IETF Logo Mail Archive

[Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 07 August 2024 13:26 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40FCFC14F681 for <wimse@ietfa.amsl.com>; Wed, 7 Aug 2024 06:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.006
X-Spam-Level:
X-Spam-Status: No, score=-2.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s0aJijnZ6sK4 for <wimse@ietfa.amsl.com>; Wed, 7 Aug 2024 06:25:59 -0700 (PDT)
Received: from mail-wm1-x335.google.com (mail-wm1-x335.google.com [IPv6:2a00:1450:4864:20::335]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50253C14E515 for <wimse@ietf.org>; Wed, 7 Aug 2024 06:25:59 -0700 (PDT)
Received: by mail-wm1-x335.google.com with SMTP id 5b1f17b1804b1-4280bca3960so13108505e9.3 for <wimse@ietf.org>; Wed, 07 Aug 2024 06:25:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723037157; x=1723641957; darn=ietf.org; h=content-transfer-encoding:to:message-id:thread-topic:subject:from :date:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=y95UY0ofXKAF4wjP7bk4POSi7aqicneXadKj+oo2buk=; b=IxRm1GnFSYZkK6h7Gw1nEQwmett8BVSN/DWElVpHOdSNWnqRCYDLsGKe7nziBBn73N 2/ekkq/HEzOsJN28U1U0CcIUROuCFxZ90qx9O8npyV7h39s7pGhTTW7jqdxuQSXQhq/v ZrL/9on3EUUFwd4TX9tSRHrZ3GU5L+DUmzEEXI8+f8yvWkjovbJp9lK3SMhTDrp0YjGg /3J6DQaASlNTPP4yCLy5tH7WrW9TY2ty/XaZYJoFivXkqp83mvDAw+gYe1YPFX4SwNdK qQihQtWbYe3lsm00vsA8ePxSFnyeYwLrG2yNMpQV5HYAoMyHDEMWSW3Jqc104PErXKHR rRvA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723037157; x=1723641957; h=content-transfer-encoding:to:message-id:thread-topic:subject:from :date:mime-version:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=y95UY0ofXKAF4wjP7bk4POSi7aqicneXadKj+oo2buk=; b=hToRnKVYUyklM3o0mVKdazlyB8xiEwomBs7mFH7SYtgNp5OV/iugWWAiUdTgabL4z1 U5LlSZxyKz3BdFAS1UXPxzBqY541hW4SuNFwXy3L1w2ftwjPRIDKF0Ahpcaf+/gGTNZA OcbQ4aWxUvagbEGdUDV8OX5HnxrDo0R6lbaautAFGnKGQQx3VWukaCAxBMiavo26By/Z 9hIrOHCQFP8UJWiUeWRskc7FMKBhWn9Wug8Tpzp2N97M5UP/oslmsCz26n6mZ6sJBDB2 LRdZRvdPS2Wk2ZBj8B7LuVtW1naMUOAq4ZGBP8ZFti/VsEpSqdf1X11tU0jjng3ayoHP NNqg==
X-Forwarded-Encrypted: i=1; AJvYcCXe/nK4sK5SI9cqwR9kfZcPTTkxoM3cJ+TdIZsb6d4AWVGyPpooCkShhXvA9vt052BOKTrNMBP0SD6KrcI3zg==
X-Gm-Message-State: AOJu0YxtIChi+ly9NyaTlzq2VV+3r2nwYI9EnkxWgD4EyZidvMX6iSgj 3x1/SZa5wK3qemMkzNLyk79+DTk7lsETLGBgJmNsPzs/DqKBKiwWueKxkg==
X-Google-Smtp-Source: AGHT+IG2eM+9zi1wucdodmjy+xMoEc1pB8kXNMFn2rwBjrnO9rKFRSI5e8UPCsgTDbpYvZwmtbZxdg==
X-Received: by 2002:a05:600c:3108:b0:426:55c4:ff34 with SMTP id 5b1f17b1804b1-428e6aff8fcmr127109635e9.15.1723037156704; Wed, 07 Aug 2024 06:25:56 -0700 (PDT)
Received: from macos-F7LQR2FV6V (IGLD-84-229-146-123.inter.net.il. [84.229.146.123]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429059cb20esm29440955e9.40.2024.08.07.06.25.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Aug 2024 06:25:56 -0700 (PDT)
MIME-Version: 1.0
Date: Wed, 07 Aug 2024 16:25:53 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: Re: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
Message-ID: <19EE151F-D6EB-0140-A04B-24584C526E1D@hxcore.ol>
To: Justin Richer <jricher@mit.edu>, "wimse@ietf.org" <wimse@ietf.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Message-ID-Hash: LF6FFFMRCXAYRC3753FQAREQRH7HVMX2
X-Message-ID-Hash: LF6FFFMRCXAYRC3753FQAREQRH7HVMX2
X-MailFrom: yaronf.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/KyOAzDN8hih5TkC1k52DmLUTmI8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

Hi Justin,

 

I’m puzzled by your proposal, because you are mixing existing deployments (workload security in K8s, the current focus of the document) with future, “aspirational” problems. The WIMSE token does not exist yet, all we have is a not-yet-adopted draft that defines it.

 

There’s a lot of value in documenting existing (pre-WIMSE) practices of getting workload credentials, and in recommending the best security for these practices.

 

In the future there may be value in having an Informational document about various ways of provisioning WIMSE tokens.

 

But mixing the two is IMHO a bad idea.

 

Thanks,

                Yaron

 

 

From: Justin Richer <jricher@mit.edu>
Date: Friday, 2 August 2024 at 0:31
To: wimse@ietf.org <wimse@ietf.org>
Subject: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

Chair hat off — this is entirely my position as a member of the community.

 

My answer to the question is a form of (B), but I think there’s actually more to do than just add some OAuth considerations to the document.

 

As the document stands today, I do not believe that it addresses the milestone or deliverable as defined by the working group, in either its stated scope or its content. I would like to offer what I hope is a helpful framing of the goals that I believe this document should ascribe to. I believe the document can reach these goals if we choose to, but it would need a good amount of work to get to that point.

 

 

1) It should be informational, not BCP. We are far too early in the work of WIMSE to determine what "best practices" are by the IETF definition. [1]

 

 

2) It should explicitly enumerate and address the three non-oauth means of "getting a token" that are common in this space. These are hinted at in the document, but to my understanding these practices are:

 

 - Setting environment variables

 - Mounting a file on a virtual filesystem (usually through some container overlay, etc)

 - Reading from a local socket through an agent

 

Each of these approaches has different security considerations and tradeoffs, and this document is the perfect place to address each of these practices with clear, sober advice for implementors on what to choose and when to choose it. 

 

 

3) It should focus on the token from (2) in the cases where it’s a WIMSE token, as defined by other docs in this WG. Specifically it should point out that what you’re mounting/loading/etc is not an "access token" in the traditional sense, as it’s not intended to directly call another service after an act of delegation. Instead, it’s a means of identifying the workload instance and allowing it to perform core functions, which might include getting an access token through some means.

 

 

4) It should point to other work for trading the WIMSE token from (3) for an access token where needed, these won’t be in this document. The WG has identified token exchange/translation and as-of-yet-undefined "local token issuance" as means of going from the WIMSE space into OAuth space, and vice versa. This document shouldn’t specify how to do any of that, but should instead point forward to other work as out of scope. This work could also talk about getting transaction tokens or other artifacts.

 

 

5) In the case where the token from (2) is actually an access token or used as such, there should be security considerations and discussion around the tradeoff — because somebody’s going to do it that way anyway regardless of how much we warn them. This document is a good place to discuss such tradeoffs — for example, you save a round trip, but now you have a much more dangerous artifact immediately available.

 

 

6) It should address but not define proof of possession, to the extent that it talks about loading and managing associated secrets alongside the token. The means of token PoP should be covered by other documents, such as the proposed S2S document.

 

 

I think that if we address the six points here, this document could be an incredibly useful piece of work for the wider community. I also don’t think it’s a massive amount of work to get there — certainly much more than what the document currently addresses, but as it’s informational and largely documenting and commenting on existing practices instead of inventing protocols and formats, I believe a lot of the knowledge already exists out there in the community and it needs to be distilled and edited.

 

 

— Justin

 



On Jul 29, 2024, at 6:21AM, Pieter Kasselman <pieter.kasselman@microsoft.com> wrote:

 

During the Working Group meeting in Vancouver there was discussion on the scope of the Working Group document titled Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments [1], which was adopted in accordance with the following deliverable in the charter [2]:

 

  • [I or BCP] Document and make recommendations based on operational experience to existing token distribution practices for workloads.

 

This is intended to respond to the following milestone [3]:

 

  • Submit informational document describing considerations for filesystem-based JWT delivery in Kubernetes to the IESG

 

Please reply to the list to indicate which of the following options represent the appropriate scope for this document:

 

  1. Document existing practices without specific recommendations on how to obtain, protect and use OAuth Access Tokens.
  2. Document existing practices along with strong recommendations on how to obtain, protect and use OAuth Access Tokens.
  3. Need more information (please state what more information you need).
  4. No opinion (i.e., this isn’t a topic you care strongly about).


Please reply to the list by August 12th, 2024.

 

Thank you,

 

Pieter and Justin

 

 

v2.29.0 | Report a Bug | By Email | System Status