IETF Logo Mail Archive

Re: [OAUTH-WG] [External Sender] Re: Transaction Tokens issuance in the absence of incoming token

George Fletcher <george.fletcher@capitalone.com> Fri, 12 April 2024 17:50 UTC

Return-Path: <george.fletcher@capitalone.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A90E9C14F738 for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2024 10:50:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -16.533
X-Spam-Level:
X-Spam-Status: No, score=-16.533 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_REMOTE_IMAGE=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=capitalone.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BFUO4T7oML1N for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2024 10:50:51 -0700 (PDT)
Received: from mx0b-001b4101.pphosted.com (mx0b-001b4101.pphosted.com [148.163.155.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFF87C14F6B8 for <oauth@ietf.org>; Fri, 12 Apr 2024 10:49:52 -0700 (PDT)
Received: from pps.filterd (m0127381.ppops.net [127.0.0.1]) by mx0b-001b4101.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 43CEZw3J006620 for <oauth@ietf.org>; Fri, 12 Apr 2024 13:49:52 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=capitalone.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=SM2048Mar2022; bh=mbMkc49gTrkVcTOdJ8dL5Fcm+7b0R6hEO+aZQIVguK8=; b=LDo+pL1SPSNiy/ZIoyHPW8UHSQTPwjBePmZWnylcgZ+b87sz5dVYTF4QIdYC3OX7L4Kk Zd/eQdmZY4NqPUTPAqDtPklir7+hcymOnv6sBaDWJDDTCniFqVQm3TkfvuGn2gRhe1Sf rvDMnmffw3lBZV+V4+yna9IxI3XU5KoFH29wAvJGpkK5BLNsLNpGW1L0cHri7mhIrl2E BUtuyUb07E7+RVbGnPc6Dt4PHaU+mV64NRsofSJYilQ9IsJVvtBMXzn8aqKwDVFExKzM yx3aK1RyvE95SXSJG9C3Nh2felj3kcz3uGblAzREY0bep+dOksSV6e7I0o8fqpOhjpII bA==
Received: from mail-lf1-f71.google.com (mail-lf1-f71.google.com [209.85.167.71]) by mx0b-001b4101.pphosted.com (PPS) with ESMTPS id 3xcmq8cck9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=OK) for <oauth@ietf.org>; Fri, 12 Apr 2024 13:49:51 -0400
Received: by mail-lf1-f71.google.com with SMTP id 2adb3069b0e04-516d6407352so1023339e87.0 for <oauth@ietf.org>; Fri, 12 Apr 2024 10:49:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712944189; x=1713548989; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VBLWNaC1f4szwViZ2iLtFGarOOmpCz5j0diN1YA0n+k=; b=d0cSnkGnhdESgN/18uHS3uwnQRAGekMKG92tefvuX75Gk6qgpa/XI0w1evlSSCkq1E xMMLpoX3hNLhqcQ9OWg0smrdiKO6iYuiN46QdBnT0YVocfMcD/IS2g1uhqT3JtWmCgXM ueSyKPZg5Cu49pNYPm1RLaV9CaHD/g6cirPOMtuvO1WJFeNtlsErHCdpRwJx2AzMmXWP XrRKWTNTxINajjvkJ/5jN+H5DASWapxKMuPPwrGAguKKoQrheR2x5+w/yeYGReVkgUR2 FZvCB6F36hZmxsCOaWL4Vf314qXz5VoFJrIam9QsAvTuREbWVWcfOC3KoSp8le3KT2U/ DiBw==
X-Forwarded-Encrypted: i=1; AJvYcCVBdIsqmVFx03rTUNvQt4kiPx5qIIE+ePpn483cpB1df8Go2pwdIDo5WoBJNdcNH1BOI2sKlu389tr8Ifqc9Q==
X-Gm-Message-State: AOJu0YwENdB6MLfIKXdv6GPSvN9TzI7jFm9dKC2pzOYqKKyq+RYXSNlg qQSL9mL1sFMiA50sUcpgTih+EsKQjm+MXKJvGVaMvD+GG7nPQ8nd6/jOJcepaNa/a4tB+HoL706 MHa2JSujUwasG8iXFEHzM0a81DmhOBS4fipFtY50k8sMF46ZX+i9Z0W2z2BgJxIgJe8HiooR9Z9 pkPV7JJLMjYhc84llvaw==
X-Received: by 2002:a19:ac01:0:b0:516:bef3:47ff with SMTP id g1-20020a19ac01000000b00516bef347ffmr1767043lfc.28.1712944189499; Fri, 12 Apr 2024 10:49:49 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IG3ArX44wUuR6h6tqQ0WoS098chVwFamYm+cHp8A7olL16P/1MP7l6VO9kS1u2NtiVthSVishxBhMGQBMLsAq8=
X-Received: by 2002:a19:ac01:0:b0:516:bef3:47ff with SMTP id g1-20020a19ac01000000b00516bef347ffmr1767033lfc.28.1712944189002; Fri, 12 Apr 2024 10:49:49 -0700 (PDT)
MIME-Version: 1.0
References: <CANtBS9djWszOjH_ArUTP8tCAaJJvSJ2Do26M99eU+1ayqwrjyw@mail.gmail.com> <CAOgPGoDGjiKYojnD6SAZgZnd6W8nPuqxg9qP=CHGZ8YJCJRerw@mail.gmail.com> <CANtBS9f2R3dhtwbp_4iP5D2gPRu8Agb1oNACFPm6M1TatZeQ9Q@mail.gmail.com> <CAOtx8D=L8oY+b33aCJhNK4xHtaOet5g1m1DVGRH2jF0G7O=ATQ@mail.gmail.com> <BE16B049-6229-4594-B708-DC64E2FA2C86@1und1.de> <CA+k3eCQHFnGpb+Ff_gmXLMxh8OZ2FufCs1+CY3d_BKjeo9_Spw@mail.gmail.com> <CANtBS9dMUxqXCke7pBJ5rYAPo81tbekqLjfTQp6hi7R5RYexuA@mail.gmail.com>
In-Reply-To: <CANtBS9dMUxqXCke7pBJ5rYAPo81tbekqLjfTQp6hi7R5RYexuA@mail.gmail.com>
From: George Fletcher <george.fletcher@capitalone.com>
Date: Fri, 12 Apr 2024 13:49:36 -0400
Message-ID: <CAJnLd9+O2276oOP8u4gXogSKkjyM+pFycax_m8-Sxs7qt_BuWQ@mail.gmail.com>
To: Atul Tulshibagwale <atul@sgnl.ai>
Cc: Brian Campbell <bcampbell@pingidentity.com>, Kai Lehmann <kai.lehmann=401und1.de@dmarc.ietf.org>, Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e8018f0615e9e5dd"
X-Proofpoint-GUID: EZaCXWnE5ZJnLtlcbW9TL3PgUCJLV0JX
X-Proofpoint-ORIG-GUID: EZaCXWnE5ZJnLtlcbW9TL3PgUCJLV0JX
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-04-12_14,2024-04-09_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=1 phishscore=1 adultscore=0 suspectscore=0 malwarescore=0 mlxlogscore=999 bulkscore=0 spamscore=0 mlxscore=0 classifier=spam adjust=0 reason=forced scancount=1 engine=8.12.0-2404010000 definitions=main-2404120130
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W7h0J_b5OlB6Rncj6RUi3Z3fs7w>
Subject: Re: [OAUTH-WG] [External Sender] Re: Transaction Tokens issuance in the absence of incoming token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 17:50:56 -0000

Atul has submitted this PR to address this issue.
https://github.com/oauth-wg/oauth-transaction-tokens/pull/90

On Fri, Apr 12, 2024 at 12:10 PM Atul Tulshibagwale <atul@sgnl.ai> wrote:

> Thanks all, for your input. We discussed alternatives on a call last week
> <https://urldefense.com/v3/__https://hackmd.io/@rpc-sec-wg/BkdOgipkA__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthSUvjiHD$>,
> and arrived at using self-signed tokens with token exchange as a way
> forward.
>
> On Fri, Apr 5, 2024 at 10:58 AM Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>> One potential benefit of keeping the use of Token Exchange is that some
>> AS products/implementations have built a fair amount of configurability and
>> extensibility into their Token Exchange support, which might allow for
>> existing systems to be set up to do Transaction Tokens. Whereas a new
>> endpoint or new grant type are more likely to require code changes to the
>> core AS. Obviously this isn't universally true but something to consider
>> nonetheless.
>>
>> On Fri, Apr 5, 2024 at 4:13 AM Kai Lehmann <kai.lehmann=
>> 401und1.de@dmarc.ietf.org> wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> that is my thought as well. It does not necessarily be a Token Exchange
>>> profile, but the Token endpoint makes sense as Tokens are issued. Defining
>>> a specific Token grant with the necessary input parameters would fit nicely.
>>>
>>>
>>>
>>> Best regards,
>>>
>>> Kai
>>>
>>>
>>>
>>> *From: *OAuth <oauth-bounces@ietf.org> on behalf of Dmitry Telegin
>>> <dmitryt=40backbase.com@dmarc.ietf.org>
>>> *Date: *Friday, 5. April 2024 at 00:41
>>> *To: *Atul Tulshibagwale <atul@sgnl.ai>
>>> *Cc: *oauth <oauth@ietf.org>
>>> *Subject: *Re: [OAUTH-WG] Transaction Tokens issuance in the absence of
>>> incoming token
>>>
>>>
>>>
>>> Hello Atul,
>>>
>>>
>>>
>>> As an alternative to Token Exchange and separate (new) endpoint, have
>>> you ever considered OAuth 2.0 Extension Grants
>>> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/rfc6749*section-4.5__;Iw!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthaF41vnj$>?
>>> This could give us more flexibility as will let us define our own set of
>>> input parameters and validation rules (opposite to Token Exchange that
>>> restricts us to subject_token and friends).
>>>
>>>
>>>
>>> Regards,
>>>
>>> Dmitry
>>>
>>>
>>>
>>> On Thu, Apr 4, 2024 at 11:02 PM Atul Tulshibagwale <atul@sgnl.ai> wrote:
>>>
>>> Thanks very much for your feedback, Joe!
>>>
>>>
>>>
>>> On Wed, Apr 3, 2024 at 10:16 AM Joseph Salowey <joe@salowey.net> wrote:
>>>
>>> Hi Atul,
>>>
>>>
>>>
>>> I'm just starting to review the transaction tokens draft and have only a
>>> minimal understanding of the token exchange document at this point so I'm
>>> lacking a little background, but I have a few comments and questions below.
>>>
>>>
>>>
>>> On Fri, Mar 29, 2024 at 10:39 AM Atul Tulshibagwale <atul@sgnl.ai>
>>> wrote:
>>>
>>> Hi all,
>>>
>>> We had a meeting today (notes here
>>> <https://urldefense.com/v3/__https://hackmd.io/@rpc-sec-wg/HJNXYKkk0__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthSyWxSbV$>)
>>> in which we discussed the question of what we should do if there is no
>>> incoming (external) token in the request to issue a Transaction Token
>>> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthe6t5FmT$>
>>> (TraT). We identified a few circumstances under which this can happen:
>>>
>>>    - The requesting service is triggered by a non-OAuth based flow such
>>>    as email or an internal trigger
>>>    - The client of the requesting service uses means other than an
>>>    access token to authorize the call (e.g. MTLS)
>>>
>>> [Joe] I think there will be a fair number of systems that support means
>>> of authorizing non-oauth flows.
>>>
>>>
>>>
>>>
>>>
>>> We identified a few possibilities listed below. Please note that the
>>> Transaction Tokens draft assumes that the TraT Service trusts the
>>> requesting service, so all the possibilities below assume this.
>>>
>>>
>>>
>>>
>>>
>>> [Joe] yes, you are trusting another part of the system to perform some
>>> authorization and inform the token service of the result.
>>>
>>>
>>>
>>> Here are some possibilities we discussed:
>>>
>>>    1. *Request Details*: Put the subject information in the
>>>    request_details parameter of the TraT request, and the subject_token value
>>>    is set to "N_A"
>>>    2. *Self-Signed Token*: The requester generates a self-signed JWT
>>>    that has the subject information and puts that in the subject_token value
>>>
>>> [Joe] I like having signed tokens, but if this is really information
>>> just exchanged between two endpoints it may be more work than necessary.
>>>
>>>
>>>    1. *Separate Separate Endpoint*: The TraT service exposes a separate
>>>    endpoint to issue TraTs when there is no incoming token, and that endpoint
>>>    can be defined such that the request does not have a subject_token
>>>    parameter. This endpoint is not a profile of OAuth Token Exchange
>>>    2. *Separate Endpoint Only*: Extending the thought above, the
>>>    requester can always extract the content of the incoming token into the
>>>    "request_details" parameter, so why do we need the Token Exchange endpoint
>>>
>>> [Joe] What do we gain by using token exchange? While it seems that there
>>> is overlap between delegation/impersonation it seems that transaction
>>> tokens are sort of a superset and contain additional information about the
>>> context of the transaction.   If it looks like token exchange is too
>>> constraining then transaction tokens may just be a different use case.
>>> With the understanding I currently have I'd either go with 4. Separate
>>> Endpoint Only or 2. Self Signed token.  Splitting the endpoints could be
>>> valid, but it seems a bit weird for me, if we did decide to do that then
>>> probably we wouldn't need to sign the information unless the request is
>>> going to traverse multiple systems.
>>>
>>>
>>>
>>>
>>>
>>> We would like to understand how the group feels about these choices, or
>>> if you have other suggestions / thoughts on this topic.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Atul
>>>
>>>
>>>
>>> --
>>>
>>> [image: Image removed by sender.]
>>> <https://urldefense.com/v3/__https://sgnl.ai/__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthWE6M_vP$>
>>>
>>> Atul Tulshibagwale
>>>
>>> CTO
>>>
>>> [image: Image removed by sender.]
>>> <https://urldefense.com/v3/__https://linkedin.com/in/tulshi__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthdcL8-tf$>[image:
>>> Image removed by sender.]
>>> <https://urldefense.com/v3/__https://twitter.com/zirotrust__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthbfiKcf_$>[image:
>>> Image removed by sender.] <atul@sgnl.ai>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthVWkx-Kq$>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthVWkx-Kq$>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>> <https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthVWkx-Kq$>
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!FrPt2g6CO4Wadw!IaritBR30A-OIqtvw3r5q6_aqkOROPghBPV4SoaRKASDbORVwY8WPRHKgkC7kPF3SIu2uOfYw3rthVWkx-Kq$
>

______________________________________________________________________



The information contained in this e-mail may be confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.

v2.23.0 | Report a Bug | By Email