IETF Logo Mail Archive

Re: [Wimse] JWT-based workload authentication via OIDC (ab)use

Pieter Kasselman <pieter.kasselman@microsoft.com> Fri, 01 December 2023 15:12 UTC

Return-Path: <pieter.kasselman@microsoft.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23057C14F74A for <wimse@ietfa.amsl.com>; Fri, 1 Dec 2023 07:12:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.109
X-Spam-Level:
X-Spam-Status: No, score=-7.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IrBMC7giMAkL for <wimse@ietfa.amsl.com>; Fri, 1 Dec 2023 07:12:16 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2132.outbound.protection.outlook.com [40.107.21.132]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D622FC151093 for <wimse@ietf.org>; Fri, 1 Dec 2023 07:12:15 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fDDGyPnC0GnPG1gpxN+7FPG+oX6xkuckDqtH4/8SNT8yrY+/M4fOjxkml45wy+Rlt3quQ1oGq/ilniMtosxbBNz3owMabmUm1Dd3+w4NXWlAwpUto9R7/axtWouScSfqvrf01pmqzIahFOUy2BS81nSTeYTmhVcD9RSbvTOwUV8O0ZKRPKI0n2jiibenPOhe3I6ipnqKcoySa4Qwx3QgkAGItsXxars9BdQHRFVFkyPd+oxcQuAs+G6cGAK0ne3RzDjt3PKjD3rTM7HNMEXYy8Ke+wn25BnAXWn9YTXQmJXDb/ZC46K+v+deXGpFZfUDaAdjAxCbb5Z9V/0RrMpQkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=aqkgo9oZLn8EbQ21x1mQXuqpTZuqSB0ISqHqUuo0S2w=; b=OqS2TRT4o1+RQj5Uaz5h+fuBRF4lR2I+NRz+OCCetlCOlGMhSavQsuGS0j5PFlBAk/WNKd8udOMnGdn6eqX5qRJUa1O1VVpOP/fUGEltX3IVQ2Io34QotI/WxuYIc+6i3MSGx0DfgCVemTOfHyrFPlzezK8K1HmbcgjsT9IVHN0NYSbJ8KImGMjN2yb4tJufGr32v6eo4o2q5rGbE42RG/a3kBakj2COU/qHxKO47WqAxOvLnGfNMyhQEULoaLgX75dOFLekdAc7T98M5vlrIVSBGt8h4/7CBpI9dN/lLDV14xoPv3dK5yOIsRy3aL/vgrqTZefZUeRrupnMJdbntA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aqkgo9oZLn8EbQ21x1mQXuqpTZuqSB0ISqHqUuo0S2w=; b=ErQyqJUY0U4Y+6ZQ+L5kWPzUfzf4J/2J/ID97K5GAcezqDgOG6JInaG++CXNQmdWIeXt79qszdR+t+BDkDq/0lW/rwjZskz4ZXEYa0EYxAXV8P2jTa3HGrU1NbUdbbETop8prLLImve3ygVK9MFUXWzcAc9cTK22SBK2/dYsYUA=
Received: from DBAPR83MB0422.EURPRD83.prod.outlook.com (2603:10a6:10:195::11) by DU0PR83MB0530.EURPRD83.prod.outlook.com (2603:10a6:10:312::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7068.15; Fri, 1 Dec 2023 15:12:11 +0000
Received: from DBAPR83MB0422.EURPRD83.prod.outlook.com ([fe80::c70a:7598:17f:db3d]) by DBAPR83MB0422.EURPRD83.prod.outlook.com ([fe80::c70a:7598:17f:db3d%3]) with mapi id 15.20.7068.014; Fri, 1 Dec 2023 15:12:11 +0000
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Evan Gilman <evan@spirl.com>
CC: "wimse@ietf.org" <wimse@ietf.org>
Thread-Topic: [Wimse] JWT-based workload authentication via OIDC (ab)use
Thread-Index: AQHaIk0TaphZzjm6fEWEO5nDp2SGgbCRUdsAgAAZFwCAAyAggA==
Date: Fri, 01 Dec 2023 15:12:10 +0000
Message-ID: <DBAPR83MB042240E0089386843C8D16729181A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
References: <CAOB-mKnZzau0ks+4T5KCcxhtk7BEZdVjqJAaE=gVNK3WFYYvAw@mail.gmail.com> <CA+k3eCRg1N_DCDVUq+FLqQEZA5EMMdY4Yu7XiQ4MvUZb9Rrg0w@mail.gmail.com> <88c47206-f7b1-461f-84f7-22f548e7783c@gmx.net>
In-Reply-To: <88c47206-f7b1-461f-84f7-22f548e7783c@gmx.net>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=87bcc5e6-a929-48ae-96be-e8927b72f9ff; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2023-12-01T15:05:35Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DBAPR83MB0422:EE_|DU0PR83MB0530:EE_
x-ms-office365-filtering-correlation-id: d853d017-0aa2-4344-3a16-08dbf27fe474
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: bwr4Z8z30oh664hqAQ7gsEo9xSnxOA1/YNh0jDs3J4YdKjG0EWL48OkW1qiBPuaWBAuc2N5KF7pdsUyfMzoW8vQ6Qkl1RCpw88Nu76/wEUaf0kRXoyhxbxbAWkpFt2k8qyEjCBsizfnB+7wHWTwBG8DjmL5kizAZHfeBVQ3X1obCW+Ha+kZ0/vyb0wahLKFcBX8C9ikz898vf5c1i0UnkYnSDUXofzus2WSooGyLs7CbDaUJIkwgCsMZ58VOWxgncYQ40xy0Cvaj8JZfPgjr+e7nFqCK7mE0M7G8sXWF0iAQSykPhbJmWK9W8Vp2d2gZteFKDLJWPwRtXpmJS1yrrEIlH5/EVht7AK8Z6DBouksz2Xwbhsu70ptRWABZtKtUxFrm8z8IbV1rHn+KU3h8uhxOp/EkA+FwhUOL+XDfN6YrSIqSd5XiVlJ/uHP6IPs958r2zjorgzwoTIdpaa38EkqDZP6D+Bxqb36V4YblgzJTStkI/6Xqkk7Dsr3OqaahlJ/MEcnMpeFXqSoOFWvwybkTfhkXahW0OqbLkpM7zcYNQygukza9Yqvk5t511+/hSw/SpiigWKHLcv5umUEkYMEhz7ZlT2G8ZCQvXZqVr7i5iTrdZOuERGnGQ3363HsFwroAkR+NrIF946HWmKUlYDKMHoRs9o7Eta1j3UWxbMRj94B+2YoYjNN6f0fLv/Zz
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DBAPR83MB0422.EURPRD83.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(376002)(366004)(346002)(396003)(136003)(230473577357003)(230922051799003)(230373577357003)(64100799003)(186009)(451199024)(1800799012)(66946007)(66446008)(66476007)(66556008)(64756008)(110136005)(76116006)(122000001)(38100700002)(86362001)(55016003)(316002)(38070700009)(6506007)(71200400001)(10290500003)(7696005)(41300700001)(2906002)(8676002)(4326008)(83380400001)(33656002)(8936002)(44832011)(166002)(52536014)(966005)(53546011)(478600001)(9686003)(26005)(82950400001)(82960400001)(5660300002)(8990500004); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: btOk/gCLgDEpgTehXhkOw5q5oJzC7uE04KsuMnLQibuz7xf+GOVbiP5mimhWNMEs7OxAgHxMBrmeplNo7dbCjWTfV1HzAq9wBHF5mq4jQ6Vcp893cIjgR6bSdg2X8gsam0IRMHipItvufBB93pXT/aJ1bpMemNlX/AmisCJuSXnA1GJr7tVeTL3CCnBBr/Iq+qC9StByDTjQLvauwo0leuZg64nNiQpYRxIXPNGCNrCxXf+nwi0oHg2eLBy/lchBC2erXWRb0QakjsFJ5C3PPVJiD4g6fBg6a7SITgt4DB502hYPckOuyAoCixJHwyWBUNnhh3QyfEhXlsc2PLwj1IGdLybpHz+xGFtWcrdKMXodlkqOWCdRPEBg01xpbjnwyVTaEt4zxfoZ0cuZvzYnsTGH3OXw8jsxU1Jby1fNuF2cUcbau56jtgpfIeL/r5Rzt5AnPtcYAkox8BQfe7aP2gVocQcZpd+SEnZUvIUQtpmyH7AZ0ocYFxU/FXlJAt4RCY2SHCK5WhBzXBkGmH03KYjCH9yH8n1NamicKv7oZ8n+Xw0N2arcQAnYmjAS8NP3NvrriPDyybaRXFUJ62NECvCxSJalZ+7ycfqGO30Rg2h6T1LPxn6Z5ZdJfeDjZljfXNSLcoi+H9kZ0eLsyUj5WKDI4YZ+HISJDg7hnsXYWPqhRq5i/6+C59e0usTABFc/629jaq/TVcgwIoVxewjQTPMsmD/tOYUoMBTDp7AuzpDY/6u+HG6xe7hAdPx5wJ9aVzBIA9pSl986yVfJgVdQe3a552rfghD3bk9iPrxmO3kuCOGEyc6v/mbBvbhgctQ8n2ITuZ0wW3F5n/CuyPLJJ1khKm2yXae3Es3dpJNnbqYcH4Tg/vC+tsSKAMU83VjktHBXD5P1bmmmDngbpZVr7zhav8/Rta3pw7lr6AkXsGIS+AUUodnU74CCWNNvsJw9KpHDWLprm0WtUs/kKsEAzDJEPj5xqEM41l2Y6xEplrjBPcvYRljFbdgqx/KnpG/ywXlrNlhahQqHPpi1n5v2qeJD/gjCX2Xr3WdEthQVUc+EFLKs9Ye9dXhIiSaTRDwLDL8+PLfTOvkThD7fFwCFMKJB3ZiGp4Y0JxEObi/16A3NtjRPb/J1inoS11yiFnOGm4UElvpNW2rFWi/SLeOhBE5a3cDN1wSP48L+SVFXSZIKKhOUD5HtJ6qvKts6VeJuC3Yktj9kOlVf0f5ALS07GOfevtuEZ5olo0j01MiqKjZ2s7GEFm01M0UqNKRlm0QjwdumyTuiYzNFsWyciqVEa4QvDpG8oQkhHB0FxM2W9yu5+MCCpYYDcnsqgx0lm0DDryB8kzldyK37wUIUxAOdBADSZdAGE/7dim7eFwdB7DOW1zfsuCSVvCAn+zZmSqM5ACC2+jDptoqc8C7A33iCY7hDnFD7SKbsby5xYjPh8+VUHpDHGycCrXmneXmEgigzOH6jB56pBIvg3aZ2PeQLsfnJckY3ou+iRC++EUhtLEPwDhRFeu+J21b3CVQgWcQh
Content-Type: multipart/alternative; boundary="_000_DBAPR83MB042240E0089386843C8D16729181ADBAPR83MB0422EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DBAPR83MB0422.EURPRD83.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d853d017-0aa2-4344-3a16-08dbf27fe474
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Dec 2023 15:12:11.0225 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QDUj4ZNXUSit3A2ME+PHCogIBITJHRSEgS/r1B6jGK1Y+63Cco4/BLXRTtb2R8bczELNa2cfyCzrWIOLRrBFUut7QKfJUz7CFYwUj4EfNeA=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR83MB0530
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/gN0KvSZvCcEB7_H2M58LNf9_qRM>
Subject: Re: [Wimse] JWT-based workload authentication via OIDC (ab)use
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2023 15:12:17 -0000

Hi Hannes

Regarding your question on whether <draft-schwenkschuster-oauth-identity-chaining> actually should be an item to be worked on in WIMSE rather than in OAuth, I think that work has specific application in the OAuth ecosystem, but a discussion we can have in OAuth as well as here (some of my co-authors can chime in). Perhaps we need a profile of it for workloads, but that may be getting ahead of things a bit.

Cheers

Pieter


From: Wimse <wimse-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Wednesday, November 29, 2023 3:22 PM
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>; Evan Gilman <evan@spirl.com>
Cc: wimse@ietf.org
Subject: Re: [Wimse] JWT-based workload authentication via OIDC (ab)use


Hi all,



after we posted [1] we got feedback that the description of how the workload proceeds interacting with the resource server may be over-specified and too specific and should instead be generalized.



Reading the review feedback from Evan gives me the impression that there is probably a possible separation between

(a) the interaction needed to present the workload with a token and the way to convert that token into something that can be used subsequently through the use of token exchange,

and

(b) the intaction that follows afterwards by the workload.



I sounds a bit like (b) should be aligned with the work in the industry today, for example with [2]. Regarding Brian's draft <draft-schwenkschuster-oauth-identity-chaining>, I couldn't recognize a good alignment with [2]. [2] talks about re-using OpenID Connect while Brian's document doesn't.


Ciao

Hannes



PS: Should <draft-schwenkschuster-oauth-identity-chaining> actually be an item to be worked on in WIMSE rather than in OAuth?


Am 29.11.2023 um 14:52 schrieb Brian Campbell:
On the face of it this sounds a lot like the JWT authorization grant from https://datatracker.ietf.org/doc/html/rfc7523

This draft https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-identity-chaining/, which was recently adopted by the OAuth WG<https://mailarchive.ietf.org/arch/msg/oauth/l6dGZNuyH7GyiNX9uz1C9R_SCRc/> attempts to further profile/describe the JWT authorization grant including mention of the metadata/JWKS and a local token exchange to receive the initial token.

On Tue, Nov 28, 2023 at 3:48 PM Evan Gilman <evan@spirl.com<mailto:evan@spirl.com>> wrote:
Hannes' BCP draft on kubernetes workload identity tokens [1] discusses a very common use case where a workload uses a platform-provided JWT to authenticate to another service in a different identity domain. In the case of the BCP, authentication to an OAuth Resource Server is discussed, which uses the platform-provided token to "enter an OAuth domain" and receive an access token. There are similar (perhaps even more popular) patterns e.g. use a platform-provided token to "enter the AWS domain" by exchanging it for a time-limited AWS secret access key. In fact, the latter pattern exists in all three major cloud providers, and has been colloquially coined as "Workload Identity Federation".

Aside from the fact that "Workload Identity Federation" is a very confusing way to describe this pattern, it has emerged as a powerful primitive for cross-domain authentication and access. For example, there are dozens of pages of documentation on how to do this against a variety of targets on the GitHub website [2] ... in fact, it is the recommended way to authenticate GitHub Actions CI runners to pieces of infrastructure.

And yet, there is no standard way to do this.

It works purely due to lax OIDC validators ... my read of the situation is that this flow is an abuse of OIDC and nowhere is this pattern described by text. The following gives a rough idea:
* Workload receives platform token
  * Often via disk (see [1])
  * Platform token has a variety of bits set, depending on platform
  * Token mocks an ID token, with a subject/issuer/audience, but lacking most other things
* Workload calls target token exchange service, provides platform token
  * Target service is branded as OIDC-based authentication
  * Target service is configured with mappings, usually referencing sub claim and sometimes others
  * Target service is configured with issuers
* Target pulls well-known OIDC discovery doc from issuer URL
  * Target follows JWKS link, everything else is ignored
  * (sometimes, target will be directly configured with JWKS URL and skip the discovery doc)
* Target validates presented platform token against issuer using JWKS
  * Target refers to mapping to know what credential to return
* Target returns credential valid in target domain
* Workload proceeds on with its day
It would be really great to capture this flow/pattern in a more formal way. I think WIMSE could be a good place to do that. Even just giving it a name would be valuable.

[1]: https://datatracker.ietf.org/doc/draft-hofmann-wimse-workload-identity-bcp/
[2]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
--
Wimse mailing list
Wimse@ietf.org<mailto:Wimse@ietf.org>
https://www.ietf.org/mailman/listinfo/wimse

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.

v2.23.0 | Report a Bug | By Email