Intro and high level architecture #3
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -25,7 +25,7 @@ venue: | |||||
| author: | ||||||
| - | ||||||
| fullname: "Brian Campbell" | ||||||
| organization: "Ping Identity" | ||||||
| email: [email protected] | ||||||
| - | ||||||
| fullname: "Daniel Feldman" | ||||||
|
|
@@ -52,34 +52,83 @@ TODO Abstract | |||||
|
|
||||||
| # Introduction | ||||||
|
|
||||||
| This document defines authentication and authorization in the context of interaction between two workloads. | ||||||
| This is the core component of the WIMSE architecture {{?I-D.ietf-wimse-arch}}. | ||||||
| Assume that Service A needs to call Service B. For simplicity, this document focuses on REST services, | ||||||
| and the service-to-service call consists of a single HTTP request and its response. | ||||||
| We define the credentials that both services should possess and how they are used to protect the HTTP exchange. | ||||||
|
|
||||||
| There are multiple deployment styles in use today, and they result in different security properties. | ||||||
| We propose to address them differently. | ||||||
|
|
||||||
| * Many use cases have various middleboxes inserted between pairs of services, resulting in a transport layer | ||||||
| that is not end-to-end encrypted. We propose to address these use cases by protecting the REST messages at the application | ||||||
| level ({{app-level}}). | ||||||
|
|
||||||
| * The other commonly deployed architecture has a mutual-TLS connection between each pair of services. This setup | ||||||
| can be addressed by a simpler solution ({{mutual-tls}}). | ||||||
|
|
||||||
| It is an explicit goal of this protocol that a service deployment, and in fact a single call chain, | ||||||
|
There was a problem hiding this comment.
Suggested change
or do you indeed mean mTLS + TLS terminating middlebox? If that's the case I propose to rephrase the example to something like "TLS terminating middlebox + mTLS" There was a problem hiding this comment. I meant it exactly like you wrote it: a single multi chain call including both architectures. (Except that maybe the word "architecture" is a bit off here.) |
||||||
| can include both architectures. In other words, Service A can call Service B with mutual TLS protection, | ||||||
| while the next call to Service C is protected at the application level. | ||||||
|
|
||||||
| For application-level protection we currently propose two alternative solutions, one inspired by DPoP {{?RFC9449}} and | ||||||
| one which is a profile of HTTP Message Signatures {{!RFC9421}}. The design team believes that we need to pick | ||||||
| one of these two alternatives for standardization, once we have understood their pros and cons. | ||||||
|
|
||||||
| ## Deployment Architecture and Message Flow | ||||||
|
|
||||||
| Regardless of the transport between the workloads, we assume the following logical architecture: | ||||||
|
|
||||||
| ~~~ aasvg | ||||||
| +------------+ +------------+ | ||||||
| | | | | | ||||||
| | | | Workload B | | ||||||
| | Workload A |==============>| | | ||||||
| | | +------------+ | ||||||
| | | | PEP | | ||||||
| +------------+ +------------+ | ||||||
| ^ ^ | ||||||
| | | | ||||||
| | | | ||||||
| v v | ||||||
| +------------+ +------------+ | ||||||
| | | | | | ||||||
| | Identity | | PDP | | ||||||
| | Server | | (optional) | | ||||||
| | | | | | ||||||
| +------------+ +------------+ | ||||||
| ~~~ | ||||||
|
|
||||||
| The Identity Server provisions credentials to each of the workloads. At least Workload A (and possibly both) must be provisioned | ||||||
arndt-s marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| with a credential before the call can proceed. Details of communication with the Identity Server are out of scope | ||||||
| of this document, however we do describe the credential received by the workload. | ||||||
|
|
||||||
| PEP is a Policy Enforcement Point, the component that allows the call to go through or blocks it. PDP is an optional | ||||||
arndt-s marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| Policy Decision Point, which may be deployed in architectures where policy management is centralized. All details of | ||||||
| policy management and message authorization are out of scope of this document. | ||||||
|
|
||||||
| The high-level message flow is as follows: | ||||||
|
|
||||||
| * Workload A obtains a credential from the Identity Server. This happens periodically, e.g. once every 24 hours. | ||||||
| * Workload A makes a REST call into Workload B. This is a regular REST call, with the additional protection | ||||||
| mechanisms defined below. | ||||||
| * Workload B now authenticates Workload A and decides whether to authorize the call. | ||||||
| In certain architectures, Workload B may need to consult with an external server to decide whether to accept the call. | ||||||
|
|
||||||
| # Conventions and Definitions | ||||||
|
|
||||||
| {::boilerplate bcp14-tagged} | ||||||
|
|
||||||
| # Application Level Service To Service Authentication {#app-level} | ||||||
|
|
||||||
| ## The WIMSE ID Token | ||||||
|
|
||||||
| ## Option 1: DPoP-Inspired Authentication | ||||||
|
|
||||||
| ## Option 2: Authentication Based on HTTP Message Signatures | ||||||
|
|
||||||
| # Using Mutual TLS for Service To Service Authentication {#mutual-tls} | ||||||
|
|
||||||
| # Security Considerations | ||||||
|
|
||||||
|
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should stick to one term - either
workloadorservice. Using these two interchangeably may confuse readers.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. Note that this includes the document's title. Sigh.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On second thoughts, even in the group charter we called it "service to service". I will let others chime in.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm in favor of switching to workload to workload vs service. I feel that the workload term is more generic and its what we are using elsewhere. I believe the way we are using the they are synonymous.