Support of resource parameter when a connector request an access token from an IDP #4668
Comments
|
Can you be more specific about what this issue refers to? The |
|
My use case is that I have a dataspace with multiple EDC connector managed by differents enterprises. I don't want that an enterprise is able to use an access token retrieved by its connector onto all others connectors in the dataspace. The RFC 8707 state that an OAuth2 client can use a Without this feature, the IDP cannot know the target audience, so it either means that a common audience is used for all connectors in the same dataspace or the audience is not set and can not be checked. Both are not good in term of security. I think it should be possible to add this parameter as part of the access token request considering the calling EDC known the called EDC. The value of the parameter is this case would be the EDC host URL. If you consider this issue ok. We can work on it and make a PR. |
|
@scandinave just to be 100% sure: you are proposing to add another property to the request in the @NotNull
private Oauth2CredentialsRequest createRequest(TokenParameters parameters, String assertion) {
return PrivateKeyOauth2CredentialsRequest.Builder.newInstance()
.url(tokenUrl)
.clientAssertion(assertion)
.scope(parameters.getStringClaim(JwtRegisteredClaimNames.SCOPE))
.resource(parameters.getStringClaim(JwtRegisteredClaimNames.AUDIENCE)) // <-- this is new!
.grantType(GRANT_TYPE)
.build();
}correct? The However, be advised that going forward, the EDC project will focus solely on the Decentralized Claims Protocol as its main identity subsystem (i.e. the We therefore strongly recommend considering a switch over to DCP. |
|
Yes, this is something like this, if We currently have a dataspace that use the old centralized model for its security, and we need to address this issue quickly. Do you mean that DCP is now considered production ready? If not, do you have provisional roadmap on it? This something we definitely have in our backlog. |
|
As for DCP, you can safely disregard the first link. That clearly is a remnant of times passed, e.g. it still contains references to ION which was a blockchain-based DID method. The DCP specification is slated for an "Editor's Draft" release in December and the implementation of the Credential Issuance Protocol in IdentityHub will likely come in 2025. DCP is actively used in production in several dataspaces, e.g. Tractus-X. I understand the need for a quick solution, and that is fine, but it is something to keep in mind. You can also checkout the MVD project if you haven't, to play around with DCP a bit. |
|
Thanks for this precious information. Can we make a PR for this little fix to allow us to resolve our problematic until we schedule the migration to DCP ? |
sure, go ahead! |
ndr-brt
added
enhancement
Feature Request
Which Areas Would Be Affected?
IAM/Oauth2
Why Is the Feature Desired?
A
resourceparameter, as defined by the RFC 8707, allows a client (EDC) to request an access token to its IDP by specify theaudclaim that should be added to the token.Without this parameter the IDP have no mean to restrict the usage of the token to a specific EDC. In a Dataspace where multiples organisations manages their connectors the missing of this feature can allow a organisation to use an access token to target another EDC that it was unintended for.Solution Proposal
Update the
org.eclipse.edc.iam.oauth2.identity.Oauth2ServiceImplto add this parameter with a value corresponding to the target EDC URL.The text was updated successfully, but these errors were encountered: