Re: [OAUTH-WG] Token Chaining Use Case
"Donald F. Coffin" <donald.coffin@reminetworks.com> Thu, 26 March 2015 21:29 UTC
Return-Path: <donald.coffin@reminetworks.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90A151B2F50 for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 14:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.633
X-Spam-Level:
X-Spam-Status: No, score=0.633 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, MANGLED_PREMTR=2.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nByiVAS_TteO for <oauth@ietfa.amsl.com>; Thu, 26 Mar 2015 14:29:54 -0700 (PDT)
Received: from gproxy4-pub.mail.unifiedlayer.com (gproxy4-pub.mail.unifiedlayer.com [69.89.23.142]) by ietfa.amsl.com (Postfix) with SMTP id 9B6D21B2F3D for <oauth@ietf.org>; Thu, 26 Mar 2015 14:29:54 -0700 (PDT)
Received: (qmail 18352 invoked by uid 0); 26 Mar 2015 21:29:52 -0000
Received: from unknown (HELO cmgw2) (10.0.90.83) by gproxy4.mail.unifiedlayer.com with SMTP; 26 Mar 2015 21:29:52 -0000
Received: from host125.hostmonster.com ([74.220.207.125]) by cmgw2 with id 8MVj1q00n2is6CS01MVmVo; Thu, 26 Mar 2015 15:29:50 -0600
X-Authority-Analysis: v=2.1 cv=XvNpZz19 c=1 sm=1 tr=0 a=Ux/kOkFFYyRqKxKNbwCgLQ==:117 a=Ux/kOkFFYyRqKxKNbwCgLQ==:17 a=DsvgjBjRAAAA:8 a=f5113yIGAAAA:8 a=IkcTkHD0fZMA:10 a=UGkfVyPCAAAA:8 a=rE68L1KyjUoA:10 a=UMhCEPvdHqkA:10 a=emO1SXQWCLwA:10 a=20KFwNOVAAAA:8 a=48vgC7mUAAAA:8 a=CjxXgO3LAAAA:8 a=yPCof4ZbAAAA:8 a=gDjYkMfG9zmxRrQsgU4A:9 a=l0YRgQ7hvOVR0ibt:21 a=8ws3xclv8GnwhGqo:21 a=QEXdDO2ut3YA:10 a=3uZdkJafswoA:10 a=VQchPmBwTIUA:10 a=wNReZwrxAf8A:10
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=reminetworks.com; s=default; h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:Date:Subject:In-Reply-To:References:Cc:To:From; bh=HIh3feKP3i3dD3aURDz6GUKlK3aO9FfX2vqAkl57WCU=; b=rMUknA4aBxLgsUhTmprvUADPPmY6GWl1/3NhjOCx2yUZw7BRkuIGrErU4gYwTqJgfGOxUD9XRVq3u7X5ancbdZDi9r0g8tho80RA/wWQMxIBuRoHa6adiSl70J6xDcCD;
Received: from [104.176.153.192] (port=52698 helo=HPPavilionElite) by host125.hostmonster.com with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.82) (envelope-from <donald.coffin@reminetworks.com>) id 1YbFLV-0001Bj-FQ; Thu, 26 Mar 2015 15:29:45 -0600
From: "Donald F. Coffin" <donald.coffin@reminetworks.com>
To: 'Pedro Igor Silva' <psilva@redhat.com>, 'Bill Mills' <wmills_92105@yahoo.com>
References: <002a01d06805$fa89e290$ef9da7b0$@reminetworks.com> <979394715.2988154.1427404385148.JavaMail.yahoo@mail.yahoo.com> <1580024392.3924957.1427405125772.JavaMail.zimbra@redhat.com>
In-Reply-To: <1580024392.3924957.1427405125772.JavaMail.zimbra@redhat.com>
Date: Thu, 26 Mar 2015 17:29:41 -0400
Organization: REMI Networks
Message-ID: <005101d0680b$fa30b750$ee9225f0$@reminetworks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQKXULkK545a8jxuwK2gxWt6ClypdAHc48gmAXz8Kg2bhqb8YA==
Content-Language: en-us
X-Identified-User: {1395:host125.hostmonster.com:reminetw:reminetworks.com} {sentby:smtp auth 104.176.153.192 authed with donald.coffin@reminetworks.com}
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/q2N4Yf_la5ZtvS1s7f4KfzPDF8o>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Token Chaining Use Case
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 21:29:56 -0000
Pedro, Although the registry could be changed to support the new type format, how is that any different than adding a new grant_type, such as grant_type=token_swap or grant_type=swap? Best regards, Don Donald F. Coffin Founder/CTO REMI Networks 2335 Dunwoody Crossing Suite E Dunwoody, GA 30338-8221 Phone: (949) 636-8571 Email: donald.coffin@reminetworks.com -----Original Message----- From: Pedro Igor Silva [mailto:psilva@redhat.com] Sent: Thursday, March 26, 2015 5:25 PM To: Bill Mills Cc: Donald F. Coffin; Phil Hunt; oauth@ietf.org Subject: Re: [OAUTH-WG] Token Chaining Use Case Couldn't be used a specific type of refresh_token ? Instead of using grant_type=refresh_token use a grant_type=urn:ietf:params:oauth:grant_type:redelegate (or something else) as an extension to refresh token flow ? Regards. Pedro Igor ----- Original Message ----- > From: "Bill Mills" <wmills_92105@yahoo.com> > To: "Donald F. Coffin" <donald.coffin@reminetworks.com>, "Phil Hunt" > <phil.hunt@oracle.com> > Cc: oauth@ietf.org > Sent: Thursday, March 26, 2015 6:13:05 PM > Subject: Re: [OAUTH-WG] Token Chaining Use Case > > The RS calling back to the AS won't be confused, the token it gets > would be it's refresh token. I don't see any reason why the AS can't > be smart enough to know that a token that looks like an access token > it issued is usable as a refresh token for limited purposes or downscoping. > > > > On Thursday, March 26, 2015 1:46 PM, Donald F. Coffin > <donald.coffin@reminetworks.com> wrote: > > > -1 > Although Justin’s point might be a bit pre-mature as far as a > standards discussion, the more critical reason IMHO is calling the > AS’s /Token endpoint with a grant_type of “refresh_token” but > providing an issued AT rather than an issued refresh_token (RT) will > definitely create a backwards compatibility issue for many implementations. > Best regards, > Don > Donald F. Coffin > Founder/CTO > REMI Networks > 2335 Dunwoody Crossing Suite E > Dunwoody, GA 30338-8221 > Phone: (949) 636-8571 > Email: donald.coffin@reminetworks.com > From: Phil Hunt [mailto:phil.hunt@oracle.com] > Sent: Thursday, March 26, 2015 4:22 PM > To: Bill Mills > Cc: <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Token Chaining Use Case > +1. We all have to change production code when non final specs evolve. > I particularly don't see this as a valid argument at the start of a > standards discussion. > > Phil > > On Mar 26, 2015, at 15:13, Bill Mills < wmills_92105@yahoo.com > wrote: > > > > By definition an access token is becoming a form of refresh token. The > "because my implementation didn't do it that way" isn't convincing me. > On Thursday, March 26, 2015 12:44 PM, Justin Richer < jricher@mit.edu > > > wrote: > Because many implementations (including mine which does support my old > token chaining draft) treat access tokens and refresh tokens > separately in terms of data store and structure. Additionally, the > refresh token is tied to the client and presented by the client. But > in this case it's someone downstream, an RS, presenting the token. So > unlike a refresh token being presented by the one it was issued to, > this token is being presented by someone it was presented to. > The feeling is close, but not quite the same in either development or > assumptions. > -- Justin > / Sent from my phone / > > > -------- Original message -------- > From: Bill Mills < wmills_92105@yahoo.com > > Date: 03/26/2015 2:24 PM (GMT-06:00) > To: Justin Richer < jricher@MIT.EDU >, "< oauth@ietf.org >" < > oauth@ietf.org > > > Subject: Re: [OAUTH-WG] Token Chaining Use Case So why can't the > access tokne simply be re-used as a refresh token? Why would it need a > new grant type at all? > On Thursday, March 26, 2015 11:31 AM, Justin Richer < jricher@MIT.EDU > > > wrote: > As requested after last night’s informal meeting, here is the token > chaining use case that I want to see represented in the token swap draft. > > > [ Client ] -> [ A ] -> [ B ] -> [ C ] > > An OAuth client gets an access token AT1, just like it always would, > with scopes [A, B, C] in order to call service A, which requires all > three scopes. Service A (an RS) accepts this token since it has its > scope, and then needs to call service B in turn, which requires scopes > [B, C]. It could just re-send the token it got in, AT1, but that would > give the downstream RS the ability to call services with scope [ A ] > and it should not be allowed to do that. To limit exposure, service A > calls a token swap at the AS to create AT2 with scopes [ B, C ], > effectively acting as an OAuth client requesting a downscoped token > based on AT1. Service A then acts as an OAuth client to call service > B, now acting as an RS to service A’s client, and can fulfill the > request. And it’s turtles all the way down: Service B can also call > service C, and now B acts as a client, requesting AT3 with scope [ C ] > based on AT2, and sending AT3 to service C. This prevents C from being > able to call B or A, both of which would have been available if AT1 > had been passed around. Note that service A or the Client can also > request a downscoped token with [ C ] to call service C directly as well, and C doesn’t have to care how it got there. > > > In other words, it lets the client software be very, very dumb. It > doesn’t have to do any special processing, doesn’t have to know what’s > in the token, it just follows the recipe of “I got a token, I get > another token based on this to call someone else”. It’s also analogous > to the refresh token flow, but with access tokens going in and out. > I’ve deployed this setup several times in different service > deployments. Even though there is a performance hit in the additional > round trips (as Phil brought up in another thread), in these cases the > desire to have the tokens hold least privilege access rights (smallest > set of scopes per service) outweighed any performance hit (which was shown to be rather small in practice). > > What I want is for the token swap draft to define or use a mechanism > that allows us to do this. I think we can do that pretty easily by > adjusting the token swap syntax and language, and explicitly calling > out the semantic processing portion (the current core of the document) > for what it is: a way for a token issuer to communicate to a token > service specific actions. At a high level, the spec would be something like: > > > > 1. How to swap a token at an AS > 1. Send a request to the token endpoint with a new grant type, and a > token (of any type/format/flavor) on the way in 2. Get back a new > token in a token response 2. Communicating act as / on behalf of > semantics via a JWT assertion 1. How to create (as an > AS/RS/client/other issuer) a JWT with act-as semantics 2. What to do > (as an AS/RS) with a JWT with act-as semantics 3. How to create a JWT > with on-behalf-of semeantics 4. What to do with a JWT with > on-behalf-of-semantics 5. How to possibly represent these semantics > with something other than a JWT > > > > Section 2 uses the syntax from section 1. Other applications, like the > one I laid out above, can use the syntax from section 1 as well. This > works for structured, unstructured, self-generated, cross-domain, > within-domain, and other tokens. > > > — Justin > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Token Chaining Use Case Justin Richer
- Re: [OAUTH-WG] Token Chaining Use Case Bill Mills
- Re: [OAUTH-WG] Token Chaining Use Case Justin Richer
- Re: [OAUTH-WG] Token Chaining Use Case Phil Hunt
- Re: [OAUTH-WG] Token Chaining Use Case Bill Mills
- Re: [OAUTH-WG] Token Chaining Use Case Justin Richer
- Re: [OAUTH-WG] Token Chaining Use Case Justin Richer
- Re: [OAUTH-WG] Token Chaining Use Case Phil Hunt
- Re: [OAUTH-WG] Token Chaining Use Case Phil Hunt
- Re: [OAUTH-WG] Token Chaining Use Case Bill Mills
- Re: [OAUTH-WG] Token Chaining Use Case Donald F. Coffin
- Re: [OAUTH-WG] Token Chaining Use Case Bill Mills
- Re: [OAUTH-WG] Token Chaining Use Case Donald F. Coffin
- Re: [OAUTH-WG] Token Chaining Use Case Pedro Igor Silva
- Re: [OAUTH-WG] Token Chaining Use Case Donald F. Coffin
- Re: [OAUTH-WG] Token Chaining Use Case Pedro Igor Silva
- Re: [OAUTH-WG] Token Chaining Use Case Bill Mills
- Re: [OAUTH-WG] Token Chaining Use Case Brian Campbell
- Re: [OAUTH-WG] Token Chaining Use Case Donald F. Coffin
- Re: [OAUTH-WG] Token Chaining Use Case Bill Mills
- Re: [OAUTH-WG] Token Chaining Use Case Mike Jones
- Re: [OAUTH-WG] Token Chaining Use Case Justin Richer
- Re: [OAUTH-WG] Token Chaining Use Case Anthony Nadalin
- Re: [OAUTH-WG] Token Chaining Use Case Mike Jones
- Re: [OAUTH-WG] Token Chaining Use Case Sergey Beryozkin
- Re: [OAUTH-WG] Token Chaining Use Case Justin Richer
- Re: [OAUTH-WG] Token Chaining Use Case Brian Campbell
- Re: [OAUTH-WG] Token Chaining Use Case Brian Campbell
- Re: [OAUTH-WG] Token Chaining Use Case Brian Campbell
- Re: [OAUTH-WG] Token Chaining Use Case John Bradley
- Re: [OAUTH-WG] Token Chaining Use Case Mike Jones