IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now

Paul Madsen <paul.madsen@gmail.com> Thu, 27 March 2014 14:15 UTC

Return-Path: <paul.madsen@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC45A1A0715 for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 07:15:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvALuVdm8mZI for <oauth@ietfa.amsl.com>; Thu, 27 Mar 2014 07:14:58 -0700 (PDT)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) by ietfa.amsl.com (Postfix) with ESMTP id 77C551A032B for <oauth@ietf.org>; Thu, 27 Mar 2014 07:14:58 -0700 (PDT)
Received: by mail-ig0-f170.google.com with SMTP id uq10so1510855igb.3 for <oauth@ietf.org>; Thu, 27 Mar 2014 07:14:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=I05jpVTlJhRlk2kPDXJnEyAKFyfQG+KeqzPhSrJJHRQ=; b=sw1TZ8yWkCFiya+IGSRdMMTDFgdrIuRSZKqX8ESsIdlooWdJVkuyVoYnkVDVkdBaOs nnL/wQjg5pw5g/Kueuc+lA1XEzg4+gGW70SDLU9tZItKT+wfNf9we3CeN/TaCliGqxH1 rB2ltbgfsavCb7OyI4CMJLnQ+viUhaNblpLT8mvna1PfPDrxtyNsPsq8dOOT3j3aLxLQ ub3on4FUE3chHkTi6kWgoXc9U7m42AN1hkQv8MTlqrzb5v32gh2Gq1To37OiTei99e21 BgefekNWKWghYKzW/EWMruTgUWPl0h2cprISBWLEpVpLAJTSIkNZT+f2St2RNZReKQ7a ckqQ==
X-Received: by 10.50.143.34 with SMTP id sb2mr4683379igb.11.1395929695581; Thu, 27 Mar 2014 07:14:55 -0700 (PDT)
Received: from [192.168.0.191] (CPE0022b0cb82b4-CMbc1401e98fa0.cpe.net.cable.rogers.com. [99.224.82.58]) by mx.google.com with ESMTPSA id b8sm5194471igx.3.2014.03.27.07.14.54 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 27 Mar 2014 07:14:55 -0700 (PDT)
Message-ID: <53343260.3030009@gmail.com>
Date: Thu, 27 Mar 2014 10:14:56 -0400
From: Paul Madsen <paul.madsen@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: John Bradley <ve7jtb@ve7jtb.com>, Adam Lewis <Adam.Lewis@motorolasolutions.com>
References: <c174791bb42e462d813b62a952ded267@DM2PR04MB735.namprd04.prod.outlook.com> <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com>
In-Reply-To: <F9D7698F-9713-477D-9D14-BF97425CFF92@ve7jtb.com>
Content-Type: multipart/alternative; boundary="------------010104050901040008030807"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/QWo6OuwrMi3HjhP1Duf2IY9tjXQ
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth & Enteprise federation ... 5 years from now
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Mar 2014 14:15:02 -0000

a variant I've seen proposed is to to have

1) the native app obtain tokens from AS1
2) the RS only accept tokens from AS2
3) have AS1 request tokens of AS2 on back-channel to meet reqs of #1 & #2

lots of ways to 'close the loop'

paul

On 3/27/14, 10:06 AM, John Bradley wrote:
> Hi Adam,
>
> 3 is the most common today.  In the Salesforce case it has the 
> additional benefit that when Domain 1 is federating to SalesForce via 
> OpenID Connect it can provide access tokens for it's API to sales 
> force scoped for that user for use in the SalesForce custom logic.
>
> 1 and 2 are similar and likely it is more of a deployment choice 
> between them.
> We do see examples of this currently with the Android play store 
> providing third-party id_tokens/JWT assertions to OAuth clients.
>
> The reason for doing 1 or 2 vs 3 probably comes down to connivence and 
> security if  there is an agent for the user's  IdP on the device that 
> can act as a confidential client to the IdP for security and provide a 
> more consistent UI for the user.   That is what we are working on in 
> the NAPPS WG at OIDF.
>
> We have examples of 1/2 now, the problem is that they are not as 
> universally applicable as 3 but hopefully with standardization for 
> developers we will se more in the next year or so.
>
> John B.
>
> On Mar 27, 2014, at 10:06 AM, Lewis Adam-CAL022 
> <Adam.Lewis@motorolasolutions.com 
> <mailto:Adam.Lewis@motorolasolutions.com>> wrote:
>
>> I am curious it ping the thoughts of others on the list of how OAuth 
>> is going to continue to mature, especially with respect to enterprise 
>> federation scenarios.  This is something that I spend a whole lot of 
>> time thinking about.  Specifically, consider the following use case:
>> An end user in domain 1 downloads a native application to access an 
>> API exposed by domain 2, to access a protected resource in domain 2, 
>> under the administrative control of the domain 2 enterprise.
>> There are in my mind three basic means by which OAuth can federate, 
>> which I know I have discussed with some of you in the past:
>>
>> 1.First option ... End user in domain 1 requests a JWT-structured 
>> access_token from the OAuth provider in domain 1, and sends it in the 
>> HTTP header directly to the RS in domain 2.   The JWT access_token 
>> looks a whole lot like a OIDC id_token (maybe it even is one?).  The 
>> RS in domain 2 is able to make attributed-based access control 
>> decisions based on the contents of the JWT.  This is architecturally 
>> the simplest approach, but enterprises aren't exactly setting up 
>> OAuth providers these days for the intent of accessing protected 
>> resources in foreign domains. Anybody think this might be the case 5 
>> years from now?
>>
>> 2.Second option ... similar to the first, but the JWT-structured 
>> access_token from domain 1 is sent to the OAuth provider in domain 2, 
>> ala the JWT assertion profile. Domain 1 access token is exchanged for 
>> a domain 2 access token, and the native client uses the domain 2 
>> access token to send to the protected resource in domain 2.  I like 
>> this slightly more than the first option, because the resources 
>> servers in domain 2 only need to understand the token format of their 
>> own AS. But it still suffers from the same basic challenge of option 
>> 1, that enterprises don't' setup OAuth providers today for the 
>> purpose of federating, the way that setup SAML providers for WebSSO.
>>
>> 3.Third option.  Native client contacts the OAuth provider in domain 
>> 2 directly.  The authorization endpoint is federation enabled (NASCAR 
>> or other) and the user in domain 1 selects their home IdP (SAML or 
>> OIDC) and does WebSSO to federated into the domain 2 OAuth provider.  
>> I believe this is the model that Salesforce supports today, and it 
>> the most tactical, since enterprise that want to federate today run 
>> out and buy a SAML provider.
>> So option 3 is the most obvious approach today.  Does anybody foresee 
>> enterprises setting up an STS in the future to federate to foreign 
>> RS's (the way they setup SAML providers today)?  Anybody think we 
>> will see options 1 or 2 in the future?
>> adam
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.29.0 | Report a Bug | By Email | System Status