Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
Mike Jones <Michael.Jones@microsoft.com> Mon, 27 March 2017 13:48 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CFF712778E for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:48:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.02
X-Spam-Level:
X-Spam-Status: No, score=-2.02 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iv8XA4yR2Q_Q for <oauth@ietfa.amsl.com>; Mon, 27 Mar 2017 06:48:32 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0121.outbound.protection.outlook.com [104.47.40.121]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9AF512940A for <oauth@ietf.org>; Mon, 27 Mar 2017 06:48:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=fLPR3vp2otM55udD5q7ic+CNK3GM6ezLoWiyHEegALg=; b=H5ih+Cu+nQDSsJ6SJzBdBGNEuXBWgu/hCQ+JMNnJ/zaaD5cun/xTZnzgYvkmvXbD+kJ6we2B89SFrmiayeZ468pz+84qyKNHB75KrNcqVv/khF1g1hOQ3FPdFB8mU3Xb3x9kRMLrxINBfU4llaFqzUkwHlb+X58ie/k3mCVRpVw=
Received: from CY4PR21MB0504.namprd21.prod.outlook.com (10.172.122.14) by CY4PR21MB0502.namprd21.prod.outlook.com (10.172.122.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1019.0; Mon, 27 Mar 2017 13:48:30 +0000
Received: from CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) by CY4PR21MB0504.namprd21.prod.outlook.com ([10.172.122.14]) with mapi id 15.01.1019.002; Mon, 27 Mar 2017 13:48:30 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell@pingidentity.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
CC: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
Thread-Index: AQHSpmpvztgQVPNWLkiOErdrdaCr6qGos7OAgAAAu5A=
Date: Mon, 27 Mar 2017 13:48:30 +0000
Message-ID: <CY4PR21MB050479DBD8A7AB6342682209F5330@CY4PR21MB0504.namprd21.prod.outlook.com>
References: <148416124213.8244.5842562779051799977.idtracker@ietfa.amsl.com> <CA+k3eCTE1NM90QcZRFR0jATCqdeJWyTRUb6Ryp52n9FRg6aGpA@mail.gmail.com> <9199091B-5D7F-4D66-9EC5-CB0EF2D3CF6D@lodderstedt.net> <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com>
In-Reply-To: <CA+k3eCTjmifjsbec80vGTE5Hw4ws7oARuaatDk4RYOLK26-87Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: pingidentity.com; dkim=none (message not signed) header.d=none;pingidentity.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:67c:370:128:6105:54cc:dfb6:784e]
x-microsoft-exchange-diagnostics: 1; CY4PR21MB0502; 7:1r1x7hyecr9jZpuc+6STlMyXPkBwCXDqb4wk8aaD7fVsBbQds1PJC8CfrP+z9zAn7Uj2PsR7R511vlHDgjUGm8dpf0p/aFdaR6rTB50fwPSAO3zm33v/8kx38n8bxicEAyQBGuB7D6AJXEnu5xZ7cIBrQiT7jfQJn7fwrbwmJd9j4qFbZjqEkvfJ+x4mKpAabUAqcvC6ieN28ROjNs2IrMepTp8Yl5mfe8PkaWoA01dO98UlidZqObh4SR9UR6lRCL63sPpYv/rtu0lYPT7p/AYsoJbU6mQdtgyIejkH15O+NPTZOIDSMWEaeSOspfu0WZLwBJfUitv9RPOW/ySu2J4Th7Q9UJvJ0T6p8qFcRdE=
x-ms-office365-filtering-correlation-id: 60aaed87-7311-4290-c5f6-08d47517f407
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423045)(201703031133051); SRVR:CY4PR21MB0502;
x-microsoft-antispam-prvs: <CY4PR21MB0502B92E7686714F273D6346F5330@CY4PR21MB0502.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105)(192374486261705)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040420)(601004)(2401047)(8121501046)(5005006)(10201501046)(93006021)(93001021)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123564025)(20161123555025)(201703131423045)(201702281528045)(201703011903045)(201703061421045)(20161123558025)(20161123562025)(6072148); SRVR:CY4PR21MB0502; BCL:0; PCL:0; RULEID:; SRVR:CY4PR21MB0502;
x-forefront-prvs: 02596AB7DA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39850400002)(39450400003)(39860400002)(39410400002)(39840400002)(39400400002)(24454002)(22974007)(377424004)(51914003)(377454003)(77096006)(606005)(6506006)(6436002)(19609705001)(55016002)(10090500001)(99286003)(38730400002)(236005)(9686003)(54896002)(53936002)(14971765001)(7906003)(102836003)(122556002)(74316002)(8936002)(6116002)(790700001)(86362001)(3280700002)(10290500002)(6306002)(2950100002)(25786009)(189998001)(53546009)(81166006)(8676002)(230783001)(93886004)(33656002)(229853002)(2900100001)(3660700001)(5005710100001)(6246003)(7696004)(76176999)(50986999)(4326008)(2906002)(54356999)(5660300001)(7736002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY4PR21MB0502; H:CY4PR21MB0504.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY4PR21MB050479DBD8A7AB6342682209F5330CY4PR21MB0504namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Mar 2017 13:48:30.2198 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR21MB0502
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P2BWkYK91ocuatmMVHN4NMfJLG0>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2017 13:48:35 -0000
For the same reason that the “aud” claim is multi-valued in JWTs, the audience needs to stay multi-valued in Token Exchange. Ditto for resources.
Thanks,
-- Mike
From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Brian Campbell
Sent: Monday, March 27, 2017 8:45 AM
To: Torsten Lodderstedt <torsten@lodderstedt.net>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
Thanks for the review and question, Torsten.
The desire to support multiple audience/resource values in the request came up during a review and discussion among the authors of the document when preparing the -03 draft. As I recall, it was said that both Salesforce and Microsoft had use-cases for it. I incorporated support for it into the draft acting in the role of editor.
From an individual perspective, I tend to agree with you that allowing for multiple audiences/resources adds a lot of complexity that's like not needed in many (or most) cases. And I would personally be open to making audience and resource mutual exclusive and single valued. A question for the WG I suppose.
The "invalid_target" error code that was added in -07 was intended to give the AS a standard way to deal with the complexity and reject request with multiple audiences/resources that it doesn't understand or is unwilling or unable to process. It was intended as a compromise, of sorts, to allow for the multiples but provide an easy out of saying it can't be supported based on whatever implementation or policy of the AS.
On Sun, Mar 26, 2017 at 9:00 AM, Torsten Lodderstedt <torsten@lodderstedt.net<mailto:torsten@lodderstedt.net>> wrote:
Hi Brian,
thanks for the clarification around resource, audience and scope.
Here are my comments on the draft:
In section 2.1 it states: „Multiple "resource" parameters may be used to indicate
that the issued token is intended to be used at the multiple
resources listed.“
Can you please explain the rational in more detail? I don’t understand why there is a need to ask for access tokens, which are good for multiple resources at once. This is a request type more or less exclusively used in server to server scenarios, right? So the only reason I can think of is call reduction.
On the other side, this feature increases the AS's complexity, e.g. its policy may prohibit to issue tokens for multiple resources in general or the particular set the client is asking for. How shall the AS handles such cases?
And it is getting even more complicated given there could also be multiple audience values and the client could mix them:
"Multiple "audience" parameters
may be used to indicate that the issued token is intended to be
used at the multiple audiences listed. The "audience" and
"resource" parameters may be used together to indicate multiple
target services with a mix of logical names and physical
locations.“
And in the end the client may add some scope values to the „meal“, which brings us to
„Effectively, the requested access rights of the
token are the cartesian product of all the scopes at all the target
services."
I personally would suggest to drop support for multiple audience and resource parameters and make audience and resource mutual exclusive. I think this is sufficient and much easier to implement.
kind regards,
Torsten.
Am 11.01.2017 um 20:04 schrieb Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>:
Draft -07 of "OAuth 2.0 Token Exchange" has been published. The primary change in -07 is the addition of a description of the relationship between audience/resource/scope, which was a request or comment that came up during the f2f meeting in Seoul.
Excerpted from the Document History:
-07
o Fixed typo (desecration -> discretion).
o Added an explanation of the relationship between scope, audience
and resource in the request and added an "invalid_target" error
code enabling the AS to tell the client that the requested
audiences/resources were too broad.
---------- Forwarded message ----------
From: <internet-drafts@ietf.org<mailto:internet-drafts@ietf.org>>
Date: Wed, Jan 11, 2017 at 12:00 PM
Subject: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-07.txt
To: i-d-announce@ietf.org<mailto:i-d-announce@ietf.org>
Cc: oauth@ietf.org<mailto:oauth@ietf.org>
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol of the IETF.
Title : OAuth 2.0 Token Exchange
Authors : Michael B. Jones
Anthony Nadalin
Brian Campbell
John Bradley
Chuck Mortimore
Filename : draft-ietf-oauth-token-exchange-07.txt
Pages : 31
Date : 2017-01-11
Abstract:
This specification defines a protocol for an HTTP- and JSON- based
Security Token Service (STS) by defining how to request and obtain
security tokens from OAuth 2.0 authorization servers, including
security tokens employing impersonation and delegation.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-token-exchange/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-07
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-exchange-07
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org<http://tools.ietf.org/>.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exc… internet-drafts
- [OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-toke… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Mike Jones
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Torsten Lodderstedt
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Nat Sakimura
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Denis
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Denis
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Denis
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Denis
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token… Brian Campbell