[Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
John Kemp <stable.pseudonym@gmail.com> Mon, 12 August 2024 20:37 UTC
Return-Path: <stable.pseudonym@gmail.com>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97B4DC14F6A0 for <wimse@ietfa.amsl.com>; Mon, 12 Aug 2024 13:37:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J6Yqm7CbmfEi for <wimse@ietfa.amsl.com>; Mon, 12 Aug 2024 13:37:52 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C98BFC14F619 for <wimse@ietf.org>; Mon, 12 Aug 2024 13:37:52 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id 46e09a7af769-7093efbade6so3249738a34.2 for <wimse@ietf.org>; Mon, 12 Aug 2024 13:37:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723495071; x=1724099871; darn=ietf.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id:from :to:cc:subject:date:message-id:reply-to; bh=1LlXFobsXZNEK9UvURYhW6mQMYkH35CZqAq1lv7/8t0=; b=bT4jkV9qYGRebKSr/G6xGuNN+5vJBGpRuyegf2Rppv/Gsa3+jHBchAh2qK/dyliF/s 96LYVMeOzYjt3e0eiusiltyHu2VkTXdCflQLSHAV3DARySwCqAqAbiKNVrp2naYgcxk4 TSjnfr/8umyoSqpCTH7mGIikI3P/g20BrWHNT2tm5JDuAfu5rFV8oJ4oKCVEhET8ZS9F 3cMI41b7CeF4S03hfPmg4yGevRwRAAegv1uQtyvUj5sNA1z1Qn4A7mVT6TNS/EGGBav7 695imMuHhwGjbBk2XSHKjhW45Pok78vfGntIpsAeBdKt4V05VochiuOwb8U8bUROj/DM 1Arg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723495071; x=1724099871; h=content-transfer-encoding:in-reply-to:from:content-language :references:to:subject:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=1LlXFobsXZNEK9UvURYhW6mQMYkH35CZqAq1lv7/8t0=; b=tkBRgWfQKB3nPjSfEjnXXvFaxk09XFFy9UMfOtixxOLqpwcIOav5s8w9BMhoC4b9eO hPG7X9U5a9KM3jLxwJ2SoCPGUz7irLm7lAAdLuPIAozgSdltK1zZTqLOlcMUDwuRMIaL X91ilqJ7YF9DJ9iJrBnN1JrzmPi0f68qeGzcepLPyAbtQLOAYWgABXNzkmYkFHEmpxVp 9Ne6xVuwzlvlUoBd2J0OTuelQRdZWJ/lMPo3Rssllk6PV504JG3kanI8p3KB7z1tagwZ orzGjuD6J5AG/GjnMtoU8HaOZnPs1/orTEnYTgDgKF2/4Y6QHssuNwHs6gSiIejUc6z+ Mm7w==
X-Gm-Message-State: AOJu0YwPuz1BjoC1/TbBlVbI6m1uZ2QSVoQbAbbAqU9aJWmsJyrYHvAg bpJL3VCU+KMCjEfq/Osyl2xZ6TA82KM0udgPdOV/+E9ucIm5uR0oc9/C4Q==
X-Google-Smtp-Source: AGHT+IHub1WAnoS1b/0iwM4hHP3JaIh/HDArUeucI2YBDVqvnQEX62W2d+wlPLXDkdTq/eLQGpNlHA==
X-Received: by 2002:a05:6359:4c22:b0:1ac:ef2e:5316 with SMTP id e5c5f4694b2df-1b19d2f3e10mr221326155d.26.1723495071395; Mon, 12 Aug 2024 13:37:51 -0700 (PDT)
Received: from [192.168.1.89] (syn-066-066-241-066.res.spectrum.com. [66.66.241.66]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7a4c7d7122bsm275550585a.40.2024.08.12.13.37.50 for <wimse@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Aug 2024 13:37:51 -0700 (PDT)
Message-ID: <2348624c-747f-4b4d-acf4-be230b6b36f5@gmail.com>
Date: Mon, 12 Aug 2024 16:37:50 -0400
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: wimse@ietf.org
References: <DBAPR83MB0437B6623ED287A218D1FE4F91B72@DBAPR83MB0437.EURPRD83.prod.outlook.com> <7c7c2092-a806-4f28-a37b-f3556b9858a5@cisco.com>
Content-Language: en-US
From: John Kemp <stable.pseudonym@gmail.com>
In-Reply-To: <7c7c2092-a806-4f28-a37b-f3556b9858a5@cisco.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Message-ID-Hash: PNNUEMIB6M445HBIN5JESVX7NKSQ2F7K
X-Message-ID-Hash: PNNUEMIB6M445HBIN5JESVX7NKSQ2F7K
X-MailFrom: stable.pseudonym@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Wimse] Re: Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/wl9h7CnGpPl0DjUPhPMneVgn_D0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Owner: <mailto:wimse-owner@ietf.org>
List-Post: <mailto:wimse@ietf.org>
List-Subscribe: <mailto:wimse-join@ietf.org>
List-Unsubscribe: <mailto:wimse-leave@ietf.org>
I also favour option A for the same reasons. I do think it's worth documenting current practices, since it provides background motivation, especially as related to mitigating potential issues with current practice, which is, I think, the raison d'être of this group. Regards, - johnk On 7/29/24 6:17 PM, Flemming Andreasen (fandreas) wrote: > Given the choices, I would go for option A (i.e. no specific > recommendations), the reason being I don't think it makes a lot of sense > for WIMSE to recommend one thing based purely on OAuth access tokens, > when we may end up specifying something different using WIMSE tokens (or > whatever we end up calling it). I do think pointing out potential issues > with current mechanisms would be helpful though. > > Thanks > > -- Flemming > > > On 7/29/24 06:21, Pieter Kasselman wrote: >> >> During the Working Group meeting in Vancouver there was discussion on >> the scope of the Working Group document titled Best Current Practice >> for OAuth 2.0 Client Authentication in Workload Environments [1], >> which was adopted in accordance with the following deliverable in the >> charter [2]: >> >> * [I or BCP] Document and make recommendations based on operational >> experience to existing token distribution practices for workloads. >> >> This is intended to respond to the following milestone [3]: >> >> * Submit informational document describing considerations for >> filesystem-based JWT delivery in Kubernetes to the IESG >> >> Please reply to the list to indicate which of the following options >> represent the appropriate scope for this document: >> >> 1. Document existing practices without specific recommendations on >> how to obtain, protect and use OAuth Access Tokens. >> 2. Document existing practices along with strong recommendations on >> how to obtain, protect and use OAuth Access Tokens. >> 3. Need more information (please state what more information you need). >> 4. No opinion (i.e., this isn’t a topic you care strongly about). >> >> >> Please reply to the list by August 12th, 2024. >> >> Thank you, >> >> Pieter and Justin >> >> [1] >> https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/ >> >> [2] https://datatracker.ietf.org/doc/charter-ietf-wimse/ >> >> [3] https://datatracker.ietf.org/wg/wimse/about/ >> >> > >
- [Wimse] Request for Input: Best Current Practice … Pieter Kasselman
- [Wimse] Re: Request for Input: Best Current Pract… Flemming Andreasen (fandreas)
- [Wimse] Re: Request for Input: Best Current Pract… Andrii Deinega
- [Wimse] Re: [EXTERNAL] Re: Request for Input: Bes… Arndt Schwenkschuster
- [Wimse] Re: [EXTERNAL] Re: Request for Input: Bes… Yaron Sheffer
- [Wimse] Re: Request for Input: Best Current Pract… Justin Richer
- [Wimse] Re: Request for Input: Best Current Pract… Yaron Sheffer
- [Wimse] Re: Request for Input: Best Current Pract… Joseph Salowey
- [Wimse] Re: Request for Input: Best Current Pract… Justin Richer
- [Wimse] Re: Request for Input: Best Current Pract… John Kemp
- [Wimse] Re: Request for Input: Best Current Pract… McAdams, Darin