Internet-Draft | Txn-Tokens | August 2023 |
Tulshibagwale, et al. | Expires 5 February 2024 | [Page] |
Transaction Tokens (Txn-Tokens) enable workloads in a trusted domain to ensure that user identity and authorization context of an external programmatic request, such as an API invocation, is preserved and available to all workloads that are invoked as part of processing such a request. Txn-Tokens also enable workloads within the trusted domain to optionally immutably assert to downstream workloads that they were invoked in the call chain of the request.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 5 February 2024.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Modern computing architectures often use multiple independently running components called workloads. In many cases, external invocations through externally visible interfaces such as APIs result in a number of internal workloads being invoked in order to process the external invocation. These workloads often run in virtually or physically isolated networks. These networks and the workloads running within their perimeter may be compromised by attackers through software supply chain, privileged user compromise or other attacks. Workloads compromised through external attacks, malicious insiders or software errors can cause any or all of the following unauthorized actions:¶
The results of these actions are unauthorised access to resources.¶
Transaction Tokens (Txn-Token) are a means to mitigate damage from such attacks or spurious invocations. A valid Txn-Token indicates a valid external invocation. They ensure that the identity of the user or a workload that made the external request is preserved throughout subsequent workload invocations. They preserve any context such as:¶
Cryptographically protected Txn-Token ensure that downstream workloads cannot make unauthorized modifications to such information, and cannot make spurious calls without the presence of an external trigger.¶
Txn-Tokens are short-lived, signed JWTs [RFC7519] that assert the identity of a user or a workload and assert an authorization context. The authorization context provides information expected to remain constant during the execution of a call as it passes through multiple workloads.¶
When necessary, a Txn-Token may include embedded tokens, as described in [JWTEmbeddedTokens]. This is called Nested Txn-Token. This nesting enables workloads in a call chain to assert their invocation during the call chain to downstream workloads.¶
Txn-Tokens are typically created when a workload is invoked using an endpoint that is externally visible, and is authorized using a separate mechanism, such as an OAuth [RFC6749] token or an OpenID Connect [OpenIdConnect] token. We call this token "Leaf Txn-Token". This workload then performs an OAuth 2.0 Token Exchange [RFC8693] to obtain a Txn-Token. To do this, it invokes a special Token Service (the Txn-Token Service) and provides context that is sufficient for it to generate a Txn-Token. This context MAY include:¶
The Txn-Token Service responds to a successful invocation by generating a Txn-Token. The calling workload then uses the Txn-Token to authorize its calls to subsequent workloads. Subsequent workloads may obtain Txn-Tokens of their own.¶
A workload within the call chain of such an external call MAY generate a new Nested Txn-Token. To generate the Nested Txn-Token, it creates a self-signed JWT Embedded Token [JWTEmbeddedTokens] that includes the received Txn-Token by value. Subsequent workloads can therefore know that the signing workload was in the path of the call chain.¶
Txn-Tokens are expected to be short-lived (order of minutes, e.g. 5 minutes), and as a result MAY be used only for the expected duration of an external invocation. If a long-running process such as an batch or offline task is involved, it can use a separate mechanism to perform the external invocation, but the resulting Txn-Token SHALL still be short-lived.¶
Txn-Tokens help prevent spurious invocations by ensuring that a workload receiving an invocation can independently verify the user or workload on whose behalf an external call was made and any context relevant to the processing of the call. Through the presence of additional signatures on the Txn-Token, a workload receiving an invocation can also independently verify that specific workloads were within the path of the call before it was invoked.¶
Figure 1 shows the basic flow of how Txn-Tokens are used in an a multi-workload environment.¶
Figure 2 shows an internal microservice generating a Nested Txn-Token in the flow¶
In the diagram above, steps 1-5 are the same as in Section 2.5.1.¶
An intermediate service may decide to obtain a replacement Txn-Token from the Txn-Token service. That flow is described below in Figure 3¶
In the diagram above, steps 1-5 are the same as in Section 2.5.1¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
An independent computational unit that can autonomously receive and process invocations, and can generate invocations of other workloads. Examples of workloads include containerized microservices, monolithic services and infrastructure services such as managed databases.¶
A virtually or physically separated network, which contains two or more workloads. The workloads within an Trust Domain may be invoked only through published interfaces. A Trust Domain must have a name that is used as the aud
(audience) value in Txn-Tokens.¶
A published interface to an Trust Domain that results in the invocation of a workload within the Trust Domain.¶
A sequence of invocations that results from the invocation of an external endpoint.¶
A signed JWT that has a short lifetime, which provides immutable information about the user or workload, certain parameters of the call and certain contextual attributes of the call. A Txn-Token may contain a nested Txn-Token.¶
A Txn-Token that does not contain a txn_token
claim in its JWT body.¶
A JWT Embedded Token [JWTEmbeddedTokens] that embeds a Txn-Token by value.¶
A JSON object containing a set of claims that represent the immutable context of a call chain.¶
A special service within the Trust Domain, which issues Txn-Tokens to requesting workloads.¶
A Txn-Token is a JSON Web Token [RFC7519] protected by a JSON Web Signature [RFC7515]. The following is true in a Txn-Token:¶
In the JWT Header:¶
typ
claim MUST be present and MUST have the value txn_token
.¶
kid
claim.¶
Figure 4 is a non-normative example of the JWT Header of a Txn-Token¶
The JWT body MUST have the following claims regardless of whether the Txn-Token is a Leaf Txn-Token or a Nested Txn-Token:¶
iss
claim, whose value is a URN [RFC8141] that uniquely identifies the workload or the Txn-Token Service that created the Txn-Token.¶
iat
claim, whose value is the time at which the Txn-Token was created.¶
exp
claim, whose value is the time at which the Txn-Token expires. Note that if this claim is in a Nested Txn-Token, then this exp
value MUST NOT exceed the exp
value of the Txn-Token included in the JWT Body.¶
The following claims MUST be present in the JWT body of a Leaf Txn-Token:¶
tid
claim, whose value is the unique identifier of entire call chain.¶
sub_id
claim, whose value is the unique identifier of the user or workload on whose behalf the call chain is being executed. The format of this claim MAY be a Subject Identifier as specified in [SubjectIdentifiers].¶
azc
claim, whose value is a JSON object that contains values that remain constant in the call chain.¶
Figure 5 shows a non-normative example of the JWT body of a Leaf Txn-Token:¶
A Nested Txn-Token is a JWT Embedded Token [JWTEmbeddedTokens], which embeds a Txn-Token by value. The following claims MUST be present in a Nested Txn-Token:¶
type
claim, whose value is urn:ietf:params:oauth:token-type:txn_token
.¶
token
claim, whose value is an encoded JWT representation of a Txn-Token.¶
Figure 6 shows a non-normative example the JWT body of a nested Txn-Token¶
A workload requests a Txn-Token from a Transaction Token Service using OAuth 2.0 Token Exchange [RFC8693]. The request to obtain a Txn-Token using this method is called a Txn-Token Request, and a success response is called a Txn-Token Response. A Txn-Token Request is a Token Exchange Request, as described in Section 2.1 of [RFC8693] with additional parameters. A Txn-Token Response is a OAuth 2.0 token endpoint response, as described in Section 5 of [RFC6749], where the token_type
in the response has the value txn_token
.¶
The Transaction Token Service acts as an OAuth 2.0 [RFC6749] Authorization Server. The requesting workload acts as the OAuth 2.0 Client, which authenticates itself to the Transaction Token Service through mechanisms defined in OAuth 2.0.¶
A Txn-Token Request is an OAuth 2.0 Token Exchange Request, as described in Section 2.1 of [RFC8693], with an additional parameter in the request. The following is true of the Txn-Token Request:¶
audience
value MUST be set to the Trust Domain name.¶
requested_token_type
value MUST be urn:ietf:params:oauth:token-type:txn_token
.¶
subject_token
value MUST be the external token received by the workload that authorized the call.¶
subject_token_type
value MUST be present and indicate the type of the authorization token present in the subject_token
parameter.¶
The following additional parameter MUST be present in a Txn-Token Request:¶
azc
, whose value is a JSON object. This object contains any information the Transaction Token Service needs to understand the context of the incoming request.¶
Figure 7 shows a non-normative example of a Txn-Token Request.¶
A successful response to a Txn-Token Request by a Transaction Token Service is called a Txn-Token Response. If the Transaction Token Service responds with an error, the error response is as described in Section 5.2 of [RFC6749]. The following is true of a Txn-Token Response:¶
token_type
value MUST be set to txn_token
.¶
access_token
value MUST be the Txn-Token.¶
expires_in
, refresh_token
and scope
.¶
Figure 8 shows a non-normative example of a Txn-Token Response.¶
A workload within a call chain may request the Transaction Token Server to replace a Txn-Token. Replacement Txn-Tokens are Leaf Txn-Tokens.¶
Workloads MAY request replacement Txn-Tokens in order to change (add to, remove or modify) the asserted values within a Txn-Token, to remove nesting and / or reduce token bloat.¶
A Transaction Token Server replacing a Txn-Token must consider that modifying previously asserted values from existing Txn-Tokens can completely negate the benefits of Txn-Tokens. When issuing replacement Txn-Tokens, a Transaction Token Server therefore:¶
To request a replacement Txn-Token, the requester makes a Txn-Token Request Section 6.1 but includes the Txn-Token to be replaced as the value of the subject_token
parameter.¶
A successful response by the Transaction Token Server to a Replacement Txn-Token Request is a Txn-Token Response Section 6.2¶
A Replacement Txn-Token Request MAY include a Nested Txn-Token in its request. If the request is successful, the Transaction Token Server SHALL always respond with a Leaf Txn-Token.¶
If the Replacement Txn-Token Request has a Nested Txn-Token in the request's subject_token
parameter, then the Transaction Token Server MAY include information about services that had signed the Nested Txn-Token that is requested to be replaced.¶
If the Transaction Token Server wishes to include information about any nested Txn-Token signers, then it SHALL include a field named previous_signers
in the azc
value of the Txn-Token that it issues. The value of this field MUST be an array of strings. Each string is the the value of the iss
field of a Nested Txn-Tokens received in the Replacement Txn-Token Request. Note that¶
A workload within a call chain MAY create a Nested Txn-Token. It does so by embedding the Txn-Token it receives by value in a JWT Embedded Token [JWTEmbeddedTokens]. Nested Txn-Tokens are self-signed and not requested from a separate service.¶
The expiration time of a enclosing Txn-Token MUST NOT exceed the expiration time of an embedded Txn-Token.¶
This memo includes no request to IANA.¶
A Transaction Token Service MUST ensure that it authenticates any workloads requesting Txn-Tokens. In order to do so:¶
The requesting workload MUST have a pre-configured location for the Transaction Token Service. It SHOULD rely on mechanisms, such as [Spiffe], to securely authenticate the Transaction Token Service before making a Txn-Token Request.¶
Although Txn-Tokens are short-lived, they may be sender constrained as an additional layer of defence to prevent them from being re-used by a compromised or malicious workload under the control of a hostile actor.¶
When creating Txn-Tokens, the Txn-Token MUST NOT contain the Access Token presented to the resource server. If an Access Token is included in a Txn-Token, an attacker may obtain a Txn-Token, extract the Access Token, and replay it to the Resource Server. Txn-Token expiry does not protect against this attack since the Access Token may remain valid even after the Txn-Token has expired.¶