[OAUTH-WG] public clients and token exchange

Bill Burke <bburke@redhat.com> Mon, 02 April 2018 22:55 UTC

Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 4303212DA15 for <oauth@ietfa.amsl.com>; Mon, 2 Apr 2018 15:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 5QsAcIWK4ZWb for <oauth@ietfa.amsl.com>; Mon, 2 Apr 2018 15:55:22 -0700 (PDT)
Received: from mail-vk0-f52.google.com (mail-vk0-f52.google.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 533D31252BA for <oauth@ietf.org>; Mon, 2 Apr 2018 15:55:22 -0700 (PDT)
Received: by mail-vk0-f52.google.com with SMTP id m69so7151683vka.8 for <oauth@ietf.org>; Mon, 02 Apr 2018 15:55:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=ictT4EaRRky7Md0BsGbNuQ9j9GaFHd2LJpaK2m6VMgM=; b=VAViRHAbVd8AvXG8GKDXsLqGKrpUIgt6LVYgaPvT7ltU/ndaiU6dt9IYi7vrVGeftU KspRdjC++45PkQgavTKTeVt5fCxbWwseYKvuJL4fmQLWko0VJJeackoXzNSwNtzjEApu /6dIL3G/tadxHTeyUm7dnKdiQQ44Iuh+S9wIsgZYVlsWdnXuMkNu1MkDP3/AS025QESi kBzwe00RjBNZPjMUqct5u179j4dH0ffGgiR8EwNDNmL9xE7YaRHMZY9bupthZco7R4h0 3Vs+ahwPEK/o1LMh9d1LfDd+o0IZJK+r1cvDd2kMT6rE1RaiJMjci35Fj4I9jEmD3Orc 5sUQ==
X-Gm-Message-State: ALQs6tA6ZS3oLt+7UTAsb8oW4KsVQ+o16iOUxrDo7gZT0vgzzE0hWLR6 mYMTWFeLIPlxC/QCcrUlRDLJzwQ6GPdqWzn7JXL/4A==
X-Google-Smtp-Source: AIpwx49w11yaum4GnHswoyTaoMR85WiciTogba/XO8v1MrQKycM+aOVkqrYLoGCMBSItnQHaM7FfnGT9UHL8FfRwijE=
X-Received: by with SMTP id o3mr4648015vke.76.1522709721073; Mon, 02 Apr 2018 15:55:21 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 2 Apr 2018 15:55:20 -0700 (PDT)
From: Bill Burke <bburke@redhat.com>
Date: Mon, 02 Apr 2018 18:55:20 -0400
Message-ID: <CABRXCmx9hiFRQtU-vCbOZodLYdNp=t1RQNoYRYmpUA9=BKkdWw@mail.gmail.com>
To: OAuth WG <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OX3ziT1KbqD5odtk5LZwm_RfORk>
Subject: [OAUTH-WG] public clients and token exchange
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Apr 2018 22:55:24 -0000

We have a need for public clients to perform token exchanges.  Anybody
have any recommended policies for this?  I'm worried about untrusted
services obtaining a bearer token that they can exchange for upgraded
permissions.  The Auth Server has to put a lot of trust in the public
client to do the right thing.

What should be the initial access token the public client gets?

1) One approach is that it receives an access token devoid of
privileges.  This forces the public client to request an exchange
before invoking on anything.  Then what should be the validation
policy with teh Auth Server?  Do not allow upgrading of token unless
the token being exchanged has zero scopes/audiences?

2) Another approach is that the initial access token has all privilges
the public client needs and the public client downgrades the token
before performing invocations.  The auth server only needs to check
that the client is asking for a downgrade.

3) The last approach we are considering is a combination of #1 and to
only allow public clients to exchange a refresh token.  Being in
possession of a refresh token means that the public client has been
involved with a code to token flow, or a password credentials grant.
For code to token, this means the public client had a valid redirect
uri.  For password credentials grant, the client was trusted enough to
obtain user credentials.

Bill Burke
Red Hat