IETF Logo Mail Archive

Re: [Txauth] Client bound user assertions

Tobias Looker <tobias.looker@mattr.global> Fri, 20 March 2020 21:31 UTC

Return-Path: <tobias.looker@mattr.global>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A42763A0DC5 for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:31:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mattr-global.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FHe39P6_EBS4 for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 14:31:57 -0700 (PDT)
Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 990253A0EC3 for <txauth@ietf.org>; Fri, 20 Mar 2020 14:31:56 -0700 (PDT)
Received: by mail-qk1-x72c.google.com with SMTP id d8so8670577qka.2 for <txauth@ietf.org>; Fri, 20 Mar 2020 14:31:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mattr-global.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8cFqRJGSN2AF26tSvd04kwfmtOI06gqXF79suUwV20o=; b=B2eMRaisr3JLP72DXzOY2gPjWHRN6IF/mN+PgKh+mUlmy5riDeRo5uuvDlec5efARo jhUgduvTNV6xh6az+OsCv4zyIiVYFm71oU8hKE7sR++Rqr22yu2Iu35RNNetWrL4piAO 3osQ/ZzRMOIuW0IPgQaDubcsDUSISi3DQQbSXNtZf/FiYnQ70FzpVUZZ3aFn/hAsBmhf smS8JhRpA8SG5W2E8qbFAqmm+j8S4Caf9JdEtx8CbUVumK/IQ0ZqoFVAyk5oG0O6y+xJ Ja+DJq3RUQauB5tcVRWtpz6jNyoY3fWhgQ2nMa2RDk5P+qVQT0fsJydoLXydvT1uhhTL d4GA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8cFqRJGSN2AF26tSvd04kwfmtOI06gqXF79suUwV20o=; b=cLrckc1rcTcDnHYJBipYGexLOp4u20Ov1b8mfTZ2UCpvjObihnT4N5KCqoUVHPubtJ YMnMIwopD/OAWbG09s43BxswMP33WKfMsRJjIweIhvpIgl5Sl0nlvWzpNRdDgoPNKXZ6 7xTQbnOqvRTxZcmhEnJ147UEhPVzJx8A8hpjQjaSX54ZwWGhL9wE3Sn0Vi0QYgFUyaXw T1Bim9xNbRe7Wo14SxAEYpKvRNp4oCU2vc036KJLsmP2Ce8OVUoAfwtaSzC5jQozxBNW hMSOxsHLGMups+s/winTKVJ3TyrLzsyB1voPdRYr8UzgYSC0kYEJ1FEQxTPbdbvkfupW fyrg==
X-Gm-Message-State: ANhLgQ3wFxXioCe/rjU1CGYV3toHbRiH2vkhZUL4Eqfp70IsfgaRDfNU c6jeLvArlGL46ps542ZkIEe3Kxux27ViuFI8BNqTVoYM4PGPtEvq4kmwSpwIZwWfvo0Q4guwxGo XejIeT1rUlG+qR6/d7w==
X-Google-Smtp-Source: ADFU+vuU1v5bRIkgbUpZApKW3jUB3IlgJsGa12MQ2DxKfRM4k54Vac8WfinqNtPQOnj3VLg2bG22BZ4lL5bu4XUtfZ0=
X-Received: by 2002:a37:844:: with SMTP id 65mr9634367qki.15.1584739914805; Fri, 20 Mar 2020 14:31:54 -0700 (PDT)
MIME-Version: 1.0
References: <CAJmmfSRscNKCYbv75wDrL06Z4VZ3gNWLVqx2bce1fCqHLnPv0g@mail.gmail.com> <CAD9ie-vvXLHPGQciTr6uO4ANRB8fCRobCe27EsAqAgT-+ze=fg@mail.gmail.com>
In-Reply-To: <CAD9ie-vvXLHPGQciTr6uO4ANRB8fCRobCe27EsAqAgT-+ze=fg@mail.gmail.com>
From: Tobias Looker <tobias.looker@mattr.global>
Date: Sat, 21 Mar 2020 10:31:43 +1300
Message-ID: <CAJmmfSTSSzvvwKmZ=+FuBCX_0SNPo6wnjmLtrfaahGe-cz6Q0A@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: txauth@ietf.org
Content-Type: multipart/related; boundary="000000000000af253105a1500301"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/T_9XjDVqUpzqAYcKb1XaokhyhUM>
Subject: Re: [Txauth] Client bound user assertions
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 21:32:00 -0000

Hi Dick,

Yes that's correct.

Thanks,
Tobias


On Sat, 21 Mar 2020, 08:48 Dick Hardt, <dick.hardt@gmail.com> wrote:

> Hi Tobias
>
> Let me see if I understand the end goal.
>
> The Client presents a assertion about the user created by the AS, when
> their are interacting with to a relying party.
>
> Correct?
>
> There are a number of ways to solve this, but in my opinion, creating the
> missing features for this to be done would be in scope of TxAuth.
>
>
>
> On Thu, Mar 19, 2020 at 3:23 PM Tobias Looker <tobias.looker@mattr.global>
> wrote:
>
>> Hi,
>>
>> I'm unsure of the best way to articulate this idea on this forum, but see
>> my below explanation for an attempt. I'm also aware that it as a discussion
>> topic is dependent on how "identity" fits into TxAuth in general.
>>
>> With OpenID connect today the format of the user assertions we get are
>> often bound to the client (or a small audience) mainly by the issuer using
>> the audience field in the id_token to communicate who it is for (e.g this
>> is for client x) which gives all parties a way to determine whether they
>> are the intended audience of the assertion. However, this does not enable a
>> client to authenticate as the intended audience of the user assertion to
>> other parties. If a client was instead able to authenticate as the rightful
>> audience of a user assertion then they would be able to onward disclose the
>> user assertion to a relying party, such that the relying party would be
>> able to authenticate both the original issuer of the assertion and the
>> client now presenting the assertion.
>>
>> See below for a simple example.
>>
>> Here the client obtains a user assertion from the OP or Authorization
>> server that is suitably bound to the client in an authenticatable way.
>>
>> [image: Screen Shot 2020-03-12 at 10.05.15 AM.png]
>>
>> The relying party now makes a request to the client who is in possession
>> of the assertion from the authorization server and the client can respond,
>> presenting the assertion. In this flow, with regards to OIDC, the client is
>> essentially taking a similar role to that of a self issued openid connect
>> provider.
>>
>> [image: Screen Shot 2020-03-12 at 10.05.20 AM.png]
>>
>> How this could be realized in TxnAuth?
>>
>> If the client strongly authenticates at the start of an authorization
>> transaction e.g by signing the original authorization request with either
>> an ephemeral or static key, the resulting assertion could be bound to this
>> key enabling the client to authenticate as the rightful audience of the
>> assertion to other relying parties. Similar to how DPOP for access_tokens
>> works.
>>
>> Why is this interesting and what use cases does it enable?
>>
>> Being able to obtain user assertions that can be bound to the client such
>> that the client can onward disclose them enables new opportunities around
>> how users can manage different sources of their identity information
>> through a single client. This can help to eliminate things like the nascar
>> problem and presentations to relying parties that require aggregating
>> assertions from multiple authorization servers.
>>
>> Thanks,
>> [image: Mattr website] <https://mattr.global>
>> *Tobias Looker*
>> Mattr
>> +64 (0) 27 378 0461
>> tobias.looker@mattr.global
>> [image: Mattr website] <https://mattr.global> [image: Mattr on LinkedIn]
>> <https://www.linkedin.com/company/mattrglobal> [image: Mattr on Twitter]
>> <https://twitter.com/mattrglobal> [image: Mattr on Github]
>> <https://github.com/mattrglobal>
>> This communication, including any attachments, is confidential. If you
>> are not the intended recipient, you should not read it - please contact me
>> immediately, destroy it, and do not copy or use any part of this
>> communication or disclose anything about it. Thank you. Please note that
>> this communication does not designate an information system for the
>> purposes of the Electronic Transactions Act 2002.
>>
>> This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
>>
>> --
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>

-- 
This communication, including any attachments, is confidential. If you are 
not the intended recipient, you should not read it - please contact me 
immediately, destroy it, and do not copy or use any part of this 
communication or disclose anything about it. Thank you. Please note that 
this communication does not designate an information system for the 
purposes of the Electronic Transactions Act 2002.

v2.23.0 | Report a Bug | By Email