Re: [OAUTH-WG] Confirmation: Call for Adoption of "OAuth 2.0 Token Exchange" as an OAuth Working Group Item
Brian Campbell <bcampbell@pingidentity.com> Fri, 08 August 2014 17:55 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/qwwATXElNyI842fF_qexGHy0zpY
Absolutely agree that some examples are needed. There's a [[ TODO ]] in there for it. I just hadn't gotten to it yet and wanted to get the I-D up before the Aug 10 date that Hannes put out there.

The example you outlined is a good start, I think. Yes, code and refresh tokens would/could be valid tokens. A previously issued access token might also be. JWT & SAML too. The last paragraph of http://tools.ietf.org/html/draft-campbell-oauth-sts-00#section-1 attempts to state that the scope of the doc is only the framework for exchange and that the "syntax, semantics and security characteristics of the tokens themselves (both those presented to the are explicitly out of scope." What constitutes a valid token will depend on the deployment or additional profiling.

"So how might sending an act_as token to the token endpoint as part of the request impact the result." -> In general I was thinking it'd result in an azp claim or something like that in the returned token.

"Do you see the act_as interacting with PoP to limit who can present the resulting token." -> Quite possibly. Though, honestly, I don't yet have a complete concept of how PoP works in conjunction with all this.

"Is act_as simply duplicating the authentication portion of the current assertion profile?" -> There is potential for duplication in some cases, yes. But the motivation for act_as was to give additional flexibility by allowing an additional party to be represented. Also to try and align with draft-jones-oauth-token-exchange <http://datatracker.ietf.org/doc/draft-jones-oauth-token-exchange/> to the extent possible. I had toyed with the idea of only having one inbound token for the subject and having the client (relying on client authentication) be the actor. Then maybe a flag to indicate if delegation vs impersonation is desired in the returned token. But it seemed like there was a need (things you'd said among others) for more than two parties to be represented.

There's some refinement to be done for sure though.

"Not having concrete answers at this point is not a problem, but we do need to think all of this through." -> Agree.

"I think this document is also useful input." -> Thanks.
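As an added illustration of the idea Brian describes above (an act_as token at the token endpoint surfacing as an azp claim in the returned token), here is a toy token endpoint written for this page, not code from the draft or from Ping Identity. The request field names other than act_as, the HMAC-signed JWT encoding, the shared demo key and the 300-second lifetime are all assumptions made here; a real STS would validate issuer, audience and key material per inbound token type.

```python
import base64, hashlib, hmac, json

# Constructed demo key: a real STS keeps separate verification keys per issuer.
KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    """Mint an HS256 JWT (hypothetical stand-in for whatever token type is deployed)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Check signature and expiry; reject rather than trust any inbound token blindly."""
    header, body, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def exchange(request: dict, now: int) -> dict:
    """Hypothetical token-endpoint handling of an exchange request.

    subject_token: token for the party the new token is issued about.
    act_as (optional): token for the party that will act for the subject;
    its subject is recorded as the 'azp' (authorized party) claim so the
    resource server can tell delegation apart from the subject acting alone.
    """
    subject = verify_jwt(request["subject_token"], now)
    issued = {
        "iss": "https://as.example",   # assumed issuer
        "sub": subject["sub"],
        "aud": request["audience"],    # assumed request field
        "iat": now,
        "exp": now + 300,
    }
    if "act_as" in request:
        actor = verify_jwt(request["act_as"], now)  # the actor must also be valid
        issued["azp"] = actor["sub"]
    return issued
```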