[OAUTH-WG] Use OAuth flows to separate authentication from AS

Thibault Normand <thibault.normand@gmail.com> Mon, 21 December 2020 14:51 UTC

From: Thibault Normand <thibault.normand@gmail.com>
Date: Mon, 21 Dec 2020 15:51:09 +0100
Message-ID: <CADMp+sL98UjSxE_dKD7SQCzEXkL=x8DVEnVx8vKLb5w7Oc1YoQ@mail.gmail.com>
To: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/sby05nD2Oksp39eHcn5JDMGMnyQ>
Subject: [OAUTH-WG] Use OAuth flows to separate authentication from AS

Hello All,

Merry Christmas, Happy new year!

I'm trying to separate the authentication from the authorization server as
a dedicated service. This will allow:
* to have better isolation of often customer-specific code
* to dispatch the load according to the authentication scheme used (Argon2, etc.)
* to be creative with the authentication process

The idea is to have an API contract based on the assertion flow, where the
assertion is the result of authentication and authorization (role mapping,
scope expansion, etc.).
This assertion is exchanged using the assertion grant type to get an Access
Token, which is symbolically used as an authentication-by-reference token.

During the AuthCode dance, the user has to be logged in; if not, he will be
redirected to the corresponding authentication provider, which will
generate the assertion and the access token.
The authentication provider returns the access token as a parameter to the
initial authorization_code request, so that this access token is used to
retrieve the bound identity via an (internal) generic user info call, from
which we return the ID Token built during the authentication phase.

[image: OATH AuthCode + External Login.png]
I saw multiple implementations of the external identity provider pattern,
but they use an additional API served by Authorization Server to handle the
identity binding to the authorization request.

I am trying to stick with the already defined OAuth flows.

Some focus:

   - AccessToken in URL for identity binding => probably needs to be
   burn-after-read
   - TokenExchange vs Assertion
   - Probably other things ...

Any thoughts?

Thank you ^^
-- 
Thibault Normand
http://www.zenithar.org
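The exchange sketched in the message above, as an added illustration that is not the poster's code: an external authentication provider signs its result as a JWT assertion, the AS consumes it through the assertion grant type and hands back an opaque reference token, and the internal user-info lookup burns that reference on first read so a token that leaked through a URL cannot be replayed. The shared HMAC key, the service names and the 60-second lifetimes are constructed for the demo; RFC 7523 deployments would normally use asymmetric keys.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo secret shared by the authentication provider and the AS (assumption).
ASSERTION_KEY = b"constructed-demo-secret-do-not-reuse"
AS_AUDIENCE = "https://as.example/token"   # constructed AS identifier
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_assertion(subject: str, roles: list, now: int) -> str:
    """Authentication provider: sign the authentication + role-mapping result as a JWT."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"iss": "authn-svc", "sub": subject, "aud": AS_AUDIENCE,
                              "iat": now, "exp": now + 60, "roles": roles}).encode())
    sig = hmac.new(ASSERTION_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64(sig)}"

# AS-side store: opaque reference token -> identity bound at authentication time.
_reference_tokens: dict = {}

def token_endpoint(grant_type: str, assertion: str, now: int) -> dict:
    """AS: validate the assertion grant, then mint an opaque single-use reference token."""
    if grant_type != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        header, claims, sig = assertion.split(".")
    except ValueError:
        return {"error": "invalid_grant"}
    # Verify the signature over the raw segments before trusting any claim.
    expected = hmac.new(ASSERTION_KEY, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return {"error": "invalid_grant"}
    body = json.loads(_unb64(claims))
    if (json.loads(_unb64(header)).get("alg") != "HS256"
            or body.get("aud") != AS_AUDIENCE or body.get("exp", 0) <= now):
        return {"error": "invalid_grant"}
    token = secrets.token_urlsafe(32)
    _reference_tokens[token] = {"sub": body["sub"], "roles": body.get("roles", []), "exp": now + 60}
    return {"access_token": token, "token_type": "Bearer", "expires_in": 60}

def internal_userinfo(access_token: str, now: int):
    """Burn-after-read: the bound identity is returned once, then the reference is deleted."""
    identity = _reference_tokens.pop(access_token, None)
    if identity is None or identity["exp"] <= now:
        return None
    return {"sub": identity["sub"], "roles": identity["roles"]}
```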