[Wimse] Request for Input: Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments
Pieter Kasselman <pieter.kasselman@microsoft.com> Mon, 29 July 2024 13:54 UTC
During the Working Group meeting in Vancouver there was discussion on the scope of the Working Group document titled Best Current Practice for OAuth 2.0 Client Authentication in Workload Environments [1], which was adopted in accordance with the following deliverable in the charter [2]:

* [I or BCP] Document and make recommendations based on operational experience to existing token distribution practices for workloads.

This is intended to respond to the following milestone [3]:

* Submit informational document describing considerations for filesystem-based JWT delivery in Kubernetes to the IESG

Please reply to the list to indicate which of the following options represents the appropriate scope for this document:

1. Document existing practices without specific recommendations on how to obtain, protect and use OAuth Access Tokens.
2. Document existing practices along with strong recommendations on how to obtain, protect and use OAuth Access Tokens.
3. Need more information (please state what more information you need).
4. No opinion (i.e., this isn't a topic you care strongly about).

Please reply to the list by August 12th, 2024.

Thank you,
Pieter and Justin

[1] https://datatracker.ietf.org/doc/draft-ietf-wimse-workload-identity-bcp/
[2] https://datatracker.ietf.org/doc/charter-ietf-wimse/
[3] https://datatracker.ietf.org/wg/wimse/about/