IETF Logo Mail Archive

Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)

Denis <denis.ietf@free.fr> Mon, 29 June 2020 07:13 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AB803A0953 for <txauth@ietfa.amsl.com>; Mon, 29 Jun 2020 00:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.619
X-Spam-Level:
X-Spam-Status: No, score=-0.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.276, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8VB7InLLGSNL for <txauth@ietfa.amsl.com>; Mon, 29 Jun 2020 00:13:54 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBE053A0936 for <txauth@ietf.org>; Mon, 29 Jun 2020 00:13:53 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d28 with ME id wvDr2200P4FMSmm03vDrVy; Mon, 29 Jun 2020 09:13:52 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 29 Jun 2020 09:13:52 +0200
X-ME-IP: 86.238.65.197
To: Justin Richer <jricher@mit.edu>, txauth@ietf.org
Cc: Dick Hardt <dick.hardt@gmail.com>
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr> <CAD9ie-vrMk_D8WSz7h5aAw_FmnBJDkRJyWQeXTTsAP3ofH0iNg@mail.gmail.com> <353AF4E4-4939-4994-960E-54B0AADC6253@mit.edu>
From: Denis <denis.ietf@free.fr>
Message-ID: <624d15e8-48c0-4ef6-9429-d8fb79407d81@free.fr>
Date: Mon, 29 Jun 2020 09:13:53 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <353AF4E4-4939-4994-960E-54B0AADC6253@mit.edu>
Content-Type: multipart/alternative; boundary="------------37267049F4897C115452165B"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/-DDGy_nRVTw9zFaWVOeLIrsPjEI>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jun 2020 07:13:58 -0000

Justin,

> Removing the IESG as this is really a more internal-to-the-group 
> discussion, as it comes down to the scope of use cases that we want to 
> address here in GNAP.
>
> While it is definitely important to understand how and why OAuth 2 
> does things, we do need to keep use cases like Denis’s in mind.
Thanks.
> It’s not unheard of today for a single OAuth 2 RS to accept tokens 
> from multiple AS’s.

We are preparing the future. A simple case is to prove "who you are" and 
since banks "need to know their customers"
they would be well placed to provide an access token containing some 
verified personal attributes.

For example, a student would like to change university and would need to 
present his prior graduations.
In such a case, each university or school would be well placed to 
produce such a proof by issuing an access token.

> In fact, we’ve even got cases with things like the Solid project where 
> the RS will take a token from :any: AS so long as it can verify that 
> it’s approved by the resource owner. While the Solid platform has its 
> own special layering in place to allow this, our model should not 
> assume a closely-tied connection between an RS and any single AS. The 
> question of :how: we solve that is, of course, up to the WG to figure 
> out over time.

Would this mean that we strongly agree together that the model should 
not assume a closely-tied connection between an RS and any single AS ?

> Taking that even further, I think the idea of an AS that’s personal to 
> the user, to promote privacy and control, is a very good one.

In a previous message, I indicated that I have been able to understand 
what you mean by: an "AS that’s personal to the user" ?

> In fact, this is one of the main selling points of UMA2 and its 
> federated authorization mechanisms. With GNAP, we might be able to 
> deliver
> on this promise even more than UMA has been able to, and it’s my hope 
> that we can have a cohesive protocol that allows both user-to-self
> and user-to-another delegation sharing without needing to use 
> different mechanisms.
>
> Additionally, the RS-first method is also something from the UMA2 work 
> that we should be working on, as it touches on AS discovery, AS/RS 
> communication, and a few other aspects of the protocol design. It’s 
> not a trivial problem by any stretch, and there are huge privacy and 
> security implications, but there’s both need for it and some good 
> prior art to pull from. In fact, XYZ’s whole notion of a “transaction 
> handle” is an adaptation of UMA2’s “permission ticket”. In UMA, this 
> ticket is first issued to the RS by the AS, and the RS then hands it 
> to the client, which starts the negotiation for access. I envision 
> something very similar happening here with GNAP, where a client can 
> get something to bootstrap the process at the AS. The important thing, 
> to me, is that we don’t have to jump through a bunch of weird hoops 
> such that the AS-first and RS-first cases look completely different, 
> as they do in UMA2 and OAuth 2 respectively today. We’ve got the 
> chance to have a clean and cohesive protocol here, let’s not miss that 
> opportunity.
>
> So in sum, the trust model of OAuth 2 is not sufficient to cover 
> everything, and the model that Denis is proposing is something we 
> should at least look at as a use case.
> Where Denis and I seem to disagree is whether this trust model should 
> be the :only: one that we address with the protocol.

Any trust relationship may be described using the following 
construction:  entity A trusts entity B for some action C.
If you have in mind additional trust relationships, would you be able to 
express them using this construction ?
Maybe you also have in mind some relationships that do not imply a form 
of trust ?

> I strongly believe, as I believe much of this group does, that we 
> can’t discount or ignore (or make things overly difficult for)
> the tightly bound AS/RS combos, or any type of static setup where the 
> RS offloads its trust fully to the AS.
> But it’s my belief that we should be able to do so without needlessly 
> throwing out all of the OAuth 2 use cases.

Reading these sentences confuses me again since they seem to mean that 
the model should assume a closely-tied connection between RSs and ASs.

In OAuth 2.0, the scope parameter allows the client to specify the 
desired scope of the requested security token in the context of the 
service or resource
where the token will be used. The values and associated semantics of 
scope are service specific and and expected to be described in the 
relevant service
documentation [RFC 8693]. Since the scope is RS dependent, the client 
MUST inform the AS about the identity of the RS, but this should be 
avoided for
privacy reasons.

Currently in OAuth 2.0, there is no protocol being defined to be able to 
know which attributes correspond to a given scope for a given RS.
IMHO, the main idea is the following:  rather than using the scope 
parameter, the client should be able to inform directly the AS about
which attributes it needs. In this way, the client would not need to 
inform the AS for which RS these attributes are needed.

A major difference with OAuth 2.0 would be that attributes could be 
requested directly to an AS without using the pair scope/RS.
Such an approach would make the architecture scalable.

Denis

>
> We shouldn’t let “OAuth 2 doesn’t do it that way” be the limiting 
> factor here. We need to understand the what and wherefore of things 
> that OAuth 2 is bad at, otherwise we’re just going to re-invent OAuth 
> 2 and inherit its problems.
>
>  — Justin
>
>> On Jun 26, 2020, at 1:39 PM, Dick Hardt <dick.hardt@gmail.com 
>> <mailto:dick.hardt@gmail.com>> wrote:
>>
>> Denis, thanks for sharing your thoughts, some clarifications on your 
>> statements inserted:
>>
>> On Fri, Jun 26, 2020 at 9:42 AM Denis <denis.ietf@free.fr 
>> <mailto:denis.ietf@free.fr>> wrote:
>> <snip>
>>
>>         *New proposed charter*
>>
>> <snip>
>>
>>
>>         Resource servers inform their clients about which access
>>         token formats are acceptable and depending upon the king of
>>         operation
>>         that is requested, which kind of attributes are needed and
>>         from which ASs that my be obtained.
>>
>> While at times this may be appropriate, at other times disclosing the 
>> attributes the RS requires is not needed by the client. For example, 
>> an enterprise client accessing a resource does not need to know which 
>> groups a user belongs to, but the RS may require that to determine if 
>> the user running the client has access..
>>
>>
>>         A major difference with OAuth 2.0 is that there is no
>>         bilateral trust relationship between an authorization server
>>         and a resource server:
>>         for a given category of attributes, a resource server may
>>         trust one or more authorization servers. Another major
>>         difference with OAuth 2.0.
>>         is that the content of an attributes token is meant to be
>>         accessible to the client.
>>
>> This is not how OAuth 2.0 works. See slides 7 and 8 from my original 
>> IETF presentation on what became OAuth 2.0
>>
>> https://www.slideshare.net/gueste648b/ietf-77-oauth-wrap-presentation
>>
>> The AS may not even know who the RS (or PR in the slides) is.
>>
>> <snip>
>>
>>
>>     I got rid of the word "delegation": the client does not delegate
>>     anything to an authorization server. If it would, this would mean
>>     that the authorization server
>>     would be able to act as the client and could know everything that
>>     the client will do, which comes into contradiction with the
>>     user's privacy.
>>
>>
>> The above is not true.
>> The Resource Owner is delegating access control to the AS in 
>> authorization use cases.
>>
>> The client is may be delegating user authentication to the AS in 
>> identity claim use cases.
>>
>> The AS can act as the client in many OAuth deployments, as the access 
>> token is a bearer token. That does not mean the AS knows what the 
>> client is doing.
>>
>> /Dick
>> ᐧ
>> -- 
>> Txauth mailing list
>> Txauth@ietf.org <mailto:Txauth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email