IETF Logo Mail Archive

Re: [GNAP] "Access Token" when calling AS is really a cookie

Dick Hardt <dick.hardt@gmail.com> Mon, 23 November 2020 17:38 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC76F3A0A47 for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 09:38:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XvCtA2_aMK8g for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 09:38:36 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9981C3A0A3E for <txauth@ietf.org>; Mon, 23 Nov 2020 09:38:35 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id u18so24891578lfd.9 for <txauth@ietf.org>; Mon, 23 Nov 2020 09:38:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8+6/MhWY/tDPBckfr0g3gXdiHvgNBiBOzBqbwP3juoo=; b=kg1UFR9QA9NcqSuCEqTjijY/AMsJleVR8hyXxkGoj9lkh50UfukpSZHjPDyiZS1KWl tbI3r76lc8WLCUJu4IEJSrNWhEwmszDqTmP+jSULmob0akNcUF30PwhHCfRhxxo2fDJB hi4ufGm5m3wwSiJFSeA+Pu6k97Xw8i4g7qFPbS43R7k1iNsEqvioqOGn02KCOhPVhF2D 07ale6YyPbfd8qyJkK28gcnGgp0x5w9ClXABVcO+0+HnbGyEV16+nOzItA2YemBmUKIi d9+/xLDtEXrYf5j4VfQRR4G6njS1NABME72ZDDiaheSHo3Qi0gCetumrUWf1sDpRK7NP nMTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8+6/MhWY/tDPBckfr0g3gXdiHvgNBiBOzBqbwP3juoo=; b=ZRW/QM5WpRNhYL5BO5c2q64oCNLTMQpcGoX5sb7EPinF1sLszKWwBfPSv/KZrDfLR0 YmgzHIlfD/2LeNnaoxLixupJAgFMlZVClvefTgP7RuOvVLl9PPrwRxtsjanaRtm8RQZf MRouXLjSOV8VYDqyAqV6k8EKQqWrrhEVym5jtNzELDcxMr7UyY6B8SrZXQPTCYhOCkzZ Mf52yZFh7VfJ3f6GFqh60xo3Q0d2IR2uZI+5dWj+AK/OtuSwqVILCSlVanU4UOa61vhd dP7C4GM+VJm/OL5Veb9miFGa7ShdwKap5tALfnknfhYc0ZxfGqzavqihL/POjNH/ccN5 X2tw==
X-Gm-Message-State: AOAM530nzQw2e3eSbeTqhIWAabWmL/bP+9ab2GLX7G4rQNCvcKCmxGJN anwGh9bjbafT2dvx+MQvdAkJhviSfQpRiCGnm9E=
X-Google-Smtp-Source: ABdhPJxj8NAIWpv0IGzlEqby+0HR/m+xXeH6jMs7nZvQny7yCeh5mEAIAM+fAeuYw+T/4SKHCqAwVWom/yZb0ZxfIf4=
X-Received: by 2002:a19:88a:: with SMTP id 132mr123079lfi.316.1606153113657; Mon, 23 Nov 2020 09:38:33 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-vKSpV6eC3CUPzwFog5yOb+zeshLJC7+8RgNeF9CNFiww@mail.gmail.com> <CAM8feuSh0q3mf+KapqV7Sxo+k9GSaibAbGwK7J2vPh-EAAprwQ@mail.gmail.com> <CAD9ie-vpURieTiZpeCfLscPCtU1VY_CrtOP3UAxFogku6gL0iw@mail.gmail.com> <CAM8feuRLNwvN9VP2w9L9WYtSTpyUR1Wbe8nT88RKb6jhaMWY6w@mail.gmail.com>
In-Reply-To: <CAM8feuRLNwvN9VP2w9L9WYtSTpyUR1Wbe8nT88RKb6jhaMWY6w@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 23 Nov 2020 09:37:56 -0800
Message-ID: <CAD9ie-vnZH-zexJ8yiRyozzbCLJKe1sVVfoeKtgysUG32UhAGQ@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cb63bd05b4c9a927"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/-ED3pMptvpRd3HJeP1kGGwKjcVc>
Subject: Re: [GNAP] "Access Token" when calling AS is really a cookie
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 17:38:39 -0000

To clarify, I am talking about HTTP cookies, which are effectively opaque
to the web browser, and used by the web server to store state.

https://en.wikipedia.org/wiki/HTTP_cookie

A client may use local storage for saving state, but that is completely
different from an HTTP cookie which is issued by the server.
ᐧ

On Mon, Nov 23, 2020 at 8:30 AM Fabien Imbault <fabien.imbault@gmail.com>
wrote:

> If the client was directly managing/storing its state, then it would
> indeed effectively work as a cookie.
> But here the access token merely provides a map to the current state
> (opaque to the client), as managed/controlled by the AS.
> It's a very different use case compared to what cookies are used for in
> webapps.
>
> Having a unique URL is a different design (XAuth was more aligned with
> that idea).
>
> Fabien
>
>
> On Mon, Nov 23, 2020 at 5:09 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> If all the access token is doing is expressing "please continue" ... why
>> do we need an access token?
>>
>> Why not just have a unique URL for the grant request? The URL is the
>> identifier for the grant request that allows the client to delete, update,
>> etc.
>>
>> How the access token is being used is just like a cookie. The AS gives a
>> string to the client and the client must pass the string back to the AS
>> when it calls it, the AS may then give a new string to the client for the
>> next call. Works like a cookie. I don't know why you think there are legal
>> issues around this.
>>
>> /Dick
>>
>>
>>
>> ᐧ
>>
>> On Sun, Nov 22, 2020 at 11:40 PM Fabien Imbault <fabien.imbault@gmail.com>
>> wrote:
>>
>>> Hi Dick,
>>>
>>> In GNAP, the client isn't managing state (unlike a web app), the entire
>>> point is that the lifecycle should be managed by the AS.
>>>
>>> As in any state machine, there are states and transitions. Here we're
>>> not passing state, merely expressing "please continue". The client can be
>>> completely unaware of the underlying state.
>>> In effect the client only has the ability to ask the server to generate
>>> the next transition.
>>>
>>> So I don't think you can compare that to cookies. It's a different
>>> behavior. BTW if it was the case it would lead to a whole new class of
>>> issues, because there's an entire legal framework around cookies...
>>>
>>> To avoid confusion with a standard access token, we have the "key"
>>> field. My proposal would be to make it more explicitly (cf comment in issue
>>> 67).
>>>
>>> Fabien
>>>
>>>
>>> Le lun. 23 nov. 2020 à 02:06, Dick Hardt <dick.hardt@gmail.com> a
>>> écrit :
>>>
>>>> When I look at how GNAP is using access tokens for continuation
>>>> requests, and the pull request #129
>>>> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129>
>>>>
>>>> Those "access tokens" look a lot more like cookies (managing state)
>>>> than how access tokens are usually used (representing authorization). See
>>>> table below.
>>>>
>>>> If there is a real requirement for passing state back and forth between
>>>> a server (the AS in this case) and the client when making API calls, then I
>>>> suggest that is out of scope for GNAP as I see it being a general purpose
>>>> mechanism for any API.
>>>>
>>>> /Dick
>>>>
>>>>
>>>>
>>>> *cookies*- issued by server being accessed
>>>> - are not presented to other servers
>>>> - issued after first access
>>>> - may be different for different URLs
>>>> - may be updated on each access
>>>> - represents the context of a session (state)
>>>>
>>>>
>>>> *access tokens*- issued by an independent service (AS)
>>>> - may be used at any URL at the RS
>>>> - new ones issued by AS as needed
>>>> - represents authorization granted to a client at an RS
>>>> ᐧ
>>>> --
>>>> TXAuth mailing list
>>>> TXAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>>

v2.23.0 | Report a Bug | By Email