IETF Logo Mail Archive

[Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

Joseph Salowey <joe@salowey.net> Thu, 08 August 2024 21:51 UTC

Return-Path: <joe@salowey.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B84BC151095 for <wimse@ietfa.amsl.com>; Thu, 8 Aug 2024 14:51:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 08WWnbHEw_5V for <wimse@ietfa.amsl.com>; Thu, 8 Aug 2024 14:51:29 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D100AC14F6A1 for <wimse@ietf.org>; Thu, 8 Aug 2024 14:51:28 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2f183f4fa63so12383641fa.1 for <wimse@ietf.org>; Thu, 08 Aug 2024 14:51:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1723153887; x=1723758687; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=N/kChcWqzUTghrd1TrDKj/hbrLN1Z6yUyHpRLD8tJrM=; b=OENGpaNIOdxz3+fBh1y+6mFjdmVcTaxGH4fSIU23671Xr1EoRGXwKEtPHJijqGecfi YZMZgVPfe2EgGVInoYY7vwm1P/3e3WV99ziEpe6vp2U5W/6mbebHdeKeZEsGu6Xk3vM8 0S46jrHDpgG0f6N5lQ5cxdh0MfDlDksfuEYe4e4jSGC8KAxhGBXwvNj9BWWlV0c+1P+e wp+Q5BdHgesazo4swMBC2/O5Ii8175IcIdptRK2vCAKr9GH2VbwysQGnNwQJa/Dr4TRS DGJ5fNM858EVX9ugFcFbicCpuvZK++XNhXtzF0asq4jbI7vEfQY/R0hC+sz9tmJvCi4A ZF0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723153887; x=1723758687; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=N/kChcWqzUTghrd1TrDKj/hbrLN1Z6yUyHpRLD8tJrM=; b=lNGKHlKeG6iM7yVhvI2TeuTH9W+UJKi6SGnNgr+UaZmZrnitKXHmt5yQw+ZQyLaaMJ ijF+yliCXKNlGzSBEK3m4V90qmmCz+O4WLewAS9F9sqFtQVV9RL21YYpeD4XU2EaZh9y D9Y9UFRDhzUXDeGK3A6PBRg0hElLhryPJ85Ke9arkJShD7tDGRQ56NSr7cksLLY8CmV2 3gv+cL4gtMybTTHioF4cbv7BY0M/BcVyv3lgCF/0Sjy90NUI+8bR6tJool/KjxUWiTzu INrWSzg1i1TQ2TZYZDbW6tpSgQRNNCyH5zXBb3QqI/v0/hYEZiTpx1loppf6RHRoKFDp rmew==
X-Forwarded-Encrypted: i=1; AJvYcCU0T0EqsWo4paivqnbcCiCqpaOYHHXEK2Urv6IypvRl4paWTGOJc/B2VMeCOTmOBJEsZcszxg==@ietf.org
X-Gm-Message-State: AOJu0YzwIz4erbLk9ZXRfMo43gM79TPtX76lPQba9DUs/VBL/kG2VydC tJfyZPaKsh4oNUn+mwGDYXe3NC9FypZ19VH8mOHHN51nzjKinlaHh33lgGoM45CL2Hm2irbHUvU S4WIC365cMITW1BMoPDBoEdFbLaYE4B9kbL32SQ==
X-Google-Smtp-Source: AGHT+IEXaWdnBerbUmwNbn37x/opQf6oHyp/vIFnaI9j5i000PuokJiTXPpp28PIoMWnSiX1To8daR7ei+MzUCkT/JU=
X-Received: by 2002:a05:651c:b2b:b0:2ee:df8f:652d with SMTP id 38308e7fff4ca-2f19e34c6d0mr9677581fa.2.1723153886567; Thu, 08 Aug 2024 14:51:26 -0700 (PDT)
MIME-Version: 1.0
References: <19EE151F-D6EB-0140-A04B-24584C526E1D@hxcore.ol>
In-Reply-To: <19EE151F-D6EB-0140-A04B-24584C526E1D@hxcore.ol>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 08 Aug 2024 14:51:14 -0700
Message-ID: <CAOgPGoB30ew7ocWTyP-603RhXwxXQq3N6PA0iNND8a8yF0-SUw@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000004d8a1b061f330797"
Message-ID-Hash: TYZXIP5CBAMVHD32IWIZ74EAERAPCY5C
X-Message-ID-Hash: TYZXIP5CBAMVHD32IWIZ74EAERAPCY5C
X-MailFrom: joe@salowey.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Justin Richer <jricher@mit.edu>, "wimse@ietf.org" <wimse@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/eKTZqZ6L2UC42z8VztUk5NDUUzs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

I think the document is closest to a description of current mechanisms to
get authentication tokens for workloads and the security considerations
surrounding them.  I do not think we are in a place to define what is best
practice here, but perhaps after a bit more analysis and work on the
document we might be in that position.  Perhaps, at a later point when we
have made more progress we could recommend don't do this, but use this
other thing we are working on.

Answering the question as posed, I think this is an informational
document and not a BCP.  The document should describe the existing practice
and the security considerations associated with this practice.  At this
point I don't think I can say whether we will be able to make strong
recommendations on what to do in this document.  So I think that is
somewhat of a combination of A and C.

I think it would be good if we could make security recommendations that you
should use WIMSE tokens instead because they have properties X,Y and Z.  I
share the hesitation in describing how to obtain WIMSE tokens in this
document, I would prefer to keep them separated, but it's quite probable
that the same mechanisms will apply to WIMSE tokens with perhaps some
different caveats.

Cheers,

Joe

On Wed, Aug 7, 2024 at 6:26 AM Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

> Hi Justin,
>
>
>
> I’m puzzled by your proposal, because you are mixing existing deployments
> (workload security in K8s, the current focus of the document) with future,
> “aspirational” problems. The WIMSE token does not exist yet, all we have is
> a not-yet-adopted draft that defines it.
>
>
>
> There’s a lot of value in documenting existing (pre-WIMSE) practices of
> getting workload credentials, and in recommending the best security for
> these practices.
>
>
>
> In the future there may be value in having an Informational document about
> various ways of provisioning WIMSE tokens.
>
>
>
> But mixing the two is IMHO a bad idea.
>
>
>
> Thanks,
>
>                 Yaron
>
>
>
>
>
> *From: *Justin Richer <jricher@mit.edu>
> *Date: *Friday, 2 August 2024 at 0:31
> *To: *wimse@ietf.org <wimse@ietf.org>
> *Subject: *[Wimse] Re: Request for Input: Best Current Practice for OAuth
> 2.0 Client Authentication in Workload Environments
>
> Chair hat off — this is entirely my position as a member of the community.
>
>
>
> My answer to the question is a form of (B), but I think there’s actually
> more to do than just add some OAuth considerations to the document.
>
>
>
> As the document stands today, *I do not believe that it addresses the
> milestone or deliverable* as defined by the working group, in either its
> stated scope or its content. I would like to offer what I hope is a helpful
> framing of the goals that I believe this document should ascribe to. I
> believe the document can reach these goals if we choose to, but it would
> need a good amount of work to get to that point.
>
>
>
>
>
> *1) It should be informational, not BCP.* We are far too early in the
> work of WIMSE to determine what "best practices" are by the IETF
> definition. [1]
>
>
>
>
>
> *2) It should explicitly enumerate and address the three non-oauth means
> of "getting a token" that are common in this space.* These are hinted at
> in the document, but to my understanding these practices are:
>
>
>
>  - Setting environment variables
>
>  - Mounting a file on a virtual filesystem (usually through some container
> overlay, etc)
>
>  - Reading from a local socket through an agent
>
>
>
> Each of these approaches has different security considerations and
> tradeoffs, and this document is the perfect place to address each of these
> practices with clear, sober advice for implementors on what to choose and
> when to choose it.
>
>
>
>
>
> *3) It should focus on the token from (2) in the cases where it’s a WIMSE
> token,* as defined by other docs in this WG. Specifically it should point
> out that what you’re mounting/loading/etc is not an "access token" in the
> traditional sense, as it’s not intended to directly call another service
> after an act of delegation. Instead, it’s a means of identifying the
> workload instance and allowing it to perform core functions, which might
> include getting an access token through some means.
>
>
>
>
>
> *4) It should point to other work for trading the WIMSE token* from (3)
> for an access token where needed, these won’t be in this document. The WG
> has identified token exchange/translation and as-of-yet-undefined "local
> token issuance" as means of going from the WIMSE space into OAuth space,
> and vice versa. This document shouldn’t specify how to do any of that, but
> should instead point forward to other work as out of scope. This work could
> also talk about getting transaction tokens or other artifacts.
>
>
>
>
>
> *5) In the case where the token from (2) is actually an access token or
> used as such*, there should be security considerations and discussion
> around the tradeoff — because somebody’s going to do it that way anyway
> regardless of how much we warn them. This document is a good place to
> discuss such tradeoffs — for example, you save a round trip, but now you
> have a much more dangerous artifact immediately available.
>
>
>
>
>
> *6) It should address but not define proof of possession, *to the extent
> that it talks about loading and managing associated secrets alongside the
> token. The means of token PoP should be covered by other documents, such as
> the proposed S2S document.
>
>
>
>
>
> I think that if we address the six points here, this document could be an
> incredibly useful piece of work for the wider community. I also don’t think
> it’s a massive amount of work to get there — certainly much more than what
> the document currently addresses, but as it’s informational and largely
> documenting and commenting on existing practices instead of inventing
> protocols and formats, I believe a lot of the knowledge already exists out
> there in the community and it needs to be distilled and edited.
>
>
>
>
>
> — Justin
>
>
>
> https://datatracker.ietf.org/doc/html/rfc1818
>
>
>
> On Jul 29, 2024, at 6:21 AM, Pieter Kasselman <
> pieter.kasselman@microsoft.com> wrote:
>
>
>
> During the Working Group meeting in Vancouver there was discussion on the
> scope of the Working Group document titled Best Current Practice for OAuth
> 2.0 Client Authentication in Workload Environments [1], which was adopted
> in accordance with the following deliverable in the charter [2]:
>
>
>
>    - [I or BCP] Document and make recommendations based on operational
>    experience to existing token distribution practices for workloads.
>
>
>
> This is intended to respond to the following milestone [3]:
>
>
>
>    - Submit informational document describing considerations for
>    filesystem-based JWT delivery in Kubernetes to the IESG
>
>
>
> Please reply to the list to indicate which of the following options
> represent the appropriate scope for this document:
>
>
>
>    1. Document existing practices without specific recommendations on how
>    to obtain, protect and use OAuth Access Tokens.
>    2. Document existing practices along with strong recommendations on
>    how to obtain, protect and use OAuth Access Tokens.
>    3. Need more information (please state what more information you need).
>    4. No opinion (i.e., this isn’t a topic you care strongly about).
>
>
> Please reply to the list by August 12th, 2024.
>
>
>
> Thank you,
>
>
>
> Pieter and Justin
>
>
>
> [1]
> https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/
>
> [2] https://datatracker.ietf.org/doc/charter-ietf-wimse/
>
> [3] https://datatracker.ietf.org/wg/wimse/about/
>
>
> --
> Wimse mailing list -- wimse@ietf.org
> To unsubscribe send an email to wimse-leave@ietf.org
>

v2.29.0 | Report a Bug | By Email | System Status