From the 2016 Cloud Identity Summit:
Complete with the requisite bad jokes and gratuitous photography, this session will provide an introduction to an emerging new protocol for a lightweight HTTP- and JSON-based Security Token Service built on OAuth 2.0. The presenter, Brian Campbell, is a long-time veteran of the CIS speaking circuit who peaked in 2013 when Vittorio Bertocci tweeted about his session, "I love @__b_c presentations :-) hilarious & very informative!" Attendees expecting this session to live up to that will be sorely disappointed but are encouraged to come nonetheless.
OAuth 2.0 Token Exchange: An STS for the REST of Us
1. An STS for the REST of Us
Brian Campbell
@__b_c
June 2016
OAuth 2.0 Token Exchange
2. Formalities, Introductions, etc.
• Long long time @ Ping
– Product Development & Standards
• Trolling around CIS with a camera since ’11
– Presentations contain many gratuitous photos
4. Formalities, Introductions, etc.
• Not above compromising photos myself
• Slides will be available
– No need to take notes
• Like you were going to anyway…
– at http://www.slideshare.net/briandavidcampbell
– & at https://twitter.com/__b_c
• 2 underscores +
• b +
• 1 underscore +
• c
• Tweeting *not* discouraged
– As long as it’s nice
6. Use Cases
• Trade one token for another (active clients)
– Useful in a wide variety of circumstances
• Access to heterogeneous systems
– Cross domain and otherwise
– Client is a ‘client’
– Microservices!
– Client is reverse proxy or gateway
• Chaining, validation, translation, down-scoping, etc.
• Swiss Army Knife of identity integration
• Proprietary approaches exist
[Diagram: a Client that somehow has a token but needs a different token exchanges it with the AS/STS]
7. What’s in a Name?
OAuth 2.0 Token Exchange: An STS for the REST of Us
• “OAuth 2.0 Token Exchange”
– Respectable part of title
– Says what it is
• The colon
– Hope I used it correctly
• “An STS for the REST of Us”
– Less respectable part of title
– A play on the popular Seinfeld episode that featured “a Festivus for the rest of us”
• “STS”
– Security Token Service
– For “active” clients
• “for the REST of Us”
– A touch of populist rhetoric
– But the good kind
• “REST”
– Okay, not actually RESTful
– But HTTP & JSON based
– (Hopefully) more palatable to contemporary developers
– SEO keyword
8. Shall I Compare Thee to a Parody Holiday?
• Festivus: humorous secular alternative to the commercialism & pressures of the Christmas holiday season
– The Festivus Pole
– The Festivus Dinner
– The Airing of Grievances
– The Feats of Strength
– Festivus Miracles
• OAuth 2.0 Token Exchange: not really like Festivus
– But going to force the comparison anyway
9. The Festivus Pole
• Plain unadorned metal pole
– Quintessential symbol of the anti-consumerist holiday
– “Very high strength-to-weight ratio” - Frank Costanza
• Token Exchange is modest and void of unnecessary layers and options
– Aspiring to be a symbol of anti-complexity
• Mostly stayed true to these aspirations
• “Very high utility-to-complexity ratio” - me
– Extension of the normal interaction with the OAuth token endpoint
• request is a simple HTTP POST with form-encoded parameters
• response is a familiar and easily parsed bit of JSON
12. Festivus Dinner
• Traditional Festivus dinner is meatloaf on a bed of lettuce. Period.
– No alcohol
• Token Exchange is much less prescriptive about what gets consumed and served
– A few new JWT specific claims allowing for delegation semantics
• "act" (Actor)
• "scp" (Scopes)
• "may_act" (May Act For)
– The core protocol is token-type agnostic and can be used with all kind of tokens
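A worked example, added here and not taken from the slides or from the draft's authors: a minimal STS endpoint in Python that handles the form-encoded POST from slide 9 and answers with the JSON response, issuing a JWT that carries the delegation claims from slide 12. It assumes the parameter names and URNs of the IETF token-exchange draft (grant_type, subject_token, subject_token_type, actor_token, actor_token_type, audience, scope, issued_token_type), a single HS256 key shared for the demo, that "scp" is a JSON array of scope strings, and that "may_act" and "act" identify the actor by "sub"; the issuer URL and all tokens are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"   # draft's grant_type URN
JWT = "urn:ietf:params:oauth:token-type:jwt"                 # draft's token-type URN
KEY = b"constructed-demo-hmac-key"  # constructed; a real STS uses per-issuer signing keys

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def sign_jwt(claims):  # toy HS256 JWT, enough to show the claims end to end
    hdr, body = b64u(b'{"alg":"HS256","typ":"JWT"}'), b64u(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    return f"{hdr}.{body}.{b64u(sig)}"

def verify_jwt(token, now):
    hdr, body, sig = token.split(".")
    good = hmac.new(KEY, f"{hdr}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, b64u_dec(sig)):
        raise ValueError("invalid_request: bad signature")
    claims = json.loads(b64u_dec(body))
    if claims.get("exp", 0) <= now:
        raise ValueError("invalid_request: token expired")
    return claims

def token_exchange(form_body, now=None):  # one form-encoded POST in, response dict out
    now = int(time.time()) if now is None else now
    p = {k: v[0] for k, v in parse_qs(form_body).items()}
    if p.get("grant_type") != GRANT or p.get("subject_token_type") != JWT:
        raise ValueError("unsupported_grant_type")
    subject = verify_jwt(p["subject_token"], now)
    scp = p["scope"].split() if "scope" in p else subject.get("scp", [])
    if not set(scp) <= set(subject.get("scp", [])):  # down-scoping only, never up
        raise ValueError("invalid_scope")
    issued = {"iss": "https://as.example", "sub": subject["sub"], "scp": scp,
              "aud": p.get("audience", subject.get("aud")), "exp": now + 300}
    if "actor_token" in p:  # delegation: the actor may act only if the subject said so
        actor = verify_jwt(p["actor_token"], now)
        if subject.get("may_act", {}).get("sub") != actor["sub"]:
            raise ValueError("invalid_request: subject did not authorize this actor")
        issued["act"] = {"sub": actor["sub"]}  # the new token records who is acting
    return {"access_token": sign_jwt(issued), "issued_token_type": JWT,
            "token_type": "Bearer", "expires_in": 300}

if __name__ == "__main__":  # constructed sample: alice's token, delegated to a gateway
    t = int(time.time())
    alice = sign_jwt({"sub": "alice", "scp": ["read", "write"], "may_act": {"sub": "gateway"}, "exp": t + 600})
    gw = sign_jwt({"sub": "gateway", "exp": t + 600})
    req = urlencode({"grant_type": GRANT, "subject_token": alice, "subject_token_type": JWT,
                     "actor_token": gw, "actor_token_type": JWT, "scope": "read"})
    print(json.dumps(token_exchange(req), indent=2))
```

The subject's "may_act" claim is what lets the STS refuse an actor the subject never authorized, and the scope check is what keeps a gateway from trading a narrow token for a wider one.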
14. The Airing of Grievances
• The Airing of Grievances takes place immediately after dinner and consists of each person lashing out at others about how they have been disappointed in the past year
• I was part of the engineering team that added WS-Trust support to PingFederate years ago
– Tremendously useful and flexible but a huge PITA
– I still bear the scars
– Been requested more than once to tone down my own lashing out in the document’s Introduction
25. The Feats of Strength
• The head of the household challenges one person to a wrestling match and Festivus is not over until he/she is pinned
• There's been some wrestling over the syntax and semantics of Token Exchange too
– The entrenched draft
– A more ‘OAuthy’ approach
– So I tried to pick a nerd fight leading up to IETF 93
26. …and IETF 93 was in Prague
Where in the 1600’s the Hapsburg dynasty displayed the severed heads of leaders of the Bohemian uprising on the tower as a deterrent to further resistance
A fitting location for The Feats of Strength…
27. It's a Festivus Miracle!
• Turns out that no wrestling was needed
– Logical respectful discussions
– Compromises reached
– Competing approaches unified (in -03)
• Looking forward
– Standards work is inevitably slow and subject to bumps in the road
– But seems to be relatively stable and have generally broad support
– Implementations… it’s early
– Can live alongside WS-Trust and proprietary approaches
A more peaceful view of Prague