IETF Logo Mail Archive

Re: [regext] Feedback to draft-ietf-regext-rdap-openid-12

"Hollenbeck, Scott" <shollenbeck@verisign.com> Mon, 11 April 2022 14:26 UTC

Return-Path: <shollenbeck@verisign.com>
X-Original-To: regext@ietfa.amsl.com
Delivered-To: regext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6A2863A182E for <regext@ietfa.amsl.com>; Mon, 11 Apr 2022 07:26:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zOdTvWqIcO9w for <regext@ietfa.amsl.com>; Mon, 11 Apr 2022 07:26:44 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCD7A3A182F for <regext@ietf.org>; Mon, 11 Apr 2022 07:26:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=12234; q=dns/txt; s=VRSN; t=1649687204; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=BNdS3fgVG3Qtunj+ZJctxJ2hTKohsXedbiDr13+Chtg=; b=O7KShePsPZaYHznkHNkNkRKBq0GaIiQX0VirSje/rZWoTFS8h9OmVrUp rG0pFwsAAAXeEKcz9yswOTmB1Peuu1If1ukyY+Fixm0nyMBoR9Wl+vHZi k1oeF+p21eAi0XEBG3vF4fXuDZigHLmpu9n3GLTOFT1oIJxDKG5EKSfGr ZYazjMVC5EDORhBg132nkBKlHnUPLzKUTenoep3kxxpSMCPi4FhAaWjJL MLl54fuu7nyajeSzXGHgJVEvxYb4/YgfqzC1wfGmx8TVFbnuWkIxueadi o+4pM0LLIDoWPTlrVgvyeKnLEkOGA7sEZJKgCvsWVIAHqQo6Kc/k9HAaV A==;
IronPort-Data: A9a23:SVr3x60YqnByakYB6PbD5W1zkn2cJEfYwER7XKvMYLTBsI5bp2YGn GtOXGHXOPaDZmugf991YY6//EpVvJXUy9dlTlE/qSg9HnlHl5HIVI+TRqvS04N+DSFioGZPt Zh2hgzodZhsJpPkS5PE3oHJ9RGQ74nRLlbHILOCa3gZqTNMEn9700o/wrdh2OaEvPDia++zk YKqyyHgEAL9s9JEGjp8B3Wr8U4HUFza4Vv0j3RmDRx5lAa2e0o9VfrzEZqMw07QGeG4KAIaq 9Hrl9lV9kuBl/skIo39zuajKiXmSJaKVeSFoiI+t6RPHnGuD8H9u0o2HKN0VKtZt9mGt99g9 Plsv4a3cEAwM/GVhssTbkd0LxgraMWq+JefSZS+meap6RT5VVbcm68oEkoxJ5Ve8+oxH3tV8 7oTLzVlghKr3rrwme3gDLAx3YJ/faEHP6tG0p1k5SrZCvIiTJbJTq7JzcFVxjYrh89IW/3ZY qL1bBI2N0ibMkUTZj/7DroVmfeVm1ziLQZ7uWuKuLMRunnMygh+he2F3N39P4biqd9utl6Ru W/CuWf+HRgeNd+3yD2D9WnqjejK9QvhVY0fBKGQ9/N2jhuU3GN7NfENfVGhp6CmjEOuA4gaM FIOvC8vtu048wqhVN+kGQOiu3jCtRkZMzZNL9AHBMi24vK8y26k6qIsF1attPROWBcKeAEX
IronPort-HdrOrdr: A9a23:l1BSbqFnkqYRGHCupLqEw8eALOsnbusQ8zAXPhhKOHlom7+j5q STdZMgpGTJYVcqKQkdcL+7WZVoLUm3yXcx2/hyAV7AZnidhILLFuFfBOLZqlWKJ8S9zJ8/6U 4KScRD4ajLY2SS+vyU3ODXKbsdKZK8gceVbK/lvhFQpC9RGthd0zs=
X-IronPort-AV: E=Sophos;i="5.90,252,1643673600"; d="scan'208";a="13439044"
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2375.24; Mon, 11 Apr 2022 10:26:41 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) by BRN1WNEX02.vcorp.ad.vrsn.com ([10.173.153.49]) with mapi id 15.01.2375.024; Mon, 11 Apr 2022 10:26:41 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "pawel.kowalik@ionos.com" <pawel.kowalik@ionos.com>, "regext@ietf.org" <regext@ietf.org>
Thread-Topic: [EXTERNAL] [regext] Feedback to draft-ietf-regext-rdap-openid-12
Thread-Index: AQHYTZC889w/sAsbUk2lUM7QZ+5o9KzquDmQ
Date: Mon, 11 Apr 2022 14:26:41 +0000
Message-ID: <9138558f91b94a1baeaf0c62675a2818@verisign.com>
References: <CANYDG0uFZ7U8SSu1KdRtsEV2R=cif=R_ezYAGOpot+ggisDt9A@mail.gmail.com>
In-Reply-To: <CANYDG0uFZ7U8SSu1KdRtsEV2R=cif=R_ezYAGOpot+ggisDt9A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/regext/_VnIc0szWuNl_M-TNt9e-2IBSiA>
Subject: Re: [regext] Feedback to draft-ietf-regext-rdap-openid-12
X-BeenThere: regext@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Registration Protocols Extensions <regext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/regext>, <mailto:regext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/regext/>
List-Post: <mailto:regext@ietf.org>
List-Help: <mailto:regext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/regext>, <mailto:regext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Apr 2022 14:26:49 -0000

> -----Original Message-----
> From: regext <regext-bounces@ietf.org> On Behalf Of Pawel Kowalik
> Sent: Monday, April 11, 2022 6:41 AM
> To: regext@ietf.org
> Subject: [EXTERNAL] [regext] Feedback to draft-ietf-regext-rdap-openid-12
>
> Caution: This email originated from outside the organization. Do not click 
> links
> or open attachments unless you recognize the sender and know the content
> is safe.
>
> Hi,
>
> I joined the IETF and this working group quite recently so my comments to
> this draft may appear to come a bit late and maybe were a part of past
> discussions. Apologies if it is so.
> With 10 years of experience in the domains industry and few recent years
> activity on identity federations based on id4me protocol, which is in fact
> OpenID Connect with DNS-based identifier discovery [1][2], and also
> maintaining few implementations of OAuth/OIDC libraries and OAuth-based
> tool client software, I think I can support this draft with valuable input.

[SAH] Thanks for the feedback!

> TL; DR; Main issues I see around /session/login endpoint being a mix of
> RESTful and interactive design, userClaims passed to RDAP client, purpose
> claim from Identity Provider and necessity to always provide id parameter.
>
> In detail:
>
> 3.1.2.  Overview
> The flow has the main focus on the browser-like client use-case, whereas
> rfc7480 specifies RDAP's objective to be possible to use it with simple
> scripting tools like "bash and wget".
> This assumption introduces few design decisions, which in result render
> inconsistent behaviors.
> In this terms /session/login end-point is on one side machine-friendly 
> RESTful
> API, but in fact renders an HTTP redirect to a human-friendly interactive
> authorization website of the OP.
> On the other hand using /session/login for any scripting tool will render 
> many
> obstacles, starting from the fact that most tools and frameworks will choose
> to follow http redirect instead of grabbing the Location header as an input 
> for
> the process step.
> If the interactive part would be completed in the browser first, one would
> need to extract the cookies from the browser and inject them into the tool
> of his choice for further usage.
> Same if /session/login RESTful API would need to be used by a human-
> friendly browser front-end (AJAX), it wouldn't be able to do so because of
> the redirect issue. Afaik Javascript in a browser cannot access http 
> headers.
>
> In fact device flow remains the only working option for the scripting tool 
> like
> client, which will limit the number of OPs possible to use due to this flow 
> not
> being as common as the standard code flow.
>
> My proposal would be to either make /session/login a fully interactive flow
> for humans, without any RESTful elements, or make it fully RESTful without
> the interactive part allowing also scripting tool clients to use the code 
> flow.
> The second option would be my favorite however supporting both might be
> equally useful.
> Same design choices were actually made for OAuth2. Authorization end-
> point is interactive and meant for humans, while token end-point is for
> machine-2-machine interaction.

[SAH] I'm open to specific suggestions when you say "make /session/login a fully interactive flow for humans, without any RESTful elements, or make it fully RESTful without the interactive part". However, I believe that some interaction is required because the human user needs to be identified, authenticated, and authorized as part of the process when they request access to "protected" data. That means the human user MUST do *something*. Note that the draft already describes flows for both web-service-capable clients and clients with constrained user interfaces.

> 4.1.1.  Session
> The draft specifies "userClaims" object being made available to the RP 
> client..
> What is it good for? Why is it needed? The claims and the user identity
> information are necessary for the RDAP server to make policy decisions
> about the data access, but not necessarily to the RDAP client. Avoiding
> transmission of PII when it's not necessary would support data minimization
> principle and increase data security.
> Note that the RDAP client might not be controlled by the end user and the
> end-user gives consent (in OP authorization step) about his personal data
> being shared with the RP (RDAP server) not to the RDAP client.
>
> If there is no particular reason to keep it I propose to remove the
> "userClaims" object.

[SAH] I think it needs to be there so the client can show the end user what's being shared with the RDAP server operator and explicitly confirm that this is what the end user intends. I understand that the end user will have already provided permission to share certain bits of identifying information as part of the authentication process. Returning the claims to the client provides transparency in terms of what's been shared.

> 3.1.4.1.  Stated Purpose
> The draft proposes to state purpose in the claims of the user identity 
> issued
> by the OP. In my opinion this is very much misplaced. Purpose describes the
> reason why the user wants to access certain resources of the RDAP server.
> In the very fine-granular way this is a property of each single RDAP 
> request,
> because each request may be issued out of a different purpose. One may
> simplify the approach by attaching this property to the session.
> It must not be however attached as a property of an identity. This would
> exclude the use case that one and the same user would query RDAP with
> different purposes when acting in a different context.
> On the other hand, the RDAP server may need additional information from
> OP about an identity to determine which authorizations the user may have.
> This could be a list of purposes that OP allows the user to open a session
> with. Other claims may also be needed for certain policy decisions, this 
> shall
> however remain out of scope of this specification and be mutually agreed
> between RDAP server and OP.
>
> The proposal would be to add a "purpose" query parameter to /session/login
> and /session/device end points and at the same time add an
> optional"rdap_allowed_purposes" claim (array of strings) to the user info
> claims instead of "purpose" claim.
>
> RDAP server would also need to have certain policies when onboarding OPs,
> to know whether "rdap_allowed_purposes" claim can be trusted from the
> OP and which values OP is allowed to claim.

[SAH] The problem with using a purpose query parameter is that users will use whatever purpose gives them the "highest" level of access. The draft is currently written the way it is so that the set of allowable purposes is a function of the end-user's identity, and determination of which purposes are allowed (and which aren't) is a matter of negotiation between the end-user and their identity provider. As a server operator, I'm going to put more trust in the agreement I have with my set of acceptable identity providers than I will with any statements about query purposes received from end-users. What you've proposed above with the "rdap_allowed_purposes" claim is essentially already described in the draft, albeit using a different data structure.

> 4.2.  Client Login
> The draft mandates an id parameter/Authorization header with an identifier
> of the end-user, which is in turn used to identify the identity provider 
> used in
> the authentication process.
> This would be useful and workable if the discovery protocol would be used,
> however this is not mandated in 3.1.3.1. In practice, especially if "special
> purpose" IdPs come into play, one user identifier like email address may map
> to several IdPs and the discovery based on id won't even be possible. Also
> IdP may choose not to use identifiers at all (WebAuthN, FIDO or other kinds
> of passwordless flows) and only issue privacy-preserving pseudonymous
> "sub" claims.
>
> In these terms I think it's worth considering the authorization flow which
> would be initiated by the RDAP client passing only the indication of the 
> IdP,
> through iss parameter, same as OIDC issuer.
> id parameter would be optional in this case, I would even propose to rename
> it to id_hint to reflect the same behavior of OIDC in this respect, as there 
> is
> no obligation for id to match.

[SAH] LOL, yes, we've had some past discussion about the discovery protocol and why it might not be the best solution. We could, of course, mandate that it be supported by any provider that works with RDAP, but I don't think that's workable. Can you share some examples of what the value of the iss parameter might look like? I'm assuming you're describing a URL that's identical to the iss claim value in ID Tokens issued from this issuer.

Scott

v2.23.0 | Report a Bug | By Email