IETF Logo Mail Archive

Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token

Atul Tulshibagwale <atul@sgnl.ai> Fri, 12 April 2024 16:10 UTC

Return-Path: <atul@sgnl.ai>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 402B4C14F71B for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2024 09:10:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.075
X-Spam-Level:
X-Spam-Status: No, score=-2.075 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, T_REMOTE_IMAGE=0.01, T_SPF_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sgnl.ai
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ga4aWysrL40T for <oauth@ietfa.amsl.com>; Fri, 12 Apr 2024 09:10:23 -0700 (PDT)
Received: from mail-pl1-x62a.google.com (mail-pl1-x62a.google.com [IPv6:2607:f8b0:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB485C14F6B8 for <oauth@ietf.org>; Fri, 12 Apr 2024 09:10:23 -0700 (PDT)
Received: by mail-pl1-x62a.google.com with SMTP id d9443c01a7336-1e3ca4fe4cfso7375485ad.2 for <oauth@ietf.org>; Fri, 12 Apr 2024 09:10:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sgnl.ai; s=google; t=1712938223; x=1713543023; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=bnz9YumnYcNkwdo1ERKoxpkcgc8fuftHjOa+/AcfmOM=; b=y+TMEThqbr2Ux05ybwekZ2XM/kbxBC4DAdii2UMewTqGrePTqnkROwe1giCz6JGhWQ UrQL3hjaFCSi+AK4USO6bU/jxOOjWCG1P38g7yI5gmIFbytOhA6T6kcKR5LJO2f3x/ZF CWFXLCGpzJ6EDbfQ9CmFd/m3ZCjGo/+s6eoczFhso751aQ0PCxcuuesNBQfGB7YLdvbJ DK0mjUfe8MB15U/Mg3WHjPCOQ4tKBw9nMDO6X5c01l/S93Vyy4j266GzsF6sbSl8P7B/ RYhlhPnq0FU2lUTYT9+YJIfOCc4zTUOQ/SJzsl5D489BtLcaIOiy+KtPXV9BIZ7tPAh5 idDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712938223; x=1713543023; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=bnz9YumnYcNkwdo1ERKoxpkcgc8fuftHjOa+/AcfmOM=; b=O0eBmCRapKApS+LARfMZNM4LQJ3qaq1IrTY3tqfKMz8i9RaOtNMoFT7iB7Hdto+HDA X0J+rD8+MdH6PrwTUsMQIcmBU7/RDCSC+LWSC9wGvB2a/6KUh/Rw31vJXcrCBr9DQdNF LJTrHigtBPFH6O8jW2gLKo7JfwHQ19pnS6MKh+B0/mLhwTKatFgE+xnaRHhiw8Ya5nhr 8fgnR6muTQ0BI7auHggETHbPL6tLPLri3UWDa+IX21erg1APu6wZx9W+SSxT2xTgvTdY zpaDqepaTV9E4VjrU+4JqZ8cF+Uer205qOsnxWUXQujJXpYNsj4DPwX9xlocuNnMAfhs cJIQ==
X-Forwarded-Encrypted: i=1; AJvYcCXr2lQ8zO0d0dwse9S/dKsX4S4DUVvPOzT050qFuGgm4003Y8Kne3As2akDORF0o+AQivRbY1TUvqcqhopANw==
X-Gm-Message-State: AOJu0YzUMLe+6xHqvsE9OqXaPzUAKi2bwgPaCi+YByypCQTmiLs2Z/hG 5DB21RFGgiNGq5jCSN5I4+tCurO6yg40uwF6lQF89wbluLcrIYR1rcw1KNVYWXSSP+P8P1Ro1Eg g+rNbAmcrNnkZskLU6emGZMfJ7nMJTnMtL6OdGA==
X-Google-Smtp-Source: AGHT+IH+10gVuT8KpEzGMKPq47fm3Q2owb+i+S60gxNvNcbJqTMHZN5tGkLUmO6mPdHk51RjMJftD3mHipy6ufpGx5c=
X-Received: by 2002:a17:902:8c97:b0:1e5:2ea7:a0b3 with SMTP id t23-20020a1709028c9700b001e52ea7a0b3mr2844461plo.62.1712938222508; Fri, 12 Apr 2024 09:10:22 -0700 (PDT)
MIME-Version: 1.0
References: <CANtBS9djWszOjH_ArUTP8tCAaJJvSJ2Do26M99eU+1ayqwrjyw@mail.gmail.com> <CAOgPGoDGjiKYojnD6SAZgZnd6W8nPuqxg9qP=CHGZ8YJCJRerw@mail.gmail.com> <CANtBS9f2R3dhtwbp_4iP5D2gPRu8Agb1oNACFPm6M1TatZeQ9Q@mail.gmail.com> <CAOtx8D=L8oY+b33aCJhNK4xHtaOet5g1m1DVGRH2jF0G7O=ATQ@mail.gmail.com> <BE16B049-6229-4594-B708-DC64E2FA2C86@1und1.de> <CA+k3eCQHFnGpb+Ff_gmXLMxh8OZ2FufCs1+CY3d_BKjeo9_Spw@mail.gmail.com>
In-Reply-To: <CA+k3eCQHFnGpb+Ff_gmXLMxh8OZ2FufCs1+CY3d_BKjeo9_Spw@mail.gmail.com>
From: Atul Tulshibagwale <atul@sgnl.ai>
Date: Fri, 12 Apr 2024 09:10:05 -0700
Message-ID: <CANtBS9dMUxqXCke7pBJ5rYAPo81tbekqLjfTQp6hi7R5RYexuA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Kai Lehmann <kai.lehmann=401und1.de@dmarc.ietf.org>, Dmitry Telegin <dmitryt=40backbase.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000467ca50615e88247"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ulFJcG064hXvN5gK5M1RBSK8E2s>
Subject: Re: [OAUTH-WG] Transaction Tokens issuance in the absence of incoming token
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2024 16:10:28 -0000

Thanks all, for your input. We discussed alternatives on a call last week
<https://hackmd.io/@rpc-sec-wg/BkdOgipkA>, and arrived at using self-signed
tokens with token exchange as a way forward.

On Fri, Apr 5, 2024 at 10:58 AM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> One potential benefit of keeping the use of Token Exchange is that some AS
> products/implementations have built a fair amount of configurability and
> extensibility into their Token Exchange support, which might allow for
> existing systems to be set up to do Transaction Tokens. Whereas a new
> endpoint or new grant type are more likely to require code changes to the
> core AS. Obviously this isn't universally true but something to consider
> nonetheless.
>
> On Fri, Apr 5, 2024 at 4:13 AM Kai Lehmann <kai.lehmann=
> 401und1.de@dmarc.ietf.org> wrote:
>
>> Hi,
>>
>>
>>
>> that is my thought as well. It does not necessarily be a Token Exchange
>> profile, but the Token endpoint makes sense as Tokens are issued. Defining
>> a specific Token grant with the necessary input parameters would fit nicely.
>>
>>
>>
>> Best regards,
>>
>> Kai
>>
>>
>>
>> *From: *OAuth <oauth-bounces@ietf.org> on behalf of Dmitry Telegin
>> <dmitryt=40backbase.com@dmarc.ietf.org>
>> *Date: *Friday, 5. April 2024 at 00:41
>> *To: *Atul Tulshibagwale <atul@sgnl.ai>
>> *Cc: *oauth <oauth@ietf.org>
>> *Subject: *Re: [OAUTH-WG] Transaction Tokens issuance in the absence of
>> incoming token
>>
>>
>>
>> Hello Atul,
>>
>>
>>
>> As an alternative to Token Exchange and separate (new) endpoint, have you
>> ever considered OAuth 2.0 Extension Grants
>> <https://datatracker.ietf.org/doc/html/rfc6749#section-4.5>? This could
>> give us more flexibility as will let us define our own set of input
>> parameters and validation rules (opposite to Token Exchange that restricts
>> us to subject_token and friends).
>>
>>
>>
>> Regards,
>>
>> Dmitry
>>
>>
>>
>> On Thu, Apr 4, 2024 at 11:02 PM Atul Tulshibagwale <atul@sgnl.ai> wrote:
>>
>> Thanks very much for your feedback, Joe!
>>
>>
>>
>> On Wed, Apr 3, 2024 at 10:16 AM Joseph Salowey <joe@salowey.net> wrote:
>>
>> Hi Atul,
>>
>>
>>
>> I'm just starting to review the transaction tokens draft and have only a
>> minimal understanding of the token exchange document at this point so I'm
>> lacking a little background, but I have a few comments and questions below.
>>
>>
>>
>> On Fri, Mar 29, 2024 at 10:39 AM Atul Tulshibagwale <atul@sgnl.ai> wrote:
>>
>> Hi all,
>>
>> We had a meeting today (notes here
>> <https://hackmd.io/@rpc-sec-wg/HJNXYKkk0>) in which we discussed the
>> question of what we should do if there is no incoming (external) token in
>> the request to issue a Transaction Token
>> <https://datatracker.ietf.org/doc/draft-ietf-oauth-transaction-tokens/>
>> (TraT). We identified a few circumstances under which this can happen:
>>
>>    - The requesting service is triggered by a non-OAuth based flow such
>>    as email or an internal trigger
>>    - The client of the requesting service uses means other than an
>>    access token to authorize the call (e.g. MTLS)
>>
>> [Joe] I think there will be a fair number of systems that support means
>> of authorizing non-oauth flows.
>>
>>
>>
>>
>>
>> We identified a few possibilities listed below. Please note that the
>> Transaction Tokens draft assumes that the TraT Service trusts the
>> requesting service, so all the possibilities below assume this.
>>
>>
>>
>>
>>
>> [Joe] yes, you are trusting another part of the system to perform some
>> authorization and inform the token service of the result.
>>
>>
>>
>> Here are some possibilities we discussed:
>>
>>    1. *Request Details*: Put the subject information in the
>>    request_details parameter of the TraT request, and the subject_token value
>>    is set to "N_A"
>>    2. *Self-Signed Token*: The requester generates a self-signed JWT
>>    that has the subject information and puts that in the subject_token value
>>
>> [Joe] I like having signed tokens, but if this is really information just
>> exchanged between two endpoints it may be more work than necessary.
>>
>>
>>    1. *Separate Separate Endpoint*: The TraT service exposes a separate
>>    endpoint to issue TraTs when there is no incoming token, and that endpoint
>>    can be defined such that the request does not have a subject_token
>>    parameter. This endpoint is not a profile of OAuth Token Exchange
>>    2. *Separate Endpoint Only*: Extending the thought above, the
>>    requester can always extract the content of the incoming token into the
>>    "request_details" parameter, so why do we need the Token Exchange endpoint
>>
>> [Joe] What do we gain by using token exchange? While it seems that there
>> is overlap between delegation/impersonation it seems that transaction
>> tokens are sort of a superset and contain additional information about the
>> context of the transaction.   If it looks like token exchange is too
>> constraining then transaction tokens may just be a different use case.
>> With the understanding I currently have I'd either go with 4. Separate
>> Endpoint Only or 2. Self Signed token.  Splitting the endpoints could be
>> valid, but it seems a bit weird for me, if we did decide to do that then
>> probably we wouldn't need to sign the information unless the request is
>> going to traverse multiple systems.
>>
>>
>>
>>
>>
>> We would like to understand how the group feels about these choices, or
>> if you have other suggestions / thoughts on this topic.
>>
>>
>>
>> Thanks,
>>
>> Atul
>>
>>
>>
>> --
>>
>> [image: Image removed by sender.] <https://sgnl.ai/>
>>
>> Atul Tulshibagwale
>>
>> CTO
>>
>> [image: Image removed by sender.] <https://linkedin.com/in/tulshi>[image:
>> Image removed by sender.] <https://twitter.com/zirotrust>[image: Image
>> removed by sender.] <atul@sgnl.ai>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*

v2.23.0 | Report a Bug | By Email