[OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

Atul Tulshibagwale <atul@sgnl.ai> Fri, 29 March 2024 17:39 UTC

From: Atul Tulshibagwale <atul@sgnl.ai>
Date: Fri, 29 Mar 2024 10:39:04 -0700
Message-ID: <CANtBS9djWszOjH_ArUTP8tCAaJJvSJ2Do26M99eU+1ayqwrjyw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Zo40nEJIEaK-HCDQGGJW7fziK6E>
Subject: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

Hi all,
We had a meeting today (notes here <https://hackmd.io/@rpc-sec-wg/HJNXYKkk0>)
in which we discussed the question of what we should do if there is no
incoming (external) token in the request to issue a Transaction Token
<https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>
(TraT). We identified a few circumstances under which this can happen:

   - The requesting service is triggered by a non-OAuth-based flow such as
   email or an internal trigger
   - The client of the requesting service uses means other than an access
   token to authorize the call (e.g. MTLS)

We identified a few possibilities listed below. Please note that the
Transaction Tokens draft assumes that the TraT Service trusts the
requesting service, so all the possibilities below assume this.

Here are some possibilities we discussed:

   1. *Request Details*: Put the subject information in the request_details
   parameter of the TraT request, and the subject_token value is set to "N_A"
   2. *Self-Signed Token*: The requester generates a self-signed JWT that
   has the subject information and puts that in the subject_token value
   3. *Separate Endpoint*: The TraT service exposes a separate
   endpoint to issue TraTs when there is no incoming token, and that endpoint
   can be defined such that the request does not have a subject_token
   parameter. This endpoint is not a profile of OAuth Token Exchange
   4. *Separate Endpoint Only*: Extending the thought above, the requester
   can always extract the content of the incoming token into the
   "request_details" parameter, so why do we need the Token Exchange endpoint?

We would like to understand how the group feels about these choices, or if
you have other suggestions / thoughts on this topic.

Thanks,
Atul

-- 

<https://sgnl.ai>

Atul Tulshibagwale

CTO

<https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
<atul@sgnl.ai>
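As an added illustration (not code from the thread, the draft, or SGNL), here is a hypothetical TraT Service handler showing how options 1 and 2 above differ on the receiving side: with `subject_token` of "N_A" the subject comes from `request_details` and rests entirely on the transport-authenticated requester being trusted, whereas a self-signed `subject_token` JWT also gives the service a signature, an `iss` and an `exp` to check. The `request_details.subject` field, the returned claim names, and the HS256 per-requester keys are assumptions made to keep the example self-contained.

```python
import base64, hashlib, hmac, json, secrets, time
# Constructed example: a hypothetical TraT Service deciding the subject of a
# Transaction Token when there is no incoming (external) token, covering the
# thread's options 1 (subject in request_details, subject_token "N_A") and
# 2 (self-signed JWT in subject_token). HS256 with a per-requester key keeps
# this self-contained; a real deployment would verify asymmetric signatures.
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TRAT_TYPE = "urn:ietf:params:oauth:token-type:txn_token"

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_self_signed_jwt(claims: dict, key: bytes) -> str:
    """Requester side of option 2: self-signed JWT carrying the subject."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_self_signed_jwt(token: str, key: bytes, requester_id: str) -> dict:
    """Check signature, alg, expiry, and that iss is the authenticated requester."""
    head, body, sig = token.split(".")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != requester_id or claims.get("exp", 0) < time.time():
        raise ValueError("issuer mismatch or expired")
    return claims

def issue_trat(req: dict, requester_id: str, trusted: set, keys: dict) -> dict:
    """requester_id is the identity the transport authenticated (e.g. mTLS); the
    draft assumes the TraT Service trusts the requester, so check that first."""
    if requester_id not in trusted:
        raise PermissionError("untrusted requester")
    if req.get("grant_type") != TOKEN_EXCHANGE or req.get("requested_token_type") != TRAT_TYPE:
        raise ValueError("not a TraT request")
    tok = req.get("subject_token")
    if tok == "N_A":                                  # option 1: request_details
        sub = req["request_details"]["subject"]       # assumed field name
    else:                                             # option 2: self-signed JWT
        sub = verify_self_signed_jwt(tok, keys[requester_id], requester_id)["sub"]
    # Claim names below are illustrative, not the draft's exact TraT claim set.
    return {"txn": secrets.token_hex(16), "sub": sub, "req_sub": requester_id,
            "rctx": req.get("request_context", {}), "exp": int(time.time()) + 300}
```

Note that in option 1 the service has nothing but requester trust to go on, so logging `req_sub` alongside `sub` matters for later audit.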