Re: [OAUTH-WG] JWT Token on-behalf of Use case

Justin Richer <jricher@mit.edu> Wed, 01 July 2015 12:18 UTC

Message-ID: <5593DA7D.80401@mit.edu>
Date: Wed, 01 Jul 2015 08:18:05 -0400
From: Justin Richer <jricher@mit.edu>
To: oauth@ietf.org
References: <6B22D19DBF96664DBF49BC7B326402B42739A904@xmb-aln-x09.cisco.com> <BY2PR03MB442205D40E8F1ECD88082F2F5AE0@BY2PR03MB442.namprd03.prod.outlook.com> <55928DB3.7090300@gmail.com> <5593C270.7000008@gmail.com>
In-Reply-To: <5593C270.7000008@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/KK63txR7OyoFu_XUR01R6d1nPeA>

As it's written right now, it's a translation of some WS-* concepts into 
JWT format. It's not really OAuth-y (since the client has to understand 
the token format along with everyone else, and according to the authors 
the artifacts might not even be "OAuth tokens"), and that's my main 
issue with the document. Years ago, I proposed an OAuth-based token swap 
mechanism:

https://tools.ietf.org/html/draft-richer-oauth-chain-00

This works without defining semantics of the tokens themselves, just 
like the rest of OAuth. I've proposed to the authors of the current 
draft that it should incorporate both semantic (using JWT) and syntactic 
(using a simple token-agnostic grant) token swap mechanisms, and that 
the two could be easily compatible.

  -- Justin

On 7/1/2015 6:35 AM, Sergey Beryozkin wrote:
> Hmm... perhaps the clue is in the draft title, token-exchange, so maybe 
> it is a case of the given access token ("on_behalf_of" or "act_as" 
> claim) being used to request a new security token. One can only guess, 
> though; it does not seem like the authors are keen to answer the newbie 
> questions...
>
> Cheers, Sergey
>
>
> On 30/06/15 13:38, Sergey Beryozkin wrote:
>> Hi,
>> Can you please explain what is the difference between On-Behalf-Of
>> semantics described in the draft-ietf-oauth-token-exchange-01 and the
>> implicit On-Behalf-Of semantics a client OAuth2 token possesses?
>>
>> For example, draft-ietf-oauth-token-exchange-01 mentions:
>>
>> "Whereas, with on-behalf-of semantics, principal A still has its own
>> identity separate from B and it is explicitly understood that while B
>> may have delegated its rights to A, any actions taken are being taken by
>> A and not B. In a sense, A is an agent for B."
>>
>> This is a typical case with the authorization code flow where a client
>> application acts on-behalf-of the user who authorized this application?
>>
>> Sorry if I'm missing something.
>>
>> Cheers, Sergey
>> On 25/06/15 22:28, Mike Jones wrote:
>>> That’s what
>>> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-01 is 
>>> about.
>>>
>>> Cheers,
>>>
>>> -- Mike
>>>
>>> *From:*OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Vivek 
>>> Biswas
>>> -T (vibiswas - XORIANT CORPORATION at Cisco)
>>> *Sent:* Thursday, June 25, 2015 2:20 PM
>>> *To:* OAuth@ietf.org
>>> *Subject:* [OAUTH-WG] JWT Token on-behalf of Use case
>>>
>>> Hi All,
>>>
>>>    I am looking to solve a use-case similar to WS-Security On-Behalf-Of
>>> <http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658980>
>>> with OAuth JWT Token.
>>>
>>>    Is there a standard claim which we can define within the OAuth JWT
>>> which denotes the On-behalf-of User?
>>>
>>> For example, a Customer Representative trying to create a token on behalf of
>>> a customer and trying to execute services specific for that specific
>>> customer.
>>>
>>> Regards,
>>>
>>> Vivek Biswas,
>>> CISSP
>>>
>>> *Cisco Systems, Inc <http://www.cisco.com/>*
>>>
>>> *Bldg. J, San Jose, USA,*
>>>
>>> *Phone: +1 408 527 9176*
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>
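As an added illustration, not code from this thread or from either draft, of the on-behalf-of semantics Sergey quotes above: `sub` carries the acting principal A (e.g. the customer representative in Vivek's use case) and the `on_behalf_of` claim names the delegating principal B, and the resource server keeps the two identities distinct. The issuer URL, principal names, audience and the HS256 demo key are constructed assumptions; how the draft itself positions the claim is not taken from the page.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; an authorization server would use a managed key.
SECRET = b"demo-shared-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_on_behalf_of_token(actor: str, delegator: str, audience: str,
                            scope: str, ttl: int = 300) -> str:
    """Issue an HS256 JWT where `sub` is the acting principal (A) and
    `on_behalf_of` names the principal whose rights were delegated (B)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"iss": "https://as.example", "sub": actor, "on_behalf_of": delegator,
              "aud": audience, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_delegation(token: str, expected_aud: str) -> dict:
    """Resource-server check: pin the algorithm, verify signature, audience and
    expiry, then report who acts and on whose behalf without merging the two."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # refuse alg substitution
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    actor, delegator = claims.get("sub"), claims.get("on_behalf_of")
    # A remains A: an agent token must not collapse the actor into the delegator.
    if not actor or not delegator or actor == delegator:
        raise ValueError("on_behalf_of must name a principal distinct from sub")
    return {"actor": actor, "on_behalf_of": delegator, "scope": claims.get("scope")}
```

The returned dict lets the resource server authorize on B's rights while auditing the action as performed by A, which is the distinction the quoted draft text draws.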