Re: [OAUTH-WG] Tenancy in OAuth

2021-01-14 Thread Vladimir Dzhuvinov
On 13/01/2021 12:10, Jaap Francke wrote:
> Thanks Justin and Vladimir for your guidance!
>
> The resource indicator approach seems to have the best fit for my use case.
> It addresses my coarse/mid-grained use case, without bringing the complexity 
> of the fine-grained RAR approach.
> Encoding the tenant into scope values remains an option as well.
> Ensuring the token validation is implemented properly is indeed a point of 
> attention.
>
> Meanwhile I've been looking into OAuth/OIDC specs for client registration. 
> It may also be useful to extend the client's metadata with 'resource' to bind 
> the specific client to a specific tenant(s).
> Would that make sense to you as well?

If that makes sense in your scenario, then why not. We have the "scope"
client metadata field, which was intended for that purpose, but relating
to the scope authZ parameter.

https://tools.ietf.org/html/rfc7591#section-2

>scope
>   String containing a space-separated list of scope values (as
>   described in Section 3.3 of OAuth 2.0 [RFC6749]) that the client
>   can use when requesting access tokens.  The semantics of values in
>   this list are service specific.  If omitted, an authorization
>   server MAY register a client with a default set of scopes.


Vladimir


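What the authorization-server side of Jaap's question looks like, as an added example that is not code from the thread or from any OAuth product: a client registry holding the RFC 7591 "scope" metadata quoted above and, as the extension Jaap floats, a "resource" list that neither RFC 7591 nor RFC 8707 defines (treated here purely as an assumption). The token endpoint then refuses scope values and resource indicators the client was not registered for, answering with the RFC 6749 "invalid_scope" and the RFC 8707 "invalid_target" error codes, and reflects the accepted resource into "aud" so that the tenant binding is visible to the resource server. Client IDs, scope strings, tenant URIs, the "tenant:operation" scope layout and the issuer are all constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed client registry, as an AS would hold it after RFC 7591 dynamic
# registration. 'scope' is the RFC 7591 metadata field. 'resource' is NOT a
# metadata field defined by RFC 7591 or RFC 8707; it is the extension the
# thread floats, assumed here for illustration.
REGISTERED_CLIENTS = {
    "acme-portal": {
        "client_name": "Acme customer portal",
        "scope": "orders.read orders.write",
        "resource": ["https://api.example.com/tenants/acme"],
    },
    "legacy-reporting": {
        "client_name": "Legacy reporting job, tenant encoded in the scope value",
        "scope": "acme:orders.read",
    },
}


class AuthorizationError(Exception):
    """Carries the OAuth error code the token endpoint would return."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def validate_resource_uri(value):
    """RFC 8707 section 2: a resource indicator is an absolute URI without a
    fragment; anything else is answered with invalid_target."""
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc or parts.fragment:
        raise AuthorizationError("invalid_target", f"malformed resource {value!r}")
    return value


def issue_token(client_id, requested_scope="", requested_resources=()):
    """Token-endpoint policy: grant only scopes and resources the client
    registered for. Returns the claims the AS would put into the token."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None:
        raise AuthorizationError("invalid_client", "unknown client")

    registered = set(client["scope"].split())
    requested = set(requested_scope.split()) or registered  # RFC 6749 3.3 default
    if not requested <= registered:
        raise AuthorizationError(
            "invalid_scope", f"not registered for {sorted(requested - registered)}")

    allowed = client.get("resource", [])
    resources = [validate_resource_uri(r) for r in requested_resources]
    for r in resources:
        if r not in allowed:
            raise AuthorizationError("invalid_target", f"client is not bound to {r}")
    if not resources:
        resources = list(allowed)  # policy choice here: default to every bound tenant

    claims = {"iss": "https://as.example.com", "client_id": client_id,
              "scope": " ".join(sorted(requested))}
    if resources:
        claims["aud"] = resources  # the resource indicator becomes the token audience
    return claims
```

The same registry check matters for the scope-encoded variant: without the per-client "scope" restriction, any client could ask for "globex:orders.read" and walk away with a token for another tenant, so binding the client to its tenant(s) happens at registration whichever encoding the token uses.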

Re: [OAUTH-WG] Tenancy in OAuth

2021-01-13 Thread Jaap Francke
Thanks Justin and Vladimir for your guidance!

The resource indicator approach seems to have the best fit for my use case.
It addresses my coarse/mid-grained use case, without bringing the complexity of 
the fine-grained RAR approach.
Encoding the tenant into scope values remains an option as well.
Ensuring the token validation is implemented properly is indeed a point of 
attention.

Meanwhile I've been looking into OAuth/OIDC specs for client registration. 
It may also be useful to extend the client's metadata with 'resource' to bind 
the specific client to a specific tenant(s).
Would that make sense to you as well?

Great feedback, kind regards, 
Jaap



Re: [OAUTH-WG] Tenancy in OAuth

2021-01-12 Thread Vladimir Dzhuvinov
Hello Jaap,

Justin made a good overview of the available OAuth facilities when
dealing with multiple resource servers or resource server tenants.

If you have control over the resource server, i.e. the token validation
is going to happen in one place, then you have plenty of freedom to find
out what will work best for you, semantically and in terms of the
available OAuth server.

In cases when the resources are left to implement the token validation
on their own my preferred approach is to encode the resource server
identity (tenant) into the scope values. Access is defined in one place
and I don't have to worry about the developer accidentally forgetting
the "resource" or "aud(ience)" check.

Vladimir


-- 
Vladimir Dzhuvinov



___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


Re: [OAUTH-WG] Tenancy in OAuth

2021-01-12 Thread Justin Richer
Hi Jaap,

There have been a number of efforts to address this kind of thing in the OAuth 
world. You can definitely use a special scope to encode this value, which has 
the benefit of fitting into the implementation limitations of nearly all OAuth 
systems out there. The “resource” parameter can also be used for this kind of 
thing, and it gives you a bucket that’s separate from “scope” so that you can 
keep the latter available for describing the API itself:

https://tools.ietf.org/html/rfc8707 

There’s also the Rich Authorization Request (RAR) draft that this group is 
currently working on, which provides a multi-dimensional way to describe 
access. It’s more complex than scopes, but it boils down to having JSON objects 
describe the elements needed. In this case you might put the API bits into the 
“actions” and “datatypes” fields, and put the tenant information into the 
“locations” field. I believe there are people using it in exactly this way 
today:

https://tools.ietf.org/html/draft-ietf-oauth-rar-03 


There are also some historical efforts to address this, including an “audience” 
and a (completely separate) “aud” parameter, but AFAIK neither of these have 
been raised to standard or even to common practice, and so I wouldn’t recommend 
it. I currently have a project to migrate a system that’s currently using one 
of these onto RAR.

 — Justin

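The three encodings Justin lists above (tenant in a scope value, tenant as an RFC 8707 resource indicator, tenant in the RAR "locations" field), checked on the resource-server side, as an added example that is not code from the thread or from any of the posters. It also makes Vladimir's point from his 12 January reply concrete: with the resource-indicator approach the tenant binding lives in "aud" and the resource server has to remember to compare it, whereas with the scope-encoded tenant the comparison is the scope check itself. Everything here is constructed: the HS256 shared key (a real resource server verifies against the AS's published keys), the tenant URIs, the "tenant:operation" scope layout, the claim values, and the authorization_details shape, which follows the "locations", "actions" and "datatypes" fields of draft-ietf-oauth-rar-03.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values; a real RS verifies against the AS's published asymmetric
# keys and uses its own tenant resource URIs.
DEMO_KEY = b"demo-shared-secret-for-this-example-only"
TENANT_ACME = "https://api.example.com/tenants/acme"
TENANT_GLOBEX = "https://api.example.com/tenants/globex"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims, key):
    """Stand-in for the AS: an HS256 JWS so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token, key, now=None):
    """Signature and expiry only; which tenant the token is good for is
    decided separately by the authorize_* functions below."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; the token does not choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def _audiences(claims):
    aud = claims.get("aud", [])  # JWT 'aud' may be a string or an array
    return {aud} if isinstance(aud, str) else set(aud)

def _scopes(claims):
    return set(claims.get("scope", "").split())

def authorize_by_audience(token, key, my_resource, api_scope, now=None):
    """RFC 8707 style: the tenant is the resource indicator the AS put in
    'aud'; 'scope' names only the API operation. Drop the 'aud' comparison
    and an acme token is accepted at globex."""
    claims = verify_token(token, key, now)
    return my_resource in _audiences(claims) and api_scope in _scopes(claims)

def authorize_by_scope(token, key, tenant_id, api_scope, now=None):
    """Scope-encoded tenant: the RS for tenant_id requires the literal value
    '<tenant>:<operation>', so there is no separate audience check to forget."""
    claims = verify_token(token, key, now)
    return f"{tenant_id}:{api_scope}" in _scopes(claims)

def authorize_by_rar(token, key, my_resource, action, datatype, now=None):
    """draft-ietf-oauth-rar-03 style: some authorization_details entry must
    list this RS in 'locations' and grant the action on the datatype."""
    claims = verify_token(token, key, now)
    return any(
        my_resource in d.get("locations", [])
        and action in d.get("actions", [])
        and datatype in d.get("datatypes", [])
        for d in claims.get("authorization_details", [])
    )

def demo_token(now):
    """Constructed token carrying all three encodings for tenant acme."""
    claims = {
        "iss": "https://as.example.com", "sub": "user-123", "exp": now + 300,
        "aud": [TENANT_ACME],
        "scope": "orders.read acme:orders.read",
        "authorization_details": [{"type": "orders", "locations": [TENANT_ACME],
                                   "actions": ["read"], "datatypes": ["order"]}],
    }
    return mint_token(claims, DEMO_KEY)

def swap_audience(token, new_aud):
    """Re-encode the payload with a different 'aud' but keep the old signature:
    what an attacker without the key can do. verify_token must reject it."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["aud"] = new_aud
    return f"{header_b64}.{_b64url(json.dumps(claims).encode())}.{sig_b64}"
```

Two details worth keeping whichever encoding you pick: the "alg" is pinned by the verifier rather than read from the token, and the signature comparison is constant-time. The tenant comparison itself is an exact match on a full value, never a prefix or substring test on the scope string, which is what makes "acme:orders.read" and "acme-old:orders.read" distinct.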


[OAUTH-WG] Tenancy in OAuth

2021-01-12 Thread Jaap Francke
Hi,

I’m looking into the topic of tenancy. A multi-tenant service can be considered 
as an OAuth Resource Server managing resources of different tenants.
An AS makes authorization decisions and communicates these using scopes, so one 
way would be to ‘encode’ the tenant into the scope values.
Another line of thought is to somehow bind/restrict an access token to a certain 
tenant, leaving the set of scopes being used more static.

My question is whether this has been a topic that has been addressed in the 
OAuth working group? Any common practice or draft?
Thanks in advance for your replies.

Kind regards,

Jaap Francke
Product Manager Identity
+31(0)641495324
mendix.com