Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model
Bron Gondwana <brong@fastmailteam.com> Tue, 23 February 2021 21:55 UTC
Return-Path: <brong@fastmailteam.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B89D3A0CF9 for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2021 13:55:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.09
X-Spam-Level:
X-Spam-Status: No, score=-2.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=dbdb61pc; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=oV/JjqHb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WU6LlKf3LgEn for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2021 13:55:01 -0800 (PST)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D234C3A0CF1 for <oauth@ietf.org>; Tue, 23 Feb 2021 13:55:01 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.42]) by mailout.west.internal (Postfix) with ESMTP id 93258528; Tue, 23 Feb 2021 16:55:00 -0500 (EST)
Received: from imap7 ([10.202.2.57]) by compute2.internal (MEProxy); Tue, 23 Feb 2021 16:55:00 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=mime-version:message-id:in-reply-to :references:date:from:to:cc:subject:content-type; s=fm2; bh=3MrP 0s7RGYC3N3MvhUL635VHvmGLzc5wMNwYQvP11Zs=; b=dbdb61pcbSgEC2sFypOl zxY2bfIGCfknr6iQB6L2L5R54dMxtoeOfpDsJbzL4S4hW6JBtdJLo5horoqJyA3E CLiHM9Y8MNYSphuoFy48UThc9mhR5XKgIxrHLmYBW1xQ9RgT2K0ccsuQJBCP8rgK tqUSl6VnlOoIUxSSs9XYf3flQp1Wogkp15EXITCopoFr9+smELO+Dx+guSrFDG8q bNcpx8uT847ZEjwzjw5ntZGCWFMcJiAPugvdrlnsBIVm4848e2Q9+gj7vV7ulm1M GhtQwvXyTXIAfIiq6he6ryYPlJf8LKuN9or96JWgZ1vxvvJAUvAU3hQbbfKbcizI Yw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=3MrP0s 7RGYC3N3MvhUL635VHvmGLzc5wMNwYQvP11Zs=; b=oV/JjqHb2L7R+GbhRzjHWy Lt4o2HpCrR/2pEXIAw2O6PshvDgcYrGIphQCH3+6vPF/rZDabUPZSf7svRv0BSZ3 x2ArOCabAIbPMyDwWxq5txwbv9WP51hRXsjkhJvCtZHwDCuaW5nKwQadI0AEWTUN 82RTI9KC9iMlc+LYn2YzvRF3b7F9HRmh1lI7RFK670bPlE1E/SO93FpJE1Q5qyju tTvfmhnXas4pWuPGZOqpEXNKwpiOVKMtum4ZXiPEAaH/SJfLBxafmSEEBxh/BAcr UV/dnQfn5at3MX97hS62G390r1DhTtoNkMe+UZUsE4gFdTIh2iOHEUsGiKQtIN+g ==
X-ME-Sender: <xms:s3k1YJhYNuA7zpbW9Na8Z1N_DWvzlPa2tg3Qmz7SvuzOU8_7BqkYUQ> <xme:s3k1YOBk0g52e0Up9HFgsA7lU13qvXRzNmdTNzi5whWXPsCPmRDvvXYnite0sSB1K h5FR5FeDNM>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrkeehgdduheegucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne goufhushhpvggtthfkmhhgffhomhgrihhnucdlfedtmdenucfjughrpefofgggkfgjfhff hffvufgtsegrtderreerreejnecuhfhrohhmpedfuehrohhnucfiohhnugifrghnrgdfuc eosghrohhnghesfhgrshhtmhgrihhlthgvrghmrdgtohhmqeenucggtffrrghtthgvrhhn peekuefhffejgfffueeuueettdeguedtueelteetieelgfehhfdtiedufeduffehieenuc ffohhmrghinhephhhtthhprdhlihhkvgdphhhtthhprghnuggruhhthhgvnhhtihgtrght ihhonhhtvggthhhnihhquhgvshgvvhholhhvvghovhgvrhhtihhmvgdrohhnvgdpihgvth hfrdhorhhgpdgruhhthhhrvghsshdrihhonecuvehluhhsthgvrhfuihiivgeptdenucfr rghrrghmpehmrghilhhfrhhomhepsghrohhnghesfhgrshhtmhgrihhlthgvrghmrdgtoh hm
X-ME-Proxy: <xmx:s3k1YJGLFox-NN_On06naolk3I5BOZt0tjG_jlDXGb9dvcjUsH2agQ> <xmx:s3k1YOQejZOjoiYRsji-CpQdS-D-fvayVrHY7cnms2Zus4jSJ3JQNw> <xmx:s3k1YGzDSgt7NlmdGEBn3jIIMeq9BtZZ4zFzzblbUJaf3X-ISyknjA> <xmx:tHk1YLqiq9mSBxCXHQFeRrWcBvknh7CdzZrVyecNv4Ldwpie7R6Ntw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id F0176360512; Tue, 23 Feb 2021 16:54:58 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-179-g81f7aba968-fm-20210222.002-g81f7aba9
Mime-Version: 1.0
Message-Id: <50a62bd2-5a1c-481a-b58b-3f90ec703f88@dogfood.fastmail.com>
In-Reply-To: <24452E46-B957-4C35-BAEC-BC2D75B25923@independentid.com>
References: <37eecb9b-f0eb-e21c-b162-b1f0339e4981@si6networks.com> <3c2d646d-f18d-4d88-b458-29dbd486432b@beta.fastmail.com> <AM0PR08MB371669108E9CEA561BEC9EF6FA809@AM0PR08MB3716.eurprd08.prod.outlook.com> <d6648437-332b-4668-a1c7-591f2c287539@dogfood.fastmail.com> <AM0PR08MB371608D64FF113417D8B3C2DFA809@AM0PR08MB3716.eurprd08.prod.outlook.com> <98f539f4-1207-4a03-ae1f-f377d6964122@dogfood.fastmail.com> <CAJot-L2wyN0eQTHYeJVN0kg-7erKMWbtWwxf3+uHwYwLmUu7tQ@mail.gmail.com> <76e71db0-5cd5-4f95-8c44-9c476a1adb24@dogfood.fastmail.com> <CAJot-L2th=moqiRvKBw=-1AaVU15EicTQnx3PoajQoAc8kbZzw@mail.gmail.com> <CA+k3eCQNbNei2c4LSEbrxLo4H4xTEjd2cCy2KhZnEDbn-7xvpw@mail.gmail.com> <24452E46-B957-4C35-BAEC-BC2D75B25923@independentid.com>
Date: Wed, 24 Feb 2021 08:54:36 +1100
From: Bron Gondwana <brong@fastmailteam.com>
To: Phil Hunt <phil.hunt@independentid.com>, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="1e68cbf0b5d446da9f9eca03f27ba384"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/VA-cB1IyQ4wAa9qUZ_hWhgeqKck>
Subject: Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2021 21:55:05 -0000
Yeah - the discussion has wandered into the weeds (and I'm largely responsible for this) about whether the way JMAP was proposing doing Authentication was the right way, rather than the meta topic which started this which was "my impression on joining the IETF was that OAuth working group was toxic and unwelcoming to new work, and taking anything there was a sure-fire way to make sure nothing got progressed". And my experience of being a tourist in the OAuth face-to-face meetings was consistent with that impression. There was an awfully large amount of talking and an awfully small amount of listening going on - with the IETF102 Thursday meeting being particularly bad (I had a clash for Tuesday's meeting, so I don't know how that one went). Maybe it's a completely different place now - but one of two things must be true: a) the OAuth group is insular and unwelcoming; or b) there's a false impression of the OAuth group that's been circulating for years, at least within the applications area which is where I spend most of my time. Back on the specifics... I do want to quote this: *"The challenge therefor becomes one of deployment and configuration rather than implementation."* because that's part of the impression that I got of OAuth. I come from a world where deployment and configuration are major hurdles, and in fact OAuth interoperability is a major mess because it's such a flexible toolkit. Just this week I've run into issues where Yahoo's SMTP "XOAUTH2" is behaving differently from Google's and we had delivery issues for authenticated sending. If every client and every server needs to implement "*all the popular mechanisms*" then that's not such a big deal when you're shipping the client code for your own server as part of a website, but it's a big deal if you're trying to create a general client and don't want to have to hard-code the specific magic for each server provider. So the reason to encode the authentication mechanism into JMAP was precisely to reduce the number of possibilities. Bron. On Wed, Feb 24, 2021, at 07:02, Phil Hunt wrote: > Bron, > > I notice that JMAP is a protocol built on top of HTTP. Like JMAP, when the SCIM WG was developing SCIM (RFC7643/7644) we had a lot of participants wanting to define authentication within SCIM too. This in part came from the popular use of the LDAP “bind” feature as a general purpose authentication database. “Bind” was never intended to be used this way, it just happened. In the HTTP world, we recognized we were building on top of HTTP with an already diverse set of authentication schemes. > > The trade-off is that you ignore all of the schemes built on top of HTTP (RFC7230) *and* you loose any natural agility in the spec as HTTP and authentication techniques evolve over time. One limitation of IETF specs is that “versioning” specs is difficult. They are intended to reflect long-term stabilized practices after a period of agile-like ID spec iteration. > > The downside to saying “any HTTP mechanism” is usable is that it does create point-in-time interop challenges as parties have to agree on authentication schemes. However, this is less of an implementation problem as one might think. Most platforms (e.g. Spring, Quarkus) offer all of the popular mechanisms. The challenge therefor becomes one of deployment and configuration rather than implementation. > > As an example, as OAuth evolves, the libraries pick up the changes and dependent systems like SCIM pick it up transparently. This speaks to some of the “existing applications” concerns that Hannes mentioned. > > So yes, you could narrowly define authentication in JMAP but it’s lifespan will become severely limited as authentication requirements and risks evolve over time. Case in point. the OAuth WG has had to maintain a sustained evolution of specs and best practices. Why bog JMAP down with such a huge domain as authentication? > > Hope this helps. > > Phil Hunt > @independentid > phil.hunt@independentid.com > > > >> On Feb 23, 2021, at 7:09 AM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote: >> >> Just to add a little context - this is an offshoot of a discussion that's happening over on the ietf@ list: https://mailarchive.ietf.org/arch/msg/ietf/pTFOZjhuZfj45pnUNOr7Pt-YnGc/ >> >> On Tue, Feb 23, 2021 at 6:36 AM Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org> wrote: >>> I admit I haven't been present that long in this group, however it might help to start at the beginning. So far I see rfc8620 <https://tools.ietf.org/html/rfc8620> already exists, is there a draft or something else you want to discuss? >>> >>> Are you hoping to introduce a new authentication protocol? >>> >>> Any additional information would be appreciated. >>> >>> >>> *Warren Parad* >>> Founder, CTO >>> Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>. >>> >>> >>> On Tue, Feb 23, 2021 at 2:25 PM Bron Gondwana <brong@fastmailteam.com> wrote: >>>> __ >>>> On Wed, Feb 24, 2021, at 00:13, Warren Parad wrote: >>>>> Hey Bron, >>>>> >>>>> (caveat: I only skimmed the other conversation) >>>>> >>>>> I'm trying to figure out how best to digest your message. I feel like I'm missing context in your message, is there something about JMAP required authentication that you're asking to be considered in OAuth. Help me figure out what I'm missing. >>>> >>>> We were told at the time "if you're doing an authentication protocol over HTTP, it's going have to go to OAuth group". >>>> >>>> -- >>>> Bron Gondwana, CEO, Fastmail Pty Ltd >>>> brong@fastmailteam.com >>>> >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.*_______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth -- Bron Gondwana, CEO, Fastmail Pty Ltd brong@fastmailteam.com
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- [OAUTH-WG] JMAP's experience with proposing an Au… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Roman Danyliw
- Re: [OAUTH-WG] JMAP's experience with proposing a… Brian Campbell
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Kathleen Moriarty
- Re: [OAUTH-WG] JMAP's experience with proposing a… Phil Hunt
- Re: [OAUTH-WG] JMAP's experience with proposing a… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Rifaat Shekh-Yusef
- Re: [OAUTH-WG] JMAP's experience with proposing a… Evert Pot
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Eric Rescorla
- Re: [OAUTH-WG] JMAP's experience with proposing a… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Phillip Hallam-Baker
- [OAUTH-WG] Building Real Internet Platforms Mark Nottingham
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Larry Masinter
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Jim Manico
- [OAUTH-WG] We appear to still be litigating OAuth… Bron Gondwana
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Hannes Tschofenig
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] Diversity and Inclusiveness in the… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Carsten Bormann
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Neil Madden
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jim Willeke
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Michael Richardson
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hunt
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… Seán Kelleher
- Re: [OAUTH-WG] We appear to still be litigating O… ST GERMAIN
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Evert Pot
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Justin Richer
- Re: [OAUTH-WG] We appear to still be litigating O… Warren Parad
- Re: [OAUTH-WG] We appear to still be litigating O… Tim Bray
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- [OAUTH-WG] How to tell people... Was: We appear t… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Christian Huitema
- Re: [OAUTH-WG] We appear to still be litigating O… David Waite
- Re: [OAUTH-WG] We appear to still be litigating O… Aaron Parecki
- Re: [OAUTH-WG] We appear to still be litigating O… Jeff Craig
- Re: [OAUTH-WG] We appear to still be litigating O… Phillip Hallam-Baker
- Re: [OAUTH-WG] We appear to still be litigating O… Bron Gondwana
- Re: [OAUTH-WG] We appear to still be litigating O… Vittorio Bertola