IETF Logo Mail Archive

Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens

John Bradley <ve7jtb@ve7jtb.com> Wed, 20 April 2016 14:37 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBC6012EF5A for <oauth@ietfa.amsl.com>; Wed, 20 Apr 2016 07:37:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LK9gZj79DAGi for <oauth@ietfa.amsl.com>; Wed, 20 Apr 2016 07:37:13 -0700 (PDT)
Received: from mail-qg0-x236.google.com (mail-qg0-x236.google.com [IPv6:2607:f8b0:400d:c04::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ACE112EF6E for <oauth@ietf.org>; Wed, 20 Apr 2016 07:37:13 -0700 (PDT)
Received: by mail-qg0-x236.google.com with SMTP id c6so29511114qga.1 for <oauth@ietf.org>; Wed, 20 Apr 2016 07:37:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=hB0hhlVg/eqyBjB8UGKtqYpsYeIEySXs6QW7puYDQTc=; b=WoEOZ5Yhq4CYb/cDwikf7i0VIQ302HpkEqrNBH++E4m/U5kNJwXDr57U5+qfdFXuIR sF1w/lSew9P1pJ5BaoIDh2hv6+2ZCMb5RDcMG8cbY5jPoshTQFTvZ1SP9Vb7XfYXn43d H8k0AqiClhJ4fw0MlGggC/sZ2ukyJCadps7EeB1Kjp+VNTweMkGDI+M/FRgnLwDPzPZK i0AWczJjT1D9iUcLyNz7fkD9Mjz2xNENtr4sZLlESU2zw0CMxXQJctyM1tUOkV8/hYBp JK/5qdnbLk1wTKkga0b5pLPwvdO7TNbBuTwJSWU4hciSFYxDHiXFaNox0f4CXc62EUnj cB8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=hB0hhlVg/eqyBjB8UGKtqYpsYeIEySXs6QW7puYDQTc=; b=FphSbBO4OOg5FMkVLSxaCUUK/VyjEC9nE32Lh5C9CP0NYYvqD63I65XxjFoBwWpsNC LW6hTG+9sUiFAM/BN9qDpGU9sF9EJ5OBl5fgNKTWXy+ybxdl9t6oGcA8foXfD6Mst0a6 8dBb1TKCOisdenCY5i+mOQDO1wDEk1ceFLObIXXbvtxJi+zcb0aV8Am6+NFxLZLxcL1r x/RwYNPgwasXTFUW8yCo2UibejN9cJbY6I1pgGekFILdY9kPzQZgJe5W6NQ+eyMdhzhP HP6BDny9rpuQBQIt/M5bZ0e8MHa1Q4SHmXP8B8pP5vbPmrOcMLPXkj0/7P2DFXZzBDuw 1aPw==
X-Gm-Message-State: AOPr4FXaCrWbcbcKTxUTYusZNxeiRtkpqKXgn4p0rOFFtUJy74b2PNn6y1QtgNxTUalVoA==
X-Received: by 10.140.96.100 with SMTP id j91mr4727774qge.10.1461163032282; Wed, 20 Apr 2016 07:37:12 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.34.28]) by smtp.gmail.com with ESMTPSA id m12sm12863698qke.30.2016.04.20.07.37.08 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Apr 2016 07:37:10 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_32819EE7-D6EB-4928-A0EE-65507C9B7D17"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <ACF4DECC-B69C-4E35-86D1-1FCDA0F56A5C@verisign.com>
Date: Wed, 20 Apr 2016 11:37:07 -0300
Message-Id: <05739E84-9CCA-44AC-A541-532B7E749047@ve7jtb.com>
References: <FF8F219E-AB2E-48F5-AD90-DEA783343C1B@verisign.com> <A85A7E53-1AE2-4141-B6AF-FE3E19DEBA75@ve7jtb.com> <8B748252-9AE2-4824-923B-00CD46CB8D68@verisign.com> <CABzCy2CWBE0=3ruXYdgnS3c_Ws8kn-=qZzRXxfWP6Grznv7OgQ@mail.gmail.com> <5958E90F-EF8C-4641-96C1-A9077B450D53@verisign.com> <CABzCy2B=8E3-irnDVdWK2J3A2s827Ec85s9OMPgUbsfz694n6A@mail.gmail.com> <ACF4DECC-B69C-4E35-86D1-1FCDA0F56A5C@verisign.com>
To: "Fregly, Andrew" <afregly@verisign.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/rU-hRXg38D8wE3lmTjNK0jxC780>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Apr 2016 14:37:17 -0000

For people using RFC 7521, 7522, 7523 they are taking an assertion and using a WS-* STS to transform it into one with the correct audience to use  in 7521.

I know that some people have just ignored the audience,  however that can have negative security consequences.  When exchanging the token you want to be certain that it is the entity that the token was issued to that is exchanging it.

The STS for the rest of us is a more general framework that should allow you to take a id_token or SAML assertion and securely exchange it for another assertion or access token.

I don’t understand the use case enough to say if that is the best thing for you, but yes that is the intent of that spec.

John B.

> On Apr 20, 2016, at 10:58 AM, Fregly, Andrew <afregly@verisign.com> wrote:
> 
> Thank you again of your input Nat. 
> 
> First of all, I apologize for confusing the situation by referencing the wrong RFCs in a prior email. I transposed two digits. The RFCs I meant to reference where 7521-7523 (see below).
> 
> I get that the original RFC for OAuth has the mechanism for client authentication being out of scope.  What is muddying the water for me is that RFCs 7521, 7522, and 7523 seem to specify the means by which a client can provide an authentication token to an Authorization Service. This purpose is stated at the top of the abstract for RFC 7521:
> 
> "The intent of this specification is to provide a common framework for OAuth 2.0 to interwork with other identity systems using assertions and to provide alternative client authentication mechanisms.”
> 
> In our use case, we need to have users authenticated against identity providers that organizations use internally as the means for authenticating clients accessing our service. We need this because we believe this is the best means for proving a user is still a member of an organization at the time they authenticate. Most, perhaps all of these organizations, will internally use an Identity Provider that provides SAML authentication assertions. This led me to looking for a way to use authentication tokens produced by internal Identity Providers as a means for proving a client had been authenticated by the organization. A bit of investigation in how this might be done led me to OAuth RFCs 7521, 7522 and 7523. They  almost get me there. They specify what needs to be in an Authentication token that is given by a client to an Authorization Service. The gotcha was that these RFCs require an audience claim in the authentication token. This audience claim is used to identify the specific Authorization Service the token is meant for. For this audience claim to get filled in by some arbitrary organization’s Identity Provider, it seems the Identity Provider will need to be told who the Authorization Service is by the client initiating the authentication. I have therefore been looking for a standard that specifies how a client can tell the Identity Provider the identity of the Authorization Service. I was stuck for a bit on how the IETF OAuth working group could address this issue since authentication seemed to be out of scope for the group. Then I found the  IETF draft "OAuth 2.0 Token Exchange: An STS for the REST of Us”. It defines a mechanism for telling a Security Token Service the audience for the token it is being asked to issue. I thought that would solve my problem since an intent of the draft seemed to be on generalizing the described approach to any type of Security Token Service. There was one gotcha in the draft though. It limited the type of STS to which the protocol applied to be just Authorization Services. For my use case, I needed the capability described in the draft, but applicable to Identity Providers too. If it were applicable to Identity Providers, there would then be a full set of existing RFCs and drafts that covered the functionality needed for our use case. 
> 
> There are a couple of possible actions that I have been contemplating relative to OAuth:
> Write extensions to RFCs 7521, 7522 and 7523 that eliminate the need for an audience claim in the authentication token if the Authorization Service has a trust relationship with the Identity Provider that issued the authentication token.
> Ask the authors of the “OAuth 2.0 Token Exchange: An STS for the REST of Us” to explicitly state that the the approach described there-in is applicable to both Identity Providers and Authorization services.
> Before doing either of these steps, I want to make sure that I am not missing something in existing RFCs and drafts that would address our use case. I have only been looking at this issue for a few weeks, so I thought it would be best to go to the experts to get advice. This led to this email chain. 
> 
> Thanks to all following this chain for your time and consideration on this!
> 
> Andy
> 
> From: Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>
> Date: Tuesday, April 19, 2016 at 5:35 PM
> To: Andrew Fregly <afregly@verisign.com <mailto:afregly@verisign.com>>, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>, "oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org <mailto:oauth@ietf.org>>
> Subject: Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens
> 
>> Hi Andrew, 
>> 
>> In OAuth 2.0, the resource owner authentication /end user authentication is out of scope. What it deals with is "client authentication". They should not be mixed up. There is no end user identity nor authentication token in the OAuth. You cannot do end user authentication with pure OAuth. For that, you have to rely on something like OpenID Connect. 
>> 
>> As John noted, it is perfectly fine to chain the external authentication and the internal authorization. It is often done. It is just that the RFC6749 Authz server is an RP of OpenID Connect or SP of SAML. Nothing precludes it. 
>> 
>> If you really want to avoid the front channel re-auth with prompt=none, which is more secure and proper ways to do, but just to make sure that the user still exists in the authentication service, you can infer it by making a userinfo request to the userinfo endpoint of OpenID Connect. It would fail in various reasons, but would certainly fail if the user does not exist anymore. Other error conditions like the user revoked the access/refresh token etc. would cause the same invalid_token error though. 
>> 
>> Best, 
>> 
>> Nat
>> 
>> P.S. I do not see why the RFCs you sited are relevant here. I guess you are talking about RFC7521-7523 ;-)
>> 
>> RFC7251 AES-CCM Elliptic Curve Cryptography (ECC) Cipher Suites for TLS
>> RFC7252 The Constrained Application Protocol (CoAP)
>> RFC7253 The OCB Authenticated-Encryption Algorithm
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 2016年4月20日(水) 5:34 Fregly, Andrew <afregly@verisign.com <mailto:afregly@verisign.com>>:
>>> Thanks for your reply Nat.
>>> 
>>> Does your approach match with an IETF OAuth RFC or Draft describing how an Authorization Service can accept and verify an authentication token provided by a client during the authorization process? If so, please point me to that. The only RFCs I have seen  that address this are RFCs 7251, 7252 and 7253, and they all have a requirement that an “audience” claim corresponding to the Authorization Service is in the authentication token. Getting that claim into an authentication token provided by an Organization’s Identity provider seems to be my fundamental problem.
>>> 
>>> Thanks,
>>>       Andy
>>> 
>>> From: Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>>
>>> Date: Tuesday, April 19, 2016 at 4:13 PM
>>> To: Andrew Fregly <afregly@verisign.com <mailto:afregly@verisign.com>>, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>, "oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org <mailto:oauth@ietf.org>>
>>> 
>>> Subject: Re: [OAUTH-WG] Building on the protocol in the draft "OAuth 2.0 Token Exchange: An STS for the REST of Us" to include Authentication Tokens
>>> 
>>>> Get OpenID Connect id_token by the authentication request with prompt=none and verifying the sub to be the same with what you expected seem to suffice your needs. Am I missing something? 
>>>> On Wed, Apr 20, 2016 at 05:05 Fregly, Andrew <afregly@verisign.com <mailto:afregly@verisign.com>> wrote:
>>>>> Thanks for your response John. I also got a good response from Brian Campbell and appreciate that. I will respond separately to Brian’s response as I think it would keep things clearer to do that.
>>>>> 
>>>>> The problem we have for using OpenID Connect is that it combines the role of Authentication Service with the role of Authorization Service. Perhaps the following description of what we want to do will clarify why this won’t work for us:
>>>>> 
>>>>> The basic problem statement is that we need to have a client application authorized by a Service Provider based on proof that a user is currently a member of some organization. This assumes the organization has previously established some level of authorized access with the Service Provider. 
>>>>> 
>>>>> Here is an example: Suppose I am a member of SomeOrg Inc. Suppose SomeOrg Inc. is doing research that requires it to gather data over the Internet from a number of data providers. The data providers require authentication and proof of organizational membership in order to authorize various levels of access to their data. The data providers do not consider having an account with them or a Public Identity Provider to be suitable for proving that I am still a member of SomeOrg at time of authentication. They would have no way of knowing whether or not my relationship with SomeOrg still exists at that time. The data providers would therefore like the Client software to authenticate me against SomeOrgs Identity Provider. This would be good proof that I am still a member of SomeOrg at the time I authenticate. This authentication would enable the data providers Authorization Server to grant me access appropriate to a member of SomeOrg.  Note that as a prerequisite to all of this, SomeOrg will have used an out-of-band process to set up a trust relationship for SomeOrg's Identity Provider with the data provider’s Authorization Service, and will have negotiated authorization claims to be granted to SomeOrgs members.
>>>>> 
>>>>> What I am having difficulty with is in knitting together an approach based on the he OpenID Connect specifications, SAML specifications, and OAuth RFCs and drafts in a way that supports the above use case end-to-end. The OAuth RFCs and drafts almost get me there. What seems to be missing is a way of telling an Identity Provider the URL for the Authorization Service (the required Audience claim in an authentication assertion as defined in RFCs 7251, 7252 and 7253), and then a requirement that the Identity Providers put the supplied Audience Identifier into Authentication Tokens. Perhaps a little further back-and-forth with Brian will resolve this.
>>>>> 
>>>>> I can go into deeper detail if needed. If this is off-topic for the OAuth working group, let me know.
>>>>> 
>>>>> Thanks,
>>>>> Andrew Fregly
>>>>> Verisign Inc.
>>>>> 
>>>>> 
>>>>> From: John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>
>>>>> Date: Tuesday, April 19, 2016 at 2:06 PM
>>>>> To: Andrew Fregly <afregly@verisign.com <mailto:afregly@verisign.com>>
>>>>> Cc: "oauth@ietf.org <mailto:oauth@ietf.org>" <oauth@ietf.org <mailto:oauth@ietf.org>>
>>>>> Subject: Re: [OAUTH-WG] Building on the protocol in the draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” to include Authentication Tokens
>>>>> 
>>>>>> Looking at OpenID Connect and it’s trust model for producing id_tokens that assert identity may help you.
>>>>>> http://openid.net/wg/connect/ <http://openid.net/wg/connect/>
>>>>>> 
>>>>>> Unfortunately I can’t quite make out what you are trying to do. 
>>>>>> 
>>>>>> It sort of sounds like you want an id_token from a idP and then have the client exchange that assertion for another token?
>>>>>> 
>>>>>> John B.
>>>>>>> On Apr 19, 2016, at 1:18 PM, Fregly, Andrew <afregly@verisign.com <mailto:afregly@verisign.com>> wrote:
>>>>>>> 
>>>>>>> I have a use case where a client application needs to authenticate with a dynamically determined Identity Provider that is separate from the Authorization Service that will be used issue an access token to the client. The use case also requires that as part of authorization, the client provides to the Authorization Service an authentication token signed by an Identity Provider that the Authorization Service has a trust relationship with. The trust relationship is verifiable based on the Authorization Service having recorded the public keys or certificates of trusted Identity Providers in a trust store, this allowing the Authorization Service to verify an Identity Provider’s signature on an authentication token. <>
>>>>>>>  
>>>>>>> In looking at the various OAuth RFCs, particularly RFCs 7521, 7522, and 7523, I see that they get me close in terms of supporting the use case. What is missing is a means for solving the following problem. These RFCs require that the Identity Provider put an Audience claim in the authentication token. The problem with this is that I do not see in the RFCs how the Identity Provider can be told who the Audience is to put into the authentication token. This leads me to the title of this message. The draft “OAuth 2.0 Token Exchange: An STS for the REST of Us” defines a mechanism for identifying the Audience for an STS to put into a token it generates. That would solve my problem except that the draft limits the type of STS to being Authorization Servers. What is needed is this same capability for interacting with an Identity Provider. This would enable RFCs 7521, 7522 and 7523 to be useful in situation where the Identity Provider needs to be told the identity of the Authorization Service.
>>>>>>>  
>>>>>>> I am new to interacting with the IETF. I also am not an expert on the RFCs or prior history of the OAuth group relative to this topic, so please point me to any existing solution if this is a solved problem. Otherwise, I would like to get feedback on my suggestion.
>>>>>>>  
>>>>>>> Thanks You,
>>>>>>> 
>>>>>>> Andrew Fregly
>>>>>>> Verisign Inc.
>>>>>>> _______________________________________________
>>>>>>> OAuth mailing list
>>>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>

v2.23.0 | Report a Bug | By Email