OAuth Working Group | B. Campbell |
Internet-Draft | Ping |
Intended status: Standards Track | August 8, 2014 |
Expires: February 9, 2015 |
OAuth 2.0 Token Exchange: an STS for the REST of us
draft-campbell-oauth-sts-00
An OAuth 2.0 framework for exchanging security tokens enabling authorization servers to act as lightweight HTTP and JSON based security token services.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 9, 2015.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
A security token service (STS) is a service capable of validating and issuing security tokens, which enables web service clients to obtain appropriate temporary access credentials for resources in heterogeneous environments or across security domains. Clients have historically used WS-Trust [WS-Trust] as the protocol to interact with an STS for token exchange. However WS-Trust is a fairly heavyweight framework which uses XML, SOAP, WS-Security, XML-Signatures, etc. while the trend in modern web development has been towards more lightweight services utilizing RESTful patterns and JSON. The OAuth 2.0 Authorization Framework [RFC6749] and OAuth 2.0 Bearer Tokens [RFC6750] have emerged as popular standards for authorizing and securing access to HTTP and RESTful resources but do not provide all that is needed to support generic STS interactions.
This specification defines a lightweight protocol extending OAuth 2.0 that enables clients to request and obtain security tokens from authorization servers acting in the role of an STS. There is support for enabling one party to act on behalf of another as well as enabling one party to delegate constrained authority to another. Similar to OAuth 2.0, this specification focuses on client developer simplicity and requires only an HTTP client and JSON parser, which are nearly universally available in modern development environments. The STS protocol defined in this specification is not itself RESTful (an STS doesn't lend itself particularly well to a REST approach) but does utilize communication patterns and data formats that should be more palatable to developers accustom to working with RESTful systems.
A new security token request grant type and the associated specific parameters for a security token request to the token endpoint are defined by this specification. A security token response is a normal OAuth 2.0 response from the token endpoint with some additional parameters defined herein to provide information to the client.
The security tokens obtained from an STS could be used in a variety of contexts, the specifics of which are beyond the scope of this document.
The scope of this specification is limited to the definition of a framework and basic wire protocol for an STS style token exchange utilizing OAuth 2.0. The syntax, semantics and security characteristics of the tokens themselves (both those presented to the AS and those obtained by the client) are explicitly out of scope and no requirements are placed on the trust model in which an implementation might be deployed. Additional profiles may provide more detailed requirements around the specific nature of the parties and trust involved, whether signatures and/or encryption of tokens is required, etc., however, such details will often be policy decisions made with respect to the specific needs of individual deployments and will be configured or implemented accordingly.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
This specification uses the terms "authorization server" "token endpoint", "access token request", "access token response", and "client" defined by OAuth 2.0 [RFC6749].
When principal A impersonates principal B, A is given all the rights that B has within some defined rights context. Whereas, with delegation semantics, principal A still has its own identity separate from B and it is explicitly understood that while B may have delegated its rights to A, any actions taken are being taken by A and not B. In a sense, A is an agent for B.
Delegation semantics are therefore different than impersonation semantics, with which it is sometimes confused. When principal A impersonates principal B, then in so far as any entity receiving such a token is concerned, they are actually dealing with B. It is true that some members of the identity system might have awareness that impersonation is going on but it is not a requirement. For all intents and purposes, when A is impersonating B, A is B.
A security token with delegation semantics is requested using this framework by including both an on_behalf_of token and an act_as token in the request. The on_behalf_of token represents the identity of the party on behalf of whom the token is being requested while the act_as token represents the identity of the party to whom the access rights of the returned token are being delegated. In this case, the token returned to the client will contain claims about both parties.
A security token with impersonation semantics is requested using this framework by including an on_behalf_of token in the request and omitting the act_as token. The on_behalf_of token represents the identity of the party on behalf of whom the token is being requested the token returned to the client will contain claims about that party.
A client requests a security token by making a token request to the authorization server's token endpoint using the extension grant type mechanism defined in Section 4.5 of OAuth 2.0 [RFC6749].
Client authentication to the authorization server is done using the normal mechanisms provided by OAuth 2.0. Section 2.3.1 of The OAuth 2.0 Authorization Framework [RFC6749] defines password-based authentication of the client, however, client authentication is extensible and other mechanisms are allowed. For example, [I-D.ietf-oauth-saml2-bearer] and [I-D.ietf-oauth-jwt-bearer] define client authentication using SAML Assertions and JSON Web Tokens respectively. Other mechanisms, such as TLS client authentication, are also possible. The supported methods of client authentication and whether or not to allow unauthenticated or unidentified clients are deployment decisions that are at the discretion of the authorization server.
The client makes a general security token request to the token endpoint with an extension grant type by including the following parameters using the application/x-www-form-urlencoded format with a character encoding of UTF-8 in the HTTP request entity-body:
The authorization server responds to a security token request with a normal OAuth 2.0 response from the token endpoint as defined in Section 5 of RFC 6749 [RFC6749]. Additional details and explanation are provided in the following subsections.
If the request is valid and meets all policy and other criteria of the authorization server, a successful token response is constructed by adding the following parameters to the entity-body of the HTTP response using the "application/json" media type as defined by [RFC4627] and an HTTP 200 status code. The parameters are serialized into a JavaScript Object Notation (JSON) structure by adding each parameter at the top level. Parameter names and string values are included as JSON strings. Numerical values are included as JSON numbers. The order of parameters does not matter and can vary.
If either the on_behalf_of or act_as tokens are invalid for any reason, or are unacceptable based on policy, the authorization server MUST construct an error response as defined in Section 5.2 of OAuth 2.0 [RFC6749] The value of the error parameter MUST be the invalid_grant error code. The authorization server MAY include additional information regarding the reasons for the error using the error_description or error_uri parameters.
[[ TODO: at least two examples, with and without act_as, showing a request/response exchange and including some relevant internal details of the tokens involved ]]
[[ TODO ]] The urn:ietf:params:oauth:grant-type:security-token-request Grant Type is to be registered in the IANA urn:ietf:params:oauth registry established in [RFC6755].
[[ TODO ]] Other parameters like requested_security_token_type, on_behalf_of, on_behalf_of_token_type, act_as, etc. need to be registered in the appropriate registries. The aud parameter needs to be registered too but that may well get done in [I-D.ietf-oauth-pop-key-distribution] and aud may/does have wider applicability so perhaps deserves it's own little spec?
[[ TODO ]]
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC3986] | Berners-Lee, T., Fielding, R. and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. |
[RFC4627] | Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, July 2006. |
[RFC6749] | Hardt, D., "The OAuth 2.0 Authorization Framework", RFC 6749, October 2012. |
[Some] decisions to be made with potential associated draft updates:
The author wishes to thank Michael Jones for bringing forth the concept of OAuth 2.0 Token Exchange with [I-D.jones-oauth-token-exchange]. This draft borrows heavily from Jones' work while striving to provide a syntax that is more consistent with OAuth 2.0 [RFC6749], which will hopefully be more familiar to developers and easier to understand and implement.
The author also wishes to thank John Bradley for his endless patience and willingness to share his expertise.
[[ to be removed by the RFC Editor before publication as an RFC ]]
-00