Let me see if I can provide more details on the usecase: 1. A tenant is subscribed to SaaS application A and SaaS application B, and both applications are separately managed by different teams in the same organization. No assumption can be made about the trust between those teams. 2. Application A backend is supposed to access Application B. App B also has the authorization server. Both applications expose administration UI for its tenants. 3. App B admin generates client_id and client_secret, and hands them over to App A admin. 4. App A admin enters the client_id and clilent_secret in the UI, so the backend App A can now communicate with/access App B.
#3 exposes client credentials of App B to admins of app A — this is our problem. As stated in #1, we cannot make any assumptions about the level of trust between the two groups. If OAuth2 provided a client credential rotation, this exposure of credentials can be limited to a small time window. The original client_secret can be a one-time-use-bootstrap, that App A backend exchanges for another secret from the authorization server. Generalizing it, the OAuth2 spec can provide for servers to trigger a client_secret rotation. To your analogy, the front-end app can “leak” the credentials during provisioning (it can be a simple copy/paste that the user has to do), thus creating a security issue. But if the credentials are one-time-bootstrap, then first time the front-end app connects to Google drive, drive changes the client_secret for a different one, which then would be used by front-end app in the future. Drive also has the ability to periodically rotate the client_secret in a similar manner. This assumes front-end app cannot access the client_secret once it is provisioned. Is this better? Thanks! -Amarendra -- sent via recycled electrons, from my portable command center. > On Jul 13, 2020, at 1:48 PM, Warren Parad <wpa...@rhosys.ch> wrote: > > I'm not sure if it is just me, but I'm not sure I'm totally following. > > I can see a concrete analogy being that, Tenant application B could be Google > Drive, and Tenant application A being any front end app that wants to offer a > service that saves files in a user's Google Drive. If application A wants to > interact with application B offline then tenant A needs a service > client/secret along with an authorization grant initiated through application > A (currently via UI in OAuth2). > > Whether application A cycles the client secret or not seems like a different > problem. But I think I'm missing something. Given the example I provided, > would you be able to provide more insight into the problem you are seeing? > > Warren Parad > Secure your user data and complete your authorization architecture. Implement > Authress <https://bit.ly/37SSO1p>. > <https://rhosys.ch/> > > On Mon, Jul 13, 2020 at 10:36 PM Amarendra Godbole > <ag=40broadcom....@dmarc.ietf.org <mailto:40broadcom....@dmarc.ietf.org>> > wrote: > Hi All, > > First post to the list, and hopefully I am articulate enough to describe the > problem I am facing — did OAuth ever consider an ability to dynamically > rotate client secret (part of the “client credentials” authorization grant)? > I stumbled across rfc7591 (OAuth 2.0 Dynamic Client Registration Protocol), > but the OAuth 2.0 implementation I am looking at [1], does not support it. I > also found some previous reference to client secret rotation [2], but it does > not discuss my use case. > > We operate a SaaS application A, which is supposed to talk with another SaaS > application B. Our customers subscribe to both, our application A as well as > application B. However, the teams adminstering A and B are separate teams > within the same organization, though we cannot assume the level of trust > between them. Let’s call them Tenant Admin A and Tenant Admin B. In our > usecase, application A is the client for application B, and application B > provides OAuth 2.0 authorization workflows. Now, Tenant Admin A has to > provision the "client credentials” authorization grant — in order to do that, > Tenant Admin B generates the client_id and client_secret, and sends them to > Tenant Admin B. There is the problem — as I earlier stated, we cannot assume > the level of trust between Tenant Admin A and Tenant Admin B, and exchanging > client_id and client_secret now means the circle of trust for application B > includes individuals who may or may not be trusted. > > One thought that occured to me was a provision in OAuth 2.0’s client > credentials grant flow was the ability to “bootstrap” a client application — > basically the client_secret is one-time-use-and-timebound-only, and allows > the client to exchange it for a different client_secret. In our case, this > can be handled by the SaaS application backend, thus making sure the Tenant > Admin A no longer have access to it once they provision the client. This can > be generalized, such that the authZ server can periodically trigger > client_secret rotation, and won’t require manual intervention [3]. As I > stated earlier, rfc7591 talks about this, but but in the context of dynamic > registration. > > Having the client secret rotation a part of the protocol exchange messages, > maybe a bootstrap, would be the ideal solution for our usecase. > > Or the bigger question: Did I misinterpret it all? Looking for guidance from > this list. > > Thanks in advance. > > -Amarendra > > [1] Microsoft Azure > https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types > <https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-app-types> > [2] https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/ > <https://mailarchive.ietf.org/arch/msg/oauth/7ICMSRI2tjfXDD1Bk_G-qNpLy-0/> > [3] Auth0 rotate client secret: > https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret > <https://auth0.com/docs/dashboard/guides/applications/rotate-client-secret> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth > <https://www.ietf.org/mailman/listinfo/oauth> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
