IETF Logo Mail Archive

[Wimse] Re: Token Exchange design team update

"Saxe, Dean" <deansaxe@amazon.com> Fri, 14 June 2024 00:12 UTC

Return-Path: <prvs=888be7f0b=deansaxe@amazon.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BDC2C1CAF2D for <wimse@ietfa.amsl.com>; Thu, 13 Jun 2024 17:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.403
X-Spam-Level:
X-Spam-Status: No, score=-4.403 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, UNPARSEABLE_RELAY=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id za2fFuLY0u6X for <wimse@ietfa.amsl.com>; Thu, 13 Jun 2024 17:12:07 -0700 (PDT)
Received: from smtp-fw-80008.amazon.com (smtp-fw-80008.amazon.com [99.78.197.219]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64A8EC1CAE6F for <wimse@ietf.org>; Thu, 13 Jun 2024 17:12:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1718323927; x=1749859927; h=from:to:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version:subject; bh=/JD/UDFSgpa/n1VJjnKXF+YMHf2b6IBM1wSiESef1DA=; b=FMPW6HN7YBqYZO7b713cONBi7eUZM3UA6ipNtDb6F4hgRksihzQeAEFE v0iT+lsrQgQcCUQJZXrqOpGpKqsgzMx3f1TD/oAjomj6fqCELbGhHTySh 8jzbTnVpGjJRpF83yyeNt3IcIxBHT6jmmOjMFcFq4/JbYNE8Mw9YyfABZ I=;
X-IronPort-AV: E=Sophos;i="6.08,236,1712620800"; d="scan'208";a="96707237"
Thread-Topic: [Wimse] Re: Token Exchange design team update
Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.25.36.214]) by smtp-border-fw-80008.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 14 Jun 2024 00:12:07 +0000
Received: from EX19MTAUWC001.ant.amazon.com [10.0.38.20:13022] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.27.198:2525] with esmtp (Farcaster) id cae0f0c9-a35c-4de6-b4c4-1d0753c4b6f2; Fri, 14 Jun 2024 00:12:06 +0000 (UTC)
X-Farcaster-Flow-ID: cae0f0c9-a35c-4de6-b4c4-1d0753c4b6f2
Received: from EX19D003UWC002.ant.amazon.com (10.13.138.169) by EX19MTAUWC001.ant.amazon.com (10.250.64.174) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 14 Jun 2024 00:12:06 +0000
Received: from EX19D003UWC004.ant.amazon.com (10.13.138.150) by EX19D003UWC002.ant.amazon.com (10.13.138.169) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Fri, 14 Jun 2024 00:12:06 +0000
Received: from EX19D003UWC004.ant.amazon.com ([fe80::38e:f9f6:c9f7:63fa]) by EX19D003UWC004.ant.amazon.com ([fe80::38e:f9f6:c9f7:63fa%4]) with mapi id 15.02.1258.034; Fri, 14 Jun 2024 00:12:06 +0000
From: "Saxe, Dean" <deansaxe@amazon.com>
To: John Kemp <stable.pseudonym@gmail.com>, "wimse@ietf.org" <wimse@ietf.org>
Thread-Index: AQHavcU+lspqjWN+EUqNT8nDssYC3LHF7haA
Date: Fri, 14 Jun 2024 00:12:06 +0000
Message-ID: <BC38A085-2730-40F3-AA61-967D56A277FB@amazon.com>
References: <CAMtubr2c=c=pE5xV4f1N84y8ACAk98nvf7=F1CCwp3PaQMU_bw@mail.gmail.com> <A6CC88F8-D289-4AA7-8F75-519EEEEFC9CD@amazon.com> <ff22af7d-1197-413d-9f84-df54b262b38a@gmail.com>
In-Reply-To: <ff22af7d-1197-413d-9f84-df54b262b38a@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.85.24051916
x-originating-ip: [10.187.171.60]
Content-Type: text/plain; charset="utf-8"
Content-ID: <C93A2EF288C0E84998B0BFC79EA477BE@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Message-ID-Hash: VM36ZXQHVHROYWRF5EU24UGPXA2D4PNH
X-Message-ID-Hash: VM36ZXQHVHROYWRF5EU24UGPXA2D4PNH
X-MailFrom: prvs=888be7f0b=deansaxe@amazon.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Token Exchange design team update
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/_2sUwUCu7LPOZDinoRceRgD0nus>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

That sounds correct.  In the specific example, I see two different token translations/exchanges happening.  The first is through the OIDC discovery mechanism.  The second is through a bespoke AWS mechanism (AWS STS) to return the temporary security credentials.

The important thing to note is that translations from token type A to token type B need to be more clearly defined as profiles to ensure that there are defined patterns for how to translate from A to B to ensure consistent mechanisms for translation, and a clear understanding of what, if anything, is lost.

I hope that helps!

-dhs
-- 
Dean H. Saxe, CIDPRO <https://idpro.org/cidpro/> (he/him) 
Senior Security Engineer, AWS Identity Security Team | Amazon Web Services (AWS) 
E: deansaxe@amazon.com <mailto:deansaxe@amazon.com> | M: 206-659-7293 <tel:206-659-7293> 




On 6/13/24, 12:09 PM, "John Kemp" <stable.pseudonym@gmail.com <mailto:stable.pseudonym@gmail.com>> wrote:


CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.






On 6/13/24 14:02, Saxe, Dean wrote:
> Second, we have come to the conclusion that token exchange has a
> distinct meaning due to the use of the term in RFC 8693
> <https://datatracker.ietf.org/doc/html/rfc8693> <https://datatracker.ietf.org/doc/html/rfc8693&gt;>. Recognizing that WIMSE
> is broader than OAuth 2.0 and that there may be exchanges that are lossy
> between different token types, we have embraced the idea of “token
> translation” as a term to express that there may be information “lost in
> translation” in such exchanges. Where WIMSE can use the existing
> mechanisms in RFC 8693, we will continue to refer to that as “token
> exchange”. In my opinion, token translation is a superset which
> includes the existing OAuth Token Exchange protocol. I look forward to
> broader discussion on this idea with the WIMSE WG.


Just an attempt to understand this concretely, I thought I'd use the
SPIRE-OIDC-AWSIAM example from the docs:


1. A SPIRE SVID JWT is issued to the workload at some point prior to the
use of AWS S3, just via the normal SPIRE mechanisms.


2. Once OIDC discovery + IdP in AWS is setup, via OIDC discovery, the
SPIRE OIDC provider provides an OpenID Connect ID Token to the AWS IdP,
representing the workload, with the SVID url as its 'sub'. So this has
been an actual token exchange (of a kind) from one format of JWT to
another (let's forget there's probably barely any translation needed there).


3. Once the token has been obtained by the client, it can be used to go
to S3, along with the request to 'assume role' based on that token.


4. The JWT is "translated" (and I think translation sounds more accurate
than "exchange" here) to an IAM role (which concretely means AWS
"temporary credentials" - but the client application never sees those
effectively, so there is no "exchange" as such.


So the overall protocol requires both an actual token exchange (not
mediated by the client) and a translation.


Did I get that right (in which case, I agree with "translation" being
needed?)


Cheers, - johnk


--
Wimse mailing list -- wimse@ietf.org <mailto:wimse@ietf.org>
To unsubscribe send an email to wimse-leave@ietf.org <mailto:wimse-leave@ietf.org>

v2.31.3 | Report a Bug | By Email | System Status