Re: [GNAP] "Access Token" when calling AS is really a cookie
Dick Hardt <dick.hardt@gmail.com> Mon, 23 November 2020 16:09 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED7363A03FC for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 08:09:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tAKDSeq3lz3Y for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 08:09:11 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CFAA3A03F8 for <txauth@ietf.org>; Mon, 23 Nov 2020 08:09:11 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id o24so18571594ljj.6 for <txauth@ietf.org>; Mon, 23 Nov 2020 08:09:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=28IC1gatJrmEoVLBdEv/dAs7B6PD6CxceCSgomr1GEA=; b=LM74lpy9vq/64A1B4QF06JlDwHpgfJjF0Ks8Mhn+fiz9NJ3xtwdCQXUuZb6MZeYIdD TObkV+IpPhFmWiyyQ3dBmxbB6IPSXpOFah7+RFI/oq3k8maDoo/ncohcp3+3nszNkhtO VfG7zPcMH9oq/GK08f21ZUZwEzuHvwcVUH80SC5tBbu/JPSN4qtbfXjVldkuLLhOjppZ z3MUivT7xXwIPSQioTbcgOmmtwTOiKeBeK5q+VQOWzEx3A/R00APfx//f94DCuI+nnLV WNvXiKF6Ydb8jumQjJW5ITkKtFfmFY6LNnfQueMiG2xRWGCAMJECE44qiJDsbIO+hFyj XV6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=28IC1gatJrmEoVLBdEv/dAs7B6PD6CxceCSgomr1GEA=; b=B2hq9HAzI7rQqvrtmnzcSbrrmOuKxvsVNW+euOgIpLgqxDSzIDLQ5+f160+jOLaqNz deHpJE4BmmZhfCboX9Ess+nk/CxAHT4KbzALXA4ivWiZbjX9uxp1cnp4+fLpFBBF/dn2 +D2FMcjp/RUmgdfTBgOsdyniF+GyqpcfhglbCf8NzoRn+GJERDa6A+Fv/xxUIQmvF5Lz 7AFXC/mxwp92VhvxiFrc6xyO9PjpNO/uRNkYstp0ZmQMJu3PrypmkN2wSw2e+qF56zSG dQFf5QWagtFw3+yZhYstQO8VRlwHj0MkS7VG9UV0EA5Md+CWseS1EnxUUhKgihrPc/I7 BrjQ==
X-Gm-Message-State: AOAM531AuZ/nPbIik7A9lbAdcjql/mBKhEilmc44HVyB+LTvXHBFfVRb /LPXDP1KOC79zO1RpVKhc6LHEK2/lAhXhAORtxAVlSrd8Lw=
X-Google-Smtp-Source: ABdhPJxwwy8PkiDrYBJDfKRALy3tJOUmyfaiHW4Bq7pmcZwiCX2iWllyktmogl60Pk1+YkVqoA8I/ZxiwBy7ukw7pEA=
X-Received: by 2002:a2e:7a0a:: with SMTP id v10mr46126ljc.5.1606147749367; Mon, 23 Nov 2020 08:09:09 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-vKSpV6eC3CUPzwFog5yOb+zeshLJC7+8RgNeF9CNFiww@mail.gmail.com> <CAM8feuSh0q3mf+KapqV7Sxo+k9GSaibAbGwK7J2vPh-EAAprwQ@mail.gmail.com>
In-Reply-To: <CAM8feuSh0q3mf+KapqV7Sxo+k9GSaibAbGwK7J2vPh-EAAprwQ@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 23 Nov 2020 08:08:32 -0800
Message-ID: <CAD9ie-vpURieTiZpeCfLscPCtU1VY_CrtOP3UAxFogku6gL0iw@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000ed33505b4c86ad2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/-0kgEOP36J08dy1jzAg1fQocv2I>
Subject: Re: [GNAP] "Access Token" when calling AS is really a cookie
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 16:09:14 -0000
If all the access token is doing is expressing "please continue" ... why do we need an access token? Why not just have a unique URL for the grant request? The URL is the identifier for the grant request that allows the client to delete, update, etc. How the access token is being used is just like a cookie. The AS gives a string to the client and the client must pass the string back to the AS when it calls it, the AS may then give a new string to the client for the next call. Works like a cookie. I don't know why you think there are legal issues around this. /Dick ᐧ On Sun, Nov 22, 2020 at 11:40 PM Fabien Imbault <fabien.imbault@gmail.com> wrote: > Hi Dick, > > In GNAP, the client isn't managing state (unlike a web app), the entire > point is that the lifecycle should be managed by the AS. > > As in any state machine, there are states and transitions. Here we're not > passing state, merely expressing "please continue". The client can be > completely unaware of the underlying state. > In effect the client only has the ability to ask the server to generate > the next transition. > > So I don't think you can compare that to cookies. It's a different > behavior. BTW if it was the case it would lead to a whole new class of > issues, because there's an entire legal framework around cookies... > > To avoid confusion with a standard access token, we have the "key" field. > My proposal would be to make it more explicitly (cf comment in issue 67). > > Fabien > > > Le lun. 23 nov. 2020 à 02:06, Dick Hardt <dick.hardt@gmail.com> a écrit : > >> When I look at how GNAP is using access tokens for continuation requests, >> and the pull request #129 >> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129> >> >> Those "access tokens" look a lot more like cookies (managing state) than >> how access tokens are usually used (representing authorization). See table >> below. >> >> If there is a real requirement for passing state back and forth between a >> server (the AS in this case) and the client when making API calls, then I >> suggest that is out of scope for GNAP as I see it being a general purpose >> mechanism for any API. >> >> /Dick >> >> >> >> *cookies*- issued by server being accessed >> - are not presented to other servers >> - issued after first access >> - may be different for different URLs >> - may be updated on each access >> - represents the context of a session (state) >> >> >> *access tokens*- issued by an independent service (AS) >> - may be used at any URL at the RS >> - new ones issued by AS as needed >> - represents authorization granted to a client at an RS >> ᐧ >> -- >> TXAuth mailing list >> TXAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> >
- [GNAP] "Access Token" when calling AS is really a… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Justin Richer
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt