Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token
Kai Lehmann <kai.lehmann@1und1.de> Fri, 05 April 2024 10:13 UTC
Return-Path: <kai.lehmann@1und1.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 103FCC14F6B5; Fri, 5 Apr 2024 03:13:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.164
X-Spam-Level:
X-Spam-Status: No, score=-2.164 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.08, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=1und1.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id heSBQ5reetzk; Fri, 5 Apr 2024 03:13:30 -0700 (PDT)
Received: from moint.1and1.com (moint.1and1.com [212.227.15.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 537C7C14F6EC; Fri, 5 Apr 2024 03:13:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=1und1.de; s=corp1; h=MIME-Version:Message-ID:Date:Subject:CC:To:From:sender:reply-to; bh=XMkEtxZM9yw6Y9Wvs0rylqsOuGINQ9fQKbNs+94w1Gk=; b=vHaM4O1oLB0fEAa+xGXcFyWbr VPCLodhUKg/AV+QSdtU+Nlf4W3NnoGNpntyGAxR7bD2XC3ITDag68ojbYOq1+0+mwVIBmSVZvjt9L mX23J2J9svjq58hvmgxAJvJJcYb4WwB54fxtnRp7MNilqkRX/QHTyrCoEy5MAb89TN3vBhFFT/Ne9 7lDCAFEdl+EstLmVHbtrwSUWLKuvUsKaGElNJi3WWOkCM25v7XOEk3e5kRmev7aNV3tVxpxovjVCw eOQo6FEac1Mzamear5MOH30DJdxHUItC2d4YplX/GjZ+bKtQVDLMKKiW/RNzfmgRJZW+GnMc2TCMe Anc79V3lA==;
Received: from [10.98.28.6] (helo=KAPPEX021.united.domain) by mrint.1and1.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <kai.lehmann@1und1.de>) id 1rsgZF-0000q7-CK; Fri, 05 Apr 2024 12:13:05 +0200
From: Kai Lehmann <kai.lehmann@1und1.de>
To: Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>, Atul Tulshibagwale <atul@sgnl.ai>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token
Thread-Index: AQHaggAx7BRgvGYV7EmM/IFoFYRyHbFWr7IAgAHiOYCAAAq1AIAA4xEA
Date: Fri, 05 Apr 2024 10:13:04 +0000
Message-ID: <BE16B049-6229-4594-B708-DC64E2FA2C86@1und1.de>
References: <CANtBS9djWszOjH_ArUTP8tCAaJJvSJ2Do26M99eU+1ayqwrjyw@mail.gmail.com> <CAOgPGoDGjiKYojnD6SAZgZnd6W8nPuqxg9qP=CHGZ8YJCJRerw@mail.gmail.com> <CANtBS9f2R3dhtwbp_4iP5D2gPRu8Agb1oNACFPm6M1TatZeQ9Q@mail.gmail.com> <CAOtx8D=L8oY+b33aCJhNK4xHtaOet5g1m1DVGRH2jF0G7O=ATQ@mail.gmail.com>
In-Reply-To: <CAOtx8D=L8oY+b33aCJhNK4xHtaOet5g1m1DVGRH2jF0G7O=ATQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.83.24033013
x-originating-ip: [10.98.29.55]
Content-Type: multipart/alternative; boundary="_000_BE16B04962294594B708DC64E2FA2C861und1de_"
MIME-Version: 1.0
X-Virus-Scanned: ClamAV@mvs-ha-bs
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MGLp2nDqjhGoAOGXfCIjhZ07jNo>
Subject: Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Apr 2024 10:13:34 -0000
Hi, that is my thought as well. It does not necessarily be a Token Exchange profile, but the Token endpoint makes sense as Tokens are issued. Defining a specific Token grant with the necessary input parameters would fit nicely. Best regards, Kai From: OAuth <oauth-bounces@ietf.org> on behalf of Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org> Date: Friday, 5. April 2024 at 00:41 To: Atul Tulshibagwale <atul@sgnl.ai> Cc: oauth <oauth@ietf.org> Subject: Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token Hello Atul, As an alternative to Token Exchange and separate (new) endpoint, have you ever considered OAuth 2.0 Extension Grants<https://datatracker.ietf.org/doc/html/rfc6749#section-4.5>? This could give us more flexibility as will let us define our own set of input parameters and validation rules (opposite to Token Exchange that restricts us to subject_token and friends). Regards, Dmitry On Thu, Apr 4, 2024 at 11:02 PM Atul Tulshibagwale <atul@sgnl.ai<mailto:atul@sgnl.ai>> wrote: Thanks very much for your feedback, Joe! On Wed, Apr 3, 2024 at 10:16 AM Joseph Salowey <joe@salowey.net<mailto:joe@salowey.net>> wrote: Hi Atul, I'm just starting to review the transaction tokens draft and have only a minimal understanding of the token exchange document at this point so I'm lacking a little background, but I have a few comments and questions below. On Fri, Mar 29, 2024 at 10:39 AM Atul Tulshibagwale <atul@sgnl.ai<mailto:atul@sgnl.ai>> wrote: Hi all, We had a meeting today (notes here<https://hackmd.io/@rpc-sec-wg/HJNXYKkk0>) in which we discussed the question of what we should do if there is no incoming (external) token in the request to issue a Transaction Token<https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/> (TraT). We identified a few circumstances under which this can happen: * The requesting service is triggered by a non-OAuth based flow such as email or an internal trigger * The client of the requesting service uses means other than an access token to authorize the call (e.g. MTLS) [Joe] I think there will be a fair number of systems that support means of authorizing non-oauth flows. We identified a few possibilities listed below. Please note that the Transaction Tokens draft assumes that the TraT Service trusts the requesting service, so all the possibilities below assume this. [Joe] yes, you are trusting another part of the system to perform some authorization and inform the token service of the result. Here are some possibilities we discussed: 1. Request Details: Put the subject information in the request_details parameter of the TraT request, and the subject_token value is set to "N_A" 2. Self-Signed Token: The requester generates a self-signed JWT that has the subject information and puts that in the subject_token value [Joe] I like having signed tokens, but if this is really information just exchanged between two endpoints it may be more work than necessary. 1. Separate Separate Endpoint: The TraT service exposes a separate endpoint to issue TraTs when there is no incoming token, and that endpoint can be defined such that the request does not have a subject_token parameter. This endpoint is not a profile of OAuth Token Exchange 2. Separate Endpoint Only: Extending the thought above, the requester can always extract the content of the incoming token into the "request_details" parameter, so why do we need the Token Exchange endpoint [Joe] What do we gain by using token exchange? While it seems that there is overlap between delegation/impersonation it seems that transaction tokens are sort of a superset and contain additional information about the context of the transaction. If it looks like token exchange is too constraining then transaction tokens may just be a different use case. With the understanding I currently have I'd either go with 4. Separate Endpoint Only or 2. Self Signed token. Splitting the endpoints could be valid, but it seems a bit weird for me, if we did decide to do that then probably we wouldn't need to sign the information unless the request is going to traverse multiple systems. We would like to understand how the group feels about these choices, or if you have other suggestions / thoughts on this topic. Thanks, Atul -- [Image removed by sender.]<https://sgnl.ai/> Atul Tulshibagwale CTO [Image removed by sender.]<https://linkedin.com/in/tulshi>[Image removed by sender.]<https://twitter.com/zirotrust>[Image removed by sender.]<mailto:atul@sgnl.ai> _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Transaction Tokens issuance in the abs… Atul Tulshibagwale
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Joseph Salowey
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Atul Tulshibagwale
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Dmitry Telegin
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Kai Lehmann
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Brian Campbell
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Atul Tulshibagwale
- Re: [OAUTH-WG] [External Sender] Re: Transaction … George Fletcher
- Re: [OAUTH-WG] [External Sender] Re: Transaction … Kai Lehmann
- Re: [OAUTH-WG] [External Sender] Re: Transaction … George Fletcher
- Re: [OAUTH-WG] [External Sender] Re: Transaction … Kai Lehmann