IETF Logo Mail Archive

Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

"Fregly, Andrew" <afregly@verisign.com> Tue, 19 April 2016 20:19 UTC

Return-Path: <afregly@verisign.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BF3512D863 for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 13:19:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bGzbbprY2EDH for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 13:19:36 -0700 (PDT)
Received: from mail-qg0-x261.google.com (mail-qg0-x261.google.com [IPv6:2607:f8b0:400d:c04::261]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0756E12D8A8 for <oauth@ietf.org>; Tue, 19 Apr 2016 13:19:36 -0700 (PDT)
Received: by mail-qg0-x261.google.com with SMTP id a74so2810184qgf.2 for <oauth@ietf.org>; Tue, 19 Apr 2016 13:19:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language:user-agent :mime-version; bh=xadHeNSDhGhyznFuLyMgZzpT70WWgzVygZu27cbfLRw=; b=M/lOlHL48ywAWpTqQ1d9LQy3IMCE2Y+RHyilGQnKIEjSXsy3Bq0+WPfH+DzvYoT2F1 p/jOAU+TGRW509kU8/c6rMaXbSX3hFA/SuGJATvZlijNtncTow09n3NgDuUo5DulUdvs Sbo3/p6Q7zzFMBYewVODRHSfNaSW+OjAQBEsGJuqMiKLMklzYxPZj61q7dCNU/02y+iq NXl/qtPjArlW8xlw7gxzta1WBoBO7i6Ar/jH6WLlD+jUl6G3ZcraIOtBOclI/I6UIauh LUsCY+1kSxFm4hQ/WhO5tcXhKQ4hkUEUob+6aXo/jTNqticJqWkjFzxH3W1Dec4DpyST hy4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:thread-topic:thread-index :date:message-id:references:in-reply-to:accept-language :content-language:user-agent:mime-version; bh=xadHeNSDhGhyznFuLyMgZzpT70WWgzVygZu27cbfLRw=; b=HJb0v/9zOgEMQ/Duw9c257S17qd04ZEXLMlUCdBmMh7BQ+sSeW2XyqrQxYKUeXw9nl 7/du4xCUeSwuOuOIpoYWvV0FBkLetuZm5X+oQgnxZQSMDD4sew0qzwLZ2efUxEYZ25b4 W2auCDZdeJD1O4EshSl5SEZHer5qZh1Eh3WbR6j4le9WxeSD2qZH2647lZXclLIDZWJX HmUEiHMRNyKZmCjnkoMM4vwFNU946op7T1tK0YV+ZIXgHkPg103v8encEcTgXbDxxN4U eq66CWjezwxjcmJZEsOgJEc1sccPKyNaj+mH+Hr/EON2AeP0vV5yHp2HAKy/SunP8b3A bVTQ==
X-Gm-Message-State: AOPr4FXMTvMVvJ4pLD0LbXBVSgodBqJJNGnN0F5Sovv9Rn+6bAp6N+TZ2VL3ilUdMNo60ceO+Yg7MKMAtiwWArI6Aj/dlJ9I
X-Received: by 10.55.71.66 with SMTP id u63mr6450777qka.67.1461097175113; Tue, 19 Apr 2016 13:19:35 -0700 (PDT)
Received: from brn1lxmailout02.verisign.com (brn1lxmailout02.verisign.com. [72.13.63.42]) by smtp-relay.gmail.com with ESMTPS id 13sm1135174qkg.5.2016.04.19.13.19.34 (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 19 Apr 2016 13:19:35 -0700 (PDT)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas02.vcorp.ad.vrsn.com (brn1wnexcas02 [10.173.152.206]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id u3JKJYxI015820 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 19 Apr 2016 16:19:34 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas02.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Tue, 19 Apr 2016 16:19:32 -0400
From: "Fregly, Andrew" <afregly@verisign.com>
To: Brian Campbell <bcampbell@pingidentity.com>, John Bradley <ve7jtb@ve7jtb.com>
Thread-Topic: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
Thread-Index: AQHRmmmltTMKsQ6A10ecv0+1vsUllp+RvLyA
Date: Tue, 19 Apr 2016 20:19:31 +0000
Message-ID: <97FB56BD-0990-4A46-AA98-B0E5C2A8994C@verisign.com>
References: <FF8F219E-AB2E-48F5-AD90-DEA783343C1B@verisign.com> <A85A7E53-1AE2-4141-B6AF-FE3E19DEBA75@ve7jtb.com> <CA+k3eCR21HWSVNgT6eGLkaCE3ekKdv++_HJtsqkJh4Pg1Xm1kQ@mail.gmail.com>
In-Reply-To: <CA+k3eCR21HWSVNgT6eGLkaCE3ekKdv++_HJtsqkJh4Pg1Xm1kQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/0.0.0.160212
x-originating-ip: [10.173.152.4]
Content-Type: multipart/alternative; boundary="_000_97FB56BD09904A46AA98B0E5C2A8994Cverisigncom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Su91Ma2k99ioCV-3PH3Jrh24_6g>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2016 20:19:41 -0000

Brian,

Once again, thank you for your input. Per my prior response to John Bradley, our use case has the Identity Provider being provided by a different organization than the organization providing the Authorization Service.

Thanks,
     Andy

From: Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>
Date: Tuesday, April 19, 2016 at 2:30 PM
To: John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>>
Cc: Andrew Fregly <afregly@verisign.com<mailto:afregly@verisign.com>>, "oauth@ietf.org<mailto:oauth@ietf.org>" <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

The Token Exchange draft does put the Authorization Server (AS) in the role of STS because it's an extension of OAuth. But that shouldn't be viewed as limiting. An AS is often deployed as one part of an Identity Provider. OpenID Connect, as John mentioned, is one standard that combines the roles. And many products/services/deployments have an AS as part of their overall Identity Provider offering, which might also have OpenID Connect, SAML, etc.

On Tue, Apr 19, 2016 at 12:06 PM, John Bradley <ve7jtb@ve7jtb.com<mailto:ve7jtb@ve7jtb.com>> wrote:
Looking at OpenID Connect and it’s trust model for producing id_tokens that assert identity may help you.
http://openid.net/wg/connect/

Unfortunately I can’t quite make out what you are trying to do.

It sort of sounds like you want an id_token from a idP and then have the client exchange that assertion for another token?

John B.
On Apr 19, 2016, at 1:18 PM, Fregly, Andrew <afregly@verisign.com<mailto:afregly@verisign.com>> wrote:

I have a use case where a client application needs to authenticate with a dynamically determined Identity Provider that is separate from the Authorization Service that will be used issue an access token to the client. The use case also requires that as part of authorization, the client provides to the Authorization Service an authentication token signed by an Identity Provider that the Authorization Service has a trust relationship with. The trust relationship is verifiable based on the Authorization Service having recorded the public keys or certificates of trusted Identity Providers in a trust store, this allowing the Authorization Service to verify an Identity Provider’s signature on an authentication token.

In looking at the various OAuth RFCs, particularly RFCs 7521, 7522, and 7523, I see that they get me close in terms of supporting the use case. What is missing is a means for solving the following problem. These RFCs require that the Identity Provider put an Audience claim in the authentication token. The problem with this is that I do not see in the RFCs how the Identity Provider can be told who the Audience is to put into the authentication token. This leads me to the title of this message. The draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” defines a mechanism for identifying the Audience for an STS to put into a token it generates. That would solve my problem except that the draft limits the type of STS to being Authorization Servers. What is needed is this same capability for interacting with an Identity Provider. This would enable RFCs 7521, 7522 and 7523 to be useful in situation where the Identity Provider needs to be told the identity of the Authorization Service.

I am new to interacting with the IETF. I also am not an expert on the RFCs or prior history of the OAuth group relative to this topic, so please point me to any existing solution if this is a solved problem. Otherwise, I would like to get feedback on my suggestion.

Thanks You,

Andrew Fregly
Verisign Inc.
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email