[Wimse] Re: Token Exchange design team update
Evan Gilman <evan@spirl.com> Sat, 13 July 2024 05:06 UTC
Return-Path: <evan@spirl.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A8C2C14F619 for <wimse@ietfa.amsl.com>; Fri, 12 Jul 2024 22:06:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=spirl.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WuCIy1p9ZnEj for <wimse@ietfa.amsl.com>; Fri, 12 Jul 2024 22:06:16 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B549CC14F5E8 for <wimse@ietf.org>; Fri, 12 Jul 2024 22:06:16 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-a77c7d3e8bcso357031366b.1 for <wimse@ietf.org>; Fri, 12 Jul 2024 22:06:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spirl.com; s=google; t=1720847175; x=1721451975; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OAuEqAT4sWSvBabWp2vm+ag949aPfXGpPzdRx1BlC90=; b=Cfu6LRMqB36U01+1au0LXZFy+F1zvQba2XSISBc5ZNh+Wa8YF6sFO64+pfjYrxQ1PM LZUJV3Ut6/1EM8azPaS1Ml0WHM17c3RaA2Vvgo7IF7msRT2ZWxlxR+Tu1p+c4TLF8k6+ Ul+Ft3Ax+j0Snq75jzs+r8eTxMfOsPljCASo2H8ItbQNG3Tf8Mi7zroDrSEV8djje5Im DL1kim8l+3ZII+UfT+czh63bWxMFHo9U4V6NHfgxKxatdbuLZF8cm8v0RkJmD/AaRrOP IDpenF9BxyrZzPzHwuT3lHes/X1THBcUNWdml9aOWYhvHF8pf+kJK2dG0Q4ZBxDrhHN1 U9Og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1720847175; x=1721451975; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OAuEqAT4sWSvBabWp2vm+ag949aPfXGpPzdRx1BlC90=; b=Zeh/Jpx0hymiKn7QG8ZGEw0EWyYLCGILyUzeV6S37qnwTCs+DZDZiI56p7bUYMVILj nc0CcAdbGok7b27keuLCPvy6p+eddbwA2rUkAFegfA4vVgRCDwMsooNfuARgoM58v1wl +qobfcRhaGzcbsd7f+/IWgz1xM9wR05DZXJDLpxGzuRJ+PKknB5Dz0ozBZgO6HOdH1+6 DM2MOIhVBhYSjX6l1IG1LZMRvCgtSRxWUVQW6pdTaLQZH0/znjSEN8KRfEvD7zIAiPmG PwnIeqmMZqi6oqsf0qLkoPjTkjZTjstgsu60ESzZWbFxBPdXqCUYROa+mT+EOI1wqf0k iwwg==
X-Gm-Message-State: AOJu0YwymTtGLOzN1C49BGwvFM7PFCsvKTW6QDT/HSszfTtqxntlZ4HY 2Re7xxvHx0lk9eBBj9tYbo98CZYviEmemmlMc5vOgS4TsZ7nOItYJ2L/P/zbhxNr2Dt16ZmTIkd BHL7t9uoFXxoArZPLOeavJhBUcdphOiWrq278nw==
X-Google-Smtp-Source: AGHT+IGTkAgoj/vBn+voNQtNBDJAkJy9zBo6vrDuaZTCGTYoC3rhamo83NfnMiYsJKz0ooNZL75at06RPgRVvTS++Hc=
X-Received: by 2002:a17:907:94c5:b0:a72:6b08:ab24 with SMTP id a640c23a62f3a-a780b68a964mr1130086266b.14.1720847175147; Fri, 12 Jul 2024 22:06:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAMtubr2c=c=pE5xV4f1N84y8ACAk98nvf7=F1CCwp3PaQMU_bw@mail.gmail.com> <A6CC88F8-D289-4AA7-8F75-519EEEEFC9CD@amazon.com> <ff22af7d-1197-413d-9f84-df54b262b38a@gmail.com>
In-Reply-To: <ff22af7d-1197-413d-9f84-df54b262b38a@gmail.com>
From: Evan Gilman <evan@spirl.com>
Date: Fri, 12 Jul 2024 22:06:03 -0700
Message-ID: <CAOB-mKkLOm2yfCL4YSQaNWcv0hJ-XzinWqWOD9Qw3QgMmsiHFQ@mail.gmail.com>
To: John Kemp <stable.pseudonym@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000967e34061d19f435"
Message-ID-Hash: 7IQSNF6GVMDR7RL6LUSUCR3JNJJNABFB
X-Message-ID-Hash: 7IQSNF6GVMDR7RL6LUSUCR3JNJJNABFB
X-MailFrom: evan@spirl.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: wimse@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Token Exchange design team update
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/1RjxxJ6tX0QjGitWzDkq1GwF1Sc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
On Thu, Jun 13, 2024 at 12:08 PM John Kemp <stable.pseudonym@gmail.com> wrote: > Just an attempt to understand this concretely, I thought I'd use the > SPIRE-OIDC-AWSIAM example from the docs: > > 1. A SPIRE SVID JWT is issued to the workload at some point prior to the > use of AWS S3, just via the normal SPIRE mechanisms. > > 2. Once OIDC discovery + IdP in AWS is setup, via OIDC discovery, the > SPIRE OIDC provider provides an OpenID Connect ID Token to the AWS IdP, > representing the workload, with the SVID url as its 'sub'. So this has > been an actual token exchange (of a kind) from one format of JWT to > another (let's forget there's probably barely any translation needed > there). > A proper OpenID Connect ID Token never really exists. Communication between AWS and SPIRE OIDC provider is limited to fetching of half-baked OIDC well-known discovery doc and related JWKS. > 3. Once the token has been obtained by the client, it can be used to go > to S3, along with the request to 'assume role' based on that token. > Workload uses the JWT-SVID issued to it by SPIRE to directly call AWS STS AssumeRoleWithWebIdentity. This endpoint matches issuer to do validation (mentioned above), and can then apply policy against sub or other claims to determine what role(s) the workload may assume. > 4. The JWT is "translated" (and I think translation sounds more accurate > than "exchange" here) to an IAM role (which concretely means AWS > "temporary credentials" - but the client application never sees those > effectively, so there is no "exchange" as such. > > So the overall protocol requires both an actual token exchange (not > mediated by the client) and a translation. > There is only JWT-SVID issued to workload by SPIRE, and then resulting AWS temporary credentials after AssumeRoleWithWebIdentity. This is the same general pattern used for federated SPIFFE access into Azure, GCP, and more. I hope this clarification is helpful , I'm no OIDC expert, but I'm pretty sure it represents a departure from normal OIDC flows.
- [Wimse] Token Exchange design team update Yaroslav Rosomakho
- [Wimse] Re: Token Exchange design team update John Kemp
- [Wimse] Re: Token Exchange design team update Saxe, Dean
- [Wimse] Re: Token Exchange design team update Saxe, Dean
- [Wimse] Re: Token Exchange design team update Evan Gilman