Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt

Bill Burke <bburke@redhat.com> Thu, 17 May 2018 14:03 UTC

Return-Path: <bburke@redhat.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4971312EAF3 for <oauth@ietfa.amsl.com>; Thu, 17 May 2018 07:03:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FNnH04Hifc7b for <oauth@ietfa.amsl.com>; Thu, 17 May 2018 07:03:13 -0700 (PDT)
Received: from mail-vk0-f45.google.com (mail-vk0-f45.google.com [209.85.213.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40BD2126D0C for <oauth@ietf.org>; Thu, 17 May 2018 07:03:13 -0700 (PDT)
Received: by mail-vk0-f45.google.com with SMTP id t63-v6so2766556vkb.1 for <oauth@ietf.org>; Thu, 17 May 2018 07:03:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=3vklw4Hp0K+fIoJggCgtRD2lKAtIcxkAoMzpXZqvWzk=; b=s1C5MFdYMk8pDpCBYJJG/ZM8gcp/kGmE6lMoDD6R80cCYN9VGDKJDEMB5YKkVa6peA f24x7uZogrishu+NbOt6RPQfDfEVzUe29kVTsIKP/Mrlawr1Z7iTzHgidiLQhxxbmXFj UAltg4mp4itOMDxlhmkgLQyUtbh76360FQ1XZKdwBXegSW07Z0Zw/PRM3MrKjdObV4Jo q0JF7uzDYcrv8qrDgpoO8lU8+lD6WB6yg6Yj3cBDnPhyKMPixqQSWr5IS7D8vkDzcAcz 3otvkubUnyQ8EH+m6A7RLLbG1Kjslv3g0UTxpB9IDoh5nh1WHUZqrAfAnmWmSUs2XgEt jEjA==
X-Gm-Message-State: ALKqPweqZougthutjfP9iET4ni38eCEOanljD4/sy0pqd3zJIT1FhVSS ZHtmqARXwEOBMmwn3IMCC4V2R581fLpSQO48w2vvxQ==
X-Google-Smtp-Source: AB8JxZp43Pa31EQP67sz6PiedoWWmCEPWqDXXkYFv1bVM43GN6w6h8mVDqFbAkDGK9XexCkq1/V1WFwIitZ1zzUz1/Y=
X-Received: by 2002:a1f:a6cf:: with SMTP id p198-v6mr4095960vke.107.1526565792085; Thu, 17 May 2018 07:03:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.192.11 with HTTP; Thu, 17 May 2018 07:03:11 -0700 (PDT)
In-Reply-To: <SN6PR00MB03015D1AAF670587060EE199F5910@SN6PR00MB0301.namprd00.prod.outlook.com>
References: <CABcZeBNQaqg3wFuo=w3h4k+bB44pEPnoR-zZYM+AR7YDA=O8Gg@mail.gmail.com> <CA+k3eCRDyn7-1KEVYai8b-G_bLQZGTgiS2VFG9W3NWy2Ttu-nw@mail.gmail.com> <ef06d115-b178-16c3-76ca-4693d273ae41@free.fr> <CA+k3eCTeBqPHTs_vUrFOcEOT3CHJptJN8m3_M3LDYyL=WrL5BA@mail.gmail.com> <CABRXCmxSY75_tSA6uE4jtMMeX4aXOGEzWBLhkKXOOgg9ZUNNuA@mail.gmail.com> <SN6PR00MB03015D1AAF670587060EE199F5910@SN6PR00MB0301.namprd00.prod.outlook.com>
From: Bill Burke <bburke@redhat.com>
Date: Thu, 17 May 2018 10:03:11 -0400
Message-ID: <CABRXCmy8WnhSYGSz+wu2NQvz1E2Jr_Jx-=cH=tM_xVT0UaQp6g@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: Brian Campbell <bcampbell@pingidentity.com>, oauth <oauth@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ssd6V_7DVLovcfByXKnSokS40Vg>
Subject: Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 May 2018 14:03:16 -0000

This is an honest question: How important is the actor stuff to the
players involved?  Are people going to use it?  IMO, its an edge case
and I think more important areas, like external token exchange (realm
to realm, domain to domain) are being neglected.  I'm quite unfamiliar
how consensus is reached in this WG or the IETF, so I hope I'm not
sounding rude.  Just trying to provide some constructive feedback.



On Thu, May 17, 2018 at 9:26 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> Moving the actor claim to a separate specification would only make things more complicated for developers.  There already plenty of OAuth specs.  Needlessly adding another one will only make related things harder to find.
>
> Just like in the JWT [RFC 7519] spec itself in which use of all the claims is optional, use of the actor claim in this spec.  If you don't need it, don't use it.  Just because some won't use it is no better an argument for moving it to a different spec than the argument that JWT should have defined each of its claims in different specs.  That would have made things harder, not easier.
>
>                                 -- Mike
>
> -----Original Message-----
> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Bill Burke
> Sent: Thursday, May 17, 2018 2:11 PM
> To: Brian Campbell <bcampbell@pingidentity.com>
> Cc: oauth <oauth@ietf.org>
> Subject: Re: [OAUTH-WG] Followup on draft-ietf-oauth-token-exchange-12.txt
>
> My personal opinion is that I'm glad this actor stuff is optional.
> For one, none of our users have asked for it and really only do simple exchanges.  Secondly, the rules for who can exchange what for what is controlled and defined within our AS.  Makes things a lot simpler on the client.  I kind of wish the actor stuff would be defined in a separate specification.  I don't see us implementing it unless users start asking us to.
>
> On Wed, May 16, 2018 at 6:11 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>> Well, it's already called the "actor claim" so the claimed part is
>> kind of implied. And "claimed actor claim" is a rather awkward.
>> Really, all JWT claims are "claimed something" but they don't include
>> the "claimed" bit in the name. RFC 7519, for example, defines the
>> subject claim but not the claimed subject claim.
>>
>> On Fri, Apr 20, 2018 at 11:38 AM, Denis <denis.ietf@free.fr> wrote:
>>>
>>> Brian,
>>>
>>> Eric said: "what is the RP supposed to do when they encounter it?
>>> This seems kind of under specified".
>>>
>>> After reading your explanations below, it looks like the RP can do
>>> anything he wants with the "actor".
>>> It is a "claimed actor" and, if we keep the concept, it should be
>>> called as such. Such a claim cannot be verified.
>>> A RP could copy and paste that claim in an audit log. No standard
>>> action related to the content of such a claim can be specified in the
>>> spec. If the content of a "claimed actor" is used by the RP, it
>>> should be only used as an hint and thus be subject to other
>>> verifications which are not specified in this specification.
>>>
>>> Denis
>>>
>>> Eric, I realize you weren't particularly impressed by my prior
>>> statements about the actor claim but, for lack of knowing what else
>>> to say, I'm going to kind of repeat what I said about it over in the
>>> Phabricator tool and add a little color.
>>>
>>> The actor claim is intended as a way to express that delegation has
>>> happened and identify the entities involved. Access control or other
>>> decisions based on it are at the discretion of the consumer of the
>>> token based on whatever policy might be in place.
>>>
>>> There are JWT claims that have concise processing rules with respect
>>> to whether or not the JWT can be accepted as valid. Some examples are "aud"
>>> (Audience), "exp" (Expiration Time), and "nbf" (Not Before) from RFC 7519.
>>> E.g. if the token is expired or was intended for someone or something
>>> else, reject it.
>>>
>>> And there are JWT claims that appropriately don't specify such
>>> processing rules and are solely statements of fact or circumstance.
>>> Also from RFC 7519, the "sub" (Subject) and "iat" (Issued At) claims are good examples of such.
>>> There might be application or policy specific rules applied to the
>>> content of those kinds of claims (e.g. only subjects from a
>>> particular organization are able to access tenant specific data or,
>>> less realistic but still possible, disallow access for tokens issued
>>> outside of regular business
>>> hours) but that's all outside the scope of a specification's
>>> definition of the claim.
>>>
>>> The actor claim falls into the latter category. It's a way for the
>>> issuer of the token to tell the consumer of the token what is going
>>> on. But any action to take (or not) based on that information is at
>>> the discretion of the token consumer. I honestly don't know it could
>>> be anything more. And don't think it should be.
>>>
>>> There are two main expected uses of the actor claim (that I'm aware
>>> of
>>> anyway) that describing here might help. Maybe. One is a human to
>>> human delegation case like a customer service rep doing something on
>>> behalf of an end user. The subject would be that user and the actor
>>> would be the customer service rep. And there wouldn't be any chaining
>>> or nesting of the actor. The other case is so called service chaining
>>> where a system might exchange a token it receives for a new token
>>> that it can use to call a downstream service. And that service in
>>> turn might do another exchange to get a new token suitable to call
>>> yet another downstream service. And again and so on and turtles all
>>> the way. I'm not necessarily endorsing that level of granularity in
>>> chaining but it's bound to happen somewhere/sometime. The nested
>>> actor claim is able to express that all that has happened with the
>>> top level or outermost one being the system currently using the token
>>> and prior systems being nested.. What actually gets done with that
>>> information is up to the respective systems involved. There might be
>>> policy about what system is allowed to call what other system that is
>>> enforced. Or maybe the info is just written to an audit log
>>> somewhere. Or something else. I don't know. But whatever it is application/deployment/policy dependent and not specifiable by a spec.
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Fri, Apr 13, 2018 at 6:38 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>>>
>>>> Hi folks,
>>>>
>>>> I've gone over draft-ietf-oauth-token-exchange-12 and things seem
>>>> generally OK. I do still have one remaining concern, which is about
>>>> the actor claim. Specifically, what is the RP supposed to do when
>>>> they encounter it? This seems kind of underspecified.
>>>>
>>>> In particular:
>>>>
>>>> 1. What facts am I supposed to know here? Merely that everyone in
>>>>    the chain signed off on the next person in the chain acting as them?
>>>>
>>>> 2. Am I just supposed to pretend that the person presenting the token
>>>>    is the identity at the top of the chain? Say I have the
>>>>    delegation A -> B -> C, and there is some resource which
>>>>    B can access but A and C cannot, should I give access?
>>>>
>>>> I think the first question definitely needs an answer. The second
>>>> question I guess we could make not answer, but it's pretty hard to
>>>> know how to make a system with this left open..
>>>>
>>>> -Ekr
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>
>>>
>>> CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s).
>>> Any review, use, distribution or disclosure by others is strictly
>>> prohibited..  If you have received this communication in error,
>>> please notify the sender immediately by e-mail and delete the message
>>> and any file attachments from your computer. Thank you.
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>>
>> CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly
>> prohibited..  If you have received this communication in error, please
>> notify the sender immediately by e-mail and delete the message and any
>> file attachments from your computer. Thank you.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
>
> --
> Bill Burke
> Red Hat
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth



-- 
Bill Burke
Red Hat