Push-Based SET Token Delivery Using HTTPAmazonrichanna@amazon.comMicrosoftmbj@microsoft.comhttp://self-issued.info/Googlemscurtescu@google.comCiscomorteza.ansari@cisco.comMicrosofttonynad@microsoft.com
Security
Security Events Working GroupInternet-Draft
This specification defines how a Security Event Token (SET)
may be delivered to an intended recipient using HTTP POST.
The SET is transmitted in the body of an HTTP POST reqest to an
endpoint operated by the recipient, and the recipient indicates
successful or failed transmission via the HTTP response.
This specification defines a mechanism by which a holder of a
Security Event Token (SET) may deliver
the SET to an intended recipient via HTTP POST.
Push-Based SET Delivery over HTTP POST is intended for scenarios where all of
the following apply:
The holder of the SET is capable of making outbound HTTP requests.
The recipient is capable of hosting an HTTP endpoint that is accessible
to the transmitter.
The transmitter and recipient are known to one another.
The transmitter and recipient have an out-of-band mechanism for exchanging
configuration metadata such as endpoint URLs and security key parameters.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14
when, and only when, they appear in all capitals, as shown here.
Throughout this documents all figures may contain spaces and
extra
line-wrapping for readability and space limitations.
This specification utilizes terminology defined in ,
as well as the terms defined below:
An entity that delivers SETs in its possession to one or more SET
Receivers.
An entity that operates an endpoint where it expects to receive
SETs from one or more SET Transmitters.
To deliver a SET to a given SET Receiver, the SET Transmitter
makes a SET Transmission Request to the SET Receiver, with the SET
itself contained within the request. The SET Receiver replies to
this request with a response either acknowledging successful
transmission of the SET, or indicating that an error occurred
while receiving, parsing, and/or validating the SET.
Upon receipt of a SET, the SET Receiver SHALL validate that all of
the following are true:
The SET Receiver can parse the SET.
The SET is authentic (i.e. it was issued by the issuer
specified within the SET).
The SET Receiver is identified as the intended audience of
the SET.
The mechanisms by which the SET Receiver performs this validation
are out-of-scope for this document. SET parsing and issuer and
audience identification are defined in .
The mechanism for validating the authenticity of a SET is implementation
specific, and may vary depending on the authentication mechanisms in
use, and whether the SET is signed and/or encrypted (See ).
The SET Receiver SHOULD ensure that the SET is persisted in a way that
is sufficient to meet the SET Receiver's own reliability requirements,
and MUST NOT expect or depend on a SET Transmitter to re-transmit or
otherwise make available to the SET Receiver a SET once the SET Receiver
acknowledges that it was received successfully.
Once the SET has been validated and persisted, the SET Receiver SHOULD
immediately return a response indicating that the SET was successfully
delivered. The SET Receiver SHOULD NOT perform extensive business logic that
processes the event expressed by the SET prior to sending this response.
Such logic SHOULD be executed asynchronously from delivery, in order to
minimize the expense and impact of SET delivery on the SET Transmitter.
The SET Transmitter SHOULD NOT re-transmit a SET, unless the response from
the SET Receiver in previous transmissions indicated a potentially recoverable
error (such as server unavailability that may be transient, or a decryption
failure that may be due to misconfigured keys on the SET Receiver's side). In
the latter case, the SET Transmitter MAY re-transmit a SET, after an appropriate
delay to avoid overwhelming the SET Receiver (see ).
The SET Transmitter MAY provide an out-of-band mechanism by which a SET Receiver
may be notified of delivery failures, and MAY retain SETs that it failed to
deliver and make them available to the SET Receiver via other means.
To transmit a SET to a SET Receiver, the SET Transmitter makes
an HTTP POST request to an HTTP endpoint provided by the SET Receiver. The
Content-Type header of this request MUST
be "application/secevent+jwt" as defined in
Sections 2.2 and 6.2 of RFC8417, and the
Accept header MUST be "application/json". The
request body MUST consist of the SET itself, represented as a
JWT.
The mechanisms by which the SET Transmitter determines the HTTP endpoint to
use when transmitting a SET to a given SET Receiver are not defined by this
specification and may be implementation-specific.
The following is a non-normative example of a SET transmission request:
POST /Events HTTP/1.1
Host: notify.examplerp.com
Accept: application/json
Content-Type: application/secevent+jwt
eyJhbGciOiJub25lIn0
.
eyJwdWJsaXNoZXJVcmkiOiJodHRwczovL3NjaW0uZXhhbXBsZS5jb20iLCJmZWV
kVXJpcyI6WyJodHRwczovL2podWIuZXhhbXBsZS5jb20vRmVlZHMvOThkNTI0Nj
FmYTViYmM4Nzk1OTNiNzc1NCIsImh0dHBzOi8vamh1Yi5leGFtcGxlLmNvbS9GZ
WVkcy81ZDc2MDQ1MTZiMWQwODY0MWQ3Njc2ZWU3Il0sInJlc291cmNlVXJpcyI6
WyJodHRwczovL3NjaW0uZXhhbXBsZS5jb20vVXNlcnMvNDRmNjE0MmRmOTZiZDZ
hYjYxZTc1MjFkOSJdLCJldmVudFR5cGVzIjpbIkNSRUFURSJdLCJhdHRyaWJ1dG
VzIjpbImlkIiwibmFtZSIsInVzZXJOYW1lIiwicGFzc3dvcmQiLCJlbWFpbHMiX
SwidmFsdWVzIjp7ImVtYWlscyI6W3sidHlwZSI6IndvcmsiLCJ2YWx1ZSI6Impk
b2VAZXhhbXBsZS5jb20ifV0sInBhc3N3b3JkIjoibm90NHUybm8iLCJ1c2VyTmF
tZSI6Impkb2UiLCJpZCI6IjQ0ZjYxNDJkZjk2YmQ2YWI2MWU3NTIxZDkiLCJuYW
1lIjp7ImdpdmVuTmFtZSI6IkpvaG4iLCJmYW1pbHlOYW1lIjoiRG9lIn19fQ
.If the SET is determined to be valid, the SET Receiver SHALL
"acknowledge" successful transmission by responding with HTTP
Response Status Code 202 (see Section
6.3.3 of RFC7231). The body of the response MUST be empty.
The following is a non-normative example of a successful
receipt of a SET.HTTP/1.1 202 AcceptedNote that the purpose of the "acknowledgement" response is to let the
SET Transmitter know that a SET has been delivered and the
information no longer needs to be retained by the SET Transmitter.
Before acknowledgement, SET Receivers SHOULD ensure they have
validated received SETs and retained them in a manner appropriate
to information retention requirements appropriate to the SET
event types signaled. The level and method of retention of SETs
by SET Receivers is out-of-scope of this specification.In the event of a general HTTP error condition, the SET Receiver
MAY respond with an appropriate HTTP Status Code as defined in
Section 6 of RFC7231.
When the SET Receiver detects an error parsing or
validating a SET transmitted in a SET Transmission Request,
the SET Receiver SHALL respond with an HTTP Response Status Code
of 400. The Content-Type header of this
response MUST be "application/json", and the body MUST be a JSON
object containing the following name/value pairs:
A Security Event Token Error Code (see ).
Human-readable text that describes the error and MAY contain
additional diagnostic information.
The following is an example non-normative error
response.HTTP/1.1 400 Bad Request
Content-Type: application/json
{
"err":"dup",
"description":"SET already received. Ignored."
}Security Event Token Delivery Error Codes are strings that identify a
specific type of error that may occur when parsing or validating a SET.
Every Security Event Token Delivery Error Code MUST have a unique name
registered in the IANA "Security Event Token Delivery Error Codes"
registry established by .The following table presents the initial set of Error Codes that are registered
in the IANA "Security Event Token Delivery Error Codes" registry:Error CodeDescriptionjsonInvalid JSON object.jwtParseInvalid or unparsable JWT or JSON structure.jwtHdrIn invalid JWT header was detected.jwtCryptoUnable to parse due to unsupported algorithm.jwsSignature was not validated.jweUnable to decrypt JWE encoded data.jwtAudInvalid audience value.jwtIssIssuer not recognized.setTypeAn unexpected Event type was received.setParseInvalid structure was encountered such as an
inability to parse or an incomplete set of Event claims.setDataSET event claims incomplete or invalid.dupA duplicate SET was received and has been ignored.The SET delivery method described in this specification is
based upon HTTP and depends on the use of TLS and/or standard
HTTP authentication and authorization schemes as per
.
Because SET Delivery describes a simple function, authorization
for the ability to pick-up or deliver SETs can be derived by
considering the identity of the SET issuer, or via other employed
authentication methods. Because SETs are
not commands (see ), SET Receivers are free to ignore SETs that
are not of interest.
Delivery reliability requirements may vary from implementation to
implementation. This specification defines the response from the SET
Receiver in such a way as to provide the SET Transmitter with the
information necessary to determine what further action is required,
if any, in order to meet their requirements. SET Transmitters with
high reliability requirements may be tempted to always retry failed
transmissions, however it should be noted that for many types of SET
delivery errors, a retry is extremely unlikely to be successful. For
example, json, jwtParse,
and setParse all indicate structural errors
in the content of the SET that are likely to remain when re-transmitting
the same SET. Others such as jws or
jwe may be transient, for example if
cryptographic material has not been properly distributed to the SET
Receiver's systems.
Implementers SHOULD evaluate their reliability requirements and the
impact of various retry mechanisms on the performance of their systems
to determine the correct strategy for various error conditions.
In scenarios where HTTP authorization or TLS mutual authentication
are not used or are considered weak, JWS signed SETs SHOULD be
used (see and
Security Considerations). This enables the SET Receiver
to validate that the SET issuer is authorized to deliver SETs.
SETs contain sensitive information that is considered PII
(e.g. subject claims). Therefore, SET Transmitters and
SET Receivers MUST require the use of a transport-layer
security mechanism. Event delivery endpoints MUST support TLS
1.2 and MAY support additional
transport-layer mechanisms meeting its security requirements.
When using TLS, the client MUST perform a TLS/SSL server
certificate check, per . Implementation
security considerations for TLS can be found in "Recommendations for
Secure Use of TLS and DTLS" .
The SET Receiver may be vulnerable to a denial-of-service attack where a
malicious party makes a high volume of requests containing invalid SETs,
causing the endpoint to expend significant resources on cryptographic
operations that are bound to fail. This may be mitigated by authenticating
SET Transmitters with a mechanism with low runtime overhead, such as mutual
TLS or statically assigned bearer tokens.
At the time of receipt, the SET Receiver can rely upon transport layer
mechanisms, HTTP authentication methods, and/or other context from the
transmission request to authenticate the SET Transmitter and validate the
authenticity of the SET. However, this context is typically unavailable to
systems that the SET Receiver forwards the SET onto, or to systems that
retrieve the SET from storage. If the SET Receiver requires the ability to
validate SET authenticity outside of the context of the transmission request,
then the SET Transmitter SHOULD sign the SET in accordance with ,
or encrypt it using an authenticated encryption scheme in accordance with .
If a SET needs to be retained for audit purposes, JWS MAY
be used to provide verification of its authenticity.When sharing personally identifiable information or information
that is otherwise considered confidential to affected users, SET
Transmitters and Receivers MUST have the appropriate legal agreements
and user consent or terms of service in place.The propagation of subject identifiers can be perceived as personally
identifiable information. Where possible, SET Transmitters and Receivers
SHOULD devise approaches that prevent propagation -- for example, the
passing of a hash value that requires the subscriber to already know
the subject.
This document defines Security Event Token Delivery Error Codes, for which IANA
is asked to create and maintain a new registry titled "Security Event Token
Delivery Error Codes". Initial values for the Security Event Token Delivery
Error Codes registry are given in . Future assignments
are to be made through the Expert Review registration policy ()
and shall follow the template presented in .
The name of the Security Event Token Delivery Error Code, as described
in . The name MUST be a case-sensitive ASCII
string consisting only of upper-case letters ("A" - "Z"), lower-case
letters ("a" - "z"), and digits ("0" - "9").
A brief human-readable description of the Security Event Token Delivery
Error Code.
For error codes registered by the IETF or its working groups, list "IETF
Secevent Working Group". For all other error codes, list the name of the
party responsible for the registration. Contact information such as
mailing address, email address, or phone number may also be provided.
A reference to the document or documents that define the Security Event
Token Delivery Error Code. The definition MUST specify the name and
description of the error code, and explain under what circumstances the
error code may be used. URIs that can be used to retrieve copies of each
document at no cost SHOULD be included.
jsonInvalid JSON object.IETF Secevent Working Group of this document.
jwtParseInvalid or unparsable JWT or JSON structure.IETF Secevent Working Group of this document.
jwtHdrAn invalid JWT header was detected.IETF Secevent Working Group of this document.
jwtCryptoUnable to parse due to unsupported algorithm.IETF Secevent Working Group of this document.
jwsSignature was not validated.IETF Secevent Working Group of this document.
jweUnable to decrypt JWE encoded data.IETF Secevent Working Group of this document.
jwtAudInvalid audience value.IETF Secevent Working Group of this document.
jwtIssIssuer not recognized. of this document.
setTypeAn unexpected Event type was received.IETF Secevent Working Group of this document.
setParse
Invalid structure was encountered such as an inability to parse or an
incomplete set of Event claims.
IETF Secevent Working Group of this document.
setDataSET event claims incomplete or invalid.IETF Secevent Working Group of this document.
dup A duplicate SET was received and has been ignored.
IETF Secevent Working Group of this document.
OpenID Connect Core 1.0NRIAssertions and Protocols for the OASIS Security Assertion Markup Language (SAML) V2.0Internet2[[EDITORS NOTE: This section to be removed prior to publication]]The following pub/sub, queuing, streaming systems were reviewed
as possible solutions or as input to the current draft:XMPP EventsThe WG considered the XMPP events ands its ability to provide a single
messaging solution without the need for both polling and push modes.
The feeling was the size and methodology of XMPP was to far apart from
the current capabilities of the SECEVENTs community which focuses in
on HTTP based service delivery and authorization.Amazon Simple Notification ServiceSimple Notification Service, is a pub/sub messaging product from
AWS. SNS supports a variety of subscriber types: HTTP/HTTPS endpoints,
AWS Lambda functions, email addresses (as JSON or plain text), phone
numbers (via SMS), and AWS SQS standard queues. It doesn’t directly
support pull, but subscribers can get the pull model by creating an
SQS queue and subscribing it to the topic. Note that this puts the
cost of pull support back onto the subscriber, just as it is in the
push model. It is not clear that one way is strictly better than the
other; larger, sophisticated developers may be happy to own message
persistence so they can have their own internal delivery guarantees.
The long tail of OIDC clients may not care about that, or may fail
to get it right. Regardless, I think we can learn something from the
Delivery Policies supported by SNS, as well as the delivery controls
that SQS offers (e.g. Visibility Timeout, Dead-Letter Queues). I’m
not suggesting that we need all of these things in the spec, but
they give an idea of what features people have found useful.Other information:API Reference: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/Welcome.htmlVisibility Timeouts: http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-visibility-timeout.htmlApache KafkaApache Kafka is an Apache open source project based upon TCP for
distributed streaming. It prescribes some interesting general
purpose features that seem to extend far beyond the simpler
streaming model SECEVENTs is after. A comment from MS has been that
Kafka does an acknowledge with poll combination event which seems
to be a performance advantage. See: https://kafka.apache.org/introGoogle Pub/SubGoogle Pub Sub system favours a model whereby polling and acknowledgement
of events is done as separate endpoints as separate functions.Information:Cloud Overview - https://cloud.google.com/pubsub/Subscriber Overview - https://cloud.google.com/pubsub/docs/subscriberSubscriber Pull(poll) - https://cloud.google.com/pubsub/docs/pullThe editors would like to thanks the members of the SCIM WG which
began discussions of provisioning events starting with: draft-hunt-scim-notify-00 in 2015.The editors would like to thank Phil Hunt and the other authors of draft-ietf-secevent-delivery-02,
on which this draft is based.The editor would like to thank the participants in the the SECEVENTS
working group for their support of this specification.Draft 00 - AB - Based on draft-ietf-secevent-delivery-02 with the
following changes:Renamed to "Push-Based SET Token Delivery Using HTTP"Removed references to the HTTP Polling delivery method.Removed informative reference to RFC6202.
Draft 01 - AB:
Fixed area and workgroup to match secevent.Removed unused definitions and definitions already covered by SET.Renamed Event Transmitter and Event Receiver to SET Transmitter and SET Receiver, respectively.Added IANA registry for SET Delivery Error Codes.Removed enumeration of HTTP authentication methods.Removed generally applicable guidance for HTTP, authorization tokens, and bearer tokens.Moved guidance for using authentication methods as DoS protection to Security Considerations.Removed redundant instruction to use WWW-Authenticate header.Removed further generally applicable guidance for authorization tokens.Removed bearer token from example delivery request, and text referencing it.Broke delivery method description into separate request/response sections.Added missing empty line between headers and body in example request.Removed unapplicable notes about example formatting.Removed text about SET creation and handling.Removed duplication in protocol description.Added "non-normative example" text to example transmission request.Fixed inconsistencies in use of Error Code term.
Draft 02 - AB:
Rewrote abstract and introduction.Rewrote definitions for SET Transmitter, SET Receiver.Renamed Event Delivery section to SET Delivery.Readability edits to Success Response and Failure Response sections.Consolidated definition of error response under Failure Response section.Removed Event Delivery Process section and moved its content to parent section.Readability edits to SET Delivery section and its subsections.Added callout that SET Receiver HTTP endpoint configuration is out-of-scope.Added callout that SET verification mechanisms are out-of-scope.Added retry guidance, notes regarding delivery reliability requirements.Added guidance around using JWS and/or JWE to authenticate persisted SETs.