Hi Sander,
On 11.10.2022 at 08:40, Sander Apweiler wrote:
> Hi Krzysztof,
> last week we had a meeting with service providers and the developers of
> their service about the token exchange mechanism in unity. We had the
> problem that the service did not work with unity anymore after a
> service update. The software is CERN's FTS3 (file transfer service). We
> also found the problem: Using the token exchange mechanism unity
> requires the audience claim, which is clearly written in the manual.
> But in RFC 8693 (OAuth 2.0 Token Exchange), the audience is defined as
> optional. Other IdM solutions like EGI-CheckIn and Indigo IAM (used by
> WLCG) do not require the audience claim for token exchange and CERN FTS
> also does not send this. What is the reason for unity to make it
> mandatory and do you see any possibilities to change this to optional?
> Is it possible to use multiple audiences in the claim if unity requires
> the requesting client_id to be in there? FTS needs to alter the
> audience for delegation on behalf of a user.
All you wrote is correct. For the early use-cases of token exchange back
when it was implemented, we added a simplification which you described
around mandatory audience. The reason is: we have simpler code and have
to worry about AuthZ less :-)
Yes, it should be possible to lift this limitation, as well as allow for
multiple audiences. It won't be a very easy change, but also not super
difficult.
Best,
Krzysztof
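As an added illustration of the two audience policies discussed in this thread (this is example code written here, not Unity's, FTS3's, EGI Check-in's or Indigo IAM's implementation), the Python below validates the `audience` handling of an RFC 8693 token-exchange request under a strict policy like the one Krzysztof describes (audience mandatory, must name the requesting client) and under the RFC's reading (audience optional, may repeat). The `ExchangePolicy`, `Decision`, `validate_exchange` and `build_request` names are this example's own, and the client id, resource identifiers and subject token string are constructed placeholders.

```python
"""RFC 8693 token-exchange: 'audience' required vs. optional (added example)."""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


@dataclass(frozen=True)
class ExchangePolicy:
    """How the authorization server treats the optional 'audience' parameter."""
    require_audience: bool          # reject requests that omit 'audience'
    client_must_be_audience: bool   # the requesting client_id must be listed in it
    known_audiences: frozenset      # resources the server is willing to mint tokens for


# Constructed identifiers for the example; nothing here comes from Unity or FTS3.
KNOWN = frozenset({"fts-client", "https://storage.example.org", "https://dcache.example.org"})

# Strict policy as described in the thread: audience mandatory and it must name the caller.
STRICT = ExchangePolicy(require_audience=True, client_must_be_audience=True, known_audiences=KNOWN)
# RFC 8693 reading: audience optional and repeatable, but still limited to known resources,
# because once the caller may pick arbitrary audiences the server has to do that check itself.
RFC_STYLE = ExchangePolicy(require_audience=False, client_must_be_audience=False, known_audiences=KNOWN)


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str        # OAuth error code plus a short explanation
    audiences: tuple   # 'aud' values the issued token would carry


def validate_exchange(form_body: str, client_id: str, policy: ExchangePolicy) -> Decision:
    """Validate the audience aspects of a token-exchange request sent by `client_id`.

    The subject_token itself is assumed to have been verified elsewhere; only the
    parameters relevant to the audience question are checked here.
    """
    params = parse_qs(form_body, keep_blank_values=True)
    if params.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
        return Decision(False, "unsupported_grant_type", ())
    for required in ("subject_token", "subject_token_type"):
        if not params.get(required, [""])[0]:
            return Decision(False, f"invalid_request: missing {required}", ())

    # parse_qs keeps every repeated 'audience=' parameter, which RFC 8693 allows.
    audiences = tuple(params.get("audience", []))
    if policy.require_audience and not audiences:
        return Decision(False, "invalid_request: audience is required by policy", ())
    if policy.client_must_be_audience and client_id not in audiences:
        return Decision(False, "invalid_target: requesting client not among audiences", ())
    unknown = [a for a in audiences if a not in policy.known_audiences]
    if unknown:
        return Decision(False, f"invalid_target: unknown audience(s) {unknown}", ())
    if not audiences:
        # Assumption of this example: with no audience requested, scope the token to the caller.
        audiences = (client_id,)
    return Decision(True, "ok", audiences)


def build_request(subject_token: str, audiences=()) -> str:
    """Build a form-encoded token-exchange body, repeating 'audience' once per value."""
    fields = [("grant_type", TOKEN_EXCHANGE_GRANT), ("subject_token", subject_token),
              ("subject_token_type", ACCESS_TOKEN_TYPE)]
    fields += [("audience", a) for a in audiences]
    return urlencode(fields)


if __name__ == "__main__":
    # "opaque-subject-token" is a constructed placeholder, not a real token.
    for label, aud in (("no audience", ()),
                       ("caller + storage", ("fts-client", "https://storage.example.org")),
                       ("storage only", ("https://storage.example.org",))):
        body = build_request("opaque-subject-token", aud)
        for name, policy in (("STRICT", STRICT), ("RFC_STYLE", RFC_STYLE)):
            print(f"{label:18} {name:9} -> {validate_exchange(body, 'fts-client', policy)}")
```

The `RFC_STYLE` policy shows where the extra authorization work lands once the audience becomes optional and multi-valued: the server can no longer rely on "the caller asked for itself", so it has to keep its own list of resources it will issue tokens for and reject anything else, which is the simplification the strict mandatory-audience rule was buying.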