Re: [OAUTH-WG] user impersonation protocol?

Justin Richer <jricher@mit.edu> Mon, 16 February 2015 15:36 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/NzPtkpn6P47oVXTwMGqzQZrMxMA>

Another question is whether or not you can use rights delegation (i.e. vanilla OAuth) or if you really do need impersonation. You may be able to get the desired results with less complexity that way.


-- Justin

/ Sent from my phone /


-------- Original message --------
From: Bill Burke <bburke@redhat.com> 
Date:02/16/2015  10:20 AM  (GMT-05:00) 
To: Bill Mills <wmills_92105@yahoo.com>, Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org> 
Cc:  
Subject: Re: [OAUTH-WG] user impersonation protocol? 

Yeah, I know it's risky, but that's the requirement.  Was just wondering 
if there was any protocol work being done around it, so that we could 
avoid doing a lot of the legwork to make it safe/effective.  Currently 
for us, we need to do this between two separate IDPs, which is where the 
protocol work comes in... If it was just a single IDP managing 
everything, then it would just be an internal custom IDP feature.

Thanks all.



On 2/16/2015 12:37 AM, Bill Mills wrote:
> User impersonation is very very risky.  The legal aspects of it must be
> considered.  There's a lot of work to do to make it safe/effective.
>
> Issuing a scoped token that allows read-only access can work with the
> above caveats.  Then properties/components have to explicitly support
> the new scope and do the right thing.
>
>
> On Sunday, February 15, 2015 8:34 PM, Justin Richer <jricher@mit.edu> wrote:
>
>
> For this case you'd want to be very careful about who was able to do
> such impersonation, obviously, but it's doable today with custom IdP
> behavior. You can simply use OpenID Connect and have the IdP issue an id
> token for the target user instead of the "actual" current user account.
>
> I would also suggest considering adding a custom claim to the id token
> to indicate this is taking place. That way you can differentiate where
> needed, including in logs.
>
> -- Justin
>
> / Sent from my phone /
>
>
> -------- Original message --------
> From: Bill Burke <bburke@redhat.com>
> Date:02/15/2015 10:55 PM (GMT-05:00)
> To: oauth <oauth@ietf.org>
> Cc:
> Subject: [OAUTH-WG] user impersonation protocol?
>
> We have a case where we want to allow a logged in admin user to
> impersonate another user so that they can visit different browser apps
> as that user (So they can see everything that the user sees through
> their browser).
>
> Anybody know of any protocol work being done here in the OAuth group or
> some other IETF or even Connect effort that would support something like
> this?
>
> Thanks,
>
> Bill
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
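The quoted suggestion above (have the IdP issue an ID token for the target user and add a custom claim marking that an admin is acting on that user's behalf, so the two cases can be told apart in logs) is sketched below as an added example; it is not code from the thread, from MIT or from Red Hat. The claim name "impersonated_by", the issuer, audience and key values are all constructed for this example, and the token is signed with HS256 using only the standard library so it runs offline; a real IdP would sign with an asymmetric key and the relying party would use a maintained JWT library. The check on who is permitted to impersonate whom lives at the IdP and is outside this example.

```python
"""Added example: ID token with a custom impersonation claim, plus the
relying-party verification and a distinguishing audit line.
Claim name, issuer, audience and key are constructed for this example."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

IMPERSONATION_CLAIM = "impersonated_by"   # hypothetical custom claim name
CONSTRUCTED_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://idp.example.test"       # constructed issuer
AUDIENCE = "browser-app-1"                # constructed client_id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, impersonated_by: Optional[str], key: bytes,
                   now: int, lifetime: int = 300) -> str:
    """IdP side: 'sub' is the user the apps will see. When an admin is
    acting as that user, the admin's identity goes in a separate claim so
    relying parties can tell an impersonated session from a normal one."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "iat": now, "exp": now + lifetime}
    if impersonated_by is not None:
        claims[IMPERSONATION_CLAIM] = impersonated_by
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, key: bytes, now: int) -> dict:
    """Relying-party side: check alg, signature, issuer, audience and
    expiry before trusting any claim, the impersonation marker included."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def is_impersonated(claims: dict) -> bool:
    """True when the verified token carries the impersonation marker."""
    return IMPERSONATION_CLAIM in claims


def audit_line(claims: dict, action: str) -> str:
    """App-side log line: an impersonated session names both parties, so
    the admin's actions are never attributed to the target user alone."""
    if is_impersonated(claims):
        return (f"IMPERSONATED actor={claims[IMPERSONATION_CLAIM]} "
                f"as={claims['sub']} action={action}")
    return f"user={claims['sub']} action={action}"


if __name__ == "__main__":
    now = int(time.time())
    tok = issue_id_token("alice", "admin-bob", CONSTRUCTED_KEY, now)
    print(audit_line(verify_id_token(tok, CONSTRUCTED_KEY, now), "view_inbox"))
```

The relying party treats the marker like any other claim: it is only meaningful after the signature, issuer, audience and expiry checks pass, and the app decides per-claim what an impersonated session may do (the read-only scope idea from the thread would be enforced at the same point).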