Re: [Wimse] JWT-based workload authentication via OIDC (ab)use
Brian Campbell <bcampbell@pingidentity.com> Thu, 30 November 2023 20:56 UTC
Return-Path: <bcampbell@pingidentity.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3B9BC14F73E for <wimse@ietfa.amsl.com>; Thu, 30 Nov 2023 12:56:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hnkIWUGT4-Q7 for <wimse@ietfa.amsl.com>; Thu, 30 Nov 2023 12:56:29 -0800 (PST)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CA46C14CE2C for <wimse@ietf.org>; Thu, 30 Nov 2023 12:56:29 -0800 (PST)
Received: by mail-pj1-x1035.google.com with SMTP id 98e67ed59e1d1-28647f4ebd9so677428a91.3 for <wimse@ietf.org>; Thu, 30 Nov 2023 12:56:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1701377788; x=1701982588; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FX9iUZWafx4y1m9LMUtSOtQHyGGtZW4GaF2WXShwJz8=; b=Dh17hxjRH0pdAOZbntEvgr2HIJxVQ7Or/FYp9CM6/iqTzQaTaOZEoXaOl1w72bfZQV hmWs2q8igAbShmvoT7RbSnTpRQFlxFpNk/Pac3c/G0In39xIFQ4ZIRqCY3YVtrpdJblP bBhIgAOOeLicD8ZNrrrB0igYU6DZisMUTzqGBEpMy2FLayf7rtO76VekcL+Tx6GFqN1H oKGi0DLJxoeVbOhNXMUf+LlE3p5+uDzuV6hRVDNk8JVAnt71sN1mlW06g3uvZ5g02AnE Z194j9RrG9TcapzGMqFCJW3xS5igswP+ncK/gbrdFdNvUEt78NUXDg8nCthgs6ki+k2r EIxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701377788; x=1701982588; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FX9iUZWafx4y1m9LMUtSOtQHyGGtZW4GaF2WXShwJz8=; b=A7DX4qJHg7gJr2Osgbv/t6Wbx0MICABzSAEEI1WixzbJp3RaGGel0ortBIDo7Z6w47 xNcO0u8B5ktyPSDOddcUkL54/BV9W6X5MhWGORqdmhqTi1EaVEjEdDp6RSYLxZEbYm+B 8pzX56ZMzm4C58IhU/uWbsDLke9rWAR0+Wbos6Mo8wN2nyZFToymXHrcFFFqSFdGvU2I J/gzMVML9AivJ/Z7mqsPylLlWlgJnCXvADcWyzZHK+idVdJS9l1RS/KNslGJ1BbnK6m3 7UPJpvbqCz0DvTrF7ZCYyk6KINrd8WTmYRlMoEENh/fCYsbAWLa0pP9lCFRyGPIiV1iQ tgFg==
X-Gm-Message-State: AOJu0Yx+jS01ZoA/gLdlP7TL32u0hm4mmatqgCj77Fz/2ASfw+MJX78C LI4BTsbpCiklnn0Kpy7Ty6HRQuJmOzUQKAJdXV5X2PSA39MtfZgEQ+wqM/QMWnYJutcUo9qy9hp 6UBYGlV7tbJte1TfNa/supLvS
X-Google-Smtp-Source: AGHT+IG8lNtb7nnPPzZA1WXkNbfUBpB0OOuhaFmm3VLt9/aMNDMe7jrDIJMl9Nx8aHi01Q7w1BP58S0Y595H9Q2pR2g=
X-Received: by 2002:a17:90b:3a90:b0:285:34a2:3dab with SMTP id om16-20020a17090b3a9000b0028534a23dabmr23231033pjb.11.1701377788303; Thu, 30 Nov 2023 12:56:28 -0800 (PST)
MIME-Version: 1.0
References: <CAOB-mKnZzau0ks+4T5KCcxhtk7BEZdVjqJAaE=gVNK3WFYYvAw@mail.gmail.com> <CA+k3eCRg1N_DCDVUq+FLqQEZA5EMMdY4Yu7XiQ4MvUZb9Rrg0w@mail.gmail.com> <88c47206-f7b1-461f-84f7-22f548e7783c@gmx.net>
In-Reply-To: <88c47206-f7b1-461f-84f7-22f548e7783c@gmx.net>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Thu, 30 Nov 2023 13:55:50 -0700
Message-ID: <CA+k3eCQMbZ_g4+nJyyY5AoU1+26Uo6Yx=0Xd_ki2HXTW5f-T+g@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Cc: Evan Gilman <evan@spirl.com>, wimse@ietf.org
Content-Type: multipart/alternative; boundary="000000000000b3ed39060b64e288"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/L7GgtPFRcizObdCNgjqNeVgt5eo>
Subject: Re: [Wimse] JWT-based workload authentication via OIDC (ab)use
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Nov 2023 20:56:33 -0000
On Wed, Nov 29, 2023 at 8:21 AM Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > Hi all, > > > after we posted [1] we got feedback that the description of how the > workload proceeds interacting with the resource server may be > over-specified and too specific and should instead be generalized. > > > Reading the review feedback from Evan gives me the impression that there > is probably a possible separation between > > (a) the interaction needed to present the workload with a token and the > way to convert that token into something that can be used subsequently > through the use of token exchange, > > and > > (b) the intaction that follows afterwards by the workload. > > > I sounds a bit like (b) should be aligned with the work in the industry > today, for example with [2]. Regarding Brian's draft > <draft-schwenkschuster-oauth-identity-chaining>, I couldn't recognize a > good alignment with [2]. [2] talks about re-using OpenID Connect while > Brian's document doesn't. > Calling that stuff OpenID Connect is an understandable but (in this context anyway) unfortunate misuse of the name. Beyond the terminology I believe there is a lot of similarity. At least in the general concepts and flow. "Workload receives platform token" is similar to a local token exchange <https://www.ietf.org/archive/id/draft-oauth-identity-chaining-00.html#name-token-exchange> to acquire a JWT suitable for cross-domain use where "Workload calls target token exchange service, provides platform token" to acquire an access token like "Target returns credential valid in target domain" which is similar to the JWT Authorization Grant of RFC7523 and described/profiled/something in the identity-chaining draft <https://www.ietf.org/archive/id/draft-schwenkschuster-oauth-identity-chaining-00.html#name-authorization-grant>. Ciao > > Hannes > > > PS: Should <draft-schwenkschuster-oauth-identity-chaining> actually be an > item to be worked on in WIMSE rather than in OAuth? > > > Am 29.11.2023 um 14:52 schrieb Brian Campbell: > > On the face of it this sounds a lot like the JWT authorization grant from > https://datatracker.ietf.org/doc/html/rfc7523 > > This draft > https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-identity-chaining/, > which was recently adopted by the OAuth WG > <https://mailarchive.ietf.org/arch/msg/oauth/l6dGZNuyH7GyiNX9uz1C9R_SCRc/> > attempts to further profile/describe the JWT authorization grant including > mention of the metadata/JWKS and a local token exchange to receive the > initial token. > > On Tue, Nov 28, 2023 at 3:48 PM Evan Gilman <evan@spirl.com> wrote: > >> Hannes' BCP draft on kubernetes workload identity tokens [1] discusses a >> very common use case where a workload uses a platform-provided JWT to >> authenticate to another service in a different identity domain. In the case >> of the BCP, authentication to an OAuth Resource Server is discussed, which >> uses the platform-provided token to "enter an OAuth domain" and receive an >> access token. There are similar (perhaps even more popular) patterns e.g. >> use a platform-provided token to "enter the AWS domain" by exchanging it >> for a time-limited AWS secret access key. In fact, the latter pattern >> exists in all three major cloud providers, and has been colloquially coined >> as "Workload Identity Federation". >> >> Aside from the fact that "Workload Identity Federation" is a very >> confusing way to describe this pattern, it has emerged as a powerful >> primitive for cross-domain authentication and access. For example, there >> are dozens of pages of documentation on how to do this against a variety of >> targets on the GitHub website [2] ... in fact, it is the recommended way to >> authenticate GitHub Actions CI runners to pieces of infrastructure. >> >> And yet, there is no standard way to do this. >> >> It works purely due to lax OIDC validators ... my read of the situation >> is that this flow is an abuse of OIDC and nowhere is this pattern described >> by text. The following gives a rough idea: >> * Workload receives platform token >> * Often via disk (see [1]) >> * Platform token has a variety of bits set, depending on platform >> * Token mocks an ID token, with a subject/issuer/audience, but lacking >> most other things >> * Workload calls target token exchange service, provides platform token >> * Target service is branded as OIDC-based authentication >> * Target service is configured with mappings, usually referencing sub >> claim and sometimes others >> * Target service is configured with issuers >> * Target pulls well-known OIDC discovery doc from issuer URL >> * Target follows JWKS link, everything else is ignored >> * (sometimes, target will be directly configured with JWKS URL and skip >> the discovery doc) >> * Target validates presented platform token against issuer using JWKS >> * Target refers to mapping to know what credential to return >> * Target returns credential valid in target domain >> * Workload proceeds on with its day >> >> It would be really great to capture this flow/pattern in a more formal >> way. I think WIMSE could be a good place to do that. Even just giving it a >> name would be valuable. >> >> [1]: >> https://datatracker.ietf.org/doc/draft-hofmann-wimse-workload-identity-bcp/ >> [2]: >> https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect >> -- >> Wimse mailing list >> Wimse@ietf.org >> https://www.ietf.org/mailman/listinfo/wimse >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* > > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
- [Wimse] JWT-based workload authentication via OID… Evan Gilman
- Re: [Wimse] JWT-based workload authentication via… Brian Campbell
- Re: [Wimse] JWT-based workload authentication via… Hannes Tschofenig
- Re: [Wimse] JWT-based workload authentication via… Brian Campbell
- Re: [Wimse] JWT-based workload authentication via… Evan Gilman
- Re: [Wimse] JWT-based workload authentication via… Pieter Kasselman
- Re: [Wimse] JWT-based workload authentication via… Brian Campbell