IETF Logo Mail Archive

Re: [Wimse] JWT-based workload authentication via OIDC (ab)use

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 29 November 2023 15:21 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8B1AC14CE53; Wed, 29 Nov 2023 07:21:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmx.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VBF91aOE173w; Wed, 29 Nov 2023 07:21:52 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FD27C14CE55; Wed, 29 Nov 2023 07:21:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=s31663417; t=1701271309; x=1701876109; i=hannes.tschofenig@gmx.net; bh=RXLxJmxK7+cSWu6N9p2r5ae0F6hT4E2rjhvVlX7p6Ok=; h=X-UI-Sender-Class:Date:Subject:To:Cc:References:From: In-Reply-To; b=PSwaTA5uKDjQvrFYEDMkvwNkmL4Cn6o2regN7fVdQDsIHjvI4bT/qvHb29k1AJdq 1SXHAYgnAMN+fSy87PIP9BMJNLydOMIl4pFuK1LzMotqsT+czR35Q7ZVeP96vsRIb TBdinGwMvXS4OmJt1cMA8wN07wSO44JJc+1pMl4qN1AUqHAUX3CZtd9BWNeea42GH C70DH4+OT0M/sQsWKus7wyDMGUVcHtGPBOi5cs6HrmbADrtWf1nTRb3kzMHCyP7YZ ZSaHgt/9Xqj2FIKuksnj2va4zwKhR4l8/HZXRSr3lKSpUnhln/2h1LdXHwjWXfeCz cShkuJoXaChgcx3/ug==
X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a
Received: from [172.16.254.186] ([185.176.157.173]) by mail.gmx.net (mrgmx105 [212.227.17.168]) with ESMTPSA (Nemesis) id 1M7K3Y-1rDqYz1gpY-007nM0; Wed, 29 Nov 2023 16:21:49 +0100
Content-Type: multipart/alternative; boundary="------------yZZ20sH0qokVrpCpGExsHBmB"
Message-ID: <88c47206-f7b1-461f-84f7-22f548e7783c@gmx.net>
Date: Wed, 29 Nov 2023 16:21:50 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Evan Gilman <evan@spirl.com>
Cc: wimse@ietf.org
References: <CAOB-mKnZzau0ks+4T5KCcxhtk7BEZdVjqJAaE=gVNK3WFYYvAw@mail.gmail.com> <CA+k3eCRg1N_DCDVUq+FLqQEZA5EMMdY4Yu7XiQ4MvUZb9Rrg0w@mail.gmail.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
In-Reply-To: <CA+k3eCRg1N_DCDVUq+FLqQEZA5EMMdY4Yu7XiQ4MvUZb9Rrg0w@mail.gmail.com>
X-Provags-ID: V03:K1:+35PIB0U/ZOWwa2jgPey/V9rrSbvQDV6jU9mMIm0nGwdO5/csnU iZanopmLk6TUp2W4fCBBQ1ZWtyOOuYGMoIutc6KhqoywuAgzcqvJAZNaUR3EDxt2gOpkLPv cF48ARKebcRhbWaXlSZrtraW00/0tT+9Rg6ijQhOfzxI1O1ZY+BJ4KtJwLGXV+9Nb1OIqsi C/y9QWSfS7/oa3VOP5wvw==
UI-OutboundReport: notjunk:1;M01:P0:Hs/XsCQvZg0=;4Zz43OTlVuIXQaV3Ce5dUZEoU7s GCFf/l6PVlmalCjOcEfxDgouzUaUEu4XOLYpMkSOUuSwKD5Sm5Lv0GhM0rDx5eyeHyxLr5Xta xiQvVGFFnF8OseSXgNA16s6ZPzM8vZp441jF+Wr1s8+V6y2raoO0wfNs7fNIeb9vYLznwfBBY MdFkfdnUjDqXH93+GNZuo7AiZ8lFdG8tlSO0T2U6zYKdwtov8EgZB7iN+Bbis+6G/iN7dKq6k ZSwuQL/xnMrHbz6iW7PAQKHTN/K0YwNvyjladAd3McjLYARa96APMNDXAIawx3UyAQo4z1XXV 96INVtgEOfb4/h/C/230/LeXyZ+FCUVSSYOuVirvnb+93Za6LtchMMwBYiZYyJb3tiacBJVg2 nG7PP9+S81eaEPA9bLywqvAaPbfnSS5V/w5TSmJ7Oy6+AGhyMgnkC8c5b6kSK+ONGuJCVuixl Qnq5KVbnBbDS5woba1aMK6TqXLOQnG9gcq0urVHelCbm3IbCJih6wI4iDMFautBQPsrf5R+Ph Ocvh2ctXWazsnIajMAlWzOnE7gN8sqm8Ol5GikHd9KJfY004oFvz/2Q+WJwxv7jouiMnOAmek g7Rmlgb9+uVS9Gfflz5jDTMHGf0WnNXdXH4hC8bQ/w0+WMAsD34WlRumvg2VRpUiNMtKfEdQc dB29DsfxMTloHoKJxWdEL5oLRIrkd7KuW4y6WGQtmTpX7HeVp6W8AcKf76NCDEvuSpHYRcYHS WsequUM03PiEVYZEqbzy15Hdl3W9Ym66sHHrqM9kBbS9+bMLNvshp+qhokXzGpsSQLryKUOv0 Io7NrCsaAZ0vtUVskQF4hh7XCXjmj3GYV29XSrgmI5GERNC3vpS5CvI2lZM2VAHM/qFtXbBCF Qhm/G156FfASS9hKk4JT+8T+bIL4eRA2XEA1ZLLdo9lemcWpjtMA3dbPM3lF050rId4UI0FRG YDP8H/AL70uHd0dSPR03gQGdY/Y=
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/ncbR1VVgBaRLM1us4syQjCZeaOY>
Subject: Re: [Wimse] JWT-based workload authentication via OIDC (ab)use
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Nov 2023 15:21:57 -0000

Hi all,


after we posted [1] we got feedback that the description of how the
workload proceeds interacting with the resource server may be
over-specified and too specific and should instead be generalized.


Reading the review feedback from Evan gives me the impression that there
is probably a possible separation between

(a) the interaction needed to present the workload with a token and the
way to convert that token into something that can be used subsequently
through the use of token exchange,

and

(b) the intaction that follows afterwards by the workload.


I sounds a bit like (b) should be aligned with the work in the industry
today, for example with [2]. Regarding Brian's draft
<draft-schwenkschuster-oauth-identity-chaining>, I couldn't recognize a
good alignment with [2]. [2] talks about re-using OpenID Connect while
Brian's document doesn't.


Ciao

Hannes


PS: Should <draft-schwenkschuster-oauth-identity-chaining> actually be
an item to be worked on in WIMSE rather than in OAuth?


Am 29.11.2023 um 14:52 schrieb Brian Campbell:
> On the face of it this sounds a lot like the JWT authorization grant
> from https://datatracker.ietf.org/doc/html/rfc7523
>
> This draft
> https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-identity-chaining/,
> which wasrecently adopted by the OAuth WG
> <https://mailarchive.ietf.org/arch/msg/oauth/l6dGZNuyH7GyiNX9uz1C9R_SCRc/>
> attempts to further profile/describe the JWT authorization grant
> including mention of the metadata/JWKS and a local token exchange to
> receive the initial token.
>
> On Tue, Nov 28, 2023 at 3:48 PM Evan Gilman <evan@spirl.com> wrote:
>
>     Hannes' BCP draft on kubernetes workload identity tokens [1]
>     discusses a very common use case where a workload uses a
>     platform-provided JWT to authenticate to another service in a
>     different identity domain. In the case of the BCP, authentication
>     to an OAuth Resource Server is discussed, which uses the
>     platform-provided token to "enter an OAuth domain" and receive an
>     access token. There are similar (perhaps even more popular)
>     patterns e.g. use a platform-provided token to "enter the AWS
>     domain" by exchanging it for a time-limited AWS secret access key.
>     In fact, the latter pattern exists in all three major cloud
>     providers, and has been colloquially coined as "Workload Identity
>     Federation".
>
>     Aside from the fact that "Workload Identity Federation" is a very
>     confusing way to describe this pattern, it has emerged as a
>     powerful primitive for cross-domain authentication and access. For
>     example, there are dozens of pages of documentation on how to do
>     this against a variety of targets on the GitHub website [2] ... in
>     fact, it is the recommended way to authenticate GitHub Actions CI
>     runners to pieces of infrastructure.
>
>     And yet, there is no standard way to do this.
>
>     It works purely due to lax OIDC validators ... my read of the
>     situation is that this flow is an abuse of OIDC and nowhere is
>     this pattern described by text. The following gives a rough idea:
>     * Workload receives platform token
>       * Often via disk (see [1])
>       * Platform token has a variety of bits set, depending on platform
>       * Token mocks an ID token, with a subject/issuer/audience, but
>     lacking most other things
>     * Workload calls target token exchange service, provides platform
>     token
>       * Target service is branded as OIDC-based authentication
>       * Target service is configured with mappings, usually
>     referencing sub claim and sometimes others
>       * Target service is configured with issuers
>     * Target pulls well-known OIDC discovery doc from issuer URL
>       * Target follows JWKS link, everything else is ignored
>       * (sometimes, target will be directly configured with JWKS URL
>     and skip the discovery doc)
>     * Target validates presented platform token against issuer using JWKS
>       * Target refers to mapping to know what credential to return
>     * Target returns credential valid in target domain
>     * Workload proceeds on with its day
>
>     It would be really great to capture this flow/pattern in a more
>     formal way. I think WIMSE could be a good place to do that. Even
>     just giving it a name would be valuable.
>
>     [1]:
>     https://datatracker.ietf.org/doc/draft-hofmann-wimse-workload-identity-bcp/
>     [2]:
>     https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
>     --
>     Wimse mailing list
>     Wimse@ietf.org
>     https://www.ietf.org/mailman/listinfo/wimse
>
>
> /CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly
> prohibited.  If you have received this communication in error, please
> notify the sender immediately by e-mail and delete the message and any
> file attachments from your computer. Thank you./
>

v2.23.0 | Report a Bug | By Email