IETF Logo Mail Archive

Re: [Txauth] Call for charter consensus - TxAuth WG

Torsten Lodderstedt <torsten@lodderstedt.net> Thu, 19 March 2020 18:08 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2949C3A0CB4 for <txauth@ietfa.amsl.com>; Thu, 19 Mar 2020 11:08:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJURMys4FdAU for <txauth@ietfa.amsl.com>; Thu, 19 Mar 2020 11:08:52 -0700 (PDT)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BEA43A0CC1 for <txauth@ietf.org>; Thu, 19 Mar 2020 11:08:52 -0700 (PDT)
Received: by mail-wr1-x42c.google.com with SMTP id s1so4318793wrv.5 for <txauth@ietf.org>; Thu, 19 Mar 2020 11:08:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ikv7DK0vVhd6erm873KVQpwAl/UfijAB2FOqEb7ZxUo=; b=qGs2nIQOYWfgBMGK0k3uI1YP7TxRj68aX51ax330cjOyf78QxyNjprOjOahwmEMZwY nFVBcebk2TtPfcT6igK6LeowV5tuYH+lgLLs0DDY0CqwLWxpk6MeTRjMjSCFaoU/uOOX rE+lTkYV3Be+zjqN/bf31RH3WKepa54VF2kBkXWa6qHIHUgaQ6OoBgVsA8NLUQoWl6q4 xK23iQsktotR4l1eEQz23oTbt6rNdiEd2jWn3zZdDoGxIw604vhuQtSgGXPFGka6X7Xs 1oLn3l/fXLkXXrtIRTrqihuq+35XALZFa9xdomdUtcJPDN52UXLbtNUqBI8XqX8r+KV+ YwJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=ikv7DK0vVhd6erm873KVQpwAl/UfijAB2FOqEb7ZxUo=; b=jcTZkErrPX/DT+MkWpR0fgyLKQisDbJ47L9PCRz3Cq5N8KvAgIjvOpOv9nDK/AgJ37 vt6znokavSrNppNd2O+OQX73l+4CmdZcmWfe/fNShCrbcDVZs3JWY8RhJe4cMqMjXPIT rqX7RP6H4RibtHfXAXn9upTLwvmwxY0uJ5cBKLaGCg6RKFnqMfMDIS9Olthf+NSjtykZ +gPGxlu/EZUAgU3ocFZfLrjcB+xM5JSqbCfajrYZWQL/gYHRmc0UBLWwsV4xlVG7b0qS 0tq3FrczfbQl817m2LjrLl0ivLeGUlt6f86df2zpOlFdFHbrEWQvEnyIXRojJ1W7bf2W thyw==
X-Gm-Message-State: ANhLgQ3tFuuY11FpmQrno2a0g4bxm1qXsyx3Ll6xOAIEAdB12Yls2Z4p J72uHTu5orA5RJMsjD+DGRNRX4iRAQY=
X-Google-Smtp-Source: ADFU+vt5IpckP9IicZue50tJ+NmxRX5W3zriXUwDhzfb+ajPA2mF3wj8D8p639k7hQlo/DWJn4B9ug==
X-Received: by 2002:adf:f00f:: with SMTP id j15mr5746790wro.413.1584641329688; Thu, 19 Mar 2020 11:08:49 -0700 (PDT)
Received: from p200300eb8f2625b4c1842dc11ab64701.dip0.t-ipconnect.de (p200300EB8F2625B4C1842DC11AB64701.dip0.t-ipconnect.de. [2003:eb:8f26:25b4:c184:2dc1:1ab6:4701]) by smtp.gmail.com with ESMTPSA id o16sm4743478wrs.44.2020.03.19.11.08.48 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 19 Mar 2020 11:08:48 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Torsten Lodderstedt <torsten@lodderstedt.net>
In-Reply-To: <c56ae52d-e858-8a21-ea2e-32f799d20e18@connect2id.com>
Date: Thu, 19 Mar 2020 19:08:47 +0100
Cc: Vladimir Dzhuvinov <vladimir@connect2id.com>
Content-Transfer-Encoding: quoted-printable
Message-Id: <11014BC4-4DA5-4A21-8D35-6F3B4698EC37@lodderstedt.net>
References: <MN2PR00MB0686B5459E642FE6E65686F7F5F60@MN2PR00MB0686.namprd00.prod.outlook.com> <CAGBSGjoMWjRE3zSsngwwpmzQ5D6JM29cHGj3A4ey7Q7gNvcHrQ@mail.gmail.com> <D2B641E1-131B-4E4B-83A6-214E223C3094@mit.edu> <CAKiOsZtV4oMC7QiDC1s20koc2f0Sjd8MzMEsWRf+KVsDN-8iKA@mail.gmail.com> <2D372D08-804D-4EF6-8C36-540CCA90244B@mit.edu> <44E06611-E67E-4ABA-B410-36D40FACF8B1@lodderstedt.net> <2F0CE6F6-DD9E-4DD4-99A0-E6CD78421D2B@mit.edu> <255028E2-8B99-438F-80DB-434B000114B1@lodderstedt.net> <A101613B-AB87-4335-8D82-57F996DC0DC2@mit.edu> <0CD3C061-D85F-45AC-898E-633682CF4C77@lodderstedt.net> <c56ae52d-e858-8a21-ea2e-32f799d20e18@connect2id.com>
To: txauth@ietf.org
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ZuhJqPYqdr81Vlg1_-M4YsX80Uc>
Subject: Re: [Txauth] Call for charter consensus - TxAuth WG
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2020 18:09:04 -0000

Hi all,

I suggest to add the following requirement to the charter:
	• Support for RS-specific access tokens in Multi-RS deployments 

I don’t mind HOW this requirement is supported in TXAuth. I want to make sure we try to build a protocol that serves the needs of a broad set of deployments. My concern is otherwise TXAuth will be not innovative enough to gain traction in the market rapidly. Speaking for myself, I realised in the last couple of days, mostly in conversations with Justin, that the result of this working group as envisioned now is not of particular interest to us (yes.com) because it does not solve our real problems. 

And here is my explanation: 

OAuth traditionally has the philosophy of a single access token. That’s fine for single service deployments, but it had reached its limits already before RFC6749 was published. There are a real implementations out there forcing clients to use different access tokens for different services, typically for privacy and security reasons. There is also an “ancient" technology called Kerberos that uses exactly this pattern and is well known for security, performance, and scalability. 

And there are even more examples today for multi API environments that would benefit from that feature: 
	• Open banking: most banks I worked with have multiple APIs, segregation between APIs is today achieved by maintaining different grants, basically resulting in the fact that the users cannot consent to different services at once. What a terrible UX!
	• Everyone is doing micro services today. Have you every thought about the coupling caused by a single token across micro services? This reminds me of how easy it is to test services independently using self-contained RS-specific tokens.
	• IoT - every device in a household is a potential RS (in my opinion). Conveying all necessary data in an access token needed to meet access control decisions locally would be a huge benefit in terms of performance and decoupling. Using symmetric cryptography for token integrity, authenticity and confidentiality would result in lower compute requirements.

Since we are preparing to define a completely new protocol for API access authorization and delegation, I think this new protocol should support this kind of scenarios. It will require significant work to get it right and simple, but if we just stick to the “a single access token is enough” mantra, we miss the chance to give implementers a broader range of design choices out of the box and we won’t success in achieving true interoperability.

Here are more advantages we can gain by supporting such a feature: 
	• Privacy:
		• A single access token can be used to track user across services.
		• RS-specific access tokens cannot.
		• RS-specific access tokens can also be encrypted to protect data confidentiality in transit.
	• Security: RS-specific access tokens have a baseline replay detection.
	• Performance: RS-specific access tokens allow the AS to convey all data required to authorize an API call in a token (e.g. a JWT) and to RS to meet the access control decision based on that data. This is a huge advantage in terms of performance, scalability and cost since there is no need for Token Introspection or other kinds of access to another services or database.

What do you think?

best regards,
Torsten. 

> On 19. Mar 2020, at 18:35, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
> 
> 
> On 19/03/2020 19:11, Torsten Lodderstedt wrote:
>> On 19. Mar 2020, at 17:47, Justin Richer <jricher@mit.edu> wrote:
>>> Well, it’s in scope as much as describing any other aspect of what the token is for and what it represents is in scope. That is alongside things like the intended audience of the token, the access rights for the token, the presentation keys the token is bound to, etc. It could be information in the token text itself (like a JWT), it could be introspected from the AS, it could be referenced in some other way. So if we can define identity aspects in that, then we’re fine in covering it there. 
>>> 
>>> But here’s the thing: none of that has an impact on the core protocol. That is entirely up to the AS and the RS to agree on, and the client never sees or has any influence on it. That portion of the protocol is completely opaque to the client. Therefore, it doesn’t really affect the authorization and delegation portions of the client talking to the AS and the client talking to the RS.
>>> 
>>> This does raise the question of what our bar of interoperability is going to be with TxAuth: do we expect independent AS and RS implementations to talk to each other? That’s not something OAuth 2 was ever concerned with, though obviously JWT and introspection are both from the OAuth2 WG and solve that problem.
>> There are two aspects to it: interoperability and vendor support. 
>> 
>> Interoperability between AS and RS is important if deployments want to combine pre-packaged TXAuth and API implementations. I think that makes a lot of sense and should be included in the charter.
> 
> +1
> 
> The current OAuth 2.0 status quo of the largely unspecified relationship
> between AS and RS is also making the life of web & sec framework
> maintainers difficult. We witnessing this with people integrating the
> OAuth SDK into frameworks. Vittorio's recent work to put together a
> minimal interoperable JWT profile for access tokens is helpful, but it
> has come after the fact. And there is not agreement on things like
> authorising access to claims.
> 
> Integrating apps (RSs) with TxAuth should be straightforward and simple.
> 
> This can have a enormous effect on adoption.
> 
> 
>> Vendors support: vendor support when it comes to "what can go into an access token" and "what can be conveyed in a token introspection response” greatly deviates in my observation. This also means implementation use vendors specific features restricting their ability to use other solutions. TXAuth should aim at improving the situation.  
> 
> +1
> 
> 
>> I also think it is a good exercise for the group to think the whole process "from the end”. The purpose of TXAuth (and OAuth) is not to provide clients with access tokens. The purpose is to enable API request processing in a secure manner. What it really takes to achieve that goal is not obvious if the work always stops at the “you have your access token, good luck” stage. 
> 
> +1
> 
> Vladimir
> 
> 
> -- 
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email