IETF Logo Mail Archive

[OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens

"Fregly, Andrew" <afregly@verisign.com> Tue, 19 April 2016 16:18 UTC

Return-Path: <afregly@verisign.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4730F12DB66 for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 09:18:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GGvKIHI9uVqT for <oauth@ietfa.amsl.com>; Tue, 19 Apr 2016 09:18:56 -0700 (PDT)
Received: from mail-qg0-x262.google.com (mail-qg0-x262.google.com [IPv6:2607:f8b0:400d:c04::262]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D44CD12D9C9 for <oauth@ietf.org>; Tue, 19 Apr 2016 09:18:55 -0700 (PDT)
Received: by mail-qg0-x262.google.com with SMTP id m8so2230470qgd.0 for <oauth@ietf.org>; Tue, 19 Apr 2016 09:18:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:thread-topic:thread-index:date:message-id :accept-language:content-language:user-agent:mime-version; bh=1T2bFaDNIWFEnMgZ7wYLrvxGEicJr7XBGlvmuO0hCDo=; b=CucTCwptlFK6911QDExJqc6XRoyFtp6DWjpWQMwodWNFJ8E+FXlr41K4N1pvFQYu1N 34U0fk3y9wELHQSn9Lxy+o4+cQ5cJJZMGrkRmCp1t50jy0Ggs9waIUyBma62K2GMNzl7 h97YPmVrwwQZAddzkVa8PlIeu28UwYF/0jVUi24zVrveXmLWvwwKD5YuiKBu69OyrJBx F7ZiZvBS1EJ4iTcl65ARYGlPBeTwQdBevMEtKuk6vXkLkPSTO0M3p3qKjHCzHnKH2hG9 M9whtKF/IkzW+gqtCt3NebQ613hwPntOoB3NYPjj6S+QuiR0tJkOz9ovh2/qbvrGx5b6 pF9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:accept-language:content-language:user-agent:mime-version; bh=1T2bFaDNIWFEnMgZ7wYLrvxGEicJr7XBGlvmuO0hCDo=; b=BJXqb4gAf5nPY0WQeXGe93xKEAI5eIdaPaYb66icp6aWxmiD6fK61Ehd5zLYgQOQH3 Q022astjV5fQsGCD5PPjv+yc2jhLqLV5GapZEzC3PdpbLaAlEOnxfzDTtXM4W64al8S2 EEsmq3Mp/VSlcUwJSHBdM3AGbcew/2i0/t8Hfqbducv2RS5uLKVn95CqSz20Vp5chSyp NR14YCQE/pTyQNLa7YSaY3RaeidYdyO5iytGlfw6/esfmZwzLYcbiipU8hsDpI3SqZPj WHb+457FY+jP/0V6q+bgtmKL+/gmvmXDGGbxAhmVoz5GQk/TKN31jt0Nac0zVGlv5/Zf HUmw==
X-Gm-Message-State: AOPr4FXBRcbTduSAOFwFvGSVYhe0VbILvVIPHviYClJq02P4CFVtEW3Dax6UwN6KJNha063aQAtsDhv/wh1hFAvmUzKUrwHc
X-Received: by 10.140.91.194 with SMTP id z60mr3028760qgd.70.1461082734732; Tue, 19 Apr 2016 09:18:54 -0700 (PDT)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id y135sm8998253qky.9.2016.04.19.09.18.54 for <oauth@ietf.org> (version=TLS1 cipher=AES128-SHA bits=128/128); Tue, 19 Apr 2016 09:18:54 -0700 (PDT)
X-Relaying-Domain: verisign.com
Received: from brn1wnexcas01.vcorp.ad.vrsn.com (brn1wnexcas01 [10.173.152.205]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id u3JGIsXS006978 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <oauth@ietf.org>; Tue, 19 Apr 2016 12:18:54 -0400
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by brn1wnexcas01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Tue, 19 Apr 2016 12:18:51 -0400
From: "Fregly, Andrew" <afregly@verisign.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
Thread-Index: AQHRmlcomE8l0QoCm0C5ZCXr0BuVzw==
Date: Tue, 19 Apr 2016 16:18:50 +0000
Message-ID: <FF8F219E-AB2E-48F5-AD90-DEA783343C1B@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/0.0.0.160212
x-originating-ip: [10.173.152.4]
Content-Type: multipart/alternative; boundary="_000_FF8F219EAB2E48F5AD90DEA783343C1Bverisigncom_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/nXGJBRYnVqEKso4CFs5ChtzV0sk>
Subject: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Apr 2016 16:18:58 -0000

I have a use case where a client application needs to authenticate with a dynamically determined Identity Provider that is separate from the Authorization Service that will be used issue an access token to the client. The use case also requires that as part of authorization, the client provides to the Authorization Service an authentication token signed by an Identity Provider that the Authorization Service has a trust relationship with. The trust relationship is verifiable based on the Authorization Service having recorded the public keys or certificates of trusted Identity Providers in a trust store, this allowing the Authorization Service to verify an Identity Provider’s signature on an authentication token.

In looking at the various OAuth RFCs, particularly RFCs 7521, 7522, and 7523, I see that they get me close in terms of supporting the use case. What is missing is a means for solving the following problem. These RFCs require that the Identity Provider put an Audience claim in the authentication token. The problem with this is that I do not see in the RFCs how the Identity Provider can be told who the Audience is to put into the authentication token. This leads me to the title of this message. The draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” defines a mechanism for identifying the Audience for an STS to put into a token it generates. That would solve my problem except that the draft limits the type of STS to being Authorization Servers. What is needed is this same capability for interacting with an Identity Provider. This would enable RFCs 7521, 7522 and 7523 to be useful in situation where the Identity Provider needs to be told the identity of the Authorization Service.

I am new to interacting with the IETF. I also am not an expert on the RFCs or prior history of the OAuth group relative to this topic, so please point me to any existing solution if this is a solved problem. Otherwise, I would like to get feedback on my suggestion.

Thanks You,

Andrew Fregly
Verisign Inc.

v2.23.0 | Report a Bug | By Email