OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of Us
Brian Campbell @__b_c
June 2016
Formalities, Introductions, etc.
• Long long time @ Ping
  – Product Development & Standards
• Trolling around CIS with a camera since ’11
  – Presentations contain many gratuitous photos
Formalities, Introductions, etc.
• Not above compromising photos myself
• Slides will be available
  – No need to take notes
    • Like you were going to anyway…
  – at http://www.slideshare.net/briandavidcampbell
  – & at https://twitter.com/__b_c
    • 2 underscores + b + 1 underscore + c
• Tweeting *not* discouraged
  – As long as it’s nice
Token Exchange: An RFC in Progress
Use Cases
• Trade one token for another (active clients)
  – Useful in a wide variety of circumstances
• Access to heterogeneous systems
  – Cross domain and otherwise
  – Client is a ‘client’
  – Microservices!
  – Client is reverse proxy or gateway
• Chaining, validation, translation, down-scoping, etc.
• Swiss Army Knife of identity integration
• Proprietary approaches exist
[Diagram: a Client that somehow has a token and needs a different token, and the AS/STS it asks for it]
What’s in a Name?
OAuth 2.0 Token Exchange: An STS for the REST of Us
• Respectable part of title
  – Says what it is
• Less respectable part of title
  – A play on the popular Seinfeld episode that featured “a Festivus for the rest of us”
• A colon
  – Hope I used it correctly
• Security Token Service
  – For “active” clients
• A touch of populist rhetoric
  – But the good kind
• Okay, not actually RESTful
  – But HTTP & JSON based
  – (Hopefully) more palatable to contemporary developers
  – SEO keyword
Shall I Compare Thee to a Parody Holiday?
• Festivus: humorous secular alternative to the commercialism & pressures of the Christmas holiday season
  – The Festivus Pole
  – The Festivus Dinner
  – The Airing of Grievances
  – The Feats of Strength
  – Festivus Miracles
• OAuth 2.0 Token Exchange: not really like Festivus
  – But going to force the comparison anyway
The Festivus Pole
• Plain unadorned metal pole
  – Quintessential symbol of the anti-consumerist holiday
  – “Very high strength-to-weight ratio” - Frank Costanza
• Token Exchange is modest and void of unnecessary layers and options
  – Aspiring to be a symbol of anti-complexity
    • Mostly stayed true to these aspirations
    • “Very high utility-to-complexity ratio” - me
  – Extension of the normal interaction with the OAuth token endpoint
    • request is a simple HTTP POST with form-encoded parameters
    • response is a familiar and easily parsed bit of JSON
[Slide image captioned “utility-to-complexity ratio”]
Request POST Parameters
• grant_type
• resource
• audience
• scope
• requested_token_type
• subject_token
• subject_token_type
• actor_token
• actor_token_type
• want_composite

JSON Response Parameters
• access_token
• issued_token_type
• token_type
• expires_in
• scope
• refresh_token
Unadorned Example
[Sequence diagram between Client, Resource Server frontend.example.com, AS/STS as.example.com and Backend Service backend.example.com; the message contents are not in the transcript]
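The request and response parameters listed above, and the frontend/AS/backend example, as an added, runnable illustration that is not the deck's or the draft's own code: frontend.example.com, holding a token a client presented to it, exchanges that token at as.example.com for one scoped to backend.example.com. The grant_type and token-type URNs are the identifiers registered by RFC 8693, the RFC this draft became; the mock AS, its audience and scope policy, the sample token strings and the error strings it returns are constructed for the example. It runs offline by calling the mock token endpoint as a function instead of POSTing over HTTPS.

```python
"""Token exchange request/response shapes, stdlib only (added example).

The grant_type and token-type URNs are the identifiers registered by RFC 8693;
the mock AS/STS below, its policy tables and the sample token strings are
constructed for illustration and are not the draft's or any product's code.
"""
import json
import urllib.parse

GRANT_TYPE_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"

# Request POST parameters from the slide. grant_type, subject_token and
# subject_token_type are the mandatory ones; the rest are optional.
OPTIONAL_PARAMS = ("resource", "audience", "scope", "requested_token_type",
                   "actor_token", "actor_token_type", "want_composite")


def build_token_exchange_request(subject_token, subject_token_type, **optional):
    """Return the form-encoded body the client POSTs to the token endpoint."""
    unknown = set(optional) - set(OPTIONAL_PARAMS)
    if unknown:
        raise ValueError(f"not a token exchange parameter: {sorted(unknown)}")
    params = {
        "grant_type": GRANT_TYPE_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
    }
    params.update({k: v for k, v in optional.items() if v is not None})
    return urllib.parse.urlencode(params)


# --- minimal mock AS/STS standing in for as.example.com, so this runs offline ---

# Constructed policy: audiences the AS will mint tokens for, and the scopes
# each (constructed) subject token carries.
KNOWN_AUDIENCES = {"backend.example.com"}
SUBJECT_TOKENS = {"SUBJ-TOKEN-123": {"read", "write"}}


def handle_token_exchange(form_body):
    """Mock token endpoint: validate the POST body, return the JSON response dict."""
    form = dict(urllib.parse.parse_qsl(form_body, keep_blank_values=True))
    if form.get("grant_type") != GRANT_TYPE_TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    for required in ("subject_token", "subject_token_type"):
        if not form.get(required):
            return {"error": "invalid_request",
                    "error_description": f"missing {required}"}
    granted = SUBJECT_TOKENS.get(form["subject_token"])
    if granted is None:
        return {"error": "invalid_grant"}  # subject token not recognised
    audience = form.get("audience")
    if audience not in KNOWN_AUDIENCES:
        return {"error": "invalid_target"}  # error code RFC 8693 defines for this grant
    # Down-scoping: the issued token never carries more than the subject token had.
    requested = set(form["scope"].split()) if form.get("scope") else granted
    issued_scope = sorted(requested & granted)
    if not issued_scope:
        return {"error": "invalid_scope"}
    return {
        "access_token": f"TOKEN-FOR-{audience}-{'+'.join(issued_scope)}",
        "issued_token_type": TOKEN_TYPE_ACCESS_TOKEN,
        "token_type": "Bearer",
        "expires_in": 300,
        "scope": " ".join(issued_scope),
    }


def exchange(subject_token, audience, scope=None):
    """What frontend.example.com does: POST the exchange, parse the JSON reply."""
    body = build_token_exchange_request(subject_token, TOKEN_TYPE_ACCESS_TOKEN,
                                        audience=audience, scope=scope)
    # Real deployment: HTTPS POST to the AS token endpoint with
    # Content-Type: application/x-www-form-urlencoded. Here the mock AS is called directly.
    response_json = json.dumps(handle_token_exchange(body))
    return json.loads(response_json)


if __name__ == "__main__":
    print(exchange("SUBJ-TOKEN-123", "backend.example.com", "read"))
    print(exchange("SUBJ-TOKEN-123", "other.example.com"))
```

The check worth copying is the intersection in `handle_token_exchange`: a token minted for backend.example.com must never carry scopes the subject token did not already have, and an audience the AS does not know is refused rather than echoed back. A real AS also validates the subject token itself (signature, expiry, issuer) and that the caller is a client allowed to perform exchanges; the mock skips that by looking the token up in a table.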
Festivus Dinner
• Traditional Festivus dinner is meatloaf on a bed of lettuce. Period.
  – No alcohol
• Token Exchange is much less prescriptive about what gets consumed and served
  – A few new JWT specific claims allowing for delegation semantics
    • "act" (Actor)
    • "scp" (Scopes)
    • "may_act" (May Act For)
  – The core protocol is token-type agnostic and can be used with all kinds of tokens
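The three delegation claims just listed, as an added worked example that is not the deck's or the draft's own code: an STS mints a composite token in which "act" records who is acting for the subject (nesting a further "act" when the actor was itself acting for someone), "scp" carries the scopes, and the subject token's "may_act" is what authorises the actor in the first place. The HS256 signer and verifier are a minimal hand-written JWS for the illustration, not any library's API; the issuer, audience and the rule that scopes may only narrow are constructed policy. The claim is spelled "scp" as on the slide; the final RFC 8693 renamed it "scope" (a space-separated string).

```python
"""Delegation claims ("act", "scp", "may_act") on a JWT, stdlib only (added example).

The JWS code is a minimal HS256 implementation written for this illustration,
not the draft's code or a library's API; the policy in issue_composite_token
(who may act for whom, scopes only ever narrowing) is constructed.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact JWS over the claims, HS256 (demo signer, constructed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Pin the algorithm, check the HMAC in constant time, return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_unb64url(payload_b64))


def delegation_chain(claims: dict) -> list:
    """[subject, current actor, the actor that delegated to it, ...].

    The outermost "act" is the party currently acting; each nested "act" is
    the party it is acting on behalf of, so the chain reads newest to oldest."""
    chain = [claims["sub"]]
    actor = claims.get("act")
    while actor is not None:
        chain.append(actor["sub"])
        actor = actor.get("act")
    return chain


def issue_composite_token(subject_claims: dict, actor_claims: dict, key: bytes) -> str:
    """STS side: mint a token the actor may use on the subject's behalf.

    Permitted only if the subject token's "may_act" names the actor ("sub",
    and "iss" too when may_act carries one). Scopes never grow: "scp" is the
    subject's scopes, narrowed to the actor's own if the actor token has any."""
    permitted = subject_claims.get("may_act")
    if permitted is None or permitted.get("sub") != actor_claims.get("sub"):
        raise PermissionError("subject token does not allow this actor")
    if "iss" in permitted and permitted["iss"] != actor_claims.get("iss"):
        raise PermissionError("actor token issuer is not the one may_act names")
    act = {"sub": actor_claims["sub"]}
    if "iss" in actor_claims:
        act["iss"] = actor_claims["iss"]
    if "act" in actor_claims:       # actor is itself acting for someone: nest it
        act["act"] = actor_claims["act"]
    scp = list(subject_claims.get("scp", []))
    if actor_claims.get("scp"):
        scp = [s for s in scp if s in actor_claims["scp"]]
    composite = {"iss": "https://as.example.com", "sub": subject_claims["sub"],
                 "aud": "backend.example.com", "act": act, "scp": scp}
    return sign_jwt(composite, key)
```

Two points a resource server should take from this: `delegation_chain` is how backend.example.com can tell that a request carrying the user's identity actually arrived via frontend.example.com (and whoever was in front of it), and `verify_jwt` pins the algorithm before looking at the signature, so a header claiming `alg: none` or another algorithm is rejected outright.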
Festivus Dinner Companions
The Airing of Grievances
• The Airing of Grievances takes place immediately after dinner and consists of each person lashing out at others about how they have been disappointed in the past year
• I was part of the engineering team that added WS-Trust support to PingFederate years ago
  – Tremendously useful and flexible but a huge PITA
  – I still bear the scars
  – Been requested more than once to tone down my own lashing out in the document’s Introduction
WS-Grievances (Request)
[Five slides of images; contents not in the transcript]
WS-Grievances (Response)
[Five slides of images; contents not in the transcript]
The Feats of Strength
• The head of the household challenges one person to a wrestling match and Festivus is not over until he/she is pinned
• There's been some wrestling over the syntax and semantics of Token Exchange too
  – The entrenched draft
  – A more ‘OAuthy’ approach
  – So I tried to pick a nerd fight leading up to IETF 93
…and IETF 93 was in Prague. Where, in the 1600’s, the Hapsburg dynasty displayed the severed heads of leaders of the Bohemian uprising on the tower as a deterrent to further resistance. A fitting location for The Feats of Strength…
It's a Festivus Miracle!
• Turns out that no wrestling was needed
  – Logical respectful discussions
  – Compromises reached
  – Competing approaches unified (in -03)
• Looking forward
  – Standards work is inevitably slow and subject to bumps in the road
  – But seems to be relatively stable and have generally broad support
  – Implementations… it’s early
  – Can live alongside WS-Trust and proprietary approaches
A more peaceful view of Prague
Questions?