[OAUTH-WG] Proposal for Tx token batching processing on draft-ietf-oauth-transaction-tokens-03
"Raut, Ashay" <asharaut@amazon.com> Sat, 27 July 2024 05:56 UTC
From: "Raut, Ashay" <asharaut@amazon.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Subject: [OAUTH-WG] Proposal for Tx token batching processing on draft-ietf-oauth-transaction-tokens-03
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cMdeb45VXunwx_dhSIvQvjyak9Q>
Date: Sat, 27 Jul 2024 20:38:04 -0000
X-Original-Date: Sat, 27 Jul 2024 05:56:16 +0000
Hello All,

I have raised a github issue describing my thoughts on how to generate and use transaction tokens in batch long running processes. Link: https://github.com/oauth-wg/oauth-transaction-tokens/issues/111

We already have established that Tx tokens must be short lived. However, the claims that the token carries are valid even for asynchronous/batch jobs that outlive the token lifetime. In these cases, there is a need to securely obtain the Tx token as the batch process resumes after a pause or a consumer gets a message from a message queue after a long delay.

The core idea revolves around the concept of a refresh token, which is essentially a special type of signed token with a longer lifetime (higher TTL) issued by the Tx token service. The token cannot be used for data access but only for obtaining a new Tx token. There are two operations the Tx token service has to support – getRefreshToken(TxToken) and getTxToken(RefreshToken).

The refresh token will contain the encrypted claims from the token, or it can be a uniqueId generated by the TxToken service, with the TxToken service storing the claims against that uniqueId in a persistent store. The latter adds overhead on the Tx token service to maintain a persistent store. Either way, with a refresh token, if a workflow pauses for a long duration, when it resumes it can use the refresh token to obtain a Tx Token. The TxToken service must authenticate the calling service and can also do additional fine-grained authorization if required before issuing the Tx token.

On similar lines, I have opened another github issue for updating guidance on replacement token lifetime to include that the replacement token lifetime should be whatever is left on the original token used to obtain a new one. https://github.com/oauth-wg/oauth-transaction-tokens/issues/110

Regards,
Ashay
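The two operations proposed above (getRefreshToken and getTxToken), plus the replacement-lifetime rule from issue 110, modelled as a small service. This is an added example, not code from the draft or from the author; the HMAC signing scheme (signed rather than encrypted claims), the `typ` values, the TTLs and the trusted-workload check are constructed assumptions.

```python
"""Model of the proposed Tx token refresh flow. Added example, not the draft's or the
author's code; HMAC signing (not encryption) and the 'typ' values are constructed."""
import base64, hashlib, hmac, json

TX_TTL, REFRESH_TTL = 300, 86400   # seconds; constructed values, Tx token stays short lived

def _b64(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _strip(c): return {k: v for k, v in c.items() if k not in ("typ", "iat", "exp")}

class TxTokenService:
    def __init__(self, key, trusted_workloads):
        self._key, self._trusted = key, set(trusted_workloads)

    def _sign(self, claims):
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        return body + "." + _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())

    def _verify(self, token, expected_typ, now):
        body, sig = token.split(".")
        mac = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(mac, sig):
            raise ValueError("bad signature")
        claims = json.loads(_unb64(body))
        # 'typ' keeps a refresh token from being accepted where a Tx token is expected,
        # so it can only be exchanged at the service, never used for data access.
        if claims.get("typ") != expected_typ:
            raise ValueError("wrong token type")
        if claims["exp"] <= now:
            raise ValueError("expired")
        return claims

    def issue_tx_token(self, txn_claims, now, exp=None):
        return self._sign({**txn_claims, "typ": "txn", "iat": now, "exp": exp or now + TX_TTL})

    def get_refresh_token(self, tx_token, now):
        # The refresh token carries the Tx claims itself, so no persistent store is needed.
        claims = _strip(self._verify(tx_token, "txn", now))
        return self._sign({**claims, "typ": "txn-refresh", "iat": now, "exp": now + REFRESH_TTL})

    def get_tx_token(self, refresh_token, caller, now):
        # Authenticate the resuming workload before minting a new short-lived Tx token.
        if caller not in self._trusted:
            raise PermissionError("untrusted caller: " + caller)
        return self.issue_tx_token(_strip(self._verify(refresh_token, "txn-refresh", now)), now)

    def replace_tx_token(self, tx_token, now):
        # Issue 110: a replacement token gets only the lifetime left on the original.
        claims = self._verify(tx_token, "txn", now)
        return self.issue_tx_token(_strip(claims), now, exp=claims["exp"])
```

A paused batch worker keeps only the refresh token; after the original Tx token has expired it calls get_tx_token, and the service re-checks the caller before re-minting a short-lived token with the original claims.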