IETF Logo Mail Archive

Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model

Phil Hunt <phil.hunt@independentid.com> Tue, 23 February 2021 20:03 UTC

Return-Path: <phil.hunt@independentid.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32A173A0853 for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2021 12:03:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.886
X-Spam-Level:
X-Spam-Status: No, score=-1.886 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=independentid-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1TTBHgMy6VU7 for <oauth@ietfa.amsl.com>; Tue, 23 Feb 2021 12:02:58 -0800 (PST)
Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2F0C3A0C4C for <oauth@ietf.org>; Tue, 23 Feb 2021 12:02:10 -0800 (PST)
Received: by mail-pg1-x52a.google.com with SMTP id o63so13086636pgo.6 for <oauth@ietf.org>; Tue, 23 Feb 2021 12:02:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=independentid-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=EccP5EEh5wIkUQQQXVJdZqZGCS1jDZcm36MzwL9fDVw=; b=LdPrR7v69LaiDCzcifJbc9HEX444vh6FNR0xFAICU0LX5X2JjetS4Zz6jjwPhrc3Js OY9ebQ+d1+5uBfQO6pXFvn8Oz0ln21KpURBslt/ooVxdc+ybKae/6D8yBkCC96KbaxHN NVjZsQI1oFGMqT4Z7EjkHmfcZ4Wih6r71nMbLu/Lc0WMtK8iEoTHpBytJHu2iu8HYcb2 1RKKvZN4IynCifymlrdUFcnQWr8qUCGI54FF2GW8ysZelsRgNrdWOojcX82/6ooMQJTP 2jlMTdzAsoKMr1I6MCMF+AdBC9dOuCqLpnyrFoZSA+LNw8dagWROZQdfVHNQ+jkaeMnv 2Vng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=EccP5EEh5wIkUQQQXVJdZqZGCS1jDZcm36MzwL9fDVw=; b=tRxwdLok7QhDnxbjg8tOwMa+zgw8LRZ6TKCTeYkTvtsirjtOjWfDpb/Tfv33oStbSG 5+/9seZB0KPoFiOW9CF/GAMcCdeLUCod7TZ4AYxlrtf5edRDJwnWjLIfLVuMCW8lwM4A dNiJWFwlVtlrritenMPwBoMNqhPoXxR5PmvtDjcudbmImZrb0ffxUMUs66NfSijBZL5X jjZauANh+j6046Px8MAEgu6OGRohg1RiSmyUAmST6RlFbymbG1YsBXaixcQu5vy86PaU V15Mmsr2l68olIHTa4RiyJHHuUUJm09Y+uFiyYwTsOVPxkBpgZsdgqVjd2DwMN5rqXGC mv9A==
X-Gm-Message-State: AOAM53108LJrRsLr8l7VhZbxS2ZJCXhaPfmq88nMewYKdyJk010QmykA y25YF5KkSVXimWqBzyfSNbLAEg==
X-Google-Smtp-Source: ABdhPJxd47JSMmdJoMn9pNphNAUjhhEzZ87DTApi9zi5facWtzyNjXTA3fDdrHcnzlzMtD4bmnQC7w==
X-Received: by 2002:a63:1825:: with SMTP id y37mr2062460pgl.42.1614110530177; Tue, 23 Feb 2021 12:02:10 -0800 (PST)
Received: from node-1w7jr9qrfoxx8mseaifwz8ydd.ipv6.telus.net (node-1w7jr9qrfoxx8mseaifwz8ydd.ipv6.telus.net. [2001:569:7a71:1d00:48e1:f746:b070:5301]) by smtp.gmail.com with ESMTPSA id s18sm4288481pjr.14.2021.02.23.12.02.09 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Feb 2021 12:02:09 -0800 (PST)
From: Phil Hunt <phil.hunt@independentid.com>
Message-Id: <24452E46-B957-4C35-BAEC-BC2D75B25923@independentid.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_307C0662-66E7-413E-A319-E78876699F9C"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Tue, 23 Feb 2021 12:02:08 -0800
In-Reply-To: <CA+k3eCQNbNei2c4LSEbrxLo4H4xTEjd2cCy2KhZnEDbn-7xvpw@mail.gmail.com>
Cc: Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>, Bron Gondwana <brong@fastmailteam.com>, "oauth@ietf.org" <oauth@ietf.org>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
References: <37eecb9b-f0eb-e21c-b162-b1f0339e4981@si6networks.com> <3c2d646d-f18d-4d88-b458-29dbd486432b@beta.fastmail.com> <AM0PR08MB371669108E9CEA561BEC9EF6FA809@AM0PR08MB3716.eurprd08.prod.outlook.com> <d6648437-332b-4668-a1c7-591f2c287539@dogfood.fastmail.com> <AM0PR08MB371608D64FF113417D8B3C2DFA809@AM0PR08MB3716.eurprd08.prod.outlook.com> <98f539f4-1207-4a03-ae1f-f377d6964122@dogfood.fastmail.com> <CAJot-L2wyN0eQTHYeJVN0kg-7erKMWbtWwxf3+uHwYwLmUu7tQ@mail.gmail.com> <76e71db0-5cd5-4f95-8c44-9c476a1adb24@dogfood.fastmail.com> <CAJot-L2th=moqiRvKBw=-1AaVU15EicTQnx3PoajQoAc8kbZzw@mail.gmail.com> <CA+k3eCQNbNei2c4LSEbrxLo4H4xTEjd2cCy2KhZnEDbn-7xvpw@mail.gmail.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xhAMLpjDCIOHYqxeT6iG5E3yTaU>
Subject: Re: [OAUTH-WG] JMAP's experience with proposing an Authentication model
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2021 20:03:00 -0000

Bron,

I notice that JMAP is a protocol built on top of HTTP.  Like JMAP, when the SCIM WG was developing SCIM (RFC7643/7644) we had a lot of participants wanting to define authentication within SCIM too.  This in part came from the popular use of the LDAP “bind” feature as a general purpose authentication database.  “Bind” was never intended to be used this way, it just happened.  In the HTTP world, we recognized we were building on top of HTTP with an already diverse set of authentication schemes.

The trade-off is that you ignore all of the schemes built on top of HTTP (RFC7230) *and* you loose any natural agility in the spec as HTTP and authentication techniques evolve over time.  One limitation of IETF specs is that “versioning” specs is difficult. They are intended to reflect long-term stabilized practices after a period of agile-like ID spec iteration.  

The downside to saying “any HTTP mechanism” is usable is that it does create point-in-time interop challenges as parties have to agree on authentication schemes. However, this is less of an implementation problem as one might think. Most platforms (e.g. Spring, Quarkus) offer all of the popular mechanisms. The challenge therefor becomes one of deployment and configuration rather than implementation.

As an example, as OAuth evolves, the libraries pick up the changes and dependent systems like SCIM pick it up transparently. This speaks to some of the “existing applications” concerns that Hannes mentioned.

So yes, you could narrowly define authentication in JMAP but it’s lifespan will become severely limited as authentication requirements and risks evolve over time.  Case in point. the OAuth WG has had to maintain a sustained evolution of specs and best practices. Why bog JMAP down with such a huge domain as authentication?

Hope this helps.

Phil Hunt
@independentid
phil.hunt@independentid.com




> On Feb 23, 2021, at 7:09 AM, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> Just to add a little context - this is an offshoot of a discussion that's happening over on the ietf@ list: https://mailarchive.ietf.org/arch/msg/ietf/pTFOZjhuZfj45pnUNOr7Pt-YnGc/ <https://mailarchive.ietf.org/arch/msg/ietf/pTFOZjhuZfj45pnUNOr7Pt-YnGc/>
> On Tue, Feb 23, 2021 at 6:36 AM Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org <mailto:40rhosys.ch@dmarc.ietf.org>> wrote:
> I admit I haven't been present that long in this group, however it might help to start at the beginning. So far I see rfc8620 <https://tools.ietf.org/html/rfc8620> already exists, is there a draft or something else you want to discuss?
> 
> Are you hoping to introduce a new authentication protocol?
> 
> Any additional information would be appreciated.
> 
> 
> Warren Parad
> Founder, CTO
> Secure your user data with IAM authorization as a service. Implement Authress <https://authress.io/>.
> 
> 
> On Tue, Feb 23, 2021 at 2:25 PM Bron Gondwana <brong@fastmailteam.com <mailto:brong@fastmailteam.com>> wrote:
> On Wed, Feb 24, 2021, at 00:13, Warren Parad wrote:
>> Hey Bron,
>> 
>> (caveat: I only skimmed the other conversation)
>> 
>> I'm trying to figure out how best to digest your message. I feel like I'm missing context in your message, is there something about JMAP required authentication that you're asking to be considered in OAuth. Help me figure out what I'm missing.
> 
> We were told at the time "if you're doing an authentication protocol over HTTP, it's going have to go to OAuth group".
> 
> --
>   Bron Gondwana, CEO, Fastmail Pty Ltd
>   brong@fastmailteam.com <mailto:brong@fastmailteam.com>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email