Re: [OAUTH-WG] Token Chaining Use Case

Brian Campbell <bcampbell@pingidentity.com> Wed, 08 July 2015 19:37 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAA561A21B7 for <oauth@ietfa.amsl.com>; Wed, 8 Jul 2015 12:37:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9mSXNqyStoew for <oauth@ietfa.amsl.com>; Wed, 8 Jul 2015 12:37:13 -0700 (PDT)
Received: from mail-ig0-x22c.google.com (mail-ig0-x22c.google.com [IPv6:2607:f8b0:4001:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD1581A1BCF for <oauth@ietf.org>; Wed, 8 Jul 2015 12:37:12 -0700 (PDT)
Received: by igrv9 with SMTP id v9so207866472igr.1 for <oauth@ietf.org>; Wed, 08 Jul 2015 12:37:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=QcOC5zjGF1IbU9A7PtIPdOG8yxBk/GrHirY3TsU7k+M=; b=dFGCY9sG82FW4IhPDJHGW9u89gVW34J2cLILVvmfDeYhBv51YSA1VnoF3jbAJF0M25 RncyR0MiSw8bHCxzEGJTl+0jLxsiqvgfoHH90Gm3ExAY72HpnUqYhW+NH2e2a7zu08i0 Ivu/RKSOEjXAhgdxGa6Oe/7zABaFvmQWMSJjg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=QcOC5zjGF1IbU9A7PtIPdOG8yxBk/GrHirY3TsU7k+M=; b=ETAHqGxVvWGUArAvwPgwmZRWUhSQJzTUnR08ih5+weMec34N28dGq/2FC2ohnUTIk+ 5VR2AcGz/PW7p9apa9PGUeZ5vxsm0evN2/lFd7n+rCwYsi8+1IzynqXxiAlZMXDOqNiv jpmYGR/rIO2VLEaFGAAgF08MIrE+GQCk1mGid1wVNPNzqj/EViAYZbfq3bPbNAU0AcvV /AfNBcHplKv0p0CIo4Iklyxal3Q4ZtGk91MvnNanp33NvjHqmbUZfuil/88D/y+Zg+0Y HqdUqZd47aKcWW9g8p8Nm1qNlGKiLbLan4hTXyhNGYwtbt6tze2OVDPcxMoSnL7W3d6c gaew==
X-Gm-Message-State: ALoCoQnanwRb8nuGX2yGDybTHbRfl4YgtD6QvYyqlS57pXKslQemB8XV/Voax3aiABfMNwGCD+FI
X-Received: by 10.50.43.137 with SMTP id w9mr74315890igl.30.1436384232229; Wed, 08 Jul 2015 12:37:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.79.64.209 with HTTP; Wed, 8 Jul 2015 12:36:42 -0700 (PDT)
In-Reply-To: <77FAD7D3-A1E5-43D9-926B-0DED4B311F74@mit.edu>
References: <D0E09E09-A803-427A-ACA9-D9E3F3EF31E5@mit.edu> <CA+k3eCSgE0Df25kPiKVnyWkkvONke6ha_FrVmZiOYYTVGM6w_w@mail.gmail.com> <BY2PR03MB442F6D96703377B6673509AF5920@BY2PR03MB442.namprd03.prod.outlook.com> <826785C8-648D-4A1B-AD8D-E99D76117C67@mit.edu> <BY2PR03MB442AF9C598B811217B1161DF5910@BY2PR03MB442.namprd03.prod.outlook.com> <559CECB5.4000006@gmail.com> <77FAD7D3-A1E5-43D9-926B-0DED4B311F74@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 8 Jul 2015 13:36:42 -0600
Message-ID: <CA+k3eCTotozgBCD_Dk4tZUD3SXEdeZ-XAzdSPyvcR8Up6ygXSA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary=e89a8f8388f5ec6e8c051a624318
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ljI1hMGc4BMy4n16p04W9hvZo-M>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Token Chaining Use Case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 19:37:18 -0000

Probably goes without saying but I'm generally in agreement with Justin
here.

On Wed, Jul 8, 2015 at 5:40 AM, Justin Richer <jricher@mit.edu> wrote:

> The HTTP *request* should be able to be covered by a JWT signature, and
> that should be applicable to any interaction with the token endpoint. I’m
> aware that Nat’s draft is talking about the authorization endpoint, but the
> same logic could be applied here at the token endpoint. It could actually
> even be easier there because we could simply specify that the Content-Type
> of the input POST is application/jwt and the payload of said JWT simply
> contains all the parameters to the token endpoint. Orthogonal functionality
> that meshes well together.
>
> Brian’s draft puts everything as a parameter, including the input token
> (which can be arbitrary — the requester doesn’t need to know what’s in the
> tokens at all). This could easily be turned wholesale into an input JWT
> using the transform just described.
>
> The current draft is a weird halfway state where some input parameters are
> in a JWT that’s passed as an input parameter alongside other things that
> are outside the JWT. I don’t think that works particularly well, and I
> think there’s a better, simpler solution that solves all of these use cases
> and then some.
>
>  — Justin
>
>
> > On Jul 8, 2015, at 5:26 AM, Sergey Beryozkin <sberyozkin@gmail.com>
> wrote:
> >
> > Hi,
> > On 08/07/15 01:41, Mike Jones wrote:
> >> I’ll start by saying that if you compare
> >> https://tools.ietf.org/html/draft-campbell-oauth-sts-02 and
> >> https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-02,
> >> unsurprisingly, you’ll find a lot in common.  Both have requests and
> >> responses formatted using JSON objects, both have input and output
> >> tokens, both have security token type parameters describing their
> >> corresponding inputs and outputs.  Both can convey act_as and
> >> on_behalf_of tokens.  And despite what was written below, both define a
> >> new grant_type value that is used to make this new kind of request at
> >> the Token Endpoint.
> >>
> >> The primary thing that Brian’s draft is missing semantically is the
> >> ability for the requester to sign the set of input parameters.  This is
> >> critical to establishing proper trust to enable the exchange to occur in
> >> many use cases.  That’s why the WG draft uses a JWT as the request – so
> >> a signature can be applied to the request, when appropriate.  (And when
> >> it’s not needed, “alg”: “none” can be used.)
> >>
> >
> > The requester is a client talking to the token endpoint and this client
> needs to authenticate, why it needs to sign the token-exchange related
> parts too ?
> >
>
>
>
> > Thanks, Sergey
> >
> >> Justin, you’re right that the current WG draft doesn’t have a separate
> >> “input token” request parameter.  In the current draft, the (optionally)
> >> signed request **is** the input token.  Thinking some more about the
> >> token chaining use case you’re interested in, I see why you want to have
> >> that token to be a separate element in the request.  I believe the best
> >> way to accomplish that is to add an optional claim to the request that
> >> would contain that token.  (I think the closest equivalent in Brian’s
> >> draft is the possibility of using an access token or assertion as the
> >> client authentication mechanism, possibly passing it as defined in RFC
> >> 6750, although the draft doesn’t say that.)  Passing the input token as
> >> a claim lets it be part of the signed request.
> >>
> >> It’s completely up to us when using a different grant_type to define
> >> what the input and output parameters when using that grant_type are.
> >> (RFC 6749 already has different sets, depending upon the grant_type
> >> used.)  I personally find it cleaner to return the output security token
> >> that may not be an access token in a “security_token” parameter rather
> >> than repurposing the “access_token” parameter to hold something that’s
> >> not an access token, but now we’re more discussing syntax than
> >> semantics.  Still, if something is different, it’s probably less error
> >> prone to use a different syntax for it.
> >>
> >> I’m sympathetic to your comment about Nat’s signed requests draft,
> >> except that the requests that draft specifies are requests to the
> >> interactive Authorization Endpoint, whereas the requests we’re dealing
> >> with here are requests to the non-interactive Token Endpoint.  Still,
> >> thinking of the Token Exchange requests as signed requests to the Token
> >> Endpoint, just like Nat’s draft makes signed requests to the
> >> Authorization Endpoint, is probably a good unifying mental framework for
> >> all of us to consider applying to this problem space.
> >>
> >>                                                                 Best
> >> wishes,
> >>
> >>                                                                 -- Mike
> >>
> >> *From:*Justin Richer [mailto:jricher@mit.edu]
> >> *Sent:* Tuesday, July 07, 2015 4:47 PM
> >> *To:* Mike Jones
> >> *Cc:* Brian Campbell; <oauth@ietf.org>
> >> *Subject:* Re: [OAUTH-WG] Token Chaining Use Case
> >>
> >> This approach is not a good fit for my use cases, and it’s still not
> >>  OAuth-y at all. It requires a specially-formed security assertion on
> >> the way in, which the client must understand and generate. I still can’t
> >> take an arbitrary token I’ve been handed by someone else and pass it off
> >> to be pushed forward. The new “*_type” parameters seem to merely kick
> >> the can down the road instead of addressing the problems with the
> >> current specification.
> >>
> >> I think that Brian’s approach works much better. It unrolls important
> >> parameters, properly uses the token endpoint, and allows for arbitrarily
> >> formatted input tokens.
> >>
> >> When combined with Nat’s draft that specifies how to perform all generic
> >> OAuth requests as JWTs (or even some of the upcoming PoP work if we ever
> >> do that), you’ve pretty much got the draft below but with much more
> >> flexibility and power.
> >>
> >>  — Justin
> >>
> >>    On Jul 7, 2015, at 6:51 PM, Mike Jones <Michael.Jones@microsoft.com
> >>    <mailto:Michael.Jones@microsoft.com>> wrote:
> >>
> >>    As just updated <http://self-issued.info/?p=1412>, I believe that
> >>    the working group token exchange draft
> >>    https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-02 can
> >>    now also serve the “OAuthy” token exchange use cases, such as Justin
> >>    and Phil’s token chaining use case, as well as support general token
> >>    exchange, including exchange of JWT and SAML tokens.  The mechanism
> >>    would be the same one that Brian suggested below – defining security
> >>    token type values for OAuth 2.0 access tokens and refresh tokens –
> >>    enabling them to be used as inputs and outputs in any of the token
> >>    exchanges.
> >>
> >>    For instance, by using “access token” as the input security token
> >>    type, providing new scope values, and using “access token” as the
> >>    output security token type, token chaining is achieved.
> >>
> >>    Now, a question for the working group…  What should the security
> >>    token type values for access token and refresh token be?  Two
> >>    different choices seem to make sense.
> >>
> >>    (1)  Use the values “access_token” and “refresh_token”, which are
> >>    used in RFC 6749 token response values.
> >>
> >>    (2)  Define new URNs for this usage, such as
> >>    urn:ietf:params:oauth:token-type:access-tokenand
> >>    urn:ietf:params:oauth:token-type:refresh-token.
> >>
> >>    I’d personally be fine just using the short names in (1).
> >>
> >>    If people agree with this approach, we can document this usage in
> >>    the -03 draft and publish it as soon as the submission tool reopens
> >>    Monday morning during IETF 93.
> >>
> >>                                                                     --
> Mike
> >>
> >>    *From:*OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *Brian
> >>    Campbell
> >>    *Sent:* Thursday, March 26, 2015 3:15 PM
> >>    *To:* Justin Richer
> >>    *Cc:* <oauth@ietf.org <mailto:oauth@ietf.org>>
> >>    *Subject:* Re: [OAUTH-WG] Token Chaining Use Case
> >>
> >>    This kind of token exchange might involve exchanges other than
> >>    swapping an AT for another AT (and downscoping it). It might be an
> >>    AT for a structured JWT specifically targeted at one of the the
> >>    particular services that the original RS needs to call. Or an AT
> >>    might be exchanged for a SAML assertion to use with legacy SOAP
> >>    serveries.  A good general token exchange mechanism enables lots of
> >>    variations of cases like the one Justin mentioned. And more. In
> >>    fact, I think downscoping might be a minority use case where what
> >>    token exchange is often need for is translating tokens from what you
> >>    have into what the resource you need to call can deal with.
> >>
> >>    There need to be ways for the caller to tell the AS about the token
> >>    it's asking for - by type or by the address/identifier of where
> >>    it'll be used. There needs to be ways for the caller to authenticate
> >>    to the AS. And there needs to be some way of expressing this
> >>    delegation thing (though I'm still not totally convinced it couldn't
> >>    be just the token is about the user/principal and the caller/client
> >>    of the exchange is who is being delegated to).
> >>
> >>    I realize few (approaching zero) people have or are going to read it
> >>    but I have endeavored to cover all these things in the
> >>    http://tools.ietf.org/html/draft-campbell-oauth-sts-02 draft. It's
> >>    an early draft so not without it some rough edges but can provide
> >>    some guidance on what is needed and offers some protocol syntax for
> >>    expressing it. I believe Justin's use case would be covered by it
> >>    (defining a specific token type URI for an OAuth access token issued
> >>    by the AS in question might be needed) as are many others.
> >>
> >>    On Thu, Mar 26, 2015 at 1:31 PM, Justin Richer <jricher@mit.edu
> >>    <mailto:jricher@mit.edu>> wrote:
> >>
> >>    As requested after last night’s informal meeting, here is the token
> >>    chaining use case that I want to see represented in the token swap
> >>    draft.
> >>
> >>
> >>    [ Client ]  ->   [ A ] -> [ B ] -> [ C ]
> >>
> >>    An OAuth client gets an access token AT1, just like it always would,
> >>    with scopes [A, B, C] in order to call service A, which requires all
> >>    three scopes. Service A (an RS) accepts this token since it has its
> >>    scope, and then needs to call service B in turn, which requires
> >>    scopes [B, C]. It could just re-send the token it got in, AT1, but
> >>    that would give the downstream RS the ability to call services with
> >>    scope [ A ] and it should not be allowed to do that. To limit
> >>    exposure, service A calls a token swap at the AS to create AT2 with
> >>    scopes [ B, C ], effectively acting as an OAuth client requesting a
> >>    downscoped token based on AT1. Service A then acts as an OAuth
> >>    client to call service B, now acting as an RS to service A’s client,
> >>    and can fulfill the request. And it’s turtles all the way down:
> >>    Service B can also call service C, and now B acts as a client,
> >>    requesting AT3 with scope [ C ] based on AT2, and sending AT3 to
> >>    service C. This prevents C from being able to call B or A, both of
> >>    which would have been available if AT1 had been passed around. Note
> >>    that service A or the Client can also request a downscoped token
> >>    with [ C ] to call service C directly as well, and C doesn’t have to
> >>    care how it got there.
> >>
> >>
> >>    In other words, it lets the client software be very, very dumb. It
> >>    doesn’t have to do any special processing, doesn’t have to know
> >>    what’s in the token, it just follows the recipe of “I got a token, I
> >>    get another token based on this to call someone else”. It’s also
> >>    analogous to the refresh token flow, but with access tokens going in
> >>    and out. I’ve deployed this setup several times in different service
> >>    deployments. Even though there is a performance hit in the
> >>    additional round trips (as Phil brought up in another thread), in
> >>    these cases the desire to have the tokens hold least privilege
> >>    access rights (smallest set of scopes per service) outweighed any
> >>    performance hit (which was shown to be rather small in practice).
> >>
> >>    What I want is for the token swap draft to define or use a mechanism
> >>    that allows us to do this. I think we can do that pretty easily by
> >>    adjusting the token swap syntax and language, and explicitly calling
> >>    out the semantic processing portion (the current core of the
> >>    document) for what it is: a way for a token issuer to communicate to
> >>    a token service specific actions. At a high level, the spec would be
> >>    something like:
> >>
> >>
> >>
> >>    1. How to swap a token at an AS
> >>       1. Send a request to the token endpoint with a new grant type,
> >>    and a token (of any type/format/flavor) on the way in
> >>       2. Get back a new token in a token response
> >>    2. Communicating act as / on behalf of semantics via a JWT assertion
> >>       1. How to create (as an AS/RS/client/other issuer) a JWT with
> >>    act-as semantics
> >>       2. What to do (as an AS/RS) with a JWT with act-as semantics
> >>       3. How to create a JWT with on-behalf-of semeantics
> >>       4. What to do with a JWT with on-behalf-of-semantics
> >>       5. How to possibly represent these semantics with something other
> >>    than a JWT
> >>
> >>
> >>
> >>    Section 2 uses the syntax from section 1. Other applications, like
> >>    the one I laid out above, can use the syntax from section 1 as well.
> >>    This works for structured, unstructured, self-generated,
> >>    cross-domain, within-domain, and other tokens.
> >>
> >>
> >>      — Justin
> >>
> >>    _______________________________________________
> >>    OAuth mailing list
> >>    OAuth@ietf.org <mailto:OAuth@ietf.org>
> >>    https://www.ietf.org/mailman/listinfo/oauth
> >>
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth
> >>
> >
> >
> > --
> > Sergey Beryozkin
> >
> > Talend Community Coders
> > http://coders.talend.com/
> >
> > Blog: http://sberyozkin.blogspot.com
> >
> > _______________________________________________
> > OAuth mailing list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>