IETF Logo Mail Archive

[OCM] Re: Token exchange is missing third party token validation

Micke Nordin <kano@sunet.se> Thu, 07 May 2026 15:00 UTC

Return-Path: <kano@sunet.se>
X-Original-To: ocm@mail2.ietf.org
Delivered-To: ocm@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 61E5AEA987A0 for <ocm@mail2.ietf.org>; Thu, 7 May 2026 08:00:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1778166013; bh=W+b95YTnkrKvDEtP2osQoGqU0pJhDBYYCMB+rW0nrrs=; h=Date:Subject:To:References:From:In-Reply-To; b=PZqasYQ5cYMneltqP6ZKLBPNtxcFt2wZgzFJk4lkB7z25d0SqqKyux15DPXr0szUR PZc9grgA7vgpbafrV0xJW9+BICurYdxeH6mQd/d085IXhWxli8hchK5OZxom792yZ7 tsF8E0SCaIsJxsVWrQTnc0VvF5zjZmb5h39f/j6o=
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -4.399
X-Spam-Level:
X-Spam-Status: No, score=-4.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_VALIDITY_CERTIFIED_BLOCKED=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=sunet.se
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gxHbVZ9IjCIF for <ocm@mail2.ietf.org>; Thu, 7 May 2026 08:00:08 -0700 (PDT)
Received: from mailfilter-ng-1.sunet.se (mailfilter-ng-1.sunet.se [192.36.171.207]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id D7DF2EA98749 for <ocm@ietf.org>; Thu, 7 May 2026 08:00:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sunet.se; s=halon; h=content-transfer-encoding:content-type:in-reply-to:from:references:to:subject: mime-version:date:message-id:from; bh=1+lZhVT1eLuc9Jh99+83o4KcU1r+taL6QExsgn96hAk=; b=HpcfpfTvglsIxF8LVzqUU3rAIb7DsTLmhII00/wFoa9Gus0czQUoJVHOZy4yaAaIhnO/YMqtHmIwu O/zFU79xhfr9JUWsCb0ioXOeKwa8Vr6PQq24t07VTduLIkwTiRmpcGgdupWL/tbeh8AfaTXdR1neDX 6HZvjUKFYpQKGox8bfPB/4rXFQR/Jx6qngUv8RA/71bAmrhxyA9BYg092pb720XfTftJj6K6J4sm5v zJZLMrsZlNNJdxS9tdVQOZ2mO/y1QsqftWadYCodpYkTpy+CdyseaM7dKJ/Ud4z9VxOvkF0oLEXzxF Dga5wWUViB0wRSVO4IfJ0YvbEcl8THg==
X-Halon-ID: 6f6b68a7-4a25-11f1-a81a-0050569a42e2
Received: from smtp2.sunet.drive.sunet.se (unknown [89.46.20.237]) by mailfilter-ng-1.sunet.se (Halon) with ESMTPS id 6f6b68a7-4a25-11f1-a81a-0050569a42e2; Thu, 07 May 2026 15:00:06 +0000 (UTC)
Received: from [192.168.50.207] (lb5.drive.sunet.se [130.242.126.199]) by smtp2.sunet.drive.sunet.se (Postfix) with ESMTPSA id C6FDD66560 for <ocm@ietf.org>; Thu, 7 May 2026 15:00:06 +0000 (UTC)
Message-ID: <b7afc5fb-2fc3-481a-a79a-ccff01d242f2@sunet.se>
Date: Thu, 07 May 2026 16:59:58 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: ocm@ietf.org
References: <C65610F0-91BB-4CB8-85A2-D16E6C8D3CE1@sunet.se> <764EFF5B-C317-49AB-A930-5A3130617DDE@opengeomesh.org> <8f3598cb-39ad-436d-a0b4-fb52ba3c2f42@cern.ch> <8A0E0551-6BF8-4D45-855E-01933ECFEFE1@opengeomesh.org> <29a02b81-4fa5-45f7-b6cd-fb5cfd7f409b@cern.ch>
Content-Language: en-US
From: Micke Nordin <kano@sunet.se>
In-Reply-To: <29a02b81-4fa5-45f7-b6cd-fb5cfd7f409b@cern.ch>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: W74G3XIIR2HWFG6MTJ2PCJRL427MBREW
X-Message-ID-Hash: W74G3XIIR2HWFG6MTJ2PCJRL427MBREW
X-MailFrom: kano@sunet.se
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OCM] Re: Token exchange is missing third party token validation
List-Id: "The Open Cloud Mesh (OCM) protocol enables sharing of resources such as files and applications across different cloud storage systems.," <ocm.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ocm/fwESs8yiGq4Abrg997GQqynfT0U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ocm>
List-Help: <mailto:ocm-request@ietf.org?subject=help>
List-Owner: <mailto:ocm-owner@ietf.org>
List-Post: <mailto:ocm@ietf.org>
List-Subscribe: <mailto:ocm-join@ietf.org>
List-Unsubscribe: <mailto:ocm-leave@ietf.org>

You can see my reply to Matthias for details, but let me state it more 
succinct here:

The third party authentication is something all webapp integrations will 
need to figure out, either by token introspection or JWT. If we 
prescribe it, all integrations of third party software (JupyterHub, 
Collabora, and friends) will automatically work with all OCM servers, 
rather than having to be integrated one by one, in slightly different 
ways. It is very little code, that you were going to write anyway, and 
it makes interoperability easier, not harder.


/Micke

On 5/7/26 3:25 PM, Giuseppe Lo Presti wrote:
> Now I see where you want to go: we don't need to _prescribe_ JWT, we 
> may still _recommend_ it in particular in the context of third-party 
> servers. But yes, it's an implementation detail after all.
>
> Giuseppe
>
>
> On 07.05.2026 15:16, Matthias Kraus wrote:
>> Hi,
>>
>> what I'm saying is, leave it open to the SendingServer implementation 
>> if it uses JWTs or something else. It should not affect the 
>> ReceivingServer. So I wouldn't specify it's contents, it's an 
>> implementation detail.
>>
>> I still agree JWTs are a good idea there, I just wouldn't force all 
>> implementations to use them, if it's not necessary for compatibility.
>>
>> Best
>> Matthias
>>
>> Am 7. Mai 2026 06:58:48 GMT-06:00 schrieb Giuseppe Lo Presti 
>> <Giuseppe.LoPresti=40cern.ch@dmarc.ietf.org>:
>>> Hi there,
>>>
>>> Thanks Micke for the proposal, as commented over chat I'd go for the 
>>> JWT route.
>>>
>>> And I definitely agree with Matthias, similarly to user or share 
>>> identifiers, the receiving end should make no assumptions whatsoever 
>>> on their format - as only the sending server would consume it 
>>> afterwards.
>>>
>>> Cheers,
>>> Giuseppe
>>>
>>>
>>> On 07.05.2026 14:47, Matthias Kraus wrote:
>>>> Hi,
>>>>
>>>> I would make sure the token is opaque to Receiving Servers. What it 
>>>> contains is up to the SendingServer Implementation, so the 
>>>> SendingServer is free to use anything, e.g. a JWT, to allow its 
>>>> Services to authenticate it.
>>>>
>>>> Then it's a implementation detail when the webapp service is 
>>>> configured to send tokens it gets to some (oidc?) authentication 
>>>> service or to validate the JWT.
>>>>
>>>> That way we minimize complexity across Implementations which would 
>>>> harm compatibility.
>>>>
>>>> I haven't implemented the token flow so far, so tell me if I've 
>>>> missed something.
>>>>
>>>> Best,
>>>> Matthias
>>>>
>>>>
>>>>
>>>> Am 6. Mai 2026 01:20:34 GMT-06:00 schrieb Micke Nordin 
>>>> <kano=40sunet.se@dmarc.ietf.org>:
>>>>
>>>>      In the so called "code flow" we specify a /token endpoint where
>>>>      you can exchange a sharedSecret for an opaque access token in the
>>>>      vain of OAUTH 2.
>>>>
>>>>      Now that we are starting to work on webapp sharing, I notice that
>>>>      we are missing the ability for third parties to validate an 
>>>> issued
>>>>      access token.
>>>>
>>>>      User X on Server A shares a webapp with User Y on Server B. 
>>>> Server
>>>>      B exchanges the sharedSecret for an access_token at Server A's
>>>>      token endpoint and posts this access_token into the webapp 
>>>> servers
>>>>      iframe. The webapp server of Server A is in this case not the OCM
>>>>      server itself, but rather a third party such as Jupyterhub or a
>>>>      wopi server. Now the webapp server needs to validate the
>>>>      access_token with Server A, but now with the current spec, we are
>>>>      stuck.
>>>>
>>>>      There are two ways to solve this:
>>>>
>>>>      1. We introduce a token introspection endpoint:
>>>> https://www.oauth.com/oauth2-servers/token-introspection-endpoint/
>>>>
>>>>      2. We use JWT profile for OAUTH access tokens
>>>>      https://datatracker.ietf.org/doc/html/rfc9068
>>>>
>>>>      Both of these have some drawbacks:
>>>>
>>>>      1. The introspection endpoint needs either be autheticated with
>>>>      basic auth, or hidden behind access lists.
>>>>
>>>>      2. If we go the JWT route, the token is no longer opaque.
>>>>
>>>>      To me it seems like using JWTs with content we can examine and
>>>>      verify signatures on are the simplest to implement and makes most
>>>>      sense to me. We already require servers that use the code flow to
>>>>      sign requests using http-sig so the key material we need is
>>>>      already there, so we only need to change the spec to specify the
>>>>      structure of the JWT access_token.
>>>>
>>>>      Whats do you think?
>>>>
>>>>      All the best,
>>>>      Micke
>>>>
>>>>
>>>> _______________________________________________
>>>> OCM mailing list -- ocm@ietf.org
>>>> To unsubscribe send an email to ocm-leave@ietf.org
>>> _______________________________________________
>>> OCM mailing list -- ocm@ietf.org
>>> To unsubscribe send an email to ocm-leave@ietf.org
>> _______________________________________________
>> OCM mailing list -- ocm@ietf.org
>> To unsubscribe send an email to ocm-leave@ietf.org
>
> _______________________________________________
> OCM mailing list -- ocm@ietf.org
> To unsubscribe send an email to ocm-leave@ietf.org

v2.43.4 | Report a Bug | By Email | System Status