IETF Logo Mail Archive

[Wimse] Re: [EXTERNAL] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 01 August 2024 14:03 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D857DC14CEFC for <wimse@ietfa.amsl.com>; Thu, 1 Aug 2024 07:03:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.942
X-Spam-Level:
X-Spam-Status: No, score=0.942 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_FUTURE_06_12=1.947, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E6Lsj1L-QMzD for <wimse@ietfa.amsl.com>; Thu, 1 Aug 2024 07:03:13 -0700 (PDT)
Received: from mail-wm1-x333.google.com (mail-wm1-x333.google.com [IPv6:2a00:1450:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED868C14F71C for <wimse@ietf.org>; Thu, 1 Aug 2024 07:03:12 -0700 (PDT)
Received: by mail-wm1-x333.google.com with SMTP id 5b1f17b1804b1-42808071810so46513105e9.1 for <wimse@ietf.org>; Thu, 01 Aug 2024 07:03:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722520991; x=1723125791; darn=ietf.org; h=content-transfer-encoding:cc:to:message-id:thread-topic:subject :from:date:mime-version:from:to:cc:subject:date:message-id:reply-to; bh=YgQYsEs5/sU9+/SzHPEBpJps2om4rJ1UgDrlQa8UAYE=; b=Lwdl7Z6w4dIZNPjwgy0kKJCuRnPqKOdkM1t9Dtno0r9GwmZd7tWDeyugFkgY6e3xue cVef/sk6Ea62+weTdUKd//28vv//ukEDs4HXuPF2eUvQ5gz+TQDFQPnJeF42K3IC9P1I nDkdNHvGNQ5IoA4W6PHO630WQoBYbqoUgMDbGWFeRskzuwItRNWjDg3pQDTRssZxtJbz nO1WknEi+90iT/0FkKTLoDKO8zqgqGJiziKjkt3AX3CZld1Ay+cDd8qHRTrIwSWh1kdm 2xO7qVskZTs0v5hjhX3MYa3zhXDmkJMA+kmQSunUzQ2PtwG4n0rJ6PkwCMfSvGMnL/xC +aJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722520991; x=1723125791; h=content-transfer-encoding:cc:to:message-id:thread-topic:subject :from:date:mime-version:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=YgQYsEs5/sU9+/SzHPEBpJps2om4rJ1UgDrlQa8UAYE=; b=uZD5/THWSWop0udP0srSyyC4p4E7mP81ROwZaBuaYxkeMDL1sBogl/D6pTJ0YWloJ1 FQPK8PXA+4zA2a5ZSFWJcTKFF5NsDdzzLe9SBj9QWAOUXm4cSxs0bJMn1/UKqrOQya2k oec+u5sh4A9SvisKdLrm5UtXeVd2ahNcHwBWHo/PH9iaXKTvZXoW8pDPOtfaw5qJKhv4 Z9xiL5RiLbpbDySXiDK0aTAnbkF5K75XEqIwtn3lfmMJtxHlCF6yHRG83WTAAvBNvD8d OQWzISCVtY6D9g1wFRkPOYPSRpjuZ4sSIm1m6DfhnNMOAm8VqY2bX3MpUZR5Ub59YfXI kcvA==
X-Forwarded-Encrypted: i=1; AJvYcCWvLFl+JQzS64fiCAn9OmgVqoBew7l5A0Ph3nbrzA/UDO6P++ewcZ/w3n9q5SfKeQh2UqwyOEcXNViM7CFa3A==
X-Gm-Message-State: AOJu0YxdHh5VPC/foA/8ArTVjNj7zoE4NyT922JF5NLKv6GSeWO1TOa3 7/8omQCs5+Hh6i0urDXdwvHTeeSd/kOO/GZd+L+6qwzwIjQTtFbl
X-Google-Smtp-Source: AGHT+IE4Npvq+EWaFCLclEZPBeABaWvALw/ct/wkWXryIkUjIJ7GxWSyO0972e+J28Ro2nfiIP26bQ==
X-Received: by 2002:a05:6000:11c7:b0:368:460b:4f8e with SMTP id ffacd0b85a97d-36baacb5f87mr2336843f8f.13.1722520990227; Thu, 01 Aug 2024 07:03:10 -0700 (PDT)
Received: from macos-F7LQR2FV6V (IGLD-84-229-146-123.inter.net.il. [84.229.146.123]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-36b367e49bdsm19647570f8f.44.2024.08.01.07.03.08 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Aug 2024 07:03:09 -0700 (PDT)
MIME-Version: 1.0
Date: Thu, 01 Aug 2024 17:03:06 -0700
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: Re: [Wimse] Re: [EXTERNAL] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
Message-ID: <363922EB-4A28-2948-9D3D-E65A3D21BD5E@hxcore.ol>
To: Arndt Schwenkschuster <arndts@microsoft.com>, Andrii Deinega <andrii.deinega@gmail.com>, "Flemming Andreasen (fandreas)" <fandreas=40cisco.com@dmarc.ietf.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Message-ID-Hash: QOJ5NSSTZ63II3D32MY4ZQ2SUKI2YLII
X-Message-ID-Hash: QOJ5NSSTZ63II3D32MY4ZQ2SUKI2YLII
X-MailFrom: yaronf.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "wimse@ietf.org" <wimse@ietf.org>, Justin Richer <jricher@mit.edu>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: [EXTERNAL] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/MSqE0tavfFrZp1YHDiShpWQTDK0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

I agree with Arndt on the selection of option A: document existing practices but without labelling them as BCP.

 

I disagree about the separate document he proposes, because I think once we are further along with the WIMSE solution, we can work with the Kubernetes (and/or service mesh) communities to come up with better solutions, rather than keep with the old file-based hacks. If we write a BCP too early we face the risk of ossifying bad practices.

 

Thanks,

                Yaron

 

 

From: Arndt Schwenkschuster <arndts@microsoft.com>
Date: Tuesday, 30 July 2024 at 13:04
To: Andrii Deinega <andrii.deinega@gmail.com>, Flemming Andreasen (fandreas) <fandreas=40cisco.com@dmarc.ietf.org>
Cc: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, wimse@ietf.org <wimse@ietf.org>, Justin Richer <jricher@mit.edu>
Subject: [Wimse] Re: [EXTERNAL] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

TLDR: I vote for A.

 

As one of the authors, I see value in documenting existing patterns and believe it’s crucial to do this as soon as possible.

On the other hand, I understand the concern labelling this as “best current practices”.

I would like to propose to:

  • Move forward with the current scope as “Informational"
  • Others and I work together to start a new individual draft BCP which contains a wider scope including proof of possession and other aspects (for example Andrii’s feedback) the current scope does not consider. I believe this work can be built on top of the service-to-service authentication work, which is currently in call for adoption where token format and other things are defined.

 

-Arndt

 

From: Andrii Deinega <andrii.deinega@gmail.com>
Date: Monday, 29 July 2024 at 23:57
To: Flemming Andreasen (fandreas) <fandreas=40cisco.com@dmarc.ietf.org>
Cc: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, wimse@ietf.org <wimse@ietf.org>, Justin Richer <jricher@mit.edu>
Subject: [EXTERNAL] [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

You don't often get email from andrii.deinega@gmail.com. https://aka.ms/LearnAboutSenderIdentification" rel="nofollow">Learn why this is important

Pieter, I choose to go with C.

 

ATs need to be protected from replay attacks, there must be a proof of possession mechanism in place, without that we can't simply refer to it as BCP.

 

 

On Mon, Jul 29, 2024 at 3:17PM Flemming Andreasen (fandreas) <fandreas=40cisco.com@dmarc.ietf.org> wrote:

Given the choices, I would go for option A (i.e. no specific recommendations), the reason being I don't think it makes a lot of sense for WIMSE to recommend one thing based purely on OAuth access tokens, when we may end up specifying something different using WIMSE tokens (or whatever we end up calling it). I do think pointing out potential issues with current mechanisms would be helpful though.

Thanks

-- Flemming

On 7/29/24 06:21, Pieter Kasselman wrote:

During the Working Group meeting in Vancouver there was discussion on the scope of the Working Group document titled Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments [1], which was adopted in accordance with the following deliverable in the charter [2]:

 

  • [I or BCP] Document and make recommendations based on operational experience to existing token distribution practices for workloads.

 

This is intended to respond to the following milestone [3]:

 

  • Submit informational document describing considerations for filesystem-based JWT delivery in Kubernetes to the IESG

 

Please reply to the list to indicate which of the following options represent the appropriate scope for this document:

 

  1. Document existing practices without specific recommendations on how to obtain, protect and use OAuth Access Tokens.
  2. Document existing practices along with strong recommendations on how to obtain, protect and use OAuth Access Tokens.
  3. Need more information (please state what more information you need).
  4. No opinion (i.e., this isn’t a topic you care strongly about).


Please reply to the list by August 12th, 2024.

 

Thank you,

 

Pieter and Justin

 

[1] https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/" rel="nofollow">https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/

[2] https://datatracker.ietf.org/doc/charter-ietf-wimse/" rel="nofollow">https://datatracker.ietf.org/doc/charter-ietf-wimse/

[3] https://datatracker.ietf.org/wg/wimse/about/" rel="nofollow">https://datatracker.ietf.org/wg/wimse/about/

 



 

--
Wimse mailing list -- wimse@ietf.org
To unsubscribe send an email to wimse-leave@ietf.org

v2.29.0 | Report a Bug | By Email | System Status