Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange

Brian Campbell <> Fri, 08 December 2017 17:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 45588127077 for <>; Fri, 8 Dec 2017 09:41:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id zBT4Hdyk5xy0 for <>; Fri, 8 Dec 2017 09:41:41 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C8405126DFB for <>; Fri, 8 Dec 2017 09:41:40 -0800 (PST)
Received: by with SMTP id b5so6459612itc.3 for <>; Fri, 08 Dec 2017 09:41:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+ybRA3YYnMcK3yKQH9Tb0aBGxlqb0CloVqNFZITBOWk=; b=Pgi9iohiWJ0s9OYWH2Ll5rsC51F+T6X7E7T7EGcaSeeErAQz+7SEWb14hTdTric38i jrRjcA8XJ7GyQk0xmBqkmt4jUoDGhM5drSHPKY84vum/ta6vt1Rl0Hn6LJ4L+5xZfINF GOPw6sRURcgXwDy1uhOlQaXwyocS0Mx8a415U=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+ybRA3YYnMcK3yKQH9Tb0aBGxlqb0CloVqNFZITBOWk=; b=n7LfD8Ya5xzBxWLx/2mAL5O5plaIVY73XYpEqK+gpHcfj4S/yxLCHeWdBkxxggybk7 CWMzm0EpUv78mpmqFQ7bgqob/ukbOpxfvUA1BKUi2Az3cUUqBdQhb/mW1zounXkpN2fJ z77ZvV2isUq59L/S1mvrLHYFCGceypNAjHmyZftJ9TnzEmf0O8jjVL+2sET/9asoxrr1 wF7xOjY/Z2+FHIDwgONq0Litt8mWQBHv7fJOfq2dT0BzhcS2OR1SuozeeAxuS3IWzamw GGs5IgBlrjEJGE0PGgpq9QFgntveZXV+cSHm3Ndx19Nu8K4ArsgWT+X3/X927cWvI1fD 5POg==
X-Gm-Message-State: AJaThX7vmy1yl0+2wv7qOr1GJ5QEOJKEU1nuNMUHLA7ix7HNaHKHl56+ JinMyT7mbs5NP/m64WiziJvmgj3Bz977dlva9E3vf2N+8hL8VbJ7Ig/SfSTXswTe8Like3wBNnB 1LCVQ+Oncj50ILQU/
X-Google-Smtp-Source: AGs4zMYWOk0p7pEyrqDB+/E44FC9cEMOoDyBqgY2Q7SXlDimu2QbjmYK7fD4v6QVwlgBCOSRCxjVKkGOT79LiSTKcC4=
X-Received: by with SMTP id w188mr44230776iow.301.1512754899821; Fri, 08 Dec 2017 09:41:39 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Fri, 8 Dec 2017 09:41:09 -0800 (PST)
In-Reply-To: <>
References: <>
From: Brian Campbell <>
Date: Fri, 8 Dec 2017 10:41:09 -0700
Message-ID: <>
To: Bill Burke <>
Cc: OAuth WG <>
Content-Type: multipart/alternative; boundary="001a11444bfa6fd680055fd7b283"
Archived-At: <>
Subject: Re: [OAUTH-WG] [token-exchange] Parameters to support external token exchange
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 08 Dec 2017 17:41:43 -0000

I guess I'm going to kind of restate some of what I said in that earlier
and a bit more. The access and refresh token URIs from the draft are
intended to indicate that such tokens are issued by the given authorization
server acting as the STS (perhaps this could be stated more clearly in the
doc). As such, there isn't direct explicit support for OAuth access token
to OAuth access token cross-domain type exchanges. That was intentional and
I think is appropriate as I don't believe this draft should delve into
pseudo federating access tokens and all the additional complexity and
security implications that entails. The assertion based authorization
grants (RFCs 7523 <> & 7522
<>) are intended to facilitate acquiring
an access token from an external or cross-domain AS and I prefer that more
explicit model for cross-domain than codifying a rather implicit way of
doing it in token exchange. A Facebook access token, for example, is issued
to a client for delegated access to Facebook APIs. It isn't for delegated
access to some other domain's APIs but an access token for access token
exchange effectively turns it into that. And in some situations that can
have problematic security implications. Big providers like Facebook have a
lot of apps (OAuth clients) that can get access tokens. An organization
might well be okay with an app it controls exchanging a Facebook access
token for an access token for its own APIs. But a 3rd party Facebook app
(like maybe a new viral rate my '80's hairdo app) doing the same thing
could be very problematic. It's not exactly the same thing but many of the
same potential issues arise as when using OAuth for User Authentication
<>. Standardization around access
token for access token exchange would, at a minimum, need some real
security analysis and recommendations/considerations.

The token exchange draft went thought WGLC some time ago and is currently
being written up by the document shepherd to send to the AD. It's close.
It's been a long time coming and I'd really object to derailing it by
making big additions to it at this late stage in the process.

If explicit support for directly swapping an access token from one AS for
an access token issued by a different AS is something this WG is interested
in working on, while admittedly I have my hesitations, I propose/suggest
that it be done in a new document. Such a document could but wouldn't
necessarily have to take the from of the additional extension parameters
you've mentioned. It could, for example, be a 'token profile' of sorts that
defines a new URI with an associated format that is some simple structure
that carries both the access token and issuer together. Something like
"urn:ietf:params:oauth:token-type:wrapped_foreign_access_token" and
- that's just spitballing but hopefully conveys the idea. The new document
would also have to cover the security considerations.

On Wed, Dec 6, 2017 at 2:31 PM, Bill Burke <> wrote:

> The Keycloak project (oss idp), has implemented [1] the token exchange
> draft (minus the actor token).  There's a couple of extensions we have
> made to allow external token exchange to work.  I'd like to get some
> consideration for these extensions to be added.  With proper
> configurations, clients are able to exchange between different domains
> and even social providers.  i.e. you can exchange a Facebook token for
> a token issued by the IDP.
> Here are the details:
> We added a 'subject_issuer' parameter.  Many OAuth IDPs have opaque
> access tokens and do not use JWTs for their access token (i.e.
> Facebook and Google).  If the 'subject_token_type' is
> 'urn:ietf:params:oauth:token-type:access_token' and the access token
> comes from an external provider, then the client must also pass a
> 'subject_issuer'.  The parameter value is something, anything that can
> the IDP can resolve to an external provider.  How the validation of
> this external token happens is implementation independent.
> As I stated a few months back in an earlier email thread, I do not
> think the 'audience' parameter would work for this type of external
> exchange.  It is just too overloaded.  Additionally, I think it is
> cleaner to specify an additional parameter rather than extracting
> issuer information from the 'subject_token_type'.  You could do this,
> but the spec would also have to define a URI scheme for
> 'subject_token_type' so that issuer information could be transmitted.
> We also added a 'requested_issuer' parameter.  This allows the client
> to request an external provider to obtain a token from.  Same reasons
> and rules as 'subject_token_type'.
> When 'requested_issuer' flow is done, user consent is often required
> before the request issuer can issue a token for the user.  When this
> is the case, a 400 response is returned with the following JSON
> document:
> {
>    "error" : "....",
>    "error_description" : "..."
>    "account-link-url" : "https://...."
> }
> The error claim will be either token_expired or not_linked.  The
> 'account-link-url' claim is a link that the client can forward an user
> agent to to obtain consent.  The client simply appends a
> 'redirect_uri' query parameter to this link and forwards the browser
> for consent.  This 'redirect_uri' must be a registered and valid
> redirect uri for the forwarding client.  After the redirect, the
> client can then make an exchange request.  For error conditions, the
> redirect_uri may by forwarded to with an additional 'error' query
> parameter depending on whether the IDP deams it safe to do so.
> Thanks,
> Bill
> [1]
> html#_token-exchange
> --
> Bill Burke
> Red Hat
> _______________________________________________
> OAuth mailing list

*CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you.*