[OAUTH-WG] Fwd: [oauth-wg/oauth-transaction-tokens] Batch or long running processes and extending lifetime of a token (Issue #111)

Atul Tulshibagwale <atul@sgnl.ai> Thu, 05 September 2024 16:20 UTC

Return-Path: <atul@sgnl.ai>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14592C14F5F9 for <oauth@ietfa.amsl.com>; Thu, 5 Sep 2024 09:20:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_PERMERROR=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sgnl.ai
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eni075tn9fRL for <oauth@ietfa.amsl.com>; Thu, 5 Sep 2024 09:20:49 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61ACCC14F6F3 for <oauth@ietf.org>; Thu, 5 Sep 2024 09:20:48 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id 41be03b00d2f7-7b0c9bbddb4so756625a12.3 for <oauth@ietf.org>; Thu, 05 Sep 2024 09:20:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sgnl.ai; s=google; t=1725553247; x=1726158047; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=a1LItHMb6M06PKdaSulFzKY6C6WVc1n2AEm86e9l7Qg=; b=oH5ZL9yaaMB5e/gpBFHULANXcuLac88jxCdBL5wtFkjEAvzlH9z27e7fAhvg6Lbl28 aRtn4cYe9wwoMjU6dKww16kk0crsPmIEYaA1QI3ahImSQ73Id5ziKl44o1KGO8LPTrfi +LUAuF3EZ2cl5+bbT09cxR2dXJWncVoqPS+x5yZ6A3tPRSXBxe0/RsKB5JVoM3X7qw5i J4LbYnLfhUmPW0ewHggdiq7tk6LyUAFGndJ+4LMxPn7XxuNWUJNv6GX0XhN6lo7tzJhT tXYTHkGyU5/qluc1Etm7pp1bF7mUL6uGWzTTOGePGXUZ8xh75L0SxWqmk0iDftCV+qDS c+zA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725553247; x=1726158047; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=a1LItHMb6M06PKdaSulFzKY6C6WVc1n2AEm86e9l7Qg=; b=c41yK04xUNG5zbJBv6IpyheKJBthj7KUwBCui1gmI0ywNhw2aSVrlSQRE7p5jfcciH eb8UAQiVZJY1h5kfyPLYeoMNAdzXAbWKseU4trFKURDumuNlM7wYC/Z/h2q++Ld+IAVW ASjn4Hm2eem7dC9Jwp/4krkG3DeYmxOS8u1xz1BGYOl9XdKrCxI05F+j6UfOFPImUWg0 ZAuwAownOFZJyWNnzxUTTWb0yMypZTKBNw+ZFwUkfJFGO2wWg04EvvNXEcY4pyntaGlo /Ij3+CWv/qSx+gxhERlK57fcQg6Hw8xd8kDveK8HTl9HAJOD5yRlKxz6qcHL8cUfJRuT ORSg==
X-Gm-Message-State: AOJu0YyIAZqsRlXmQ8bodZYr5AigPpAIK9o8l8V1AWdQK8ocyxuB42v1 QgCXndGb4SPFjK4v1b82ruJBMof0fJu4ywFL7ITGqMWgYRbA+DK9rrTzWYvGldKkwJJB8KvFzII WhUXK4cuqnAaCh1hC6Dpm0zOa2S4NCnZJW325GHl6K8pS2Hiq
X-Google-Smtp-Source: AGHT+IFRpSmKO3IhWBzmhYmBm1VymMwzuh8k/W1NZYfVx+pontTXioFZKMbPuyiGgKtpV9UbAEAikJmiOfE+T2/FhK0=
X-Received: by 2002:a17:90a:be17:b0:2d8:7804:b3a with SMTP id 98e67ed59e1d1-2d878040ba9mr23476723a91.26.1725553247398; Thu, 05 Sep 2024 09:20:47 -0700 (PDT)
MIME-Version: 1.0
References: <oauth-wg/oauth-transaction-tokens/issues/111@github.com> <oauth-wg/oauth-transaction-tokens/issues/111/2330558630@github.com>
In-Reply-To: <oauth-wg/oauth-transaction-tokens/issues/111/2330558630@github.com>
From: Atul Tulshibagwale <atul@sgnl.ai>
Date: Thu, 05 Sep 2024 09:20:31 -0700
Message-ID: <CANtBS9d5g4Lw=ZceKsQYESei7y2CohS1Qa_SWECrBT+WJ3Ffag@mail.gmail.com>
To: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005a48b7062161ac03"
Message-ID-Hash: ZDMOU3JMUUQSKXRR2N55W3AKFB2E6VGD
X-Message-ID-Hash: ZDMOU3JMUUQSKXRR2N55W3AKFB2E6VGD
X-MailFrom: atul@sgnl.ai
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Fwd: [oauth-wg/oauth-transaction-tokens] Batch or long running processes and extending lifetime of a token (Issue #111)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xViWoPG9c2T1urIfHadRHd9Y-3I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Since this discussion might create a whole new feature in the TraTs
service, I wanted to share this with the list. The issue discusses how one
can create short-lived TraTs for long-lasting batch processes.

---------- Forwarded message ---------
From: ashayraut <notifications@github.com>
Date: Wed, Sep 4, 2024 at 9:11 PM
Subject: Re: [oauth-wg/oauth-transaction-tokens] Batch or long running
processes and extending lifetime of a token (Issue #111)
To: oauth-wg/oauth-transaction-tokens <
oauth-transaction-tokens@noreply.github.com>
Cc: Atul Tulshibagwale <atul@sgnl.ai>, Comment <comment@noreply.github.com>


@gffletch <https://github.com/gffletch> You comment - "batch token is ONLY
valid at the Transaction Token Service (potentially encrypted such that
ONLY the Transaction Token Service can decrypt it)"

Ashay: Yes, you are right. Its' valid only in Tx token service. We can
encrypt it or but won't signature just suffice?

@gffletch <https://github.com/gffletch> About your comment - "I think this
'batch token' should also be sender constrained in some way."

Ashay: The way we implemented this is by creating a unique use case id or
you call it namespace. So, the problem is -> A requests a batch token which
it can pass to B but B would need some permissions to get Tx token back
from A's batch token. To solve it, when A onboards Tx Token issuer, it
creates a use case id unique to A which is registered with Tx token issuer.
Every time Tx Token issuer issues a 'batch token' to A, it will find the
usecaseId and put it in batch token. If B gets batch token from A (or
steals it somehow), then B will not be able to get a Tx token back from
issuer. Tx token issuer maintains an allowlist against each unique
usecaseId, for who is allowed to get token back for that use case it. To
get token back, B has to register itself to Tx token issuer against A's
usecaseId.

We call services like A, the "batch token initiator" and services like B
"the batch rehydrator" as it rehydates Tx token back from batch token.

Edge case - A can play both roles - initiator and rehydrator. This might
lead to problem of infinite exchanges. But not sure if its a problem. It
may be a problem for some use case. Tx token can also keep a counter in
batch token and Tx token to ensure only finite amount of exchanges are
allowed.

Overall, how does the proposal sound? I think we cannot write all this into
a complexity into RFC. For RFC, we can keep it simple that there can be
long lived batch token and Tx token must implement some sort of access
control to ensure only authorized services can convert the batch to Tx
token.

—
Reply to this email directly, view it on GitHub
<https://github.com/oauth-wg/oauth-transaction-tokens/issues/111#issuecomment-2330558630>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB55UG4OLSDISRJABCHOPHDZU7KXNAVCNFSM6AAAAABK2AEJHSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMZQGU2TQNRTGA>
.
You are receiving this because you commented.Message ID:
<oauth-wg/oauth-transaction-tokens/issues/111/2330558630@github.com>