IETF Logo Mail Archive

Re: [OAUTH-WG] Token Chaining Use Case

Justin Richer <jricher@mit.edu> Thu, 26 March 2015 20:15 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 582A41B2E58 for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 13:15:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z4qmzXGhFD-s for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 13:15:43 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71C461B2E39 for <oauth@ietf.org>; Thu, 26 Mar 2015 13:15:43 -0700 (PDT)
X-AuditID: 12074425-f79ca6d000000e5e-df-551468edd8bd
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP id 8E.20.03678.DE864155; Thu, 26 Mar 2015 16:15:41 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id t2QKFa9E007045; Thu, 26 Mar 2015 16:15:37 -0400
Received: from dhcp-b47c.meeting.ietf.org (dhcp-b47c.meeting.ietf.org [31.133.180.124]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2QKFXts029837 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 26 Mar 2015 16:15:35 -0400
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
Content-Type: multipart/signed; boundary="Apple-Mail=_2E2FD031-6213-4A06-9039-FBD98CEA9781"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail 2.5b6
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <2574ED86-AC5F-4140-9A6D-0D4DEA0A2690@oracle.com>
Date: Thu, 26 Mar 2015 15:15:33 -0500
Message-Id: <91BF31B4-BDE5-4912-BFBE-C9FD8EB07A96@mit.edu>
References: <D0E09E09-A803-427A-ACA9-D9E3F3EF31E5@mit.edu> <2574ED86-AC5F-4140-9A6D-0D4DEA0A2690@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: Apple Mail (2.2070.6)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrDKsWRmVeSWpSXmKPExsUixG6novs2QyTU4H+jmcXJt6/YLBbMb2R3 YPJYsuQnk8fHp7dYApiiuGxSUnMyy1KL9O0SuDIW/VQsuGJS8WzXApYGxudaXYycHBICJhJf /7QzQdhiEhfurWfrYuTiEBJYzCTx8tkFKGcjo8S3y/9ZIZwrTBKXLr1lA2kRFtCXWL69jxXE 5hUwkJh76gvYKGaBKYwS504qQoyVkmh6fYwRxGYTUJWYvqYFrIZTwE5iyftrzF2MHBwsQPHd /TUgJrOAukT7SReIiVYSy/qXs4OEhQRyJL5eAmsUEVCR+Hb1OiNIWEJAXqJnU/oERsFZSE6Y heQECFtbYtnC18wQtqbE/u7lLBC2vMT2t3Og4pYSi2fegIrbStzqWwA1x07i0bRFrAsYOVYx yqbkVunmJmbmFKcm6xYnJ+blpRbpWujlZpbopaaUbmIER4yL6g7GCYeUDjEKcDAq8fD+7BcO FWJNLCuuzD3EKMnBpCTKy5QoEirEl5SfUpmRWJwRX1Sak1p8iFEFaNejDasvMEqx5OXnpSqJ 8DrHAtXxpiRWVqUW5cOUSXOwKInzbvrBFyIkkJ5YkpqdmlqQWgSTleHgUJLgrUwHahQsSk1P rUjLzClBSDNxcB5ilODgARq+DaSGt7ggMbc4Mx0if4pRUUqc9wJIQgAkkVGaB9cLS3SvGMWB 3hLmlQKmPSEeYJKE634FNJgJaPC5fD6QwSWJCCmpBsZdOhNqXJccDFP2zr62O6i/bHrtz5/s 8SH1DFmzU/conJr0nz3tiiTjp6PydneTsrRsvgXdcbqfMPX7Du4t/6oOrTn4MaLCMPLCTafF XefX5970CLy+7+OqqeyCVycJ3Za2aP1wPFhQ7ly8f0Qud9nj1ad///tWvEBAMG7TrkfnD6iU r/vh+DFGiaU4I9FQi7moOBEA17CxCk8DAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/NzFHw_TWrZ1f_XsLd5UetffuZ04>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Chaining Use Case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 20:15:46 -0000

Your service layout will determine whether or not each bit calls the same AS that issued the original token, since you can easily do it across boundaries if your AS takes in cross domain tokens. That’s another benefit of having it be a generic token swap, you can build it out using the same mechanism and get both behaviors.

The AS could reject the swap for any number of conditions: wrong client asked, token is expired, scopes don’t align, bad token, etc.

You can always optimize your system such that you just send a high-powered token down the chain, in which case you’re not using token swapping. This is not for those cases, obviously. This is for the cases when you *are* doing token swapping and usually downscoping the privileges.

 — Justin

> On Mar 26, 2015, at 2:53 PM, Phil Hunt <phil.hunt@oracle.com> wrote:
> 
> What if A calls be with it’s own authorization token (server token ST1) and passes AT1 in another header e.g. on-behalf-of.
> 
> You save a call and can still check the scope downstream. Further, service B and C can each check whether ST1 and ST2 had the right to wield AT1 even when AT1’s POP proof is a proof of the external client.
> 
> The only reason I can think to call the AS is if there is some dynamic condition that might cause an AS to reject the swap.  If AT1 is valid, I can’t think of another reason why the answer isn’t already YES for all calls. If its no, its likely a permanent configuration problem not a dynamic decision.  In other words, B always expects A to call it on behalf of some one.  Likewise, C is always expecting B.
> 
> Phil
> 
> @independentid
> www.independentid.com
> phil.hunt@oracle.com
> 
>> On Mar 26, 2015, at 1:31 PM, Justin Richer <jricher@MIT.EDU> wrote:
>> 
>> As requested after last night’s informal meeting, here is the token chaining use case that I want to see represented in the token swap draft.
>> 
>> 
>> [ Client ]  ->   [ A ] -> [ B ] -> [ C ]
>> 
>> An OAuth client gets an access token AT1, just like it always would, with scopes [A, B, C] in order to call service A, which requires all three scopes. Service A (an RS) accepts this token since it has its scope, and then needs to call service B in turn, which requires scopes [B, C]. It could just re-send the token it got in, AT1, but that would give the downstream RS the ability to call services with scope [ A ] and it should not be allowed to do that. To limit exposure, service A calls a token swap at the AS to create AT2 with scopes [ B, C ], effectively acting as an OAuth client requesting a downscoped token based on AT1. Service A then acts as an OAuth client to call service B, now acting as an RS to service A’s client, and can fulfill the request. And it’s turtles all the way down: Service B can also call service C, and now B acts as a client, requesting AT3 with scope [ C ] based on AT2, and sending AT3 to service C. This prevents C from being able to call B or A, both of which would have been available if AT1 had been passed around. Note that service A or the Client can also request a downscoped token with [ C ] to call service C directly as well, and C doesn’t have to care how it got there.
>> 
>> 
>> In other words, it lets the client software be very, very dumb. It doesn’t have to do any special processing, doesn’t have to know what’s in the token, it just follows the recipe of “I got a token, I get another token based on this to call someone else”. It’s also analogous to the refresh token flow, but with access tokens going in and out. I’ve deployed this setup several times in different service deployments. Even though there is a performance hit in the additional round trips (as Phil brought up in another thread), in these cases the desire to have the tokens hold least privilege access rights (smallest set of scopes per service) outweighed any performance hit (which was shown to be rather small in practice).
>> 
>> What I want is for the token swap draft to define or use a mechanism that allows us to do this. I think we can do that pretty easily by adjusting the token swap syntax and language, and explicitly calling out the semantic processing portion (the current core of the document) for what it is: a way for a token issuer to communicate to a token service specific actions. At a high level, the spec would be something like:
>> 
>> 
>> 
>> 1. How to swap a token at an AS
>> 1. Send a request to the token endpoint with a new grant type, and a token (of any type/format/flavor) on the way in
>> 2. Get back a new token in a token response
>> 2. Communicating act as / on behalf of semantics via a JWT assertion
>> 1. How to create (as an AS/RS/client/other issuer) a JWT with act-as semantics
>> 2. What to do (as an AS/RS) with a JWT with act-as semantics
>> 3. How to create a JWT with on-behalf-of semeantics
>> 4. What to do with a JWT with on-behalf-of-semantics
>> 5. How to possibly represent these semantics with something other than a JWT
>> 
>> 
>> 
>> Section 2 uses the syntax from section 1. Other applications, like the one I laid out above, can use the syntax from section 1 as well. This works for structured, unstructured, self-generated, cross-domain, within-domain, and other tokens.
>> 
>> 
>> — Justin
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email