Thanks Watson, I created https://github.com/oauth-wg/oauth-identity-chaining/issues/170 to try and track this.
On Sun, Aug 31, 2025 at 10:18 AM Watson Ladd <watsonbl...@gmail.com> wrote:

> On Sun, Aug 31, 2025 at 9:07 AM Brian Campbell <bcampb...@pingidentity.com> wrote:
> >
> > Can you say what you would have expected or liked to have seen in the security considerations or elsewhere about it?
>
> I would like to see something in the security considerations addressing it. What those contents are that would be useful I don't really know: a lot depends on what people expect around the usage of the mechanism. It's one thing to map e.g. email addresses that are unique across an organization to ID numbers that are also unique. It's another to rewrite a number of attributes that might impact the abilities the tokens can be used for on the other side, especially if the set of attributes is dynamic.
>
> I think something along the lines of "When rewriting token attributes, it's important that both the place where the attributes are given and where they are interpreted agree on the semantics and that the access controls are consistent", but not sure what the exact words should be.
>
> > Some form of claims transcription, sometimes by other names like mapping or linking, is extremely common in cross domain token swapping scenarios like this and SSO type scenarios in general. I think it's a largely unwritten thing that some of the contributors thought would be worthwhile to give some treatment to in the draft. There's always opportunity to improve that treatment though.
>
> It is common, and in my experience terrible. The one time I've actually had to deal with it was with hooking up a GitHub action to deposit the result in a Google Cloud Storage directory, and I just copy pasted examples and settings and removed restrictions until it worked. Near zero debuggability when it wasn't working. My hope is that at worst, even if we can't solve it, we can call attention to it.
>
> > On Wed, Aug 27, 2025 at 8:44 AM Watson Ladd <watsonbl...@gmail.com> wrote:
> >>
> >> Dear oauth WG,
> >>
> >> I read the draft-ietf-oauth-identity-chaining, and have some concerns about the security considerations section. As it stands it seems to completely ignore the security issues associated with mapping and restricting attributes and assuming that this will work on the other side of the transition. Section 2.5 describes reasons this process might exist, but there's no guidance on what this looks like or the need for both domains A and B to agree on the meaning of the attributes that are being rewritten.
> >>
> >> Sincerely,
> >> Watson
> >>
> >> ---
> >> Astra mortemque praestare gradatim
> >>
> >> _______________________________________________
> >> OAuth mailing list -- oauth@ietf.org
> >> To unsubscribe send an email to oauth-le...@ietf.org
> >
> > CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>
> --
> Astra mortemque praestare gradatim
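As an added illustration of the point being discussed (this is example code, not text from draft-ietf-oauth-identity-chaining and not anything posted in this thread), the snippet below shows what an explicit claims transcription between two domains can look like when both sides have agreed on the mapping up front: a unique email address in domain A becomes a unique ID in domain B via a directory lookup, an authorization-bearing attribute (group membership) is rewritten only into a closed vocabulary of roles domain B understands, anything without an agreed meaning is never forwarded, and every decision is recorded so a failing exchange can be explained rather than "fixed" by removing restrictions. The directory, the group-to-role table, the claim names and all sample values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Optional


@dataclass(frozen=True)
class ClaimRule:
    """One mapping both domains have agreed on: a claim in domain A's token
    becomes a claim domain B knows how to interpret."""
    source: str                              # claim name as issued by domain A
    target: str                              # claim name domain B expects
    transform: Callable[[Any], Any]          # returns None when A's value has no agreed B value
    allowed: Optional[frozenset] = None      # closed vocabulary B accepts, if any


@dataclass
class Transcription:
    """Rewritten claims plus a record of every decision taken on the way."""
    claims: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)   # A-claims with no agreed mapping (not forwarded)
    errors: list = field(default_factory=list)    # mappings that produced nothing B understands


# Constructed sample agreement between the two domains (hypothetical data).
USER_DIRECTORY = {"alice@example.com": "u-1001", "bob@example.com": "u-1002"}
GROUP_TO_ROLE = {"eng-admins": "storage.admin", "eng": "storage.viewer"}
B_ROLES = frozenset(GROUP_TO_ROLE.values())


def groups_to_roles(groups):
    # Unknown group names pass through unchanged so the vocabulary check in
    # transcribe() rejects them; silently discarding them would hide a policy mismatch.
    return [GROUP_TO_ROLE.get(g, g) for g in groups]


RULES = (
    ClaimRule("email", "sub", USER_DIRECTORY.get),                   # unique email -> unique id
    ClaimRule("groups", "roles", groups_to_roles, allowed=B_ROLES),  # authorization-bearing claim
)


def transcribe(token_a_claims, rules=RULES):
    """Rewrite domain A claims into domain B claims under the agreed rules.
    Fails closed: anything without an agreed meaning in B is never forwarded."""
    result = Transcription()
    by_source = {rule.source: rule for rule in rules}
    for name, value in token_a_claims.items():
        rule = by_source.get(name)
        if rule is None:
            result.dropped.append(name)          # no agreement on what this means in B
            continue
        mapped = rule.transform(value)
        if mapped is None or mapped == []:
            result.errors.append(f"{name}={value!r}: no agreed value in domain B")
            continue
        if rule.allowed is not None:
            values = mapped if isinstance(mapped, list) else [mapped]
            unknown = [v for v in values if v not in rule.allowed]
            if unknown:
                result.errors.append(f"{rule.target}: {unknown} not in domain B vocabulary")
                continue
        result.claims[rule.target] = mapped
    return result


def claims_for_domain_b(token_a_claims):
    """Return the claims to place in B's token, or None if the exchange must be refused."""
    result = transcribe(token_a_claims)
    return None if result.errors else result.claims


if __name__ == "__main__":
    # Constructed sample token claims from domain A; "contractors" has no agreed role in B.
    sample = {"email": "alice@example.com", "groups": ["eng-admins", "contractors"], "department": "R&D"}
    outcome = transcribe(sample)
    print("forwarded:", outcome.claims)
    print("dropped:  ", outcome.dropped)
    print("errors:   ", outcome.errors)
```

The design choice worth noting is that the mapping is a single shared table rather than ad hoc rewriting on one side, and that an unexpected value in an authorization-bearing claim refuses the whole exchange instead of forwarding a partial set of roles; the `dropped` and `errors` lists are what you would log to make a refused exchange diagnosable.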