OAuth 2.0 Token Exchange: An STS for the REST of Us


Transcript of OAuth 2.0 Token Exchange: An STS for the REST of Us

Page 1: OAuth 2.0 Token Exchange: An STS for the REST of Us

An STS for the REST of Us

Brian Campbell @__b_c

June 2016

OAuth 2.0 Token Exchange

Page 2

Formalities, Introductions, etc.

•  Long long time @ Ping

–  Product Development & Standards

•  Trolling around CIS with a camera since ’11

–  Presentations contain many gratuitous photos

Page 3

Page 4

Formalities, Introductions, etc.

•  Not above compromising photos myself

•  Slides will be available

–  No need to take notes

•  Like you were going to anyway…

–  at http://www.slideshare.net/briandavidcampbell

–  & at https://twitter.com/__b_c

•  2 underscores +

•  b +

•  1 underscore +

•  c

•  Tweeting *not* discouraged

–  As long as it’s nice

Page 5

Token Exchange: An RFC in Progress

Page 6

Use Cases

•  Trade one token for another (active clients)

–  Useful in a wide variety of circumstances

•  Access to heterogeneous systems

–  Cross domain and otherwise

–  Client is a ‘client’

–  Microservices!

–  Client is reverse proxy or gateway

•  Chaining, validation, translation, down-scoping, etc.

•  Swiss Army Knife of identity integration

•  Proprietary approaches exist

[Diagram: Client (somehow has a token, needs a different token) and AS/STS]

Page 7

What’s in a Name?

•  Respectable part of title

–  Says what it is

•  Less respectable part of title

–  A play on the popular Seinfeld episode that featured “a Festivus for the rest of us”

•  A colon

–  Hope I used it correctly

•  Security Token Service

–  For “active” clients

OAuth 2.0 Token Exchange: An STS for the REST of Us

•  A touch of populist rhetoric

–  But the good kind

•  Okay, not actually RESTful

–  But HTTP & JSON based

–  (Hopefully) more palatable to contemporary developers

•  SEO keyword

Page 8

Shall I Compare Thee to a Parody Holiday?

•  Festivus: humorous secular alternative to the commercialism & pressures of the Christmas holiday season

–  The Festivus Pole

–  The Festivus Dinner

–  The Airing of Grievances

–  The Feats of Strength

–  Festivus Miracles

•  OAuth 2.0 Token Exchange: not really like Festivus

–  But going to force the comparison anyway

Page 9

The Festivus Pole

•  Plain unadorned metal pole

–  Quintessential symbol of the anti-consumerist holiday

–  “Very high strength-to-weight ratio” - Frank Costanza

•  Token Exchange is modest and void of unnecessary layers and options

–  Aspiring to be a symbol of anti-complexity

•  Mostly stayed true to these aspirations

•  “Very high utility-to-complexity ratio” - me

–  Extension of the normal interaction with the OAuth token endpoint

•  request is a simple HTTP POST with form-encoded parameters

•  response is a familiar and easily parsed bit of JSON.

Page 10

utility-to-complexity ratio

Request POST Parameters

•  grant_type
•  resource
•  audience
•  scope
•  requested_token_type
•  subject_token
•  subject_token_type
•  actor_token
•  actor_token_type
•  want_composite

JSON Response Parameters

•  access_token
•  issued_token_type
•  token_type
•  expires_in
•  scope
•  refresh_token

Page 11

Unadorned Example

[Diagram: Client, Resource Server frontend.example.com, AS/STS as.example.com, Backend Service backend.example.com]

Page 12

Festivus Dinner

•  Traditional Festivus dinner is meatloaf on a bed of lettuce. Period.

–  No alcohol

•  Token Exchange is much less prescriptive about what gets consumed and served

–  A few new JWT specific claims allowing for delegation semantics

•  "act" (Actor)

•  "scp" (Scopes)

•  "may_act" (May Act For)

–  The core protocol is token-type agnostic and can be used with all kind of tokens
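The request parameters, the Unadorned Example and the delegation claims above, worked through in one added example that is not from the presentation or from PingFederate: the frontend reverse proxy builds the form-encoded POST, and a minimal AS/STS validates the subject and actor tokens, enforces "may_act", down-scopes, and issues a JWT carrying "act" and "scp". HS256 with a constructed shared key, the grant-type and token-type URNs from the token exchange spec, and every claim value are assumptions made for the demo.

```python
# Added example, not the presenter's or PingFederate's code; key and claim values constructed.
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

KEY = b"constructed-demo-key"  # shared HMAC key, constructed; a real STS uses per-issuer keys
GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT = "urn:ietf:params:oauth:token-type:jwt"
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def sign_jwt(claims):  # compact HS256 JWT: header.payload.signature
    body = b64u(b'{"alg":"HS256"}') + "." + b64u(json.dumps(claims).encode())
    return body + "." + b64u(hmac.new(KEY, body.encode(), hashlib.sha256).digest())

def verify_jwt(token, audience):  # signature, audience and expiry checked before any claim is used
    h, p, s = token.split(".")
    mac = hmac.new(KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64u_dec(s), mac): raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p))
    if claims.get("aud") != audience or claims.get("exp", 0) < time.time():
        raise ValueError("wrong audience or expired")
    return claims

def exchange_request(subject_token, actor_token, audience, scope):
    """Client side: the form-encoded POST body sent to the token endpoint."""
    return urlencode({"grant_type": GRANT, "audience": audience, "scope": scope,
                      "requested_token_type": JWT, "subject_token_type": JWT,
                      "subject_token": subject_token, "actor_token_type": JWT,
                      "actor_token": actor_token})

def sts_exchange(body):
    """AS/STS side: validate both tokens, enforce may_act, down-scope, issue a JSON response."""
    p = {k: v[0] for k, v in parse_qs(body).items()}
    if p.get("grant_type") != GRANT: raise ValueError("unsupported grant_type")
    subj = verify_jwt(p["subject_token"], "frontend.example.com")
    actor = verify_jwt(p["actor_token"], "as.example.com")
    if actor["sub"] != subj.get("may_act", {}).get("sub"):  # delegation not authorised
        raise ValueError("actor may not act for subject")
    scopes = sorted(set(p["scope"].split()) & set(subj["scp"]))  # never widen scope
    tok = sign_jwt({"iss": "as.example.com", "sub": subj["sub"], "aud": p["audience"],
                    "exp": int(time.time()) + 300, "scp": scopes, "act": {"sub": actor["sub"]}})
    return {"access_token": tok, "issued_token_type": JWT, "token_type": "Bearer",
            "expires_in": 300, "scope": " ".join(scopes)}

def demo():  # constructed tokens: user 'bob' at the frontend, which may act for him
    exp = int(time.time()) + 60
    subj = sign_jwt({"sub": "bob", "aud": "frontend.example.com", "exp": exp,
                     "scp": ["read", "write"], "may_act": {"sub": "frontend.example.com"}})
    actor = sign_jwt({"sub": "frontend.example.com", "aud": "as.example.com", "exp": exp})
    resp = sts_exchange(exchange_request(subj, actor, "backend.example.com", "read delete"))
    return resp, verify_jwt(resp["access_token"], "backend.example.com")
```

demo() returns the JSON response dict and the verified claims of the issued token; the requested "delete" scope is dropped because the subject token never held it, and an actor absent from "may_act" makes sts_exchange raise ValueError.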

Page 13

Festivus Dinner Companions

Page 14

The Airing of Grievances

•  The Airing of Grievances takes place immediately after dinner and consists of each person lashing out at others about how they have been disappointed in the past year

•  I was part of the engineering team that added WS-Trust support to PingFederate years ago

–  Tremendously useful and flexible but a huge PITA

–  I still bear the scars

–  Been requested more than once to tone down my own lashing out in the document’s Introduction

Page 15

WS-Grievances (Request)

[Slides 15 to 19 carry no transcribed text]

Page 20

WS-Grievances (Response)

[Slides 20 to 24 carry no transcribed text]

Page 25

The Feats of Strength

•  The head of the household challenges one person to a wrestling match and Festivus is not over until he/she is pinned

•  There's been some wrestling over the syntax and semantics of Token Exchange too

–  The entrenched draft

–  A more ‘OAuthy’ approach

–  So I tried to pick a nerd fight leading up to IETF 93

Page 26

…and IETF 93 was in Prague, where in the 1600’s the Hapsburg dynasty displayed the severed heads of leaders of the Bohemian uprising on the tower as a deterrent to further resistance. A fitting location for The Feats of Strength…

Page 27

It's a Festivus Miracle!

•  Turns out that no wrestling was needed

–  Logical respectful discussions

–  Compromises reached

–  Competing approaches unified (in -03)

•  Looking forward

–  Standards work is inevitably slow and subject to bumps in the road

–  But seems to be relatively stable and have generally broad support

–  Implementations… it’s early

–  Can live alongside WS-Trust and proprietary approaches

A more peaceful view of Prague

Page 28

Questions?