IETF Logo Mail Archive

Re: [OAUTH-WG] Token Chaining Use Case

Justin Richer <jricher@mit.edu> Thu, 26 March 2015 19:44 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE7A1B2DEA for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 12:44:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hYzgAly32oUB for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 12:44:49 -0700 (PDT)
Received: from dmz-mailsec-scanner-6.mit.edu (dmz-mailsec-scanner-6.mit.edu [18.7.68.35]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6B991A92AB for <oauth@ietf.org>; Thu, 26 Mar 2015 12:44:31 -0700 (PDT)
X-AuditID: 12074423-f79536d000000e74-95-5514619d80d5
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-6.mit.edu (Symantec Messaging Gateway) with SMTP id 88.BC.03700.D9164155; Thu, 26 Mar 2015 15:44:29 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t2QJiSdh016664; Thu, 26 Mar 2015 15:44:29 -0400
Received: from [IPv6:2607:fb90:1c31:ca00:0:32:1b33:dd01] ([172.56.7.16]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t2QJh8hH019032 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Thu, 26 Mar 2015 15:44:25 -0400
Date: Thu, 26 Mar 2015 14:42:36 -0500
Message-ID: <9c1sdvnf558khwgomc9by3ys.1427398956170@email.android.com>
Importance: normal
From: Justin Richer <jricher@mit.edu>
To: Bill Mills <wmills_92105@yahoo.com>, "<oauth@ietf.org>" <oauth@ietf.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.android.email_3904120130544920"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrFIsWRmVeSWpSXmKPExsUixG6nrjs3USTU4NlKfYuTb1+xWXzrus7s wOSxZMlPJo9Zsw4zBTBFcdmkpOZklqUW6dslcGXMXniUteBHScWj6deYGhgfFHYxcnJICJhI rFv+hBXCFpO4cG89WxcjF4eQwGImiXOnXzFDOBsZJY7P+84K4Rxlkvh69wULSAuLgKrExoPH wWxhAX2J5dv7gIo4OHgF3CRWzy8FMTkFhCS6dkmAVLABVU9f08IEYosI+EhceHOPEcTmFRCU ODnzCdgUZoFQieZn/UwTGHlnIUnNQpKCsNUl/sy7xAxhK0pM6X7IPgtoG7OAmsSyViVk4QWM bKsYZVNyq3RzEzNzilOTdYuTE/PyUot0zfRyM0v0UlNKNzGCg9RFeQfjn4NKhxgFOBiVeHh/ 9AuHCrEmlhVX5h5ilORgUhLlPRYhEirEl5SfUpmRWJwRX1Sak1p8iFGCg1lJhNc5FijHm5JY WZValA+TkuZgURLn3fSDL0RIID2xJDU7NbUgtQgmK8PBoSTBOz8BqFGwKDU9tSItM6cEIc3E wQkynAdoeBFIDW9xQWJucWY6RP4Uo6KUOG8fSEIAJJFRmgfXC0sirxjFgV4R5p0IUsUDTEBw 3a+ABjMBDT6XzwcyuCQRISXVwLjrvd8s8wcrv58Quu/0btVr4UMJH0rZ67e6tD7XiwzU2et7 c0v40nWcr0QbEj4syXvcnMIY7iJddubx1BOXk3+sWvfv/jTmQwvfzT0ropwqFpnMptx96KDO lrP8qlt0uQRjNvaLLaoX+7993sSJhfKrngbMvHibcY/hgcvspfbFD594qqdE6YgqsRRnJBpq MRcVJwIA631T5v0CAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/_t-wBiQFAL3uU6SPAcNPyXRLdQY>
Subject: Re: [OAUTH-WG] Token Chaining Use Case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 19:44:55 -0000

    
Because many implementations (including mine which does support my old token chaining draft) treat access tokens and refresh tokens separately in terms of data store and structure. Additionally, the refresh token is tied to the client and presented by the client. But in this case it's someone downstream, an RS, presenting the token. So unlike a refresh token being presented by the one it was issued to, this token is being presented by someone it was presented to. 
The feeling is close, but not quite the same in either development or assumptions.
-- Justin
/ Sent from my phone /

-------- Original message --------
From: Bill Mills <wmills_92105@yahoo.com> 
Date: 03/26/2015  2:24 PM  (GMT-06:00) 
To: Justin Richer <jricher@MIT.EDU>, "<oauth@ietf.org>" <oauth@ietf.org> 
Subject: Re: [OAUTH-WG] Token Chaining Use Case 

So why can't the access tokne simply be re-used as a refresh token?  Why would it need a new grant type at all?
  


     On Thursday, March 26, 2015 11:31 AM, Justin Richer <jricher@MIT.EDU> wrote:
    

 As requested after last night’s informal meeting, here is the token chaining use case that I want to see represented in the token swap draft.


[ Client ]  ->   [ A ] -> [ B ] -> [ C ]

An OAuth client gets an access token AT1, just like it always would, with scopes [A, B, C] in order to call service A, which requires all three scopes. Service A (an RS) accepts this token since it has its scope, and then needs to call service B in turn, which requires scopes [B, C]. It could just re-send the token it got in, AT1, but that would give the downstream RS the ability to call services with scope [ A ] and it should not be allowed to do that. To limit exposure, service A calls a token swap at the AS to create AT2 with scopes [ B, C ], effectively acting as an OAuth client requesting a downscoped token based on AT1. Service A then acts as an OAuth client to call service B, now acting as an RS to service A’s client, and can fulfill the request. And it’s turtles all the way down: Service B can also call service C, and now B acts as a client, requesting AT3 with scope [ C ] based on AT2, and sending AT3 to service C. This prevents C from being able to call B or A, both of which would have been available if AT1 had been passed around. Note that service A or the Client can also request a downscoped token with [ C ] to call service C directly as well, and C doesn’t have to care how it got there.


In other words, it lets the client software be very, very dumb. It doesn’t have to do any special processing, doesn’t have to know what’s in the token, it just follows the recipe of “I got a token, I get another token based on this to call someone else”. It’s also analogous to the refresh token flow, but with access tokens going in and out. I’ve deployed this setup several times in different service deployments. Even though there is a performance hit in the additional round trips (as Phil brought up in another thread), in these cases the desire to have the tokens hold least privilege access rights (smallest set of scopes per service) outweighed any performance hit (which was shown to be rather small in practice).

What I want is for the token swap draft to define or use a mechanism that allows us to do this. I think we can do that pretty easily by adjusting the token swap syntax and language, and explicitly calling out the semantic processing portion (the current core of the document) for what it is: a way for a token issuer to communicate to a token service specific actions. At a high level, the spec would be something like:



1. How to swap a token at an AS
  1. Send a request to the token endpoint with a new grant type, and a token (of any type/format/flavor) on the way in
  2. Get back a new token in a token response
2. Communicating act as / on behalf of semantics via a JWT assertion
  1. How to create (as an AS/RS/client/other issuer) a JWT with act-as semantics
  2. What to do (as an AS/RS) with a JWT with act-as semantics
  3. How to create a JWT with on-behalf-of semeantics
  4. What to do with a JWT with on-behalf-of-semantics
  5. How to possibly represent these semantics with something other than a JWT



Section 2 uses the syntax from section 1. Other applications, like the one I laid out above, can use the syntax from section 1 as well. This works for structured, unstructured, self-generated, cross-domain, within-domain, and other tokens.


 — Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email