Re: [OAUTH-WG] Following up on token exchange use case
Brian Campbell <bcampbell@pingidentity.com> Mon, 03 October 2016 19:44 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A6161294F4 for <oauth@ietfa.amsl.com>; Mon, 3 Oct 2016 12:44:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UnDGbIO1lZ8c for <oauth@ietfa.amsl.com>; Mon, 3 Oct 2016 12:44:28 -0700 (PDT)
Received: from mail-it0-x232.google.com (mail-it0-x232.google.com [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 822291294ED for <oauth@ietf.org>; Mon, 3 Oct 2016 12:44:28 -0700 (PDT)
Received: by mail-it0-x232.google.com with SMTP id o19so107588850ito.1 for <oauth@ietf.org>; Mon, 03 Oct 2016 12:44:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kiPOliRZGiJ/HeAVPa/xb42GvbZIB6dkLvtBk6me8JY=; b=CLRSRJroaoeJ+bx619RLgAzJI9xHwt9kUZ8RljTDxaPvlIYbLu4JdLVkvoJMQVJgmt DvoqxnqsH3IkGDvhG/cPMMbde8SgVBRWXzoAvIi4700T50Q6S0eD/aZyPgBMN+dVR2Ww 3ZpaS4CkaWZj37MsWDvsdAJCrJugWTRBIsPZE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kiPOliRZGiJ/HeAVPa/xb42GvbZIB6dkLvtBk6me8JY=; b=I2apAbK30vKV/8RNXuQrLGL50VN20LmceY98hadOGkVuJhJqRppiioYvzFmE3cJnrq gK5WJ6KtHF4IAJHsqYDFlN85+38aMXKEP2vVcY2Eu0USjkVAk72iQVsR7h9KXxRhAM8Z Wbt3l5ryFWC4SIwCCjZnlIqrslRYIicOx4lhzxmpDqRidXC+nY51DpnMPeopw8BavhdK 5XS7GTXFDvP33mDZBr78LMjo41UM5iF7HenEEEw/zAywNHx6aZjbMo6HxmdfX4N8vbkb 7+3qwDWV6RGZKKw785q0UT7KUTD8xP1Qpq8pwn6YVIjWiqDBbXOFGxIxQpjapjDKO1F+ mA+Q==
X-Gm-Message-State: AA6/9RkUueolLNjQY7CJttZwEF+IS9bNX1/fg+d15xyXZ+5QaVe1dAdBz7U5g+0VFeu92JGucXUMz07ycfkuSCC8
X-Received: by 10.36.129.193 with SMTP id q184mr333224itd.35.1475523867758; Mon, 03 Oct 2016 12:44:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.6.141 with HTTP; Mon, 3 Oct 2016 12:43:57 -0700 (PDT)
In-Reply-To: <CA+k3eCQfU943iCpAm8GxJchddMhFmXi-uVdV_rF_BVf0HyuJBg@mail.gmail.com>
References: <CA+k3eCSKKYC1HTcUFSv7nMjksK-ny62YoZQm1qM6-kn3xwQCpg@mail.gmail.com> <CA+k3eCQ7XFya0stc4XP8r0FCc7vHtNpE5ESZL64n=2sujwvivg@mail.gmail.com> <F30FF116-4306-40CE-9D26-2F8E7EE6B635@mit.edu> <SN1PR0301MB2029A0BBD8C0E7AB3DB01A45A6FB0@SN1PR0301MB2029.namprd03.prod.outlook.com> <CA+k3eCQfU943iCpAm8GxJchddMhFmXi-uVdV_rF_BVf0HyuJBg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 03 Oct 2016 13:43:57 -0600
Message-ID: <CA+k3eCRrzErmGDBH4C=LPP+xyHPd4sbN1PwjEEY_R_-P_uGGyw@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary="94eb2c08bc7efefbe9053dfb2b2d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KKzaWRSdmqpVmjrZl6lqNw2Yzik>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Following up on token exchange use case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Oct 2016 19:44:31 -0000
Would your use-case be better accommodated by changing the requiredness of the request parameters so that it'd be sufficient to provide either the subject_token or the actor_token? I've always felt that it was simpler and more straightforward to always have the subject token. And that cases where the requesting system or server was the only entity involved could simply use the subject_token to represent themselves. But perhaps that's too narrow of a view. I'm trying to work with you on this. Are there opinions one way or the other from others in the WG? I'd like to, of course, get some level of consensus around this. I'd like to publish a -06 draft soon and move things forward. I've got a few other smallish changes queued up but this has been sitting for 3+ weeks. So I'm looking to get to a resolution. On Fri, Sep 9, 2016 at 2:14 PM, Brian Campbell <bcampbell@pingidentity.com> wrote: > Despite not fully following all of that, I would like to try and > understand if there are reasonable changes that could be made to > accommodate what you're looking for. > > What if we changed the subject_token parameter from REQUIRED to OPTIONAL > and then require at least one of subject_token or actor_token? That would > seem to allow for the 2 distinct functions you mention. > > On Thu, Sep 8, 2016 at 4:52 PM, Anthony Nadalin <tonynad@microsoft.com> > wrote: > >> Things have gotten so muddled not sure where to begin, the original goal >> of this draft was to provide the function that we use in daily high volume >> production of WS-Trust as we transition to Oauth. WS-Trust provided many >> options, one was ActAs and the other was OnBehalfOf, these were 2 distinct >> functions but could be combined (and thus the results are of a composite >> nature). There were also other options like delegateTo, Forwardable and >> Delegatable. So we have use cases for all these. >> >> >> >> So we have straight forward scenarios for (1) a token request to be on >> behalf of a given/specified token, we also have a straight forward scenario >> for (2) requesting a token based upon a specific token. We also have >> complex scenarios for combining the semantics of both (1) and (2) where >> the token request is on behalf of a specific token and the request is based >> upon a specific token, this happened a lot in our server to server >> scenarios for access to backend documents and services. Where we have >> chained services this is where the delegateTo, Forwardable and Delegatable >> options come into the scenario. >> >> >> >> The way that this current specification is structured and written the >> Subject is always required which is a not a good thing since there may not >> be a subject, as basic token requests don’t have to have subjects (just >> authentication credentials), thus you can’t get the semantics of (2) >> without (1). Now the semantics of combing (1) and (2) seem to be not >> understood and wanting to be removed. >> >> >> >> >> >> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Justin >> Richer >> *Sent:* Saturday, August 27, 2016 3:26 PM >> *To:* Brian Campbell <bcampbell@pingidentity.com> >> *Cc:* <oauth@ietf.org> <oauth@ietf.org> >> *Subject:* Re: [OAUTH-WG] Following up on token exchange use case >> >> >> >> No objections. Simplification is better, and this spec is already fairly >> convoluted with all the options turned on. >> >> >> >> — Justin >> >> >> >> On Aug 26, 2016, at 1:30 PM, Brian Campbell <bcampbell@pingidentity.com> >> wrote: >> >> >> >> Looking for two things here: >> >> 1) Any objections to removing the want_composite request parameter? >> Please explain, if so. I plan to remove it in the next draft barring an >> outpouring of support to keep it. >> >> 2) Tony to explain his use case and describe what changes would be needed >> to accommodate it. >> >> >> >> On Mon, Aug 1, 2016 at 2:00 PM, Brian Campbell < >> bcampbell@pingidentity.com> wrote: >> >> During the meeting in Berlin Tony voiced concern about a use case he had >> for token exchange. Honestly, it's still not entirely clear to me what that >> use case is or what would need to change in support of it. I'd like to >> better understand the use case and see if it's something that can >> reasonably be accommodated with Token Exchange. During the meeting Tony >> referred back to an earlier email where he said, "want_composite is not >> really the effect we are looking for since it provides for a single token, >> the use case we have is where you want the ability to use the subject_token >> and the actor_token in combination and not as a composite of only the >> claims." >> >> The want_composite parameter came about during some iterative work on the >> document (between I-D publications) last year. At first the client could >> express that it wanted a composite token, one containing delegation >> semantics, with the inclusion of the actor_token parameter. One of the >> other editors suggested, however, that the actor_token token might be >> necessary for authorization in cases even when the client wasn't asking for >> a composite token and that placing the desire for delegation semantics on >> it was overloading the parameter too much. I introduced the want_composite >> parameter to give the client such a signal independent of the actor_token >> parameter. My (admittedly incomplete) understanding of WS-Trust is that the >> client/requester can make such an indication and I was trying to follow >> that model. However, I'm not sure it's needed or even makes much much >> sense. Ultimately it's the server's decision about how to construct the >> issued token and what to include in it. It is the server's policy, not a >> client signal, which makes the determination. So the want_composite >> parameter is really just noise that makes the spec longer. And, from the >> quote above, seems might also lead some readers to incorrect conclusions >> about what can and cannot be returned in a token exchange. >> >> I'd propose then that the want_composite parameter be dropped from the >> document. >> >> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> > >
- [OAUTH-WG] Following up on token exchange use case Brian Campbell
- Re: [OAUTH-WG] Following up on token exchange use… Brian Campbell
- Re: [OAUTH-WG] Following up on token exchange use… Justin Richer
- Re: [OAUTH-WG] Following up on token exchange use… Anthony Nadalin
- Re: [OAUTH-WG] Following up on token exchange use… Brian Campbell
- Re: [OAUTH-WG] Following up on token exchange use… Brian Campbell