Local Re-Delegation with OAuth
Tuesday 4G
Convener: Alan K.
Notes-taker(s): Alan K.
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
The Problem: Alice gets an access token authorizing her to access a protected resource. She wishes to give Bob an access token with reduced scope to access the same protected resource. There are two RFCs, but both have expired without being adopted. They both work by having Alice present her access token to the Authorization Service, which returns the sub-scope token that Alice can pass to Bob. Alice would like to avoid the round trip to the AS and be able to generate the delegation token when she can’t reach the AS.
Proposal: The basic idea is to generate the delegation token by hashing the original token. Say that Alice has an OAuth bearer token T1. Under this proposal, she can create a separately revocable token with the same scope by hashing, T2 = H(T1). The AS can validate T2 by hashing T1.
We need some additional metadata to make the proposal practical. First, the AS has lots of tokens, so we should tell it which token to hash. We can do that by having T1 associated with a label unique among all the AS’s tokens, call it L1. Now we have T2 = L1 H(T1). (Blank denotes string concatenation.) If we want to produce a sub-scope token, we can list the permissions being delegated. For example, if T1 has Read/Write/Append permissions, we can delegate Read/Append permission with T2 = L1 [R,A] H([R,A] T1).
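The following is an added worked example of the T2 = L1 [R,A] H([R,A] T1) construction above; it is not code from the session or from any OAuth implementation. Everything beyond the formula itself is an assumption made for the example: the AuthorizationServer class and its method names, the "." used as the concatenation separator, the sorted comma-joined scope encoding, SHA-256 as H, and the per-T2 revocation set that models "separately revocable".

```python
import hashlib
import hmac
import secrets

# Added example (not the session's own code) of the hash-derived delegation
# token sketched in the notes.  The class, method names, the "." separator,
# the scope encoding and the choice of SHA-256 are assumptions; the notes only
# fix the shape T2 = L1 [scopes] H([scopes] T1).

SEP = "."  # stands in for the notes' "blank denotes string concatenation"


def _canon(scopes):
    """Sorted, comma-joined scope list so [R,A] and [A,R] hash identically."""
    scopes = set(scopes)
    for s in scopes:
        if not s or SEP in s or "," in s:
            raise ValueError(f"invalid scope name: {s!r}")
    return ",".join(sorted(scopes))


def H(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def derive_delegated(label: str, t1: str, scopes) -> str:
    """Alice's side: build T2 = L1 [scopes] H([scopes] T1) with no AS round trip.

    Only a holder of T1 can produce a valid T2, and T2 does not reveal T1
    (preimage resistance of H), which is why Bob can be handed T2 safely.
    """
    canon = _canon(scopes)
    return SEP.join([label, canon, H(canon + SEP + t1)])


class AuthorizationServer:
    """Holds the original tokens T1 keyed by their unique label L1.

    Only this party can validate a T2: validation means recomputing the hash
    over T1, and a resource server does not hold T1 (the point the group made).
    """

    def __init__(self):
        self._tokens = {}      # label L1 -> (T1, scope set)
        self._revoked = set()  # digests of delegated tokens revoked on their own

    def issue(self, scopes):
        """Issue a fresh bearer token T1 together with its AS-unique label L1."""
        label = f"L{len(self._tokens) + 1}"
        t1 = secrets.token_urlsafe(32)
        self._tokens[label] = (t1, frozenset(scopes))
        return label, t1

    def revoke_delegated(self, t2: str):
        """Revoke one T2 without touching T1 or other delegations derived from it."""
        self._revoked.add(t2.rsplit(SEP, 1)[-1])

    def validate(self, t2: str):
        """Return the effective scope set for T2, or None if T2 is not valid."""
        parts = t2.split(SEP)
        if len(parts) != 3:
            return None
        label, canon, digest = parts
        entry = self._tokens.get(label)
        if entry is None:
            return None  # unknown L1: nothing to hash against
        t1, parent_scopes = entry
        delegated = set(canon.split(",")) if canon else set()
        # A delegation may only narrow the parent's scope, never widen it.
        if not delegated <= parent_scopes:
            return None
        if digest in self._revoked:
            return None
        expected = H(canon + SEP + t1)
        # Constant-time compare so a forged digest cannot be probed byte by byte.
        if not hmac.compare_digest(expected, digest):
            return None
        return delegated


if __name__ == "__main__":
    AS = AuthorizationServer()
    L1, T1 = AS.issue(["R", "W", "A"])        # Alice obtains T1 from the AS
    T2 = derive_delegated(L1, T1, ["R", "A"])  # Alice derives T2 offline for Bob
    print("Bob's effective scope:", AS.validate(T2))
```

The subset check is the part the formula alone does not make explicit: because the scope list travels in the clear inside T2, the AS must confirm that the listed scopes are a subset of T1's before trusting the hash, otherwise a holder of T1 could mint a T2 that claims more than T1 has.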
It’s obvious that the proposal is incomplete, but the consensus from the session was that it might work. One important contribution of the group was to correct a mistake I had made. I had assumed that the Resource Server could validate the delegated tokens, but the group pointed out that only the AS had sufficient information to do that. (Of course, the AS and RS could be tightly coupled.) I would have been in a lot of trouble had I gone ahead with my original idea.
Thanks for the free consulting folks. Your check is in the mail.