[Wimse] Next Steps: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
Pieter Kasselman <pieter.kasselman@microsoft.com> Thu, 15 August 2024 15:27 UTC
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: "wimse@ietf.org" <wimse@ietf.org>
Date: Thu, 15 Aug 2024 15:27:30 +0000
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/BBOs0Td4iwZ0seD3LDLi1hc8ptE>
Following the WIMSE meeting at IETF 120 in Vancouver, the chairs put out a "Request for Input" [1] regarding the working group document "Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments" (draft-ietf-wimse-workload-identity-bcp-01) [2]. Based on the feedback received, we believe rough consensus has been achieved and the document should:

1. Document existing practices without specific recommendations on how to obtain, protect and use OAuth Access Tokens.
2. Include security considerations for these current practices.
3. Be considered informational, and not a best current practices document.

Thanks to everyone who provided input and shared their perspective on this issue. We look forward to your ongoing contributions.

- Pieter and Justin

[1] https://mailarchive.ietf.org/arch/msg/wimse/zrEzmYvRRcSwSrhj9d7ncybqAwg/
[2] https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/