# Meeting Notes 07-21-2023

## Attendees:

- Rifaat
- Pieter
- George
- Kelley
- Justin
- Atul

## Agenda

- SPIFFE in the IETF (Justin)
- Transaction Tokens Feedback (Atul)

## SPIFFE in the IETF

- Being presented in dispatch and secdispatch WGs
- Propose to discuss in IAB open office hours
- Justin went through a presentation that introduces the problem both at the SPIFFE level and at the level of higher-level use cases
- [Pieter] There is no venue to talk about this stuff right now
- [Rifaat] You may want to take a look at the Network Service Mesh concepts, which we have examined in the JWT embedded tokens world
- [Justin] The data structure and packaging are two different questions, but there is a lot of unanswered stuff on both sides of that

## Transaction Tokens

- [Atul] No feedback on the new section yet.
- [Kelley] No specific concerns.
- [Atul] We have open issues and the nesting discussion to go through.
- [Atul] Couldn't find open questions (found them in [notes for 7/7/21](https://hackmd.io/@rpc-sec-wg/notes-20230707))
- [Atul] Is the Tx-Token Service a new token endpoint?
- [Justin] Probably not
- [Rifaat] Agreed
- [George] Don't want to overload the AS. From an operational perspective, want to separate the load. May need a way, from a configuration perspective, to point to the endpoint.
- [Justin] Question is whether that means it points to a functionally different Authorization Server or an aspect of an existing service.
- [Atul] Proposing to use token exchange; functionally it looks different. Wants to call it a different server.
- [Justin] Can be an authz server, but a different authz server.
- [George] Some logic happens when it hits the service. The domain the authz manages is the internal domain of the workloads. This is another layer of AuthZ server.
- [Pieter] The placement of this server is different from an authorization server, in terms of traffic, latency, etc. So it may have to be a different server
- [Justin] It's a different grant type, but still an authorization server that issues this token.
- [Justin] Is this a new type of server or is this an OAuth server?
- [George] Clarify to the reader that it is a specialised authz server focused on the internal domain. It is not a front-door authz service. Need to clarify this to avoid confusion.
- [Atul] Wording: "OAuth Authorization Server for issuing transaction tokens".
- [Justin] Should be able to get transaction tokens out of a GNAP service, for example.
- [Atul] Will define the Transaction Token service as an OAuth Authorization Server

### Token Lifetime

- [Atul] In a batch process, the batch process will get new transaction tokens (probably replacement transaction tokens) to execute each RPC
- [George] These calls do not have ACID properties. So unless you keep the token lifetime small, you will get into trouble because of the inability to identify which transaction occurred / failed
- [George] That said, we did run into a few use cases in Yahoo where, when a batch actually ran, the original user ID was removed / not present in the database. So we should not be too prescriptive about the lifetime, but the short-lived nature reduces the need for intermediary validation
- [Rifaat] When you say intermediary validation, what do you mean?
- [George] Each server in the chain going back to the AuthZ server to check the token
- [Rifaat] I'm assuming the tokens are JWT tokens, which can be validated by themselves
- [George] Local validation of a signature is not the full level of authorization when a user is presenting an external access token, so you need to bind the transaction-related info.
- [Rifaat] Are Transaction Tokens Access Tokens? Are there refresh tokens associated with Transaction Tokens?
- [George, Atul] No refresh tokens. They're not, although they are JWTs with data
- [George] We can investigate whether it is valuable to understand whether TraTs are OAuth Access Tokens
- [Pieter] I would want them to not be access tokens just because of where we will be deploying these
- [Rifaat] We need to explain the difference between the Access Token and a Transaction Token
- [George] Access tokens tend to be coarse-grained, and TraTs are fine-grained.
- [George] How these things map for the purpose of bridging authorization domains is interesting
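The shape the group converges on above (a specialised internal authorization server that uses OAuth token exchange to turn an external, coarse-grained access token into a short-lived, fine-grained transaction token that each workload validates locally, with no refresh token and no round trip back to the AS) is sketched below as an added example. It is not code from the working group, from any draft, or from any attendee. The claim names (`txn`, `rctx`), issuer, audience, keys, lifetime and the sample access token are all assumptions made for the illustration, and HMAC-signed JWTs are used only so the example runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# RFC 8693 identifiers used in the token exchange request and response.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

# Assumed keys and identifiers. The front-door AS and the internal transaction
# token service sign with different keys, so an external access token is never
# accepted where a transaction token is expected, and vice versa.
FRONT_DOOR_KEY = b"front-door-as-secret"          # assumption
TRAT_KEY = b"internal-trat-service-secret"        # assumption
TRAT_ISSUER = "https://trat.internal.example"     # assumption
TRAT_AUDIENCE = "internal-workloads"              # assumption
TRAT_LIFETIME_S = 15  # assumption: covers one call chain, not a session


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """HS256 JWT, enough to demonstrate local validation offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_jwt(token, key, now=None):
    """Local validation only: signature and expiry. Raises ValueError on failure."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_unb64url(payload))
    if (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("expired")
    return claims


def issue_transaction_token(form, now=None):
    """Token endpoint of the assumed transaction token service.

    `form` is the parsed token exchange request. The subject token is the
    external access token; the response carries a short-lived transaction
    token scoped to exactly what this transaction needs. Errors are returned
    as OAuth-style error objects rather than raised.
    """
    now = int(time.time()) if now is None else now
    if form.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return {"error": "invalid_request"}
    try:
        access = verify_jwt(form["subject_token"], FRONT_DOOR_KEY, now)
    except (KeyError, ValueError):
        return {"error": "invalid_grant"}
    requested = set(form.get("scope", "").split())
    granted = set(access.get("scope", "").split())
    if not requested or not requested <= granted:
        return {"error": "invalid_scope"}  # a TraT may narrow scope, never widen it
    trat = {
        "iss": TRAT_ISSUER,
        "aud": TRAT_AUDIENCE,
        "sub": access["sub"],
        "iat": now,
        "exp": now + TRAT_LIFETIME_S,
        "txn": str(uuid.uuid4()),                 # assumed claim: one id per transaction
        "scope": " ".join(sorted(requested)),     # fine-grained: this call only
        "rctx": form.get("request_context", {}),  # assumed claim: bound request context
    }
    return {
        "access_token": sign_jwt(trat, TRAT_KEY),
        "issued_token_type": JWT_TOKEN_TYPE,
        "token_type": "N_A",  # RFC 8693: the issued token is not a bearer access token
        "expires_in": TRAT_LIFETIME_S,
    }


def workload_authorize(trat, needed_scope, now=None):
    """Per-RPC check a downstream workload performs: validate the TraT locally
    (signature, expiry, issuer, audience) and check scope, with no call back
    to either authorization server. Returns (ok, txn_or_reason)."""
    try:
        claims = verify_jwt(trat, TRAT_KEY, now)
    except ValueError as exc:
        return False, str(exc)
    if claims.get("iss") != TRAT_ISSUER or claims.get("aud") != TRAT_AUDIENCE:
        return False, "wrong issuer or audience"
    if needed_scope not in claims["scope"].split():
        return False, "insufficient scope"
    return True, claims["txn"]


def constructed_access_token(now):
    """Constructed sample: a coarse-grained external access token from the
    front-door AS, as a user-facing client would present it."""
    return sign_jwt({"iss": "https://login.example", "sub": "user-123",
                     "scope": "orders:read orders:write profile:read",
                     "exp": now + 3600}, FRONT_DOOR_KEY)
```

Two points the code makes concrete: the transaction token service is a token endpoint that speaks a standard grant type but signs with its own key for its own internal audience, so it is a distinct authorization server from the front door rather than a new kind of endpoint; and because the TraT carries the transaction id, the narrowed scope and the bound request context, a workload can authorize each RPC from the signature alone, which is why a short lifetime removes the need for intermediaries to call back to the AS.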