Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Required requested_token_type parameter #111

Open
arndt-s opened this issue Nov 13, 2024 · 5 comments
Open

Required requested_token_type parameter #111

arndt-s opened this issue Nov 13, 2024 · 5 comments

Comments

@arndt-s
Copy link
Member

arndt-s commented Nov 13, 2024
edited
Loading

Issue to track email sent to the authors

Hello All,
I would like to propose below suggestion for https://datatracker.ietf.org/doc/html/draft-ietf-oauth-identity-chaining
Section 2.3.1 Token Exchange Request
As per my understanding the Token exchange request in this proposed RFC will always expect JWT token (urn:ietf:params:oauth:token-type:jwt) as clearly mentioned in the ‘section 2.3.4 Example’ with Figure 3: Token exchange response with claim ‘issued_token_type’ and also mentioned in section 2.4.1 Access Token Request (where only JWT token/assertion is sent to Authorization Server in Domain B as Authorization grant) .
Hence my suggestion is to enforce it in the Token exchange request itself (as REQUIRED) parameter by using the ‘requested_token_type’ parameter of OAuth 2.0 Token Exchange RFC 8693 section 2.1 with value ‘urn:ietf:params:oauth:token-type:jwt’ as per section 3 of RFC 8693 (OAuth 2.0 Token Exchange). This could prevent the Authorization server in Domain A to respond with another other type of tokens/assertions (like access_token , refresh_token , id_token , saml1 , saml2 as other possible values as per section 3 of RFC 8693 OAuth 2.0 Token Exchange) by mistake or other reasons, which could break this (draft) specification inadvertently.
Best Regards,
Randip Malakar
STMicroelectronics
@arndt-s
Copy link
Member Author

arndt-s commented Nov 13, 2024
edited
Loading

Thank you for your email Randip!
I agree to talk more about the requested_token_type parameter of the token exchange request. I personally don't see a problem setting it as required, but will my co-authors chime in if they see something I don't.
Regarding the value, yes, "urn:ietf:params:oauth:token-type:jwt" seems the one at hand. Personally, I would also like to discuss to introduce a new type here to be able to differentiate ID chaining from other token exchange use cases on the authorization server. For example something like "urn:ietf:params:oauth:token-type:assertion+jwt"?
What do you think? (@RandiP and co-authors)
-Arndt

@PieterKas
Copy link
Contributor

I think making the requested_token_type REQUIRED makes sense (we already restrict it to JWT in any event).

Although JWT is pretty generic (access and ID tokens can be JWTs as well, but they do have their own identifiers), restricting it further may cause adoption issues for existing token Exchange implementations, who do not support a new type like "urn:ietf:params:oauth:token-type:assertion+jwt".

Looking at section 2 of RFC 7523 (https://datatracker.ietf.org/doc/html/rfc7523#section-2.1), it does define a "urn:ietf:params:oauth:grant-type:jwt-bearer", which we could possibly use.

@bc-pi would love your thoughts on this.

@randipmalakar
Copy link

I think making the requested_token_type REQUIRED makes sense (we already restrict it to JWT in any event).

Although JWT is pretty generic (access and ID tokens can be JWTs as well, but they do have their own identifiers), restricting it further may cause adoption issues for existing token Exchange implementations, who do not support a new type like "urn:ietf:params:oauth:token-type:assertion+jwt".

Looking at section 2 of RFC 7523 (https://datatracker.ietf.org/doc/html/rfc7523#section-2.1), it does define a "urn:ietf:params:oauth:grant-type:jwt-bearer", which we could possibly use.

@bc-pi would love your thoughts on this.

Dear @PieterKas Just a feedback on your proposal (unless it's a typo or a copy/paste error), my understanding is that "urn:ietf:params:oauth:grant-type:jwt-bearer" is defined to be used for grant type and in Token exchange request (in the proposed identity-chaining flow) we would use the grant type "urn:ietf:params:oauth:grant-type:token-exchange" and if so, we are left to use "urn:ietf:params:oauth:token-type:jwt" in requested_token_type parameter (unless we define a new token type like "urn:ietf:params:oauth:token-type:assertion+jwt" )

@PieterKas
Copy link
Contributor

PieterKas commented Dec 10, 2024
edited
Loading

Good catch @randipmalakar. I was looking at RFC 7523 to see if a token type was defined there that might be more specific that we can use, but you are right, it's a grant type, not a token type.

Reading a bit on, there is section 8 which defines urn:ietf:params:oauth:client-assertion-type:jwt-bearer - not a token type, but to be used when presenting the assertion https://datatracker.ietf.org/doc/html/rfc7523#section-8.2

So, it may well be that our best option here is urn:ietf:params:oauth:token-type:jwt unless we define a new token type. Immediate pros that come to mind is it would be more specific and less overloaded. The con would be that it is a new token type and would delay or impede adoption. I would like to hear from others on whether urn:ietf:params:oauth:token-type:jwt is a sufficient restriction, or if we need to be more specific.

@bc-pi
Copy link
Contributor

bc-pi commented Dec 19, 2024

requested_token_type can be used now but making it required is IMHO a non starter

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@arndt-s @randipmalakar @bc-pi @PieterKas