IETF Logo Mail Archive

Re: [OAUTH-WG] Report an authentication issue

Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com> Thu, 28 June 2012 22:35 UTC

Return-Path: <Adam.Lewis@motorolasolutions.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 413F411E80D7 for <oauth@ietfa.amsl.com>; Thu, 28 Jun 2012 15:35:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.466
X-Spam-Level:
X-Spam-Status: No, score=-0.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WiRWGMA2nqRW for <oauth@ietfa.amsl.com>; Thu, 28 Jun 2012 15:35:11 -0700 (PDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe003.messaging.microsoft.com [213.199.154.206]) by ietfa.amsl.com (Postfix) with ESMTP id BE3EF11E80E1 for <oauth@ietf.org>; Thu, 28 Jun 2012 15:35:10 -0700 (PDT)
Received: from mail103-am1-R.bigfish.com (10.3.201.226) by AM1EHSOBE004.bigfish.com (10.3.204.24) with Microsoft SMTP Server id 14.1.225.23; Thu, 28 Jun 2012 22:33:22 +0000
Received: from mail103-am1 (localhost [127.0.0.1]) by mail103-am1-R.bigfish.com (Postfix) with ESMTP id 32DEA46023A for <oauth@ietf.org>; Thu, 28 Jun 2012 22:33:22 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:129.188.136.16; KIP:(null); UIP:(null); IPV:NLI; H:il06gsg01.am.mot-solutions.com; RD:none; EFVD:NLI
X-SpamScore: -23
X-BigFish: VPS-23(zz98dI9371I936eIc85fhzz1202hzz1033IL8275bh8275dhz2fh2a8h683h839hd25hf0ah)
Received-SPF: pass (mail103-am1: domain of motorolasolutions.com designates 129.188.136.16 as permitted sender) client-ip=129.188.136.16; envelope-from=Adam.Lewis@motorolasolutions.com; helo=il06gsg01.am.mot-solutions.com ; olutions.com ;
X-Forefront-Antispam-Report-Untrusted: CIP:157.56.244.181; KIP:(null); UIP:(null); (null); H:CH1PRD0410HT001.namprd04.prod.outlook.com; R:internal; EFV:INT
Received: from mail103-am1 (localhost.localdomain [127.0.0.1]) by mail103-am1 (MessageSwitch) id 134092279944040_23169; Thu, 28 Jun 2012 22:33:19 +0000 (UTC)
Received: from AM1EHSMHS010.bigfish.com (unknown [10.3.201.237]) by mail103-am1.bigfish.com (Postfix) with ESMTP id 08C83C0047 for <oauth@ietf.org>; Thu, 28 Jun 2012 22:33:19 +0000 (UTC)
Received: from il06gsg01.am.mot-solutions.com (129.188.136.16) by AM1EHSMHS010.bigfish.com (10.3.207.110) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 28 Jun 2012 22:33:18 +0000
Received: from il06gsg01.am.mot-solutions.com (il06vts02.mot.com [129.188.137.142]) by il06gsg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q5SMR9cc021654 for <oauth@ietf.org>; Thu, 28 Jun 2012 18:27:09 -0400 (EDT)
Received: from am1outboundpool.messaging.microsoft.com (am1ehsobe005.messaging.microsoft.com [213.199.154.208]) by il06gsg01.am.mot-solutions.com (8.14.3/8.14.3) with ESMTP id q5SMR7NH021651 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <oauth@ietf.org>; Thu, 28 Jun 2012 18:27:08 -0400 (EDT)
Received: from mail96-am1-R.bigfish.com (10.3.201.228) by AM1EHSOBE009.bigfish.com (10.3.204.29) with Microsoft SMTP Server id 14.1.225.23; Thu, 28 Jun 2012 22:33:15 +0000
Received: from mail96-am1 (localhost [127.0.0.1]) by mail96-am1-R.bigfish.com (Postfix) with ESMTP id 4B7BC260541 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 28 Jun 2012 22:33:15 +0000 (UTC)
Received: from mail96-am1 (localhost.localdomain [127.0.0.1]) by mail96-am1 (MessageSwitch) id 1340922792857535_31565; Thu, 28 Jun 2012 22:33:12 +0000 (UTC)
Received: from AM1EHSMHS004.bigfish.com (unknown [10.3.201.238]) by mail96-am1.bigfish.com (Postfix) with ESMTP id C57D2200043; Thu, 28 Jun 2012 22:33:12 +0000 (UTC)
Received: from CH1PRD0410HT001.namprd04.prod.outlook.com (157.56.244.181) by AM1EHSMHS004.bigfish.com (10.3.207.104) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 28 Jun 2012 22:33:12 +0000
Received: from CH1PRD0410MB369.namprd04.prod.outlook.com ([169.254.12.121]) by CH1PRD0410HT001.namprd04.prod.outlook.com ([10.255.147.36]) with mapi id 14.16.0164.004; Thu, 28 Jun 2012 22:34:58 +0000
From: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Report an authentication issue
Thread-Index: AQHNVW9j/6YrPtS2BEGxpaqkq9uhOpcQT5Kg
Date: Thu, 28 Jun 2012 22:34:58 +0000
Message-ID: <59E470B10C4630419ED717AC79FCF9A91A2D13C9@CH1PRD0410MB369.namprd04.prod.outlook.com>
References: <CAEEmcpEcNqNHwfVozD-NtfkruiB-v0MTszwNL4cob2rL=QQTSA@mail.gmail.com> <CABzCy2BZLff7EZoWaU+vmCWCgXUSSxn3x-evm-FwzKdnx7QeMA@mail.gmail.com> <1339792496.52712.YahooMailNeo@web125501.mail.ne1.yahoo.com> <CABzCy2APCsGU9N00K4XYoa4Scxno51b_E=8MKD9MzZk6zxtc1Q@mail.gmail.com> <BDF3CDE9-B411-4366-9C5F-C3EA17938C21@matake.jp> <C05B5190-B0B7-42AD-A6DB-FABF190D2674@gmail.com> <59E470B10C4630419ED717AC79FCF9A9108898EE@BL2PRD0410MB363.namprd04.prod.outlook.com> <4FE223E4.6060307@mitre.org> <4FE226BC.6010403@alcatel-lucent.com> <59E470B10C4630419ED717AC79FCF9A910889AB5@BL2PRD0410MB363.namprd04.prod.outlook.com> <CABzCy2CLe_DVcxiD1EasuhtG1_6+6tCtV5TckZ80fvqyjan_bA@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A917052BC8@SN2PRD0410MB370.namprd04.prod.outlook.com> <4FE37D38.1030407@gmail.com> <CABzCy2A_zJ3vaauoo6VwsmLWsTesdTujuQ4dHdVpc5Nh==iEFg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2C8949@CH1PRD0410MB369.namprd04.prod.outlook.com> <CABzCy2DzmNgmMALNfc1qp95fwD2WULb-49DkyLiZnjXngAmaPg@mail.gmail.com> <59E470B10C4630419ED717AC79FCF9A91A2D1309@CH1PRD0410MB369.namprd04.prod.outlook.com> <496AFB1D-A609-4188-B92D-2185E8880388@ve7jtb.com>
In-Reply-To: <496AFB1D-A609-4188-B92D-2185E8880388@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [184.78.105.93]
Content-Type: multipart/alternative; boundary="_000_59E470B10C4630419ED717AC79FCF9A91A2D13C9CH1PRD0410MB369_"
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%VE7JTB.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%GMAIL.COM$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-FOPE-CONNECTOR: Id%1294$Dn%IETF.ORG$RO%2$TLS%3$FQDN%msgate.mot-solutions.com$TlsDn%
X-CFilter-Loop: Reflected
X-OriginatorOrg: motorolasolutions.com
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Report an authentication issue
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2012 22:35:18 -0000

Hi John,

It may be semantics, but in my use cases, the AS is not "authorizing" anything.  It's 1) authenticating the user, and 2) issuing a structured JWT access_token which contains claims about the user (again, just like the id_token, but as you said, aud=RS).

The video client on the iPhone/Android uses this as a bearer token, and includes it an a request to the video server.  The video server uses the claims in the JWT access_token to authenticate the user, and then makes its own authorization decisions (e.g. maps user id to app-centric roles, etc.)

If you still feel this is within the spirit of OAuth, then great :-)

My concern is still that one of our customer's will read your blog and fire back at us ... "but John says OAuth is not for authentication"  ;)

This is why I would like to explore the idea of putting out an informational draft profiling OAuth for authentication, since everybody seems to at least agree that it can be profiled to do so.

Tx!
adam

From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: Thursday, June 28, 2012 3:48 PM
To: Lewis Adam-CAL022
Cc: Nat Sakimura; oauth@ietf.org
Subject: Re: [OAUTH-WG] Report an authentication issue

Adam,

This is getting tangled up in semantics.

The AS authenticates the user and Authorizes the client (native App) to access the protected resource (video server) via issuing it a access token, or a authorization code that it can trade at a token endpoint for a refresh_token and access_token.

At that point the client has no notion of who the user is unless a openID Connect id_token was also sent.  I suspect that the video player app may not care who the person, only what it can access.

The App then uses its access token to prove that it was delegated access to the server by some person (Resource owner in OAuth speak).
In your STS example you call this Authentication, but in OAuth it is Authorization.  The client is the one being authenticated to the resource via the token.
The User is Authenticated to the AS.   The same trust chain exists it just uses different terms.

That token can be structured like the id_token is, but there is an important difference.  The access token's audience is the resource server and the id_token's audience is the client.
That is one of the reasons they are separate.

This looks like a relatively strait forward OAuth use case to me,  you can probably also use opaque tokens with a AS STS and some caching logic at the RS if you want to keep the token size down.

John B.


On 2012-06-28, at 4:13 PM, Lewis Adam-CAL022 wrote:


Hi Nat,

Starting from a standalone use case would be good.
My impression (I may be wrong) is that your requirement is to be able to

(1) Log the user identifier of the person who is accessing the resource at the resource server for the audit etc. purposes.

<acl> yes ... that *and* to authenticate the user in the first place.  So again, my access_token will actually look like the Connect id_token.  I would even prefer to use the id_token, except that it violate the spirit of Connect to pass the id_token to the RS (e.g. it was only meant for consumption by the client).

My problem space can be distilled to something very simple.


-          We come from a SOAP API world where we use WS-Trust to secure the SOAP API calls.  WS-Trust makes it very simple for a WS-* client to collect the user's primary credentials, exchange it for a (SAML) bearer token via the STS, and embed that bearer token in SOAP-based API calls to the WS-* server. This is most definitely *authentication*


-          We are moving to a RESTful API world.  I just want to be able to do the same thing as above. How do I enable my REST-based client to collect the user's password, exchange it for a (JWT) bearer token via the STS, and embed that bearer token in RESTful API calls to the REST-based server, such that the REST-based server can *authenticate* the client?


(2) Do the holder of the key so that the RS is sure that the person accessing with the access token
     is really the person.

<acl> that would be nice, but most of my users will be using passwords in the beginning, so this is not an option.  I'm using the literal definition of bearer token here, taken straight out of the OAuth bearer token spec, e.g. "Any party in possession of a bearer token (a "bearer") can use it to get
access to the associated resources (without demonstrating possession of a cryptographic key)."

(3) In addition, the RS may not be able to talk to AS directly.
     [Well, this is one of my use case anyways.]

<acl> Right ... this is why I am now looking at structured JWTs.

(4) In some cases, the client may not be able to communicate with AS directly at the time of RS access. [ditto]

<acl> Right again, we have disaster scenarios to think about where the AS might not be reachable.  but this is a use case for next steps.  Trying to walk before we fly here :-)
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.29.0 | Report a Bug | By Email | System Status