Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
Tom Jones <thomasclinganjones@gmail.com> Tue, 07 July 2020 17:07 UTC
Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCB3D3A115D; Tue, 7 Jul 2020 10:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jEbH-iKkdqud; Tue, 7 Jul 2020 10:07:12 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC53C3A1160; Tue, 7 Jul 2020 10:07:11 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id 5so32831607oty.11; Tue, 07 Jul 2020 10:07:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=1ufTYs/2ZkbuD1DpKxcyjtZYQisiqzGBezw8VRI+RcI=; b=Y1evX4jsrCbgcfvQS+snOBzHi0vAFIJYUs0QSgH82lUTkkrTuBCKm0XYhtw4BoOVfw 70pkVDAX+n+1JSXg7For8j3TbYLl181sfYQRWQ1A/yORY4elgB8DNd2JdraZ9cgvKTc8 drNQEATOyT6Kc1unRugrU96BcQzs0L9eKWIzFYWvfgDKVmRTjV+1qcnqBNG/QKVHnNx+ 3WqDTjv6IP3kDLq1ZTxIA7IsKMlrLcEHpWFrL3gPOliRbA6AOh4iQiX4wM/cTab/7UIZ n/r6hcX4RX8B4H4DB4uVYyI/AwLSH9yWzxb5o9Wu8WoTZhz510X83FPsRmo8qKVIcz1t ldpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=1ufTYs/2ZkbuD1DpKxcyjtZYQisiqzGBezw8VRI+RcI=; b=SAvZ5bR6WUar3zQ0tTaRMUw1yDLA8MudIIz66dX7WWfcfH6+KjBNWRgnYsJxEdbIh+ yofbgtUnJprLAILkRn2uJmyrgYeUfE1p1iq4fMfbiHk9Vl0za/Tek1WhGJFFOCJKgCeO s8xtfC2++24JfjjmUvpHm8OGbJBOJGFgx8CAREYuU7/7ndQ/p1GYHnTkIV1yjoxke6Zj jV4Z6oDuyj3iSPEb7eRhBQsiwQR/FEYlCdVKzzIEuQ/vmSGEy2K4ny644EVDirbx3B8w bTp+PfYD9hDBgW9So/9OK7WpM2salB9+I2xV+y0cN7MtSaoLSe8LjNKCr3IbE7JUjb3C ouKQ==
X-Gm-Message-State: AOAM531s309lKhVhTmZ7WUFk3BnW1WbAQJ9LYhWi0r/BCpdYEjj5rV5+ 8xhY9LQxrE/qWngQ7GFFNC8TRzjNUvW4SmbxLEY=
X-Google-Smtp-Source: ABdhPJycn1DqRqCweUE3VoFL57MBToLAON56cmwWjyrRvwVkWWpprDFwaVrXcb2AIdxcqykTYakVBYJ/GAbE8t839Ug=
X-Received: by 2002:a9d:66ca:: with SMTP id t10mr29704149otm.358.1594141630724; Tue, 07 Jul 2020 10:07:10 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <7563640e-f515-3e73-a4eb-3902ec7af50e@free.fr> <3424311c60f541b197cfda6e9f3b494e@cert.org> <36de4e6a-41fe-81b1-6c92-69fe5b63ad6f@free.fr> <B4301F3A-560D-4B25-B076-512FE7D1DC5B@mit.edu> <e728f24c-1889-bdcc-793e-b961fc84cd30@free.fr>
In-Reply-To: <e728f24c-1889-bdcc-793e-b961fc84cd30@free.fr>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Tue, 07 Jul 2020 10:06:56 -0700
Message-ID: <CAK2Cwb4=nsw_FOgub=TLCH6ZMRkacLhtRiCM1KtWsHwYkitzhA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Justin Richer <jricher@mit.edu>, Roman Danyliw <rdd@cert.org>, "iesg@ietf.org" <iesg@ietf.org>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009efd8705a9dd05f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/0CJxzvrm4UlOhgnZ4Zlaf4xVWY8>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2020 17:07:17 -0000
Again to be blunt, my flow for consent doesn't match yours. thx ..Tom (mobile) On Tue, Jul 7, 2020, 10:04 AM Denis <denis.ietf@free.fr> wrote: > Justin, > > Denis, > > A lot of what you’re describing below changes the very nature of the roles > in the system. The component that manages the consent and issues tokens is, > by definition, the AS. > > The current charter states: "the artifacts for this work are not intended > or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect". > So we are not bound to OAuth 2.0 nor OpenID Connect. Hence, we do not need > to stick with all their concepts. > > I believe that the user's consent should be given after a dialogue with > the RS which does not mean that the RS shall capture the user's consent > since it is the duty of the client. When a user selects one operation > among a choice of operations proposed by the RS, the RS should inform > the client about which attributes it needs to present and from which ASs. > It is only at this moment that the clients learns which ASs are > adequate. Before this moment, the dialogue *cannot* be handled by an AS. > Then after the duty of the client is to look for these attributes and > to get them from one or more ASs. ASs are all equal. There is no single AS > with which the user shall be bound or have a particular relationship > > Managing the authorization (and the user's consent) at the RS is simple: I > have proposed a way to do it (and FIDO U2F is even included). > > Managing the authorization at the AS would mandate a close synchronization > between the RS and all the ASs with which it has a relationship. > There would be the need to define a synch. protocol and it is much simpler > to avoid to use such a protocol and thus not to define it. > "Out-of-bands" means for such a synchronisation would not be a better > solution. But the major issue by managing the user's consent at the AS > is to allow the AS to act as Big Brother. > > A copy and paste from a document published under the "Digital Europe for > All" (DE4A) project : > > The privacy principle requires that the private life, the home and the > communications of each citizen > are respected and that no personal data are gathered without a legitimate > reason and purpose. > > Data protection and privacy should (as far as possible) be *achieved by > design*, i.e. be embedded in the > technical solutions and services in a way that misuse or illegitimate > access is made impossible or at > least very difficult through the technical approach itself, and *without > having to rely on organisational * > *measures or solely on legal measures to guarantee the compliance*. > > Main sources for this principle: CFREU, GDPR, eIDAS, eGov Action Plan, > EIF, Tallinn Declaration, and > SDGR. > > The user shouldn’t ever have to interact directly with the RS, since the > RS is, by definition, an API that is called by software, not an interactive > component. > > But it’s important to note that these are only :roles: to be played and > not strictly speaking separate pieces of software, and that these roles can > be combined and split in a variety of ways. For instance, in what you’re > talking about below, instead of saying that it’s the RS that manages the > consent, what if you saw it as the functionality of the AS that’s been > split between two components: one privacy-preserving element that issues > tokens, and another that deals with interaction and consent. This is > already a pattern that some in the WG have expressed interest in supporting > with GNAP, and the core charter tenet of separating the interaction from > the delegation channels is something that could help there. > > Would it be possible to look at your use case in this different light? > > I could see the RS (i.e. not the AS) split into two components: an API and > an MMI to manage the choices and the consent of the user. > This looks artificial but would it help ? > > Denis > > It’s always possible that we need to re-cast some of these roles, and > that’s been done before: in OAuth 2 we defined the AS and RS roles > separately, even though they can always be deployed together anyway. So > with that it’s possible that there are other distinct pieces here that are > working together that we need to tease out, but that’s something for the WG > to figure out. We can always decide to separate out the parts and allow > them to be recombined in deployment, But I do not think it is helpful to > redefine the existing roles, especially by moving key facets from one > existing role to another. > > — Justin > > On Jul 7, 2020, at 8:43 AM, Denis <denis.ietf@free.fr> wrote: > > Hi Roman, > > Hi Denis! > > Thanks for the feedback and for repeating your review on the revised > text. More inline … > > *From:* iesg <iesg-bounces@ietf.org> <iesg-bounces@ietf.org> *On Behalf > Of *Denis > *Sent:* Monday, July 6, 2020 10:55 AM > *To:* iesg@ietf.org > *Cc:* txauth@ietf.org > *Subject:* Re: [Txauth] WG Review: Grant Negotiation and Authorization > Protocol (gnap) > > Since it is today the last day to send back comments, you will find > hereafter my comments on the last charter version-05. > > BTW, I sent an email yesterday evening with the subject: *Support of FIDO* > and data minimization by RSs, where I indicated that the charter should > mention FIDO U2F so that it should be possible to logon to a RS using > either FIDO or by presenting one (or more) access tokens from one (or more) > AS. > > The original email is here : > https://mailarchive.ietf.org/arch/msg/txauth/fTwQCOfq6do9oL3iIPQczD7icwE/ > > charter-ietf-gnap-00-05 > > This group is chartered to develop a fine-grained delegation protocol for authorization, API access, user identifiers, and identity assertions. > > > > [Denis] Fine. > > > > The protocol will also allow the client to present unverified identifiers and verifiable assertions to the AS as part of its request. > > > > [Denis] This sentence is too vague because "as part of its request" is not explicit enough. If it means "as part as an access token request" > > this should be explicitly said. If, it is not the case, then it should be clearly explained. The AS should know as little as possible (including nothing) > > about what the client is doing. > > > > [Roman] The “request” here is the “access token request”. That can be made clearer. > > This would be appreciated. > > > > This protocol will allow an authorizing party to delegate access to client software through an authorization server. > > > > [Denis] The word "*privacy*" is still missing in the charter. "Delegating access to client software through an authorization server" > > is negating the fact that the user's privacy will ever be considered. IMHO, I believe that a RS may delegate some operation to another RS, > > but I don't believe that an AS should be concerned by any form of delegation, otherwise it would have the ability to act as "Big Brother". > > OAuth has not been constructed taking into consideration the user's privacy. The major difference with it should be that GNAP has been > > constructed along "*privacy by design*" principles. > > > > [Roman] I don’t exactly follow how considerations for privacy are being negated. Above and beyond use-case specific considerations that would be defined later, > RFC6973 is the IETF consensus design guidance that will guide the privacy threats and mitigations of the work. What design guidance would you recommend that > the WG should consider that aren’t captured in RFC6973? > > I believe my message is quite clear : If the AS is handling the delegation > process, it will know what the client is doing or where it is going. > On the contrary, if the RS is handling the delegation process, the AS will > be unable to know what the client is doing. In addition, an AS-centric > architecture would not be scalable and would need a lot of > synchronizations between ASs and RSs. The user consent should be handled by > the RS > and not by the AS. When a RS is unable to provide the service, it is best > placed to tell directly to the client what it could do next. > > RFC 6973 is very good document. Section 7.1 states: > > b. Data. What information does the protocol expose about > individuals, their devices, and/or their device usage (other than the > identifiers discussed in (a))? > > Data includes both the operation and the data associated with the > operation. An AS should be kept ignorant of both the operation and the data > associated with the operation. > > c. Observers. (...) Are there ways for protocol implementers to choose > to limit the information shared with each entity? > > If theses guidances were followed, the proposed architecture would not be > AS-centric. > > > > It will *expand* upon the uses cases currently supported by OAuth 2.0 and OpenID Connect (itself an extension of OAuth 2.0) to support authorizations > > scoped as narrowly as a single transaction, provide a clear framework for interaction among all parties involved in the protocol flow, and remove > > unnecessary dependence on a browser or user-agent for coordinating interactions. > > > > [Denis] There is no need to refer to OAuth 2.0 and OpenID Connect. Some existing uses cases (i.e. "*non-expanded"* use cases) should be supported > > differently from OAuth 2.0 and OpenID Connect, in particular to support the user's privacy. > > > > [Roman] I’d want to hear others on this rescoping. Building upon the use cases of OAuth 2.0 and OpenID Connect has been core, consensus-validated tenant for some time now. > > > > The delegation process will be acted upon by multiple parties in the protocol, each performing a specific role. The protocol will decouple the channels used > > by the protocol participants to communicate from the delegation channel, which happens directly between the client and the authorization server (in contrast > > with OAuth 2.0, which is initiated by the client redirecting the user’s browser). > > > > [Denis] Here again, the delegation process, if any, should be handled by RSs and not by ASs. > > The term "delegation channel" is being used but it is left undefined. It is not understandable. > > > > [Roman] This sentence was just added into -05 address Security AD feedback. In this case, it was made to distinguish between in-band signaling and the new purpose-to-be-built channel. > > Since delegation should not be handled by the AS, a delegation channel > should not exist. > > > > The protocol will include a means of specifying how the user can potentially be involved in an interactive fashion during the delegation process. > > The client and Authorization Server (AS) will use these interaction mechanisms to involve the user, as necessary, to make authorization decisions. > > > > [Denis] Here again, the delegation process, if any, should be handled by RSs and not by ASs. The AS should know as little as possible (including nothing) > > about what the client is doing. > > > > [Roman] Understood – as I understand it, you have concern with the scope of the AS behavior. I’d be interesting in hearing additional support for this rescoping. > > > > This decoupling avoids many of the security concerns and technical challenges of OAuth 2.0 and provides a non-invasive path for supporting future types > > of clients and interaction channels. > > > > [Denis] This is not understandable to me. Is such a sentence really needed in a charter ? > > > > [Roman] Can someone on the TxAuth mailing list remind us on why this sentence is here? With a fresh read, I also can’t remember why we need it. > > > > The group will define interoperability for this protocol between different parties, including > > - client and authorization server; > > - client and resource server; and > > - authorization server and resource server. > > > > [Denis] In order to support the user's privacy, there should be no interaction at all between an authorization server and a resource server > > *at the time of a client request*. > > > > The group will seek to minimize assumptions about the form of client applications, allowing for: > > - Fine-grained specification of access > > - Approval of AS attestation to identifiers and other identity claims > > - Approval of access to multiple resources and APIs in a single interaction > > - Multiple access tokens in a single request and response > > - AS-directed dispatch of access tokens to the appropriate RS > > [Denis] As-directed dispatch does not allow to support the user's privacy. However, RS-directed dispatch allows to support the user's privacy. > > It should be explicitly mentioned. > > [Roman] As above (per the AS vs. RS behavior) > > - Separation between the party authorizing access and the party operating the client requesting access > > > > [Denis] It is questionable whether such a separation would be really beneficial. In doubt, this item should be removed. > > [Roman] Could you say more on why this flexibility wouldn’t be worth it? > > Except for added complexity, there is no need to have separate channels. > It is simpler to send the access token in addition to the data > and, for additional security, to sign the data using a private key > corresponding to a public key present in the access token. > > The group will define extension points for this protocol to allow for flexibility in areas including: > > > > Cryptographic agility for keys, message signatures, and proof of possession > > - User interaction mechanisms including web and non-web methods > > - Mechanisms for conveying user, software, organization, and other information used in authorization decisions > > - Mechanisms for presenting tokens to resource servers and binding resource requests to tokens and associated cryptographic keys > > Optimized inclusion of additional information (including identifiers and identity assertions) through the delegation process > > > > Additionally, the group will provide mechanisms for management of the protocol lifecycle including: > > - Discovery of the authorization server > > - Revocation of active tokens > > Data model for granted access and mechanisms for the AS and RS to communicate the granted access model > > > > [Denis] While it is the duty for the RS to communicate the granted access model to the client *at the appropriate instant of time*, > > the AS should be kept fully ignorant of it. > > > > Although the artifacts for this work are not intended or expected to be backwards-compatible with OAuth 2.0 or OpenID Connect, > > the group will attempt to simplify migrating from OAuth 2.0 and OpenID Connect to the new protocol where possible. > > > > This group is not chartered to develop extensions to OAuth 2.0, and as such will focus on new technological solutions not necessarily > > compatible with OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be directed to the OAuth Working Group, including > > functionality back-ported from the protocol developed here to OAuth 2.0. > > > > The group is chartered to develop mechanisms for applying cryptographic methods, such as JOSE and COSE, to the delegation process. > > This group is not chartered to develop new cryptographic methods. > > > > The group is chartered to develop mechanisms for conveying identity information within the protocol including existing identifiers > > (such as email addresses, phone numbers, usernames, and subject identifiers) and assertions (such as OpenID Connect ID Tokens, > > SAML Assertions, and Verifiable Credentials). The group is not chartered to develop new formats for identifiers or assertions, nor is the group > > chartered to develop schemas for user information, profiles, or other identity attributes, unless a viable existing format is not available. > > > > The initial work will focus on using HTTPS for communication between the client and the authorization server, taking advantage > > of optimization features of HTTP/2 and HTTP/3 where possible, and will strive to enable simple mapping to other protocols such as COAP > > when doing so does not conflict with the primary focus. > > > > Milestones to include: > > - Core delegation protocol > > [Denis] Before defining a "Core delegation protocol", a simple client server-protocol involving the presentation of several access tokens to one RS should be defined. > > Privacy principles should be applied when defining the protocol. Then after, a delegation mechanism allowing one RS to forward an operation to another RS should be defined. > > - Key presentation mechanism bindings to the core protocol including TLS, detached HTTP signature, and embedded HTTP signatures > > [Denis] Bindings to TLS are now deprecated, why should they be maintained ? > > Signatures may be needed but they do not necessarily need to be "detached HTTP signature, and embedded HTTP signatures". > > This item should be either removed or reworded. > > [Roman] Noted. I’d want to hear others on this rescoping. > > As explained above, it is possible to sign the data using a private key > corresponding to a public key present in the access token. > > > > - Conveyance mechanisms for identifiers and assertions > > - Guidelines for use of protocol extension points (if needed) > > - Guidelines on migration paths, implementation, and operations > [Denis] The above three lines are rather mysterious. > [Roman] The guidelines on migration paths came from the initial IESG > review in order to have a named activity to action the design goal of “… > the group will attempt to simplify migrating from OAuth 2.0 and OpenID > Connect to the new protocol where possible” a bit earlier in the text. > Where possible, the group will seek to make use of tools to guide and > inform the standardization process including formal analysis, > architecture documents, and use case documents. These artifacts will not > be considered as working group milestones or deliverables. > The working group will cooperate and coordinate with other IETF WGs such > as OAUTH, and work with external organizations, > such as the OpenID Foundation, as appropriate. > [Denis] The charter should be shorter. > > [Roman] Definitely. Nevertheless, we have the current text through rough > consensus process achieved from two BoFs and multiple mailing list > consensus calls. > > In a previous post, I proposed a much shorter text. > > Denis > > > Regards, > Roman > > /Denis > > > A new IETF WG has been proposed in the Security Area. The IESG has not made > > any determination yet. The following draft charter was submitted, and is > > provided for informational purposes only. Please send your comments to the > > IESG mailing list (iesg@ietf.org) *by 2020-07-06*. > > > > Grant Negotiation and Authorization Protocol (gnap) > > ----------------------------------------------------------------------- > > Current status: Proposed WG > > > > Chairs: > > Yaron Sheffer <yaronf.ietf@gmail.com> <yaronf.ietf@gmail.com> > > Leif Johansson <leifj@sunet.se> <leifj@sunet.se> > > > > Assigned Area Director: > > Roman Danyliw <rdd@cert.org> <rdd@cert.org> > > > > Security Area Directors: > > Benjamin Kaduk <kaduk@mit.edu> <kaduk@mit.edu> > > Roman Danyliw <rdd@cert.org> <rdd@cert.org> > > > > Mailing list: > > Address: txauth@ietf.org > > To subscribe: https://www.ietf.org/mailman/listinfo/txauth > > Archive: https://mailarchive.ietf.org/arch/browse/txauth/ > > > > Group page: https://datatracker.ietf.org/group/gnap/ > > > > Charter: https://datatracker.ietf.org/doc/charter-ietf-gnap/ > > > > This group is chartered to develop a fine-grained delegation protocol for > > authorization and API access, as well as requesting and providing user > > identifiers and claims. This protocol will allow an authorizing party to > > delegate access to client software through an authorization server. It will > > expand upon the uses cases currently supported by OAuth 2.0 and OpenID Connect > > (itself an extension of OAuth 2.0) to support authorizations scoped as > > narrowly as a single transaction, provide a clear framework for interaction > > among all parties involved in the protocol flow, and remove unnecessary > > dependence on a browser or user-agent for coordinating interactions. > > > > The delegation process will be acted upon by multiple parties in the protocol, > > each performing a specific role. The protocol will decouple the interaction > > channels, such as the end user’s browser, from the delegation channel, which > > happens directly between the client and the authorization server (in contrast > > with OAuth 2.0, which is initiated by the client redirecting the user’s > > browser). The protocol will include a means of specifying how the user can > > potentially be involved in an interactive fashion during the delegation > > process. The client and Authorization Server (AS) will use these interaction > > mechanisms to involve the user, as necessary, to make authorization decisions. > > This decoupling avoids many of the security concerns and technical challenges > > of OAuth 2.0 and provides a non-invasive path for supporting future types of > > clients and interaction channels. > > > > The group will define interoperability for this protocol between different > > parties, including > > - client and authorization server; > > - client and resource server; and > > - authorization server and resource server. > > > > The group will seek to minimize assumptions about the form of client > > applications, allowing for: > > - Fine-grained specification of access > > - Approval of AS attestation to identifiers and other identity claims > > - Approval of access to multiple resources and APIs in a single interaction > > - Support for multiple access tokens in a single request and response > > - Support for directed, audience-restricted access tokens > > - Separation between the party authorizing access and the party operating the > > client requesting access > > > > The group will define extension points for this protocol to allow for > > flexibility in areas including: > > > > - Cryptographic agility for keys, message signatures, and proof of possession > > - User interaction mechanisms including web and non-web methods > > - Mechanisms for conveying user, software, organization, and other > > information used in authorization decisions > > - Mechanisms for presenting tokens to resource servers and binding resource > > requests to tokens and associated cryptographic keys > > - Optimized inclusion of additional information (including identifiers and > > identity assertions) through the delegation process > > > > Additionally, the group will provide mechanisms for management of the protocol > > lifecycle including: > > > > - Discovery of the authorization server > > - Revocation of active tokens > > - Mechanisms for the AS and RS to communicate the access granted by an access > > token > > > > Although the artifacts for this work are not intended or expected to be > > backwards-compatible with OAuth 2.0 or OpenID Connect, the group will attempt > > to simplify migrating from OAuth 2.0 and OpenID Connect to the new protocol > > where possible. > > > > This group is not chartered to develop extensions to OAuth 2.0, and as such > > will focus on new technological solutions not necessarily compatible with > > OAuth 2.0. Functionality that builds directly on OAuth 2.0 will be directed > > to the OAuth Working Group, including functionality back-ported from the > > protocol developed here to OAuth 2.0. > > > > The group is chartered to develop mechanisms for applying cryptographic > > methods, such as JOSE and COSE, to the delegation process. This group is not > > chartered to develop new cryptographic methods. > > > > The group is chartered to develop mechanisms for conveying identity > > information within the protocol including existing identifiers (such as email > > addresses, phone numbers, usernames, and subject identifiers) and assertions > > (such as OpenID Connect ID Tokens, SAML Assertions, and Verifiable > > Credentials). The group is not chartered to develop new formats for > > identifiers or assertions, nor is the group chartered to develop schemas for > > user information, profiles, or other identity attributes, unless a viable > > existing format is not available.<o:p cl > >
- [Txauth] WG Review: Grant Negotiation and Authori… The IESG
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Mike Varley
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer