IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

Dmitry Telegin <dmitryt@backbase.com> Thu, 04 April 2024 22:40 UTC

Return-Path: <dmitryt@backbase.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93F82C14F6AB for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2024 15:40:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.073
X-Spam-Level:
X-Spam-Status: No, score=-2.073 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=backbase.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id epxbTi0LN8mV for <oauth@ietfa.amsl.com>; Thu, 4 Apr 2024 15:40:36 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 309B2C14F6B9 for <oauth@ietf.org>; Thu, 4 Apr 2024 15:40:36 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id 38308e7fff4ca-2d4360ab3daso17488691fa.3 for <oauth@ietf.org>; Thu, 04 Apr 2024 15:40:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=backbase.com; s=google; t=1712270433; x=1712875233; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1bc+UfPP5LhIRDZn24l6EcNue2JkQnpSR3ietIe2e5U=; b=ZZg3OGBdSMkWH12mjArK9poMJrOW9mKG3bB0zFI9WYUAYrtpAG4kZwzMY6zjAGIaxB fvF9DacasK1mNYhYyDqOnA/uJ+FnuFat+3y010SWsmOk+jrFQwCRLMgLBTaxVnvPkW+L UrB9BZAY9DsXRC2Gyvf/b28ox1GVYvFq5021E1StnTRtqS200ySYNa3rfXcf3hmU009O R6V4C0p+YCRvwmI1BGqxlOqCNMaT2TPUhlsH1tnqjfphIiOL8ybNKU5LeuMnyAXSoGGw 8ZtfAEKUQK3tHkTVPwjEVQpCxicZL09bmIo79dg20t2rGZh7IFUxVy4LspiO1SY1hh/R Vvvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712270433; x=1712875233; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1bc+UfPP5LhIRDZn24l6EcNue2JkQnpSR3ietIe2e5U=; b=brSwIGU5nBL7f/N+vyvGunVdgjsYvX61L/eZG1Sx4tghPJcyLKVuw/wwaEM1k4QMTu vhEVI2Av9HzMuQBeh5yEK3tmxcCvyk675mhc9ijYBxq21aAhDeGCtNQ3OJnfYv4YGSEx kB9po267nW0QhsYYno/DAC18YowP/ezKDThktDOlpw41w4xvorJZ/qr032tR4n06PsLm tzrm3jnHtqX5nSBaVo4TEFyKKr9yv9od9ImGuRWwCGorjKbCyIDu0qZ1Cg/lOnol8V4l 33ssEJ9RFfL20Ue3Xe2zNDvz9HXU2EE3BJHn1Q49lsxADMOal9q+v1eCVtQ0qYB0rT/e FZew==
X-Forwarded-Encrypted: i=1; AJvYcCUeMNLLDT9ZfWtVfy+p0/EQiC+4Yy3VsB7H0+CJKNCbb7LL5frxX5IWf0j2KSfktJMEcxVYONN6MoXETrRbeg==
X-Gm-Message-State: AOJu0Yxx1sd3ua90AnDd8xRjSNC1QyvP1Eto+tzVXT0KZJI0KCaaYgCI bgTK0SAKaQkk2NmhemjjAyojhl0kZuFBiuX0ioidlsqMCXXMZKWApZILspqdr0u5X8VOM/R4lho pbWy1FC3dVFLV1+lVsspNv8UNuqTr6Bk1gnAR
X-Google-Smtp-Source: AGHT+IHg5hELonSyXRnwbl//p1pW+DYk3ymEWC9bCNyvyg0UqejBYAOZD5mQMdXWh6Pf2YvHTemKsiGT64Enk9ATAjg=
X-Received: by 2002:a05:651c:2109:b0:2d6:cb82:24e6 with SMTP id a9-20020a05651c210900b002d6cb8224e6mr486536ljq.37.1712270433305; Thu, 04 Apr 2024 15:40:33 -0700 (PDT)
MIME-Version: 1.0
References: <CANtBS9djWszOjH_ArUTP8tCAaJJvSJ2Do26M99eU+1ayqwrjyw@mail.gmail.com> <CAOgPGoDGjiKYojnD6SAZgZnd6W8nPuqxg9qP=CHGZ8YJCJRerw@mail.gmail.com> <CANtBS9f2R3dhtwbp_4iP5D2gPRu8Agb1oNACFPm6M1TatZeQ9Q@mail.gmail.com>
In-Reply-To: <CANtBS9f2R3dhtwbp_4iP5D2gPRu8Agb1oNACFPm6M1TatZeQ9Q@mail.gmail.com>
From: Dmitry Telegin <dmitryt@backbase.com>
Date: Thu, 04 Apr 2024 23:40:22 +0100
Message-ID: <CAOtx8D=L8oY+b33aCJhNK4xHtaOet5g1m1DVGRH2jF0G7O=ATQ@mail.gmail.com>
To: Atul Tulshibagwale <atul@sgnl.ai>
Cc: joe@salowey.net, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f047a506154d06db"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sTtna3ORZk1yb7zVaQE0ZmV9BJ4>
Subject: Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 22:40:40 -0000

Hello Atul,

As an alternative to Token Exchange and separate (new) endpoint, have you
ever considered OAuth 2.0 Extension Grants
<https://datatracker.ietf.org/doc/html/rfc6749#section-4.5>? This could
give us more flexibility as will let us define our own set of input
parameters and validation rules (opposite to Token Exchange that restricts
us to subject_token and friends).

Regards,
Dmitry

On Thu, Apr 4, 2024 at 11:02 PM Atul Tulshibagwale <atul@sgnl.ai> wrote:

> Thanks very much for your feedback, Joe!
>
> On Wed, Apr 3, 2024 at 10:16 AM Joseph Salowey <joe@salowey.net> wrote:
>
>> Hi Atul,
>>
>> I'm just starting to review the transaction tokens draft and have only a
>> minimal understanding of the token exchange document at this point so I'm
>> lacking a little background, but I have a few comments and questions below.
>>
>> On Fri, Mar 29, 2024 at 10:39 AM Atul Tulshibagwale <atul@sgnl.ai> wrote:
>>
>>> Hi all,
>>> We had a meeting today (notes here
>>> <https://hackmd.io/@rpc-sec-wg/HJNXYKkk0>) in which we discussed the
>>> question of what we should do if there is no incoming (external) token in
>>> the request to issue a Transaction Token
>>> <https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>
>>> (TraT). We identified a few circumstances under which this can happen:
>>>
>>>    - The requesting service is triggered by a non-OAuth based flow such
>>>    as email or an internal trigger
>>>    - The client of the requesting service uses means other than an
>>>    access token to authorize the call (e.g. MTLS)
>>>
>>> [Joe] I think there will be a fair number of systems that support means
>> of authorizing non-oauth flows.
>>
>>
>>
>>> We identified a few possibilities listed below. Please note that the
>>> Transaction Tokens draft assumes that the TraT Service trusts the
>>> requesting service, so all the possibilities below assume this.
>>>
>>>
>> [Joe] yes, you are trusting another part of the system to perform some
>> authorization and inform the token service of the result.
>>
>>
>>> Here are some possibilities we discussed:
>>>
>>>    1. *Request Details*: Put the subject information in the
>>>    request_details parameter of the TraT request, and the subject_token value
>>>    is set to "N_A"
>>>    2. *Self-Signed Token*: The requester generates a self-signed JWT
>>>    that has the subject information and puts that in the subject_token value
>>>
>>> [Joe] I like having signed tokens, but if this is really information
>> just exchanged between two endpoints it may be more work than necessary.
>>
>>>
>>>    1. *Separate Separate Endpoint*: The TraT service exposes a separate
>>>    endpoint to issue TraTs when there is no incoming token, and that endpoint
>>>    can be defined such that the request does not have a subject_token
>>>    parameter. This endpoint is not a profile of OAuth Token Exchange
>>>    2. *Separate Endpoint Only*: Extending the thought above, the
>>>    requester can always extract the content of the incoming token into the
>>>    "request_details" parameter, so why do we need the Token Exchange endpoint
>>>
>>> [Joe] What do we gain by using token exchange? While it seems that there
>> is overlap between delegation/impersonation it seems that transaction
>> tokens are sort of a superset and contain additional information about the
>> context of the transaction.   If it looks like token exchange is too
>> constraining then transaction tokens may just be a different use case.
>> With the understanding I currently have I'd either go with 4. Separate
>> Endpoint Only or 2. Self Signed token.  Splitting the endpoints could be
>> valid, but it seems a bit weird for me, if we did decide to do that then
>> probably we wouldn't need to sign the information unless the request is
>> going to traverse multiple systems.
>>
>>
>>
>>> We would like to understand how the group feels about these choices, or
>>> if you have other suggestions / thoughts on this topic.
>>>
>>> Thanks,
>>> Atul
>>>
>>> --
>>>
>>> <https://sgnl.ai>
>>>
>>> Atul Tulshibagwale
>>>
>>> CTO
>>>
>>> <https://linkedin.com/in/tulshi> <https://twitter.com/zirotrust>
>>> <atul@sgnl.ai>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email