Re: [OAUTH-WG] [External Sender] Comments on draft-ietf-oauth-transaction-tokens-01
George Fletcher <george.fletcher@capitalone.com> Fri, 12 April 2024 18:03 UTC
Return-Path: <george.fletcher@capitalone.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA1ACC14F6A2 for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2024 11:03:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.642
X-Spam-Level:
X-Spam-Status: No, score=-11.642 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-2.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=capitalone.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLCJ5MG5uqqh for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2024 11:02:58 -0700 (PDT)
Received: from mx0b-001b4101.pphosted.com (mx0b-001b4101.pphosted.com [148.163.155.198]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08445C14F693 for <oauth@ietf.org>; Fri, 12 Apr 2024 11:02:57 -0700 (PDT)
Received: from pps.filterd (m0127381.ppops.net [127.0.0.1]) by mx0b-001b4101.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 43C8i0SJ024221 for <oauth@ietf.org>; Fri, 12 Apr 2024 14:02:57 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=capitalone.com; h=mime-version : references : in-reply-to : from : date : message-id : subject : to : cc : content-type; s=SM2048Mar2022; bh=hr1DKcONUP9VJaAFuVYe/BxoqB4oGkP/vWFgAXwhYD0=; b=vmFzKGhUdJkH7TooC8z5Wi1gymuorwbK8mHtONrSHT0vKXg2dS2ZlsYNQznZ0qJB1iCV 0q4oogFvuymJiSl/cyfCKVzh2SfcQaOQyD5S33Rfh0j4npELM8zT8ihj+DqtjTbRL4TG /XM8BYRT8YTaSvg2DjLZHR8bC+qZrZOMGhM+J09U9Z0m36DiTfZ5+FsFWGi7aVkU71lW OwDIW7U3J6g20MtpQfFo2A3BfcUPuXCrA8xo1UD0ihTymm9wJErSyzCPWfh9wP9UKO/D Kk6TQUFTB3aK/Jf5R4ZIHpkg22IQfq8R8ChqHfwJSYSiHwo638E3+WjM2rlKx/GEv9VX ww==
Received: from mail-ed1-f69.google.com (mail-ed1-f69.google.com [209.85.208.69]) by mx0b-001b4101.pphosted.com (PPS) with ESMTPS id 3xcmq8cfak-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=OK) for <oauth@ietf.org>; Fri, 12 Apr 2024 14:02:56 -0400
Received: by mail-ed1-f69.google.com with SMTP id 4fb4d7f45d1cf-56e242ec7ffso672413a12.3 for <oauth@ietf.org>; Fri, 12 Apr 2024 11:02:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712944974; x=1713549774; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7GAfiuE4HoH3ryIOQWhqZIxVbjQopjfllXXQvHH3LXc=; b=AaG76gXDdsLmrFr8zE4s5s9wJ/2cTgYkITapA4EoyoC3Sq7bxgMsDS3AZI9F1sWPHg LEp0G2FUWvbVTU5THER7/OCPtIUfk48o+8q1XgW94mKw5aIsPInGzhmmTE0lLF+JaNqE uSCXHnVzR5G6owR4qd5fvW5HX8nZqpRhrZIdXOzx2TGz77NkZiXD7xZvx5QNDIvFjrcC o0wKcOJjFJOcqBDit0/gmilxnBJC5Gczd1jSDiR2ORdVd291PlzjTC/QYeCeLW3dzY5X CldeJpJ4IbsdyuvKaeVqKMCjkbIqLJu5h5jj1UWj64/vpuS38uvg0Eu6vmE9LekeAESJ 3urg==
X-Gm-Message-State: AOJu0YxFN1NlACGCn64u+vdPibPwbqms/I55elV5CpVI/mIdBKgN/K0T zeP+02rBZE1uIIEMcc4R5ZgmoumVE40hVhlP/KqtG2/lqXv1lQXPb1B1/Rg91ht+7PeJCF7QFZk hpqiHBTz9fQRPbW6H7a4OIHlzfuJ2rVyC6j/xzE/ABvoSk++JrlTScgoYIuJVwwqcssrRywhyyE P0lwwBXrFqa/IJzJYKzusWrNAMbw==
X-Received: by 2002:a17:906:6a01:b0:a4e:a7a:84e0 with SMTP id qw1-20020a1709066a0100b00a4e0a7a84e0mr2741284ejc.34.1712944974398; Fri, 12 Apr 2024 11:02:54 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IH3JIybxXmJPh6sWzsy9Xteka0HywvEKMYXHlhJz0NHUxIyRKX7FlWGnnXgexEWITjPwAOsF+wzN/A5uAXBkM0=
X-Received: by 2002:a17:906:6a01:b0:a4e:a7a:84e0 with SMTP id qw1-20020a1709066a0100b00a4e0a7a84e0mr2741271ejc.34.1712944973822; Fri, 12 Apr 2024 11:02:53 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoB9M1ahVMw=B3AyrX2LUi5zby2iHfVArNw-V1peSgNe6g@mail.gmail.com>
In-Reply-To: <CAOgPGoB9M1ahVMw=B3AyrX2LUi5zby2iHfVArNw-V1peSgNe6g@mail.gmail.com>
From: George Fletcher <george.fletcher@capitalone.com>
Date: Fri, 12 Apr 2024 14:02:42 -0400
Message-ID: <CAJnLd9Lw+fSbBft6iVD3+gn4aU5j7CSm8JpXyt6V6xj5hsYHNQ@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000af5c780615ea1426"
X-Proofpoint-GUID: 4n8HeSe0fjeUqQowzy2sno6Oe-ysNF4Y
X-Proofpoint-ORIG-GUID: 4n8HeSe0fjeUqQowzy2sno6Oe-ysNF4Y
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1011,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2024-04-12_14,2024-04-09_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=1 phishscore=1 adultscore=0 suspectscore=0 malwarescore=0 mlxlogscore=999 bulkscore=0 spamscore=0 mlxscore=0 classifier=spam adjust=0 reason=forced scancount=1 engine=8.12.0-2404010000 definitions=main-2404120132
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cTs1tCrHPD0fAYtvbzJH95IdWac>
Subject: Re: [OAUTH-WG] [External Sender] Comments on draft-ietf-oauth-transaction-tokens-01
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 18:03:01 -0000
Hi Joe, Thanks so much for the review. Comments inline (I'm only addressing some in this email:) On Wed, Apr 10, 2024 at 11:44 PM Joseph Salowey <joe@salowey.net> wrote: > I have reviewed the Transaction Token document. In general I think it is > a needed document and I am glad there is work in this area. I have some > questions and comments below: > > 1. Section 4 defines Trust Domain and seems to point to RFC 7519. I > couldn't find any reference to trust domain in 7519. > > 2. Why would you not include a kid claim? it seems that key rotation > should be supported. Is there harm in requiring a kid? > gff: There is no harm in supporting kid and I don't believe it's explicitly excluded. It's probably useful to add some text around key rotation and use of kid. > > 3. From the text, I don't really understand what the purp: claim is for. > gff: The goal of the claim is to allow the transaction token to "downscope" the inbound token especially when it's from an external client. For example, if the client is a mobile app with OAuth scopes for readGroupMessaging and writeGroupMessaging (encapsulated in the access_token). Then if the purpose of the transaction is to "add a user to a group chat", then that can be explicitly codified in the Transaction Token reducing the authorization scope of the token and tailoring the transaction token to the purpose of the requested transaction. I need to add more context as you are not the first to ask about it :) > > 4. One of the things I expected to see in some txn-tokens is a > username/email, but I did not see that in any examples, while there are > privacy considerations here, is there a reason why it is not included? > Would this be in the rctx: or the azd: claim? It not clear when I would use > azd or rctx for a particular data value. > gff: the subject claim can contain any value as makes sense for the Trust domain. There is also no explicit restrictions on additional claims that can be added. Note that Yaron has provided feedback on moving back to the Security Event Token definition of sub_id which allows for more clear identification of the subject value and its type. > > 5. As discussed on the list I think there may be cases where there will > not be an Oauth token to exchange. THe decision is that this is out of > scope for this document, but the case should probably be mentioned. > gff: there is a pull request (#90 in github) covering this topic. The proposed text requires a self-signed access token (potentially using RFC 9068) for the subject_token. > > 6. Is it intended that a single transaction token service endpoint can > serve more than one trust domain? (it seems like the protocol supports, but > I am not sure if it is a design goal). > gff: I would say the original intent is that there would be a single transaction token service per trust domain. Happy to discuss that and the pros and cons. > > 7. For a replacement token 7.4 it says the replacement may not change the > rctx, but does not say anything about the azd. In section 5.2 it says > that azd: remains immutable during the call chain. It seems that these two > things do not line up and the replacement token needs something to change. > Perhaps azd is not immutable? What are the asserted values that may > change referred to in 7.4.1. > gff: Great catch!! Yes, that needs to be rectified. > > 8. Section 7.5 is referring to OAUTH client authentication? Should it > refer to RFC 8705 for mTLS/SPIFFE case? > gff: so from a non-normative perspective, we can give that as an example. Feel free to propose some text. The spec is intentionally silent on what mechanism is used for client authentication. > > 9. Section 9.1 it probably should be mentioned earlier in the document > that a transaction token cannot be issued based on a refresh token. > gff: I think I agree and that's something that hasn't been discussed previously. > > Once again, thanks for your work on this document, I think it will be very > useful. > > Joe > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > > https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/oauth__;!!FrPt2g6CO4Wadw!NrO-8pJTwTlsHifvL_LVyK8Mazovv7wSoS6xcnmxydwMzzrRSmc5WmBTQVtt8dekiooBnG0a26CP3XJcM0XI$ > ______________________________________________________________________ The information contained in this e-mail may be confidential and/or proprietary to Capital One and/or its affiliates and may only be used solely in performance of work or services for Capital One. The information transmitted herewith is intended only for use by the individual or entity to which it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any review, retransmission, dissemination, distribution, copying or other use of, or taking of any action in reliance upon this information is strictly prohibited. If you have received this communication in error, please contact the sender and delete the material from your computer.
- [OAUTH-WG] Comments on draft-ietf-oauth-transacti… Joseph Salowey
- Re: [OAUTH-WG] [External Sender] Comments on draf… George Fletcher