Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt

Mike Jones <> Fri, 08 December 2017 20:55 UTC

From: Mike Jones <>
To: Denis <>, Brian Campbell <>
CC: oauth <>
Date: Fri, 8 Dec 2017 20:55:53 +0000

I believe the text would detract from the document.
From: OAuth <> on behalf of Brian Campbell <>
Sent: Friday, December 8, 2017 3:47:32 PM
To: Denis
Cc: oauth
Subject: Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-exchange-10.txt

As an individual, I do not believe that the proposed text should be incorporated into the draft.

As one of the document editors, my responsibility is for the document to be of reasonable quality and to reflect the rough consensus of this Working Group. So I should ask the list more explicitly - are there other WG members who are in favor of the proposed text here (the text would have to be fixed up some too)?

On Fri, Dec 1, 2017 at 11:12 AM, Denis <> wrote:
Comments on draft-ietf-oauth-token-exchange-10

I propose the following rephrasing for sections 6 and 7:

6. Security Considerations

All of the normal security issues that are discussed in [JWT], especially in relationship to comparing URIs and dealing with unrecognized values, also apply here. In addition, both delegation and impersonation introduce unique security issues. Any time one user receives a token, the potential for abuse is a concern, since that user might be willing to collude with another user so that the other user could use the token.

Techniques like the binding of an access token to a TLS channel described elsewhere are ineffective, since the legitimate user would be able to perform all the cryptographic computations that the other user would need to demonstrate ownership of the token. The use of the "scp" claim is suggested to mitigate the potential for such abuse, as it restricts the contexts in which the token can be exercised. If the issued access token scope allows the user to be unambiguously identified, then that user is likely to be reluctant to collude with another user. However, if the issued access token scope only indicates that the user is over 18, then there is no risk of the original user being discovered, and in such a context a collusion may easily take place. This document does not specify techniques to prevent such a collusion from being successful.

7. Privacy Considerations

Tokens typically carry personal information and their usage in Token Exchange may reveal details of the target services being accessed. The resource and audience parameters allow authorization servers to know where the issued access token will be used. This may be a privacy concern for some users. This document does not specify techniques to prevent authorization servers from knowing where the access tokens they issue will be used.

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Web Authorization Protocol WG of the IETF.

        Title           : OAuth 2.0 Token Exchange
        Authors         : Michael B. Jones
                          Anthony Nadalin
                          Brian Campbell
                          John Bradley
                          Chuck Mortimore
        Filename        : draft-ietf-oauth-token-exchange-10.txt
        Pages           : 32
        Date            : 2017-11-30

   This specification defines a protocol for an HTTP- and JSON- based
   Security Token Service (STS) by defining how to request and obtain
   security tokens from OAuth 2.0 authorization servers, including
   security tokens employing impersonation and delegation.

The IETF datatracker status page for this draft is:

There are also htmlized versions available at:

A diff from the previous version is available at:

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at<>.

Internet-Drafts are also available by anonymous FTP at:

OAuth mailing list<>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.