IDP feature.
>
> Thanks all.
>
>
>
> On 2/16/2015 12:37 AM, Bill Mills wrote:
> > User impersonation is very very risky.  The legal aspects of it must be
> > considered.  There's a lot of work to do to make it safe/effective.
> >
> > Issuing a scoped token that allows read-only access can work with the
> > above caveats.  Then properties/components have to explicitly support
> > the new scope and do the right thing.
> >
> >
> > On Sunday, February 15, 2015 8:34 PM, Justin Richer <jricher@mit.edu>
> wrote:
> >
> >
> > For this case you'd want to be very careful about who was able to do
> > such impersonation, obviously, but it's doable today with custom IdP
> > behavior. You can simply use OpenID Connect and have the IdP issue an id
> > token for the target user instead of the "actual" current user account.
> >
> > I would also suggest considering adding a custom claim to the id token
> > to indicate this is taking place. That way you can differentiate where
> > needed, including in logs.
> >
> > -- Justin
> >
> > / Sent from my phone /
> >
> >
> > -------- Original message --------
> > From: Bill Burke <bburke@redhat.com>
> > Date:02/15/2015 10:55 PM (GMT-05:00)
> > To: oauth <oauth@ietf.org>
> > Cc:
> > Subject: [OAUTH-WG] user impersonation protocol?
> >
> > We have a case where we want to allow a logged in admin user to
> > impersonate another user so that they can visit different browser apps
> > as that user (So they can see everything that the user sees through
> > their browser).
> >
> > Anybody know of any protocol work being done here in the OAuth group or
> > some other IETF or even Connect effort that would support something like
> > this?
> >
> > Thanks,
> >
> > Bill
> >
> > --
> > Bill Burke
> > JBoss, a division of Red Hat
> > http://bill.burkecentral.com
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>