Meeting Notes 07-21-2023

Attendees:

  • Rifaat
  • Pieter
  • George
  • Kelley
  • Justin
  • Atul

Agenda

  • SPIFFE in the IETF (Justin)
  • Transaction Tokens Feedback (Atul)

SPIFFE in the IETF

  • Being presented in dispatch and secdispatch WGs
  • Propose to discuss in IAB open office hours
  • Justin went through a presentation that introduces the problem both at the SPIFFE level and higher level use cases
  • [Pieter] There is no venue to talk about this stuff right now
  • [Rifaat] You may want to take a look at the Network Service Mesh concepts, which we have examined in the JWT embedded tokens world
  • [Justin] The data structure and packaging are two different questions, but there is a lot of unanswered stuff on both sides of that

Transaction Tokens

  • [Atul] No feedback on the new section yet.
  • [Kelley] No specific concerns.
  • [Atul] We have open issues and the nesting discussion to go through.
  • [Atul] Couldn't find open questions (found them in notes for 7/7/21)
  • [Atul] Is the Tx-Token Service a new token endpoint?
    • [Justin] - probably not
    • [Rifaat] - agreed
    • [George] - Don't want to overload the AS.
    • From an operational perspective want to separate the load. May need a way from a configuration perspective to point to the endpoint.
    • [Justin] - Question is whether that means it points to a functionally different Authorization Server or an aspect of an existing service.
    • [Atul] - Proposing to use token exchange - functionally looks different. Wants to call it as a different server.
    • [Justin] - can be an authz server, but a different authz server.
    • [George] - Some logic happens when it hits the service. Domain the authz manages is the internal domain of the workloads. This is another layer of AuthZ server.
    • [Pieter] The placement of this server is different from an authorization server, in terms of traffic, latency, etc. So it may have to be a different server
    • [Justin] It's a different grant type, but still an authorization server that issues this token.
    • [Justin] Is this a new type of server or is this an OAuth server?
    • [George] Clarify to the reader it is a specialised authz server focused on the internal domain. It is not a front door authz service. Need to clarify this to avoid confusion.
    • [Atul] Wording "OAuth Authorization server for issuing transaction tokens".
    • [Justin] Should be able to get transaction tokens out of a GNAP service for example.
    • [Atul] Will define the Transaction Token service as an OAuth Authorization Server

Token Lifetime

  • [Atul] In a batch process, the batch process will get new transaction tokens (probably replacement transaction tokens) to execute each RPC
  • [George] These calls do not have ACID properties. So unless you keep the token lifetime small, you will get into trouble because of inability to identify which transaction occurred / failed
  • [George] That said, we did run into a few use cases in Yahoo, where when a batch actually ran, the original user ID was removed / not present in the database. So we should not be too prescriptive about the lifetime, but the short-lived nature reduces the need for intermediary validation
  • [Rifaat] When you say intermediary validation, what do you mean?
  • [George] Each server in the chain going back to the AuthZ server to check the token
  • [Rifaat] I'm assuming the tokens are JWT tokens, which can be validated by themselves
  • [George] Local validation of a signature is not the full level of authorization when a user is presenting an external access token, so you need to bind the transaction related info.
  • [Rifaat] Are Transaction Tokens Access Tokens? Are there refresh tokens associated with Transaction Tokens?
  • [George, Atul] No refresh tokens. They're not, although they are JWTs with data
  • [George] We can investigate whether it is valuable to understand whether TraTs are OAuth Access Tokens
  • [Pieter] I would want them to not be access tokens just because of where we will be deploying these
  • [Rifaat] We need to explain the difference between the Access Token and a Transaction Token
  • [George] Access tokens tend to be coarse-grained, and TraTs are fine-grained.
  • [George] How these things map for the purpose of bridging authorization domains is interesting