[Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments

"Flemming Andreasen (fandreas)" <fandreas@cisco.com> Mon, 29 July 2024 22:17 UTC

IronPort-PHdr: A9a23:Shv8+RfuWY2P0Yn/rgOuUog2lGM/gIqcDmcuAtIPgrZKdOGk55v9e RCZ7vR2h1iPVoLeuLpIiOvT5rjpQndIoY2Av3YLbIFWWlcbhN8XkQ0tDI/NCUDyIPPwKS1vN M9DT1RiuXq8NCBo
IronPort-Data: A9a23:p31S+6iJluSec2oNY3YtKyFJX161ahAKZh0ujC45NGQN5FlHY01je htvCDvSOfeDa2Sjet9zPIm+8xgP7ZTVmNUyHgI+pS9mH3hjpJueD7x1DKtf0wB+jyHnZBg6h ynLQoCYdKjYdleF+1HwdOGn9SQhvU2xbuKUIPbePSxsThNTRi4kiBZy88Y0mYcAbeKRW2thg vus5ZWOULOZ82QsaD5MtPjS8EkHUMna4Vv0gHRvPZing3eG/5UlJMp3Db28KXL+Xr5VEoaSL 87fzKu093/u5BwkDNWoiN7TKiXmlZaLYGBiIlIPM0STqkAqSh4ai87XB9JAAatjsAhlqvgqo Dl7WTNcfi9yVkHEsLx1vxC1iEiSN4UekFPMCSDXXcB+UyQqflO0q8iCAn3aMqUp4eFtG2Zt9 cY4LSgtNEjfhceE5K2SH7wEasQLdKEHPasFsX1miDreF/tjHdbIQr7B4plT2zJYasJmRKmFI ZFGL2s0Kk2dPnWjOX9PYH46tOmhgHXlfjRDgFmUvqEwpWPUyWSd1ZC3a4aLJYfVFZo9ckCwm 2H+xj3wME0gLPetymOo2HnyoO6WpHauMG4VPOblrqEx2gL7KnYoIAIXUEC2ifi0lkD4XMhQQ 3H44QI0pqQ0sUesVNS4A1uzoWWPuVgXXN84//AGBB+l+7HT+RyeJWg+bjtZSIZ+6M0Tdxg1/ wrc9z/2PgBHvLqQQHOb076bqzKuJCQYRVPugwdaEGPpBPG9/OkOYgLzczp1LEKiYjTI9dzY2 TuGqm01gK8eyJJN3KSg9leBiDWpznQocuLXzluJNo5GxlolDGJAW2BOwQOChRqnBN3CJmRtR FBex6CjABkmVPlhbhClTuQXB62O7P2YKjDailMHN8B+rW71oCb5INkKvm0WyKJV3iAsJGOBj Kj75FM52XOvFCHxBUOKS9vrUp1xnPKI+SrNCq+NMIYmjmdNmP+vp3w2OhXKgAgBYWAnkLo0P t+AYN2wAHMBQaVhx3zeegvu+eFD+8zK/kuKHcqT503+idK2PSfFIZ9bawHmRr5is8u5TPD9r ow32z2ikUsPCYUTo0D/rOYuELz9BSNnVMmr95MNKbTrz8gPMDhJNsI9CIgJIuRNt69UjezPu Hq6XydlJJDX3BUr9S3ihqhfVY7S
IronPort-HdrOrdr: A9a23:7v8iOKHe3/MiBYFlpLqFoZLXdLJyesId70hD6qkvc203TiXIra CTdaogtCMc0AxhJ03I+ertBEDyewKjyXcV2/hcAV7MZnichILFFvAH0WKm+UydJ8SczJ8T6U 4DSdkFNDSYNzET5qiKgnjcLz9j+qj7zEnCv5a5854Zd3ATV0gW1XYBNu/0KDwQeCB2QbACON 634M1BqzC8eXIRQPiaKxA+NdTrlpngrr6jRQQJKSIGxWC14A9A7oSULzGomjMlFx9fy7Yr9m bI1ybj4L+4jv29whjAk0fO8pV/grLau5p+Lf3JrvJQBiTniw6uaogkcaaFpioJrOam70tvuM XQoi0nI9945xrqDyGISFrWqkrdOQQVmjrfIGyj8D/eSAvCNXUH4v969MBkm93imgwdVZ9Hof t2Nimixutq5Fv77VTADp7zJl9Xfo7emwt4rQbV5EYvCbf3ItVq3P8i1VIQH5EaEC3g7oc7VO FoEcHH/f5TNUiXdnbDowBUsZeRt1kIb167q3I5y4So+ikTmGo8w1oTxcQZkHtF/JUhS4Nc7+ CBNqhzjrlBQsIfcKo4XY46MIaKI32IRQiJPHOZIFzhGq1CM3XRq4Tv6LFw4O2xYpQHwJY7hZ yEWlJFsmw5fV7oFKS1rdd22wGIRH/4USXmy8lY6ZQ8srrgRKDzOSnGU1wqm9vImYRoPiQaYY fFBHt7OY6WEYK1I/c64+TXYegmFUUj
From: "Flemming Andreasen (fandreas)" <fandreas@cisco.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>, "wimse@ietf.org" <wimse@ietf.org>, Justin Richer <jricher@mit.edu>
Thread-Topic: [Wimse] Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
Thread-Index: AdrhoMjopmD8yk6CTG2adWt4Qe20MQAZEn0A
Date: Mon, 29 Jul 2024 22:17:18 +0000
Message-ID: <7c7c2092-a806-4f28-a37b-f3556b9858a5@cisco.com>
References: <DBAPR83MB0437B6623ED287A218D1FE4F91B72@DBAPR83MB0437.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB0437B6623ED287A218D1FE4F91B72@DBAPR83MB0437.EURPRD83.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
user-agent: Mozilla Thunderbird
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: QVolnR0jwaYplmlh2IutEk++L3U6nPHT5OQ1YMVqRHGDG2fOAi1+t+zMCc44zjDZZ5AC6gLI4ddQXrnZ+5xh4Nz7LRPA8IMzsmXruydLVD7jqH4O0RuWDKDOFoqr3uDIiCXzQvehzc4vPx8V25maV7Pd1XY/oU0OpA9HK9Cj/hJYfjdUmdkgd5a7qFr1Fatt+4ObvXHhDKYjeVs87C5nPgzf9la1lg+QQ51tlbZJmPahQ5DcglVq9XRowPoJ/+K6GR6c6Mbq6Z99VnEXLYODj671kgfpFoiEAax8u+fiLL5g5zCQqaUAc81SGMq0zb/Kgb4kGLliDEpnMrYe4wu/YHRhYRt1DRFzGUFqSFzoiYVxnym5grQcYQjwbWz3mXMII247KiKS6H3dBu1W3btfg7NGunYFS74J6P6esKukHn3hzmXDpLDxRwv1wmEeTgSlolLfLW9Wf05LkF/SAQj+bNgdP2Dzo5SVqcnAmLKRN6gchAO+e7pmQOGC59W2YQTQu8OJMTMh/MNY2AGqsue+OpxTLYVwisMVue5moXTqnVpCNmDG1aWncwOwIP2gUSDG3WecdfrIlcjdtSEaXxC+74QPg629q7DwcFlAbxisf1pLspbM+ASgdnwuBLKhFTTFcg7yJnVKGJiv1tyg/lHgkvwBFaTLyuWwMmP8Vf4glw5Z15XV+IP9LNgwU6TXNsoeRbB10VTBuSayrBLu/ZXpd7KXU7sn4vdxGnTU/zD4fNJ0DR8Q4guQZDhaCEBzWvrSDsgX/qL9jwLBcPsxkuVh3cy3G1/XaUfF3yCEYmiv8KSc0oUd0x+fLGxuAXjPSs0a/XWZ1fwD9lceD+FznnyAkElKjWSpKWIr6+HNx3xiio3BeeB+JcVA4TNRBfKFeMDAUAMKgKASxwukEB6FcBEaOp2DK68de4og782/ZlM5npmoqciyy2g5Iad/ycz7kRJCp2BNm4/RLoX3wGVMricKK+Mx/Ci/R62rFVd/VSjaWMHXoMFbdNwqXsSE6UdzKgP6AYxywYU6RyvZUR9iArzTOt2eo2yZWUynXMI/pSG2L2YeTioW98kck866fYSlCBpZZPJGojJokWbcCYAhRUg3h1mFM4GdxKANpua2d/BzYJKp09XxzS9urhI/DkNWVps7CAE1KA1z21l3QJxwG0Vd6URTs3PlRUAEGbbb6Cx9ExAPRae86l78CnP1H3gHRQM+GY1+AFE3qT9q1yYnT5jG4yJ31hQMysOiWZTtqFIflPVZA5jwXwLjrjEnWOyoFcxv6S/XyOdcg8u39z3kNdrRVZe9Kfj97/gDZDoqU3ObMZJbaSzQSnN3E5lxOO36orAEFY5eB4mecd+x67C4az0hSdEL4xfT4yW6KD8RLEq5IhVh1fohTGoZe+6mwvDi9rC4vVMWgp8WTudvcSWr+Fn/6buTOaHbJVVg+Fxmz3mvRnWqfJ8xbc8qhmCKTQmWwAIgLg4fICKaKGMVyCkATTARjLe2/ZCgV1u7vFzMxkOxDAVaS/gtevo5QVcDWIe4jb2cwQ/pGYB/jIOYGXtGuF9gZ5xMA0OmDW5Og0TtRdEO3eXSjlMsvgb3GDt9dEH3FoRE
Content-Type: multipart/alternative; boundary="_000_7c7c2092a8064f28a37bf3556b9858a5ciscocom_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR11MB4760.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 1eb92eeb-3dba-4b09-e7e3-08dcb01c35bc
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jul 2024 22:17:18.6715 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: gbKMtgUJDzK3Bg8WaWU1ozVAaeA+5phUR3GJb8De7SO1YLlQI7XSX7/BfsoZpJUeefCzytFwUsu8t2zI29VgTA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR11MB5123
X-Outbound-SMTP-Client: 173.37.147.252, alln-opgw-4.cisco.com
X-Outbound-Node: rcdn-core-4.cisco.com
Message-ID-Hash: Z2HEVJBXCIFHJGWRZVOVU65FZFGUHX7C
X-Message-ID-Hash: Z2HEVJBXCIFHJGWRZVOVU65FZFGUHX7C
X-MailFrom: fandreas@cisco.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/tPPjYoOt-rjM2ZaPGVtyJpjArUk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>

Given the choices, I would go for option A (i.e. no specific recommendations), the reason being I don't think it makes a lot of sense for WIMSE to recommend one thing based purely on OAuth access tokens, when we may end up specifying something different using WIMSE tokens (or whatever we end up calling it). I do think pointing out potential issues with current mechanisms would be helpful though.

Thanks

-- Flemming


On 7/29/24 06:21, Pieter Kasselman wrote:
During the Working Group meeting in Vancouver there was discussion on the scope of the Working Group document titled Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments [1], which was adopted in accordance with the following deliverable in the charter [2]:


  *   [I or BCP] Document and make recommendations based on operational experience to existing token distribution practices for workloads.

This is intended to respond to the following milestone [3]:


  *   Submit informational document describing considerations for filesystem-based JWT delivery in Kubernetes to the IESG

Please reply to the list to indicate which of the following options represent the appropriate scope for this document:


  1.  Document existing practices without specific recommendations on how to obtain, protect and use OAuth Access Tokens.
  2.  Document existing practices along with strong recommendations on how to obtain, protect and use OAuth Access Tokens.
  3.  Need more information (please state what more information you need).
  4.  No opinion (i.e., this isn’t a topic you care strongly about).

Please reply to the list by August 12th, 2024.

Thank you,

Pieter and Justin

[1] https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/
[2] https://datatracker.ietf.org/doc/charter-ietf-wimse/
[3] https://datatracker.ietf.org/wg/wimse/about/

[Wimse] Request for Input: Best Current Practice … Pieter Kasselman
[Wimse] Re: Request for Input: Best Current Pract… Flemming Andreasen (fandreas)
[Wimse] Re: Request for Input: Best Current Pract… Andrii Deinega
[Wimse] Re: [EXTERNAL] Re: Request for Input: Bes… Arndt Schwenkschuster
[Wimse] Re: [EXTERNAL] Re: Request for Input: Bes… Yaron Sheffer
[Wimse] Re: Request for Input: Best Current Pract… Justin Richer
[Wimse] Re: Request for Input: Best Current Pract… Yaron Sheffer
[Wimse] Re: Request for Input: Best Current Pract… Joseph Salowey
[Wimse] Re: Request for Input: Best Current Pract… Justin Richer
[Wimse] Re: Request for Input: Best Current Pract… John Kemp
[Wimse] Re: Request for Input: Best Current Pract… McAdams, Darin