From 9dad41da56620a59c8de0ff41abf85cc93eb3cde Mon Sep 17 00:00:00 2001
From: Arndt
Date: Fri, 11 Oct 2024 15:57:18 +0100
Subject: [PATCH 1/5] add 'wth' claim to WPT to bind WPT to a WIT
---
 draft-ietf-wimse-s2s-protocol.md | 48 +++++++++++++------------------
 1 file changed, 20 insertions(+), 28 deletions(-)
diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md
index b6b44c1..bb259ae 100644
--- a/draft-ietf-wimse-s2s-protocol.md
+++ b/draft-ietf-wimse-s2s-protocol.md
@@ -313,6 +313,8 @@ A WPT contains the following:
 * `exp`: The expiration time of the WIT (as defined in {{Section 4.1.4 of RFC7519}}). WPT lifetimes MUST be short, e.g., on the order of minutes or seconds. * `jti`: A unique identifier for the token.
+ * `wth`: Hash of the Workload Identity Token. The value, as per {{TODO}}, is the base64url encoding of the SHA-256
+ hash of the ASCII encoding of the token's value.
 * `ath`: Hash of the OAuth access token, if present in the request, which might convey end-user identity and authorization context of the request. The value, as per {{Section 4.1 of RFC9449}}, is the base64url encoding of the SHA-256 hash of the ASCII encoding of the access token's value.
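Review bot: The new `wth` bullet never says whether the claim is mandatory, while the validation rule this same commit adds in its last hunk (`@@ -398`) requires the claim to be present; placed right before the explicitly conditional `ath` bullet ("if present in the request"), the claims list on its own reads as if `wth` were optional too. I would add `This claim is REQUIRED.` after the first sentence and say what the hash binds, e.g. `Hash of the Workload Identity Token that this WPT is bound to.` The adjacent `exp` bullet (a context line here, not changed by this commit) still reads "The expiration time of the WIT" although it describes a WPT claim; it is worth correcting to "of the WPT" in the same place, since the WPT lifetime is meant to be much shorter than the WIT's.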
@@ -328,12 +330,13 @@ A WPT contains the following:
 An example WPT might look like the following:
 ~~~ jwt
-eyJ0eXAiOiJ3aW1zZS1wcm9vZitqd3QiLCJhbGciOiJFZERTQSJ9.eyJpc3MiOiJ3aW1z
-ZTovL2V4YW1wbGUuY29tL3NwZWNpZmljLXdvcmtsb2FkIiwiYXVkIjoiaHR0cHM6Ly9zZ
-XJ2aWNlLmV4YW1wbGUuY29tL3BhdGgiLCJleHAiOjE3MTc2MTI4MjAsImp0aSI6Il9fYn
-djNEVTQzNhY2MyTFRDMS1feCIsImF0aCI6IkNMNHdqZnBSbU5mLWJkWUliWUxuVjlkNXJ
-NQVJHd0tZRTEwd1V3ekMwakkifQ.Zq50mcIVTUykQhOBS7lyF93py3q5QOSPIbnI_oESv
-j6zSTWi-p0QNNHpKeB4IAgmC8Mt3dBM_rufwCxiKHSmDA
+eyJhbGciOiJFZERTQSIsInR5cCI6IndpbXNlLXByb29mK2p3dCJ9.eyJhdGgiOiJDTDR3
+amZwUm1OZi1iZFlJYllMblY5ZDVyTUFSR3dLWUUxMHdVd3pDMGpJIiwiYXVkIjoiaHR0c
+HM6Ly9zZXJ2aWNlLmV4YW1wbGUuY29tL3BhdGgiLCJleHAiOjE3Mjg2NTg2NzIsImlzcy
+I6IndpbXNlOi8vZXhhbXBsZS5jb20vc3BlY2lmaWMtd29ya2xvYWQiLCJqdGkiOiI0YjQ
+yYzVmNjExZTJiMWNmYTFkMmM0MWIzYTJmYjc4MiIsInd0aCI6Ii1KaThUbE1ORmszcW16
+bXBBeEJPXzdXLVl1dGNIXzJfZnVGQUZGU1YxUmcifQ.jrUBsDjWMG_FpuhLo3lNC-IBei
+PQXZ4UOuttPdNj8fRmIG4ZDFF9B10y7uGbiNIhbRdpgG_KXEPLHXWnvzLmBA
 ~~~
 {: #example-wpt title="Example Workload Proof Token (WPT)"}
@@ -341,8 +344,8 @@ The decoded JOSE header of the WPT from the example above is shown here:
 ~~~ json
 {
- "typ": "wimse-proof+jwt",
- "alg": "EdDSA"
+ "alg": "EdDSA",
+ "typ": "wimse-proof+jwt"
 }
 ~~~
 {: title="Example WPT JOSE Header"}
@@ -351,11 +354,12 @@ The decoded JWT claims of the WPT from the example above are shown here:
 ~~~ json
 {
- "iss": "wimse://example.com/specific-workload",
- "aud": "https://service.example.com/path",
- "exp": 1717612820,
- "jti": "__bwc4ESC3acc2LTC1-_x",
- "ath": "CL4wjfpRmNf-bdYIbYLnV9d5rMARGwKYE10wUwzC0jI"
+ "ath": "CL4wjfpRmNf-bdYIbYLnV9d5rMARGwKYE10wUwzC0jI",
+ "aud": "https://service.example.com/path",
+ "exp": 1728658672,
+ "iss": "wimse://example.com/specific-workload",
+ "jti": "4b42c5f611e2b1cfa1d2c41b3a2fb782",
+ "wth": "-Ji8TlMNFk3qmzmpAxBO_7W-YutcH_2_fuFAFFSV1Rg"
 }
 ~~~
 {: title="Example WPT Claims"}
@@ -367,21 +371,8 @@ POST /path HTTP/1.1
 Host: service.example.com
 Content-Type: application/json
 Authorization: Bearer 16_mAd0GiwaZokU26_0902100
-Workload-Identity-Token: eyJ0eXAiOiJ3aW1zZS1pZCtqd3QiLCJhbGciOiJFUzI1
- NiIsImtpZCI6Ikp1bmUgNSJ9.eyJpc3MiOiJ3aW1zZTovL2V4YW1wbGUuY29tL3RydXN
- 0ZWQtY2VudHJhbC1hdXRob3JpdHkiLCJleHAiOjE3MTc2MTI0NzAsInN1YiI6IndpbXN
- lOi8vZXhhbXBsZS5jb20vc3BlY2lmaWMtd29ya2xvYWQiLCJqdGkiOiJ4LV8xQ1RMMmN
- jYTNDU0U0Y3diX18iLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU
- 1MTkiLCJ4IjoiX2FtUkMzWXJZYkhoSDFSdFlyTDhjU21URE1oWXRPVVRHNzhjR1RSNWV
- 6ayJ9fX0.rOSUMR8I5WhM5C704l3iVdY0zFqxhugJ8Jo2xo39G7FqUTbwTzAGdpz2lHp
- 6eL1M486XmRgl3uyjj6R_iuzNOA
-Workload-Proof-Token: eyJ0eXAiOiJ3aW1zZS1wcm9vZitqd3QiLCJhbGciOiJFZER
- TQSJ9.eyJpc3MiOiJ3aW1zZTovL2V4YW1wbGUuY29tL3NwZWNpZmljLXdvcmtsb2FkIi
- wiYXVkIjoiaHR0cHM6Ly9zZXJ2aWNlLmV4YW1wbGUuY29tL3BhdGgiLCJleHAiOjE3MT
- c2MTI4MjAsImp0aSI6Il9fYndjNEVTQzNhY2MyTFRDMS1feCIsImF0aCI6IkNMNHdqZn
- BSbU5mLWJkWUliWUxuVjlkNXJNQVJHd0tZRTEwd1V3ekMwakkifQ.Zq50mcIVTUykQhO
- BS7lyF93py3q5QOSPIbnI_oESvj6zSTWi-p0QNNHpKeB4IAgmC8Mt3dBM_rufwCxiKHS
- mDA
+Workload-Identity-Token: eyJ0eXAiOiJ3aW1zZS1pZCtqd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6Ikp1bmUgNSJ9.eyJpc3MiOiJ3aW1zZTovL2V4YW1wbGUuY29tL3RydXN0ZWQtY2VudHJhbC1hdXRob3JpdHkiLCJleHAiOjE3MTc2MTI0NzAsInN1YiI6IndpbXNlOi8vZXhhbXBsZS5jb20vc3BlY2lmaWMtd29ya2xvYWQiLCJqdGkiOiJ4LV8xQ1RMMmNjYTNDU0U0Y3diX18iLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiX2FtUkMzWXJZYkhoSDFSdFlyTDhjU21URE1oWXRPVVRHNzhjR1RSNWV6ayJ9fX0.rOSUMR8I5WhM5C704l3iVdY0zFqxhugJ8Jo2xo39G7FqUTbwTzAGdpz2lHp6eL1M486XmRgl3uyjj6R_iuzNOA
+Workload-Proof-Token: eyJhbGciOiJFZERTQSIsInR5cCI6IndpbXNlLXByb29mK2p3dCJ9.eyJhdGgiOiJDTDR3amZwUm1OZi1iZFlJYllMblY5ZDVyTUFSR3dLWUUxMHdVd3pDMGpJIiwiYXVkIjoiaHR0cHM6Ly9zZXJ2aWNlLmV4YW1wbGUuY29tL3BhdGgiLCJleHAiOjE3Mjg2NTg2NzIsImlzcyI6IndpbXNlOi8vZXhhbXBsZS5jb20vc3BlY2lmaWMtd29ya2xvYWQiLCJqdGkiOiI0YjQyYzVmNjExZTJiMWNmYTFkMmM0MWIzYTJmYjc4MiIsInd0aCI6Ii1KaThUbE1ORmszcW16bXBBeEJPXzdXLVl1dGNIXzJfZnVGQUZGU1YxUmcifQ.jrUBsDjWMG_FpuhLo3lNC-IBeiPQXZ4UOuttPdNj8fRmIG4ZDFF9B10y7uGbiNIhbRdpgG_KXEPLHXWnvzLmBA
 {"do stuff":"please"}
 ~~~
@@ -398,6 +389,7 @@ To validate the WPT in the request, the recipient MUST ensure the following:
 in which the WPT was received, ignoring any query and fragment parts. * The `exp` claim is present and conveys a time that has not passed. WPTs with an expiration time unreasonably far in the future SHOULD be rejected.
+* The `wth` claim is present and matches the hash of the token value conveyed in the `Workload-Identity-Token` header.
 * Optionally, check that the value of the `jti` claim has not been used before in the time window in which the respective WPT would be considered valid. * If presented in conjunction with an OAuth access token, the value of the `ath` claim matches the hash of that token's value.
From 5b9a5ac74f8a05f64a8aa0ef46cd540ea132643a Mon Sep 17 00:00:00 2001
From: Arndt
Date: Fri, 11 Oct 2024 16:00:42 +0100
Subject: [PATCH 2/5] fix link
---
 draft-ietf-wimse-s2s-protocol.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md
index bb259ae..0b2608b 100644
--- a/draft-ietf-wimse-s2s-protocol.md
+++ b/draft-ietf-wimse-s2s-protocol.md
@@ -313,7 +313,7 @@ A WPT contains the following:
 * `exp`: The expiration time of the WIT (as defined in {{Section 4.1.4 of RFC7519}}). WPT lifetimes MUST be short, e.g., on the order of minutes or seconds. * `jti`: A unique identifier for the token.
- * `wth`: Hash of the Workload Identity Token. The value, as per {{TODO}}, is the base64url encoding of the SHA-256
+ * `wth`: Hash of the Workload Identity Token. The value, as defined in {{to-wit}}, is the base64url encoding of the SHA-256
 hash of the ASCII encoding of the token's value. * `ath`: Hash of the OAuth access token, if present in the request, which might convey end-user identity and authorization context of the request. The value, as per {{Section 4.1 of RFC9449}},
From a2d7365cdd7a09583adad16e1743e9baa263c1e0 Mon Sep 17 00:00:00 2001
From: Arndt
Date: Fri, 11 Oct 2024 11:07:41 -0400
Subject: [PATCH 3/5] improve presentation at http message example
---
 draft-ietf-wimse-s2s-protocol.md | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md
index 0b2608b..0efc4a2 100644
--- a/draft-ietf-wimse-s2s-protocol.md
+++ b/draft-ietf-wimse-s2s-protocol.md
@@ -371,8 +371,22 @@ POST /path HTTP/1.1
 Host: service.example.com
 Content-Type: application/json
 Authorization: Bearer 16_mAd0GiwaZokU26_0902100
-Workload-Identity-Token: eyJ0eXAiOiJ3aW1zZS1pZCtqd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6Ikp1bmUgNSJ9.eyJpc3MiOiJ3aW1zZTovL2V4YW1wbGUuY29tL3RydXN0ZWQtY2VudHJhbC1hdXRob3JpdHkiLCJleHAiOjE3MTc2MTI0NzAsInN1YiI6IndpbXNlOi8vZXhhbXBsZS5jb20vc3BlY2lmaWMtd29ya2xvYWQiLCJqdGkiOiJ4LV8xQ1RMMmNjYTNDU0U0Y3diX18iLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkVkMjU1MTkiLCJ4IjoiX2FtUkMzWXJZYkhoSDFSdFlyTDhjU21URE1oWXRPVVRHNzhjR1RSNWV6ayJ9fX0.rOSUMR8I5WhM5C704l3iVdY0zFqxhugJ8Jo2xo39G7FqUTbwTzAGdpz2lHp6eL1M486XmRgl3uyjj6R_iuzNOA
-Workload-Proof-Token: eyJhbGciOiJFZERTQSIsInR5cCI6IndpbXNlLXByb29mK2p3dCJ9.eyJhdGgiOiJDTDR3amZwUm1OZi1iZFlJYllMblY5ZDVyTUFSR3dLWUUxMHdVd3pDMGpJIiwiYXVkIjoiaHR0cHM6Ly9zZXJ2aWNlLmV4YW1wbGUuY29tL3BhdGgiLCJleHAiOjE3Mjg2NTg2NzIsImlzcyI6IndpbXNlOi8vZXhhbXBsZS5jb20vc3BlY2lmaWMtd29ya2xvYWQiLCJqdGkiOiI0YjQyYzVmNjExZTJiMWNmYTFkMmM0MWIzYTJmYjc4MiIsInd0aCI6Ii1KaThUbE1ORmszcW16bXBBeEJPXzdXLVl1dGNIXzJfZnVGQUZGU1YxUmcifQ.jrUBsDjWMG_FpuhLo3lNC-IBeiPQXZ4UOuttPdNj8fRmIG4ZDFF9B10y7uGbiNIhbRdpgG_KXEPLHXWnvzLmBA
+Workload-Identity-Token: eyJ0eXAiOiJ3aW1zZS1pZCtqd3QiLCJhbGciOiJFUzI1
+ NiIsImtpZCI6Ikp1bmUgNSJ9.eyJpc3MiOiJ3aW1zZTovL2V4YW1wbGUuY29tL3RydX
+ N0ZWQtY2VudHJhbC1hdXRob3JpdHkiLCJleHAiOjE3MTc2MTI0NzAsInN1YiI6Indpb
+ XNlOi8vZXhhbXBsZS5jb20vc3BlY2lmaWMtd29ya2xvYWQiLCJqdGkiOiJ4LV8xQ1RM
+ MmNjYTNDU0U0Y3diX18iLCJjbmYiOnsiandrIjp7Imt0eSI6Ik9LUCIsImNydiI6IkV
+ kMjU1MTkiLCJ4IjoiX2FtUkMzWXJZYkhoSDFSdFlyTDhjU21URE1oWXRPVVRHNzhjR1
+ RSNWV6ayJ9fX0.rOSUMR8I5WhM5C704l3iVdY0zFqxhugJ8Jo2xo39G7FqUTbwTzAGd
+ pz2lHp6eL1M486XmRgl3uyjj6R_iuzNOA
+Workload-Proof-Token: eyJhbGciOiJFZERTQSIsInR5cCI6IndpbXNlLXByb29mK2p
+ 3dCJ9.eyJhdGgiOiJDTDR3amZwUm1OZi1iZFlJYllMblY5ZDVyTUFSR3dLWUUxMHdVd
+ 3pDMGpJIiwiYXVkIjoiaHR0cHM6Ly9zZXJ2aWNlLmV4YW1wbGUuY29tL3BhdGgiLCJl
+ eHAiOjE3Mjg2NTg2NzIsImlzcyI6IndpbXNlOi8vZXhhbXBsZS5jb20vc3BlY2lmaWM
+ td29ya2xvYWQiLCJqdGkiOiI0YjQyYzVmNjExZTJiMWNmYTFkMmM0MWIzYTJmYjc4Mi
+ IsInd0aCI6Ii1KaThUbE1ORmszcW16bXBBeEJPXzdXLVl1dGNIXzJfZnVGQUZGU1YxU
+ mcifQ.jrUBsDjWMG_FpuhLo3lNC-IBeiPQXZ4UOuttPdNj8fRmIG4ZDFF9B10y7uGbi
+ NIhbRdpgG_KXEPLHXWnvzLmBA
 {"do stuff":"please"}
 ~~~
From 8654a3802adaea8b72b999ab5a3c7eadc01d7080 Mon Sep 17 00:00:00 2001
From: Arndt
Date: Mon, 14 Oct 2024 11:28:36 +0100
Subject: [PATCH 4/5] add TODO to IANA and editorial changes
---
 draft-ietf-wimse-s2s-protocol.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md
index 0efc4a2..b1d3ff2 100644
--- a/draft-ietf-wimse-s2s-protocol.md
+++ b/draft-ietf-wimse-s2s-protocol.md
@@ -313,8 +313,8 @@ A WPT contains the following:
 * `exp`: The expiration time of the WIT (as defined in {{Section 4.1.4 of RFC7519}}). WPT lifetimes MUST be short, e.g., on the order of minutes or seconds. * `jti`: A unique identifier for the token.
- * `wth`: Hash of the Workload Identity Token. The value, as defined in {{to-wit}}, is the base64url encoding of the SHA-256
- hash of the ASCII encoding of the token's value.
+ * `wth`: Hash of the Workload Identity Token, defined in {{to-wit}}. The value is the base64url encoding of the
+ SHA-256 hash of the ASCII encoding of the token's value.
 * `ath`: Hash of the OAuth access token, if present in the request, which might convey end-user identity and authorization context of the request. The value, as per {{Section 4.1 of RFC9449}}, is the base64url encoding of the SHA-256 hash of the ASCII encoding of the access token's value.
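Review bot: The re-folded `Workload-Identity-Token` and `Workload-Proof-Token` values in the HTTP example now carry line breaks and leading whitespace inside the field values, but the `wth` and `ath` claims are defined as hashes over the ASCII encoding of the token value, and nothing in the example tells an implementer that the folding is presentational rather than part of the value to hash or compare; obsolete line folding of HTTP/1.1 field values is also something recipients may reject outright. I would add one sentence directly after the example, e.g. `Line breaks and leading whitespace within the header field values above are for display purposes only.` The same caveat applies to the folded JWT examples earlier in the document, which are outside this hunk.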
@@ -562,7 +562,7 @@ WITs and certificates with WIMSE identifiers are typically associated with a wor
 TODO: maybe a URI Scheme registration of `wimse` in [URI schemes](https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml) per {{?RFC7595}} but it's only being used in an example right now and might not even be appropriate. Or maybe use an ietf URI scheme a la [URN Namespace for IETF Use](https://www.iana.org/assignments/params/params.xhtml) somehow. Or maybe nothing. Or maybe something else.
-TODO: `tth` and maybe `oth` claim in [JSON Web Token Claims Registry](https://www.iana.org/assignments/jwt/jwt.xhtml)
+TODO: `tth`, `wth` and maybe `oth` claim in [JSON Web Token Claims Registry](https://www.iana.org/assignments/jwt/jwt.xhtml)
 ## Media Type Registration
From 5a6969d1f23d492adfcfb530a5bb97eb1e14876f Mon Sep 17 00:00:00 2001
From: Arndt
Date: Mon, 14 Oct 2024 11:42:46 +0100
Subject: [PATCH 5/5] fix lint
---
 draft-ietf-wimse-s2s-protocol.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md
index b1d3ff2..1714eef 100644
--- a/draft-ietf-wimse-s2s-protocol.md
+++ b/draft-ietf-wimse-s2s-protocol.md
@@ -313,7 +313,7 @@ A WPT contains the following:
 * `exp`: The expiration time of the WIT (as defined in {{Section 4.1.4 of RFC7519}}). WPT lifetimes MUST be short, e.g., on the order of minutes or seconds. * `jti`: A unique identifier for the token.
- * `wth`: Hash of the Workload Identity Token, defined in {{to-wit}}. The value is the base64url encoding of the
+ * `wth`: Hash of the Workload Identity Token, defined in {{to-wit}}. The value is the base64url encoding of the
 SHA-256 hash of the ASCII encoding of the token's value. * `ath`: Hash of the OAuth access token, if present in the request, which might convey end-user identity and authorization context of the request. The value, as per {{Section 4.1 of RFC9449}},