Skip to content

Clarify authentication requriements #239

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Clarify authentication requriements #239

wants to merge 14 commits into from

Conversation

PieterKas
Copy link
Collaborator

Attempt at simplifying both client and server authentication requirements throughout the draft (see #198, #198 and #218)

@PieterKas
Clarify authentication requriements
85fe0c1 
Attempt at simplifying both client and server authentication requirements throughout the draft.
@PieterKas PieterKas requested a review from tulshi as a code owner September 1, 2025 18:17
@PieterKas PieterKas mentioned this pull request Sep 1, 2025
Open
yaronf
yaronf reviewed Sep 1, 2025
View reviewed changes
bc-pi
bc-pi reviewed Sep 5, 2025
View reviewed changes
draft-ietf-oauth-transaction-tokens.md Outdated
Comment on lines 119 to 130
WIMSE:
title: WIMSE Workload to Workload Authentication
target: https://www.ietf.org/archive/id/draft-ietf-wimse-s2s-protocol-06.html
author:
- name: Brian Campbell
org: Ping Identity
- name: Joe Salowey
org: CyberArk
- name: Arndt Schwenkschuster
org: SPIRL
- name: Yaron Sheffer
org: Intuit
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is there reason to not use the I-D.ietf-wimse-s2s-protocol style notation that (hopefully) pulls in a lot of this automatically?

also using the name of the WG for one doc from that WG doesn't seem quite right

Suggested change
WIMSE:
title: WIMSE Workload to Workload Authentication
target: https://www.ietf.org/archive/id/draft-ietf-wimse-s2s-protocol-06.html
author:
- name: Brian Campbell
org: Ping Identity
- name: Joe Salowey
org: CyberArk
- name: Arndt Schwenkschuster
org: SPIRL
- name: Yaron Sheffer
org: Intuit

Copy link
Collaborator Author

@PieterKas PieterKas Sep 8, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If there are better ways to create references, let's use that (I am not a tooling expert).

And yes - agreed on overreach in using the WIMSE tag...

bc-pi
bc-pi suggested changes Sep 5, 2025
View reviewed changes
Copy link
Contributor

@bc-pi bc-pi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @PieterKas, I think this is moving in the right direction. I've got some suggestions - mostly tooling syntax stuff and a few (hopefully) minor things.

@PieterKas PieterKas mentioned this pull request Sep 8, 2025
Open
@PieterKas
Copy link
Collaborator Author

Thanks @bc-pi - I appreciate the review - changes accepted.

@PieterKas PieterKas requested review from yaronf and bc-pi September 8, 2025 10:50
tulshi
tulshi reviewed Sep 9, 2025
View reviewed changes
draft-ietf-oauth-transaction-tokens.md
## Client Authentication
If using the `actor_token` and `actor_token_type` parameters of the OAuth 2.0 Token Exchange specification, both parameters MUST be present in the request. The `actor_token` MUST authenticate the identity of the requesting workload.
## Use of 'actor_token'
If using the `actor_token` and `actor_token_type` parameters of the OAuth 2.0 Token Exchange specification {{RFC8693}}, both parameters MUST be present in the request. The `actor_token` can authenticate the identity of the requesting workload.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a "MAY"?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I want to resolve this as the last open comment before merging. For my own eduication, I am curious about the choice of "can" here vs a normative MUST or MAY.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also am curious. If the actor_token does not identify the identity of the requesting workload then it seems that its use is not for the purpose of client authentication which was the original reason for including the text at all.

bc-pi
bc-pi reviewed Sep 9, 2025
View reviewed changes
bc-pi
bc-pi reviewed Sep 10, 2025
View reviewed changes
@bc-pi bc-pi mentioned this pull request Sep 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yaronf yaronf Awaiting requested review from yaronf

@bc-pi bc-pi Awaiting requested review from bc-pi

@tulshi tulshi Awaiting requested review from tulshi tulshi is a code owner

@gffletch gffletch Awaiting requested review from gffletch

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@PieterKas @gffletch @yaronf @tulshi @bc-pi