IETF Logo Mail Archive

Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

Rob Otto <robotto@pingidentity.com> Thu, 17 May 2018 12:16 UTC

Return-Path: <robertotto@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 360CA12D88E for <oauth@ietfa.amsl.com>; Thu, 17 May 2018 05:16:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BvYpRl_UwJ-o for <oauth@ietfa.amsl.com>; Thu, 17 May 2018 05:16:22 -0700 (PDT)
Received: from mail-pf0-x22a.google.com (mail-pf0-x22a.google.com [IPv6:2607:f8b0:400e:c00::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B16612D874 for <oauth@ietf.org>; Thu, 17 May 2018 05:16:22 -0700 (PDT)
Received: by mail-pf0-x22a.google.com with SMTP id a22-v6so2016151pfn.6 for <oauth@ietf.org>; Thu, 17 May 2018 05:16:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FglYiXzS4rncdyw0Axk88KxG/fQ32Qz/bg1LNOxppjQ=; b=jLpNBNMno5NHITM2b36ziYI/mRDESvcTRIkbT240BiU7mcrjr0/ONYc49Yuds9ZYzr bYQD6pOR4zlzjeFCb7C+D//wmV6Lu2MGIMqiBfNljrHLFyUaYyBJW7WSlyr0bFoLK2jX GT98qFDHn5XcnLHzf180B5Vc3HDp/5M3+kcn0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=FglYiXzS4rncdyw0Axk88KxG/fQ32Qz/bg1LNOxppjQ=; b=dhhoZ5UaaNc4Pa06p4z2clWg2xUcNkpzf94BEGCyizQTFfkXiIXp77bly4R0Dz8lWm w3Y7ktKj142gWwwbtKTcDOY7QwXcvCOXAT0jxwfNVXez5Nt8/nAHuHof5//+yWTUAUK2 NtqWiAUiGdMi2kwPq1Ro6WChIIPC0foPpY2UIaxdYHgZHVmVtNkoK0UkC61AmeGfnb3h ++0uVYsMcYDirLCis5+0jqX75XBS5k44sJ7fSuMa8QySXAdebFmJdmrTpYyf3JI68KWN UwqkF87aCNeBEKSQhM6kv0h28u1XeAAIaqOnPErgV62CaC5I2LCp1Y81kGlQGopl/IG0 jC9w==
X-Gm-Message-State: ALKqPwfStJsoExdFew80PoFlicg1uJzX0QmOjKAW80rwCA82ka9VNMQ1 dLmq4u0RwO2veTNaP2yKzCb7krdSuBBjUTAqhDHBLBD1iU/Aeca6qiJ0aQBh9kCsvK6ACvqJRC7 DiEl01MzWnnEQ3Q==
X-Google-Smtp-Source: AB8JxZrEMfExBah/ktOUgopvjwGjml5LFtyMXfDO87geMuxW8vWXprDQ1AnDva8gkQKUJjbl9c/ZzIyNS7GUGb7JZQw=
X-Received: by 2002:a63:6110:: with SMTP id v16-v6mr3920692pgb.292.1526559382007; Thu, 17 May 2018 05:16:22 -0700 (PDT)
MIME-Version: 1.0
References: <CABcZeBNQaqg3wFuo=w3h4k+bB44pEPnoR-zZYM+AR7YDA=O8Gg@mail.gmail.com> <CA+k3eCRDyn7-1KEVYai8b-G_bLQZGTgiS2VFG9W3NWy2Ttu-nw@mail.gmail.com> <ef06d115-b178-16c3-76ca-4693d273ae41@free.fr> <CA+k3eCTeBqPHTs_vUrFOcEOT3CHJptJN8m3_M3LDYyL=WrL5BA@mail.gmail.com> <CABRXCmxSY75_tSA6uE4jtMMeX4aXOGEzWBLhkKXOOgg9ZUNNuA@mail.gmail.com>
In-Reply-To: <CABRXCmxSY75_tSA6uE4jtMMeX4aXOGEzWBLhkKXOOgg9ZUNNuA@mail.gmail.com>
From: Rob Otto <robotto@pingidentity.com>
Date: Thu, 17 May 2018 13:16:04 +0100
Message-ID: <CABh6VRE53gtadPTa_+Cj+k1kcuAO2b74z6KzniU_v==GO_PfiA@mail.gmail.com>
To: Bill Burke <bburke@redhat.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b19a71056c65cdc2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ZtI53LAafnuDiz9HO3DKMUEzTEE>
Subject: Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 12:23:28 -0000

+1 to this.

Rob


On Thu, 17 May 2018 at 13:10, Bill Burke <bburke@redhat.com> wrote:

> My personal opinion is that I'm glad this actor stuff is optional.
> For one, none of our users have asked for it and really only do simple
> exchanges.  Secondly, the rules for who can exchange what for what is
> controlled and defined within our AS.  Makes things a lot simpler on
> the client.  I kind of wish the actor stuff would be defined in a
> separate specification.  I don't see us implementing it unless users
> start asking us to.
>
> On Wed, May 16, 2018 at 6:11 PM, Brian Campbell
> <bcampbell@pingidentity.com> wrote:
> > Well, it's already called the "actor claim" so the claimed part is kind
> of
> > implied. And "claimed actor claim" is a rather awkward. Really, all JWT
> > claims are "claimed something" but they don't include the "claimed" bit
> in
> > the name. RFC 7519, for example, defines the subject claim but not the
> > claimed subject claim.
> >
> > On Fri, Apr 20, 2018 at 11:38 AM, Denis <denis.ietf@free.fr> wrote:
> >>
> >> Brian,
> >>
> >> Eric said: "what is the RP supposed to do when they encounter it? This
> >> seems kind of under specified".
> >>
> >> After reading your explanations below, it looks like the RP can do
> >> anything he wants with the "actor".
> >> It is a "claimed actor" and, if we keep the concept, it should be called
> >> as such. Such a claim cannot be verified.
> >> A RP could copy and paste that claim in an audit log. No standard action
> >> related to the content of such a claim
> >> can be specified in the spec. If the content of a "claimed actor" is
> used
> >> by the RP, it should be only used as an hint
> >> and thus be subject to other verifications which are not specified in
> this
> >> specification.
> >>
> >> Denis
> >>
> >> Eric, I realize you weren't particularly impressed by my prior
> statements
> >> about the actor claim but, for lack of knowing what else to say, I'm
> going
> >> to kind of repeat what I said about it over in the Phabricator tool and
> add
> >> a little color.
> >>
> >> The actor claim is intended as a way to express that delegation has
> >> happened and identify the entities involved. Access control or other
> >> decisions based on it are at the discretion of the consumer of the token
> >> based on whatever policy might be in place.
> >>
> >> There are JWT claims that have concise processing rules with respect to
> >> whether or not the JWT can be accepted as valid. Some examples are "aud"
> >> (Audience), "exp" (Expiration Time), and "nbf" (Not Before) from RFC
> 7519.
> >> E.g. if the token is expired or was intended for someone or something
> else,
> >> reject it.
> >>
> >> And there are JWT claims that appropriately don't specify such
> processing
> >> rules and are solely statements of fact or circumstance. Also from RFC
> 7519,
> >> the "sub" (Subject) and "iat" (Issued At) claims are good examples of
> such.
> >> There might be application or policy specific rules applied to the
> content
> >> of those kinds of claims (e.g. only subjects from a particular
> organization
> >> are able to access tenant specific data or, less realistic but still
> >> possible, disallow access for tokens issued outside of regular business
> >> hours) but that's all outside the scope of a specification's definition
> of
> >> the claim.
> >>
> >> The actor claim falls into the latter category. It's a way for the
> issuer
> >> of the token to tell the consumer of the token what is going on. But any
> >> action to take (or not) based on that information is at the discretion
> of
> >> the token consumer. I honestly don't know it could be anything more. And
> >> don't think it should be.
> >>
> >> There are two main expected uses of the actor claim (that I'm aware of
> >> anyway) that describing here might help. Maybe. One is a human to human
> >> delegation case like a customer service rep doing something on behalf
> of an
> >> end user. The subject would be that user and the actor would be the
> customer
> >> service rep. And there wouldn't be any chaining or nesting of the
> actor. The
> >> other case is so called service chaining where a system might exchange a
> >> token it receives for a new token that it can use to call a downstream
> >> service. And that service in turn might do another exchange to get a new
> >> token suitable to call yet another downstream service. And again and so
> on
> >> and turtles all the way. I'm not necessarily endorsing that level of
> >> granularity in chaining but it's bound to happen somewhere/sometime. The
> >> nested actor claim is able to express that all that has happened with
> the
> >> top level or outermost one being the system currently using the token
> and
> >> prior systems being nested.. What actually gets done with that
> information
> >> is up to the respective systems involved. There might be policy about
> what
> >> system is allowed to call what other system that is enforced. Or maybe
> the
> >> info is just written to an audit log somewhere. Or something else. I
> don't
> >> know. But whatever it is application/deployment/policy dependent and not
> >> specifiable by a spec.
> >>
> >>
> >>
> >>
> >>
> >>
> >> On Fri, Apr 13, 2018 at 6:38 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> >>>
> >>> Hi folks,
> >>>
> >>> I've gone over draft-ietf-oauth-token-exchange-12 and things seem
> >>> generally OK. I do still have one remaining concern, which is about
> >>> the actor claim. Specifically, what is the RP supposed to do when they
> >>> encounter it? This seems kind of underspecified.
> >>>
> >>> In particular:
> >>>
> >>> 1. What facts am I supposed to know here? Merely that everyone in
> >>>    the chain signed off on the next person in the chain acting as them?
> >>>
> >>> 2. Am I just supposed to pretend that the person presenting the token
> >>>    is the identity at the top of the chain? Say I have the
> >>>    delegation A -> B -> C, and there is some resource which
> >>>    B can access but A and C cannot, should I give access?
> >>>
> >>> I think the first question definitely needs an answer. The second
> >>> question I guess we could make not answer, but it's pretty hard
> >>> to know how to make a system with this left open..
> >>>
> >>> -Ekr
> >>>
> >>>
> >>> _______________________________________________
> >>> OAuth mailing list
> >>> OAuth@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/oauth
> >>>
> >>
> >>
> >> CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged
> >> material for the sole use of the intended recipient(s). Any review, use,
> >> distribution or disclosure by others is strictly prohibited..  If you
> have
> >> received this communication in error, please notify the sender
> immediately
> >> by e-mail and delete the message and any file attachments from your
> >> computer. Thank you.
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
> >
> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged
> > material for the sole use of the intended recipient(s). Any review, use,
> > distribution or disclosure by others is strictly prohibited..  If you
> have
> > received this communication in error, please notify the sender
> immediately
> > by e-mail and delete the message and any file attachments from your
> > computer. Thank you.
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> >
>
>
>
> --
> Bill Burke
> Red Hat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
-- 
Rob Otto
EMEA Field CTO - Ping Identity
+44 777 135 6092

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email