Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token
Atul Tulshibagwale <atul@sgnl.ai> Thu, 04 April 2024 22:02 UTC
Return-Path: <atul@sgnl.ai>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF18AC151084 for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2024 15:02:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.075
X-Spam-Level:
X-Spam-Status: No, score=-2.075 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sgnl.ai
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 703ceMtQkaqI for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2024 15:02:21 -0700 (PDT)
Received: from mail-pf1-x433.google.com (mail-pf1-x433.google.com [IPv6:2607:f8b0:4864:20::433]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6505AC14F6E3 for <oauth@ietf.org>; Thu, 4 Apr 2024 15:02:20 -0700 (PDT)
Received: by mail-pf1-x433.google.com with SMTP id d2e1a72fcca58-6e74aa08d15so1204753b3a.1 for <oauth@ietf.org>; Thu, 04 Apr 2024 15:02:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sgnl.ai; s=google; t=1712268139; x=1712872939; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ouiL0Wfr/aYFpAJsHQrB+Ngk7f1eH0NDmZPJno4PZEE=; b=NtltHwz8OuQtRjB2GzUyo0DvMhd4qnoKUjbP2bbC2zXqzwika4hKuMVDcOD4ZFKeYU h68mN0OQgtCADHYWCt/5BpyikgWikrMxSDBrqvyXO0I0b3sSBnbd2XK5g7wER2YQAydC ZsW5KlXWM+MVFdulM076ylmwPhwSQ439e42MmnSHI3E8hxbMAgCXtqklYM93tEbaqb06 mbkdjmrSKOeTklGdCIjVXf+xMUJyUThisbQM4373l82ujS3FU7+m4tXmvKfnTX/lgGHa yphOTBf/gZ2SwPFsfJDAs+XbrtGu3uBOKW/UZLXRPwOqcXf6P5JIfRTA+S1EiL5jFRl+ iKKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712268139; x=1712872939; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ouiL0Wfr/aYFpAJsHQrB+Ngk7f1eH0NDmZPJno4PZEE=; b=Bav83rO1fgAJ9epTeNI+CzvxBlM/oeg8lgS0wZ469G21NKgzuHpRPQ9QbWJEVjJo0q aBWixnEaiGDSczh9XB8Lqz8ETeLEakAy9nwpFx0fS3GF7gSjCZIPsYTfRPJJVNgtnXhW 4z8AHTZbyJ5Fc2fyM3aTT0h0+fRLoZiWr1jxnJ3IqOSRKm64YVIZbQT9cO7iLx+oOFYI a+0cCZRLioRh4L7zwCmQIwhsofmtaD5biB/VJcWUWF2tPAqSaO2KGNRMv9zB47fdEeFb Pb3KT6OSfwndTzeu1JGyxjH03ZybTFmLnAI97AJlEOaVR+1AOKEhiGWwcidJy9zib/l/ NfNw==
X-Gm-Message-State: AOJu0YwtI3RfpB6aiMpHnVpJehryqUMHA9IEiTyr0v5+hPaxu4WSY0gx ayBbW1UlIXSWjM1JYNTlYPWeXYI0QT4S88n3ml3q0IePrQrWLNYD1sdtCEGVJzHMnnhmpLojIcn D90Bptx9SErpHFZjjsCY9AX4PHxCz091Cm9OMBsZtmDOxtYfp
X-Google-Smtp-Source: AGHT+IE12FAyedii9t2e8IKhLO5K+Eq39Bz9RD+Mmyyoeyzxyd4JmQ49bC5YL6oQwGnrY7wvPsKfEa7sWGNnA6NFGNI=
X-Received: by 2002:a05:6a20:4387:b0:1a3:cb50:b52d with SMTP id i7-20020a056a20438700b001a3cb50b52dmr1442767pzl.31.1712268139162; Thu, 04 Apr 2024 15:02:19 -0700 (PDT)
MIME-Version: 1.0
References: <CANtBS9djWszOjH_ArUTP8tCAaJJvSJ2Do26M99eU+1ayqwrjyw@mail.gmail.com> <CAOgPGoDGjiKYojnD6SAZgZnd6W8nPuqxg9qP=CHGZ8YJCJRerw@mail.gmail.com>
In-Reply-To: <CAOgPGoDGjiKYojnD6SAZgZnd6W8nPuqxg9qP=CHGZ8YJCJRerw@mail.gmail.com>
From: Atul Tulshibagwale <atul@sgnl.ai>
Date: Thu, 04 Apr 2024 15:02:03 -0700
Message-ID: <CANtBS9f2R3dhtwbp_4iP5D2gPRu8Agb1oNACFPm6M1TatZeQ9Q@mail.gmail.com>
To: joe@salowey.net
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000321d8206154c7e5e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/p95WDgoDwXf_AK85VJWrXYlmIaI>
Subject: Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 22:02:25 -0000
Thanks very much for your feedback, Joe! On Wed, Apr 3, 2024 at 10:16 AM Joseph Salowey <joe@salowey.net> wrote: > Hi Atul, > > I'm just starting to review the transaction tokens draft and have only a > minimal understanding of the token exchange document at this point so I'm > lacking a little background, but I have a few comments and questions below. > > On Fri, Mar 29, 2024 at 10:39 AM Atul Tulshibagwale <atul@sgnl.ai> wrote: > >> Hi all, >> We had a meeting today (notes here >> <https://hackmd.io/@rpc-sec-wg/HJNXYKkk0>) in which we discussed the >> question of what we should do if there is no incoming (external) token in >> the request to issue a Transaction Token >> <https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/> >> (TraT). We identified a few circumstances under which this can happen: >> >> - The requesting service is triggered by a non-OAuth based flow such >> as email or an internal trigger >> - The client of the requesting service uses means other than an >> access token to authorize the call (e.g. MTLS) >> >> [Joe] I think there will be a fair number of systems that support means > of authorizing non-oauth flows. > > > >> We identified a few possibilities listed below. Please note that the >> Transaction Tokens draft assumes that the TraT Service trusts the >> requesting service, so all the possibilities below assume this. >> >> > [Joe] yes, you are trusting another part of the system to perform some > authorization and inform the token service of the result. > > >> Here are some possibilities we discussed: >> >> 1. *Request Details*: Put the subject information in the >> request_details parameter of the TraT request, and the subject_token value >> is set to "N_A" >> 2. *Self-Signed Token*: The requester generates a self-signed JWT >> that has the subject information and puts that in the subject_token value >> >> [Joe] I like having signed tokens, but if this is really information just > exchanged between two endpoints it may be more work than necessary. > >> >> 1. *Separate Separate Endpoint*: The TraT service exposes a separate >> endpoint to issue TraTs when there is no incoming token, and that endpoint >> can be defined such that the request does not have a subject_token >> parameter. This endpoint is not a profile of OAuth Token Exchange >> 2. *Separate Endpoint Only*: Extending the thought above, the >> requester can always extract the content of the incoming token into the >> "request_details" parameter, so why do we need the Token Exchange endpoint >> >> [Joe] What do we gain by using token exchange? While it seems that there > is overlap between delegation/impersonation it seems that transaction > tokens are sort of a superset and contain additional information about the > context of the transaction. If it looks like token exchange is too > constraining then transaction tokens may just be a different use case. > With the understanding I currently have I'd either go with 4. Separate > Endpoint Only or 2. Self Signed token. Splitting the endpoints could be > valid, but it seems a bit weird for me, if we did decide to do that then > probably we wouldn't need to sign the information unless the request is > going to traverse multiple systems. > > > >> We would like to understand how the group feels about these choices, or >> if you have other suggestions / thoughts on this topic. >> >> Thanks, >> Atul >> >> -- >> >> <https://sgnl.ai> >> >> Atul Tulshibagwale >> >> CTO >> >> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust> >> <atul@sgnl.ai> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >
- [OAUTH-WG] Transaction Tokens issuance in the abs… Atul Tulshibagwale
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Joseph Salowey
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Atul Tulshibagwale
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Dmitry Telegin
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Kai Lehmann
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Brian Campbell
- Re: [OAUTH-WG] Transaction Tokens issuance in the… Atul Tulshibagwale
- Re: [OAUTH-WG] [External Sender] Re: Transaction … George Fletcher
- Re: [OAUTH-WG] [External Sender] Re: Transaction … Kai Lehmann
- Re: [OAUTH-WG] [External Sender] Re: Transaction … George Fletcher
- Re: [OAUTH-WG] [External Sender] Re: Transaction … Kai Lehmann