[OAUTH-WG] SUB and AUD configuration for web identity authentication
Warren Parad <wparad@rhosys.ch> Wed, 20 October 2021 08:48 UTC
To: "oauth@ietf.org" <oauth@ietf.org>
In-Reply-To: <SA2PR00MB100244DAAD267EBD2FF51678F5B79@SA2PR00MB1002.namprd00.prod.outlook.com>
Message-ID: <CAJot-L1y=8YUHe7hqwVRunQL0A2z2S=3sTd66uYTYwucSLmNqg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/KaTqk6-qOq0gySg2xGWTFLxluJk>
There is a pattern where a user configures one credentialed entity for access to an RS, but controls neither the credentialed entity nor the RS. I might say technically the user is acting as the AS, but it isn't clear to me.

Concretely, CI/CD services such as GitHub and GitLab support runners that come with a JWT; whom this JWT should be issued to is not exactly clear. These tokens are intended to be used with third-party RSs such as AWS IAM to authenticate and access resources in AWS. (AWS reference <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc.html>)

Currently, GitLab is prototyping support for this access and wants to know what's a good, meaningful value for the AUD to be. (GitLab context <https://gitlab.com/gitlab-org/gitlab/-/issues/216259#note_708055501>)

Personally, while I'm able to specify who is the client, RS, and AS, it doesn't feel exactly like it's something directly supported by any RFC, but it does seem like it should be. (AWS = RS, GitLab job = user, GitLab server = AS)

Due to the nature of what's available for configuration on both sides, it's likely they want to go with altering the AUD to point at the git repository URL where the token comes from, rather than the RS, which would likely be the AWS account.

The closing thought I have is that if we suspend for one moment expectations about who is authorized by whom, it's possible to also see that AWS is the AS, and the GitLab runner is a client using the jwt-bearer credentials grant.

Is there anyone that wants to weigh in on this? It's a potentially great opportunity to drive the right practice at the right time. (I'm happy to relay any outcome back to the thread, or feel free to post directly on the GitLab issue <https://gitlab.com/gitlab-org/gitlab/-/issues/216259#note_708055501>.)

- Warren

Warren Parad
Founder, CTO
Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.
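Added example, not part of Warren's message or of any GitLab or AWS code: a small model of what the RS side of the pattern above has to check when it accepts a CI/CD job token, whichever party one chooses to call the AS. It pins the signature, issuer, audience and expiry, and then applies a trust policy in the style of the AWS IAM OIDC conditions (exact match on `aud`, wildcard match on `sub`) so that a token from a different repository or branch of the same issuer cannot assume the role. All names and values are constructed: the issuer URL, the repository-URL audience, the `repo:...:ref:...` subject format, and the HMAC signing key (real CI providers sign with asymmetric keys published via JWKS; HS256 is used only so the example runs offline).

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only. A real identity provider
# publishes RSA/EC public keys via JWKS; HMAC is substituted here so the
# example runs without a network or a key pair.
SIGNING_KEY = b"example-shared-secret-not-for-production"

# Assumed issuer and audience values. The audience is the repository URL,
# which is the option the message above says GitLab is leaning towards.
ISSUER = "https://ci.example.test"
ROLE_AUDIENCE = "https://ci.example.test/example-org/payments"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict) -> str:
    """Mint an HS256 JWT (stand-in for the CI provider's signer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def job_token(sub: str, aud: str, now: float) -> str:
    """Constructed job token with a five-minute lifetime."""
    return make_jwt({"iss": ISSUER, "sub": sub, "aud": aud, "iat": int(now), "exp": int(now) + 300})


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the payload but keep the old signature (used to show the signature check)."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["sub"] = new_sub
    return h + "." + b64url(json.dumps(claims).encode()) + "." + s


def verify_jwt(token: str, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Return the claims if signature, issuer, audience and expiry all check out, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


# Trust policy in the shape of an IAM OIDC role condition: the audience must
# match exactly and the subject must match a pattern naming repo and branch.
TRUST_POLICY = {
    "StringEquals": {"aud": ROLE_AUDIENCE},
    "StringLike": {"sub": "repo:example-org/payments:ref:refs/heads/main"},
}


def evaluate_trust_policy(claims: dict, policy: dict) -> bool:
    for key, want in policy.get("StringEquals", {}).items():
        value = claims.get(key)
        if want not in (value if isinstance(value, list) else [value]):
            return False
    for key, pattern in policy.get("StringLike", {}).items():
        value = claims.get(key)
        if not isinstance(value, str) or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def assume_role(token: str, policy: dict, now=None):
    """RS-side decision: (True, sub) when the job may act as the role, else (False, reason)."""
    try:
        claims = verify_jwt(token, ISSUER, policy["StringEquals"]["aud"], now)
    except ValueError as err:
        return (False, str(err))
    if not evaluate_trust_policy(claims, policy):
        return (False, "trust policy denied")
    return (True, claims["sub"])
```

The point the policy makes explicit is that a per-repository `aud` alone is not enough: if the RS checks only issuer and audience, every branch and merge request of that repository gets the role, so the `sub` condition carries the actual authorization decision. If the `aud` were instead the RS identifier (the AWS account), the `sub` pattern would be the only thing separating one repository's jobs from another's, which makes a wildcard-free `sub` condition even more important.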