IETF Logo Mail Archive

Re: [OAUTH-WG] Token Chaining Use Case

Bill Mills <wmills_92105@yahoo.com> Thu, 26 March 2015 22:03 UTC

Return-Path: <wmills_92105@yahoo.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A58E1B2F9C for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 15:03:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.791
X-Spam-Level:
X-Spam-Status: No, score=0.791 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, MANGLED_PREMTR=2.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XLK61IEaMNar for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 15:03:40 -0700 (PDT)
Received: from nm10-vm0.bullet.mail.bf1.yahoo.com (nm10-vm0.bullet.mail.bf1.yahoo.com [98.139.213.147]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA3121B2FAC for <oauth@ietf.org>; Thu, 26 Mar 2015 15:03:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1427407418; bh=VbPYHaDf7Xj9qV4yLXMP9vwg17TDRC6kpR//90YHLxI=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=uMwSqdOBW/R+0AaMaoeBhrfdAVcFUMhub9VP7EhaOdYJY9XAjJXEH52M6JoY+xsYEJ77/tu2jz/jYUnHZ6CNcXTNbl0eOMzQUR5Dx+a+dpl2bPIanFJ81BrOJ903LMKjtOrDUn2Iw4PLhjXU4uNjhuG1G7htbaB+/zj6dLUuYEvCpjv80NX6MDv+/50HBrijOFt27dN4DaBY0CdjcDZMteFfBxCKm+NEdzu/AB6zZu8HIvsu/iZlXiZFhWay01UerrZX+PmggEg/xikxLVUp3IyJes60cJh5cy+iS7cxFSt48pJQslKMQibJdm0uUMiGslaJBf2ZWCUp66ZlG+sEbQ==
Received: from [98.139.215.141] by nm10.bullet.mail.bf1.yahoo.com with NNFMP; 26 Mar 2015 22:03:38 -0000
Received: from [98.139.212.242] by tm12.bullet.mail.bf1.yahoo.com with NNFMP; 26 Mar 2015 22:03:38 -0000
Received: from [127.0.0.1] by omp1051.mail.bf1.yahoo.com with NNFMP; 26 Mar 2015 22:03:38 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 817304.24972.bm@omp1051.mail.bf1.yahoo.com
X-YMail-OSG: KR3R_ioVM1n0jkMWuZwe1r64ThGunMYpzqGZ6d.7SNAoXhl3o.Revsxn6r2HQ8_ BC9dJatnOHHkEd3VQmjKk7v7cyz3ovT2aKD8rFxwIkfXisSmb55yK5V7VW8DY7.c3B7frOYYoeBn lPGhuC69H1DXiIAaVnxY6T5dluZ2sGWW_4i_HpkEAS.BnUxgfKafjD8v58hcWdoorAK9MmeRY8OI vPOqQtm4nOqQPe_qvoxTCAcooyzxBpsjPNsheuwdO1z3UsgPfrRLpvuYECn5NDauHsAnjTPNix_X hsCooAHIBRXDMchuvzTRdCbxM0.OSGKPWr94R1uuaqBzfz4g.bNwfqZKR9_qYce.MGLYu4zG6VLF MC92fhpOHiQaUPL.CLDuY7soGHKW0kwU.up6gv4hWO9gZzvKNjfHC3N7ML7ou8.i0PxvTb3opJMn Ta3iuqm_LY8eg2ornJ.qBlBzNixqaBlyqor5izB0BtIJo2oEhb4A1pfJqH951zj7jwyaumXLv0Wz eLS_KgnZaN5b.bR2dE3jQs3TYHX1YeSzH1yHxnZje
Received: by 76.13.26.156; Thu, 26 Mar 2015 22:03:38 +0000
Date: Thu, 26 Mar 2015 22:03:37 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: Bill Mills <wmills_92105@yahoo.com>, "Donald F. Coffin" <donald.coffin@reminetworks.com>, 'Phil Hunt' <phil.hunt@oracle.com>
Message-ID: <2080364038.3010022.1427407417845.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <123611071.2969574.1427405738183.JavaMail.yahoo@mail.yahoo.com>
References: <004401d0680a$e57a65f0$b06f31d0$@reminetworks.com> <123611071.2969574.1427405738183.JavaMail.yahoo@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_3010021_1703895099.1427407417816"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/T97ijEV6ehDidLc9hgyP_vcaezY>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Chaining Use Case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bill Mills <wmills_92105@yahoo.com>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 22:03:43 -0000


Again, I don't think requiring a call out to an internal token reissuer is a general solution.  That said...
The RS calls the token endpoint treating the AT as a refresh token in all cases and using the refresh_token grant type.  Desired scope is specified by the RS.  It's not in spec if there are derivative internal scopes not in the original scope list though.  This doesn't support internal scopes for partitioning that the AS doesn't know about. 
An internal AS providing chaining would need to understand the AT just as the RS does, and treat it as a refresh token.
-bill
     On Thursday, March 26, 2015 2:22 PM, Donald F. Coffin <donald.coffin@reminetworks.com> wrote:
   

 #yiv8232628268 -- filtered {font-family:Helvetica;panose-1:2 11 6 4 2 2 2 2 2 4;}#yiv8232628268 filtered {font-family:Wingdings;panose-1:5 0 0 0 0 0 0 0 0 0;}#yiv8232628268 filtered {panose-1:2 4 5 3 5 4 6 3 2 4;}#yiv8232628268 filtered {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv8232628268 filtered {font-family:Cambria;panose-1:2 4 5 3 5 4 6 3 2 4;}#yiv8232628268 filtered {panose-1:3 6 8 2 4 4 6 7 3 4;}#yiv8232628268 p.yiv8232628268MsoNormal, #yiv8232628268 li.yiv8232628268MsoNormal, #yiv8232628268 div.yiv8232628268MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv8232628268 a:link, #yiv8232628268 span.yiv8232628268MsoHyperlink {color:blue;text-decoration:underline;}#yiv8232628268 a:visited, #yiv8232628268 span.yiv8232628268MsoHyperlinkFollowed {color:purple;text-decoration:underline;}#yiv8232628268 p.yiv8232628268MsoListParagraph, #yiv8232628268 li.yiv8232628268MsoListParagraph, #yiv8232628268 div.yiv8232628268MsoListParagraph {margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv8232628268 p.yiv8232628268msonormal, #yiv8232628268 li.yiv8232628268msonormal, #yiv8232628268 div.yiv8232628268msonormal {margin-right:0in;margin-left:0in;font-size:12.0pt;}#yiv8232628268 p.yiv8232628268msochpdefault, #yiv8232628268 li.yiv8232628268msochpdefault, #yiv8232628268 div.yiv8232628268msochpdefault {margin-right:0in;margin-left:0in;font-size:12.0pt;}#yiv8232628268 span.yiv8232628268msohyperlink {}#yiv8232628268 span.yiv8232628268msohyperlinkfollowed {}#yiv8232628268 span.yiv8232628268emailstyle17 {}#yiv8232628268 p.yiv8232628268msonormal1, #yiv8232628268 li.yiv8232628268msonormal1, #yiv8232628268 div.yiv8232628268msonormal1 {margin:0in;margin-bottom:.0001pt;font-size:12.0pt;}#yiv8232628268 span.yiv8232628268msohyperlink1 {color:blue;text-decoration:underline;}#yiv8232628268 span.yiv8232628268msohyperlinkfollowed1 {color:purple;text-decoration:underline;}#yiv8232628268 span.yiv8232628268emailstyle171 {color:windowtext;font-weight:normal;font-style:normal;text-decoration:none none;}#yiv8232628268 p.yiv8232628268msochpdefault1, #yiv8232628268 li.yiv8232628268msochpdefault1, #yiv8232628268 div.yiv8232628268msochpdefault1 {margin-right:0in;margin-left:0in;font-size:10.0pt;}#yiv8232628268 span.yiv8232628268EmailStyle27 {color:windowtext;font-weight:normal;font-style:normal;text-decoration:none none;}#yiv8232628268 .yiv8232628268MsoChpDefault {font-size:10.0pt;}#yiv8232628268 filtered {margin:1.0in 1.0in 1.0in 1.0in;}#yiv8232628268 div.yiv8232628268WordSection1 {}#yiv8232628268 filtered {}#yiv8232628268 filtered {font-family:Symbol;}#yiv8232628268 filtered {}#yiv8232628268 filtered {font-family:Wingdings;}#yiv8232628268 filtered {font-family:Symbol;}#yiv8232628268 filtered {}#yiv8232628268 filtered {font-family:Wingdings;}#yiv8232628268 filtered {font-family:Symbol;}#yiv8232628268 filtered {}#yiv8232628268 filtered {font-family:Wingdings;}#yiv8232628268 ol {margin-bottom:0in;}#yiv8232628268 ul {margin-bottom:0in;}#yiv8232628268 Bill,  Can you clarify your thoughts on the following:  ·         What AS endpoint does the RS call and how does it present the AT he received?

·         What is the grant_type value the RS use in the above endpoint request?

·         What does the AS do if the AT was issued by another AS (which is possible using Justin’s use case)?  Best regards,DonDonald F. CoffinFounder/CTO  REMI Networks2335 Dunwoody Crossing Suite EDunwoody, GA 30338-8221  Phone:      (949) 636-8571Email:       donald.coffin@reminetworks.com  From: Bill Mills [mailto:wmills_92105@yahoo.com] 
Sent: Thursday, March 26, 2015 5:13 PM
To: Donald F. Coffin; 'Phil Hunt'
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Token Chaining Use Case  The RS calling back to the AS won't be confused, the token it gets would be it's refresh token.  I don't see any reason why the AS can't be smart enough to know that a token that looks like an access token it issued is usable as a refresh token for limited purposes or downscoping.      On Thursday, March 26, 2015 1:46 PM, Donald F. Coffin <donald.coffin@reminetworks.com> wrote:  -1 Although  Justin’s point might be a bit pre-mature as far as a standards discussion, the more critical reason IMHO is calling the AS’s /Token endpoint with a grant_type of “refresh_token” but providing an issued AT rather than an issued refresh_token (RT) will definitely create a backwards compatibility issue for many implementations. Best regards,DonDonald F. CoffinFounder/CTO REMI Networks2335 Dunwoody Crossing Suite EDunwoody, GA 30338-8221 Phone:      (949) 636-8571Email:       donald.coffin@reminetworks.com From: Phil Hunt [mailto:phil.hunt@oracle.com] 
Sent: Thursday, March 26, 2015 4:22 PM
To: Bill Mills
Cc: <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Chaining Use Case +1. We all have to change production code when non final specs evolve.  I particularly don't see this as a valid argument at the start of a standards discussion. 
Phil
On Mar 26, 2015, at 15:13, Bill Mills <wmills_92105@yahoo.com> wrote:
By definition an access token is becoming a form of refresh token.    The "because my implementation didn't do it that way" isn't convincing me.  On Thursday, March 26, 2015 12:44 PM, Justin Richer <jricher@mit.edu> wrote: Because many implementations (including mine which does support my old token chaining draft) treat access tokens and refresh tokens separately in terms of data store and structure. Additionally, the refresh token is tied to the client and presented by the client. But in this case it's someone downstream, an RS, presenting the token. So unlike a refresh token being presented by the one it was issued to, this token is being presented by someone it was presented to.  The feeling is close, but not quite the same in either development or assumptions. -- Justin / Sent from my phone /

-------- Original message --------
From: Bill Mills <wmills_92105@yahoo.com> 
Date: 03/26/2015 2:24 PM (GMT-06:00) 
To: Justin Richer <jricher@MIT.EDU>, "<oauth@ietf.org>" <oauth@ietf.org> 
Subject: Re: [OAUTH-WG] Token Chaining Use Case So why can't the access tokne simply be re-used as a refresh token?  Why would it need a new grant type at all?   On Thursday, March 26, 2015 11:31 AM, Justin Richer <jricher@MIT.EDU> wrote: As requested after last night’s informal meeting, here is the token chaining use case that I want to see represented in the token swap draft.


[ Client ]  ->  [ A ] -> [ B ] -> [ C ]

An OAuth client gets an access token AT1, just like it always would, with scopes [A, B, C] in order to call service A, which requires all three scopes. Service A (an RS) accepts this token since it has its scope, and then needs to call service B in turn, which requires scopes [B, C]. It could just re-send the token it got in, AT1, but that would give the downstream RS the ability to call services with scope [ A ] and it should not be allowed to do that. To limit exposure, service A calls a token swap at the AS to create AT2 with scopes [ B, C ], effectively acting as an OAuth client requesting a downscoped token based on AT1. Service A then acts as an OAuth client to call service B, now acting as an RS to service A’s client, and can fulfill the request. And it’s turtles all the way down: Service B can also call service C, and now B acts as a client, requesting AT3 with scope [ C ] based on AT2, and sending AT3 to service C. This prevents C from being able to call B or A, both of which would have been available if AT1 had been passed around. Note that service A or the Client can also request a downscoped token with [ C ] to call service C directly as well, and C doesn’t have to care how it got there.


In other words, it lets the client software be very, very dumb. It doesn’t have to do any special processing, doesn’t have to know what’s in the token, it just follows the recipe of “I got a token, I get another token based on this to call someone else”. It’s also analogous to the refresh token flow, but with access tokens going in and out. I’ve deployed this setup several times in different service deployments. Even though there is a performance hit in the additional round trips (as Phil brought up in another thread), in these cases the desire to have the tokens hold least privilege access rights (smallest set of scopes per service) outweighed any performance hit (which was shown to be rather small in practice).

What I want is for the token swap draft to define or use a mechanism that allows us to do this. I think we can do that pretty easily by adjusting the token swap syntax and language, and explicitly calling out the semantic processing portion (the current core of the document) for what it is: a way for a token issuer to communicate to a token service specific actions. At a high level, the spec would be something like:



1. How to swap a token at an AS
  1. Send a request to the token endpoint with a new grant type, and a token (of any type/format/flavor) on the way in
  2. Get back a new token in a token response
2. Communicating act as / on behalf of semantics via a JWT assertion
  1. How to create (as an AS/RS/client/other issuer) a JWT with act-as semantics
  2. What to do (as an AS/RS) with a JWT with act-as semantics
  3. How to create a JWT with on-behalf-of semeantics
  4. What to do with a JWT with on-behalf-of-semantics
  5. How to possibly represent these semantics with something other than a JWT



Section 2 uses the syntax from section 1. Other applications, like the one I laid out above, can use the syntax from section 1 as well. This works for structured, unstructured, self-generated, cross-domain, within-domain, and other tokens.


— Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth 

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
  

v2.23.0 | Report a Bug | By Email