Re: [OAUTH-WG] user impersonation protocol?

Bill Mills <wmills_92105@yahoo.com> Mon, 16 February 2015 17:14 UTC

Date: Mon, 16 Feb 2015 17:14:27 +0000
From: Bill Mills <wmills_92105@yahoo.com>
To: Justin Richer <jricher@mit.edu>, Bill Burke <bburke@redhat.com>, oauth <oauth@ietf.org>
Message-ID: <1903996086.7456583.1424106867491.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <cmqi3pab06ngvahbt6k3ee0u.1424100953077@email.android.com>
References: <cmqi3pab06ngvahbt6k3ee0u.1424100953077@email.android.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/kyJiqrT--hITv6jDrXEizoyxmJc>
Subject: Re: [OAUTH-WG] user impersonation protocol?

I don't think there is protocol work required.  IMO you can best support this with limited cookies or tokens that are not otherwise valid and the server then needs to support with the right behavior.  Might be a BCP doc I suppose, but I don't know if it's worth the effort. 

On Monday, February 16, 2015 7:35 AM, Justin Richer <jricher@mit.edu> wrote:

Another question is whether or not you can use rights delegation (ie vanilla OAuth) or if you really do need impersonation. You may be able to get the desired results with less complexity that way.

-- Justin
/ Sent from my phone /

-------- Original message --------
From: Bill Burke <bburke@redhat.com> 
Date:02/16/2015 10:20 AM (GMT-05:00) 
To: Bill Mills <wmills_92105@yahoo.com>, Justin Richer <jricher@mit.edu>, oauth <oauth@ietf.org> 
Cc: 
Subject: Re: [OAUTH-WG] user impersonation protocol? 

Yeah, I know it's risky, but that's the requirement.  Was just wondering 
if there was any protocol work being done around it, so that we could 
avoid doing a lot of the legwork to make it safe/effective.  Currently 
for us, we need to do this between two separate IDPs, which is where the 
protocol work comes in... If it was just a single IDP managing 
everything, then it would just be an internal custom IDP feature.

Thanks all.



On 2/16/2015 12:37 AM, Bill Mills wrote:
> User impersonation is very very risky.  The legal aspects of it must be
> considered.  There's a lot of work to do to make it safe/effective.
>
> Issuing a scoped token that allows read only access can work with the
> above caveats.  Then properties/components have to explicitly support
> the new scope and do the right thing.
>
>
> On Sunday, February 15, 2015 8:34 PM, Justin Richer <jricher@mit.edu> wrote:
>
>
> For this case you'd want to be very careful about who was able to do
> such impersonation, obviously, but it's doable today with custom IdP
> behavior. You can simply use OpenID Connect and have the IdP issue an id
> token for the target user instead of the "actual" current user account.
>
> I would also suggest considering adding a custom claim to the id token
> to indicate this is taking place. That way you can differentiate where
> needed, including in logs.
>
> -- Justin
>
> / Sent from my phone /
>
>
> -------- Original message --------
> From: Bill Burke <bburke@redhat.com>
> Date:02/15/2015 10:55 PM (GMT-05:00)
> To: oauth <oauth@ietf.org>
> Cc:
> Subject: [OAUTH-WG] user impersonation protocol?
>
> We have a case where we want to allow a logged in admin user to
> impersonate another user so that they can visit different browser apps
> as that user (so they can see everything that the user sees through
> their browser).
>
> Anybody know of any protocol work being done here in the OAuth group or
> some other IETF or even Connect effort that would support something like
> this?
>
> Thanks,
>
> Bill
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
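Justin's suggestion of a custom claim marking an impersonated ID token, combined with Bill Mills' point that the token should only grant read access and that components must explicitly honour that, can be enforced on the resource-server side. The following is an added example, not code from any poster or from the OAuth working group; the claim name `impersonated_by`, the HS256 shared key and the read-only rule are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: a real resource server verifies the IdP's signature with
# the IdP's published key, not a secret baked into the code.
DEMO_KEY = b"constructed-demo-key"
ACTOR_CLAIM = "impersonated_by"   # hypothetical custom claim naming the admin
READ_ONLY_METHODS = {"GET", "HEAD"}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims, key=DEMO_KEY):
    """Build an HS256 JWT; stands in for the IdP issuing the (impersonated) ID token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify(token, key=DEMO_KEY, now=None):
    """Check algorithm, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # refuse alg substitution
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def authorize(token, method, now=None):
    """Decide the request and return an audit record; impersonated sessions are read-only."""
    claims = verify(token, now=now)
    actor = claims.get(ACTOR_CLAIM)
    impersonated = actor is not None
    allowed = (not impersonated) or method.upper() in READ_ONLY_METHODS
    # The record names both parties so logs distinguish "admin acting as alice" from "alice".
    return {"allowed": allowed, "subject": claims["sub"], "actor": actor or claims["sub"],
            "impersonated": impersonated, "method": method.upper()}
```

The audit record returned by `authorize` is what should reach the logs: the subject alone would make an admin's impersonated session indistinguishable from the user's own activity.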