IETF Logo Mail Archive

Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00

Dick Hardt <dick.hardt@gmail.com> Tue, 17 November 2020 19:02 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7630E3A1563 for <txauth@ietfa.amsl.com>; Tue, 17 Nov 2020 11:02:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tG7LMCPpGd9G for <txauth@ietfa.amsl.com>; Tue, 17 Nov 2020 11:02:50 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 485FB3A155A for <txauth@ietf.org>; Tue, 17 Nov 2020 11:02:50 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id y4so17795411edy.5 for <txauth@ietf.org>; Tue, 17 Nov 2020 11:02:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=W9XT98BJS/eVwQGCyd4oPxcfGBCovi+tN0wAwt1u9Y0=; b=FuKJ9PmypD1gIK3JFYS9z70R57WDhJVzxrOwKrgO+WC11pyvZgDc/3YoIlnPmuzd5g Q/UOKtt4qfsD7nqttTD3f5xYg7BgTWFD8ANHJS9RI9J7Ss11rTPSSTeIjGht61ZMumQu pu+zd2szILkCzhHG7HI9Y1Y5k+fr6kReApxJ0WFApMQzI8gcE+idRhRJk0QTtXSA2lpY 54cisuK7eQ5zp7eTQ+5If2l8c+h5AWuHboR3HhDWLOS5G2FSPN9Qn8GuahcIQMas/tid dGMjRCbB+tDCuWqYhyEk+jcQU+3Ee65AjPLkP0zt3VlKgv1j5cU3y+L7qDf+4CUfmUB9 gyfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=W9XT98BJS/eVwQGCyd4oPxcfGBCovi+tN0wAwt1u9Y0=; b=l79CF9K1Dyg8V5mP6dNYOIUJYLvYkKBCK8Oyk3Zks2bHb7GmG90072Uzb+ZpGlOa5x NFST9do9OxZ5XH3PYsTUwq+Ruc3BFK5GOsdEGUwiDB/YexaVNtqQkWLnxE1w0FNHxY15 ZGB0pivQIQKJPKCvbAeCxmV2KNAWvviLMKvKosaKm7QTgNvGaI/p9GgjClwlN3dKT4Zq XnQJecSVQtESH+/xHjByt7QjNnRKSh2sb4QNC7WTwZ181uC+B/JTdbfUAuXr1uQeYL4W Pif88NMksLCWZTT4eyiXZ954WLDqSqOrEOlo/3UuFz3FmemzM2NLfTAvburtqisOBBcq SRgQ==
X-Gm-Message-State: AOAM530cnVlvSCrOK4hpx6VCRxtzYLLb8K1QenEOeq/LYzjwjPnYQD8w pWE2FHQrmWj36GfGPG/e1GPJe4Yj+sf98k5J5Hs4oeRPR/s=
X-Google-Smtp-Source: ABdhPJyl9iQh0S4AbXYMP8ZdOB0aBwJhn0E3Kk31kO11cFaA5mF9Kyk4ziY0O3vUKnQcPwXNtjfD1glUsAryEkZ3e5o=
X-Received: by 2002:a50:f392:: with SMTP id g18mr22745168edm.140.1605639768529; Tue, 17 Nov 2020 11:02:48 -0800 (PST)
MIME-Version: 1.0
References: <160433257633.23038.15047041472414640530@ietfa.amsl.com> <AB11DC08-C6ED-4045-A8F5-872AD263035D@mit.edu> <FR2P281MB01063C2EA739E892B549611D8D110@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <CAM8feuQcCdQFGUKy-ou7H3Ta38yyN1LR+0XJd9WophRMRdPDEA@mail.gmail.com> <FR2P281MB0106C83420ED3F8DF2723BFD8DE30@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <5b8ac79b-0c0e-18e9-9f80-b5d79e9ae59b@free.fr> <CAM8feuQ346w9EL=-qpJRmMOO_YUp_14gShxcro+pVxnfXTvkzw@mail.gmail.com> <5E214281-2974-4632-AB74-4E068B7EE66B@mit.edu> <CAK2Cwb5ACMxjiph796Lq1U3FZ6Tm_2TCmsKTJZn8Fgc0rzEgZQ@mail.gmail.com> <CAD9ie-vDS9-Cc=cVRc_SDg7z6KxMqySdcfv3ZPSjAzHorZP7UQ@mail.gmail.com> <CAK2Cwb66asqy1MCtW7KNHyW5=H23fWATBds2aKC3Xi88V34=Rw@mail.gmail.com> <CAD9ie-sGRFQMj81g4oWAS=CgHOe5ReDrAXeVzqvW9UL0W0P-Qw@mail.gmail.com> <CAK2Cwb4EvfF6umL9kU+02kjTWGbV8Xe8ekOoA4X6yKnhhZNjpg@mail.gmail.com>
In-Reply-To: <CAK2Cwb4EvfF6umL9kU+02kjTWGbV8Xe8ekOoA4X6yKnhhZNjpg@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 17 Nov 2020 11:02:10 -0800
Message-ID: <CAD9ie-sne4mADF+7LGOH5n7OHdA+kbzrtLHtGHzokTwXaYx8gg@mail.gmail.com>
To: Tom Jones <thomasclinganjones@gmail.com>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000a607905b4522474"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/0RNAPctcmlSYsOmQI5Nn-uTjPao>
Subject: Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 19:02:54 -0000

It would seem that the mobile OSes would need to support a new scheme
"openid:" ... and provide a mechanism in both the mobile browser and mobile
apps to detect if an "openid:" handler has been installed.
ᐧ

On Tue, Nov 17, 2020 at 10:32 AM Tom Jones <thomasclinganjones@gmail.com>
wrote:

> yes - this is the sticking point for siop - not sure how it will get
> resolved.
> Peace ..tom
>
>
> On Tue, Nov 17, 2020 at 10:29 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> Got it.
>>
>> So web apps invoke a openid: deep link and hope there is an app to handle
>> the openid: scheme? ... and that it is the user's wallet rather than some
>> malware that has registered openid: on the mobile device?
>>
>> A native app can attempt to open a deep link associated with an app, and
>> will fail if the app is not there. If the app is there, it will be opened,
>> so this can't be used to silently test if an app is present, but it does
>> allow a native app to provide an alternative experience if an app is not
>> present. I don't think this works with custom schemes ... and I don't know
>> how it could work from a web app on the phone with the current Safari APIs.
>>
>> Apple warns against using custom schemes [1] ... but perhaps they can be
>> convinced to make openid: a managed scheme similar to mailto:, tel:,
>> sms:, facetime: ?
>>
>> [1]
>> https://developer.apple.com/documentation/xcode/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app
>>
>>
>> ᐧ
>>
>> On Tue, Nov 17, 2020 at 10:06 AM Tom Jones <thomasclinganjones@gmail.com>
>> wrote:
>>
>>> You are - that is not standard which is opeind://
>>> This is the one step that still needs to be optimized for SIOP to have
>>> good UX.
>>> Peace ..tom
>>>
>>>
>>> On Tue, Nov 17, 2020 at 9:59 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>>> Hi Tom
>>>>
>>>> I watched your video (I watched at 2X speed)
>>>>
>>>> Looks like the employment website app that is using localhost:8765 to
>>>> communicate with the wallet. Am I correct?
>>>>
>>>> /Dick
>>>> ᐧ
>>>>
>>>> On Tue, Nov 17, 2020 at 9:46 AM Tom Jones <thomasclinganjones@gmail.com>
>>>> wrote:
>>>>
>>>>> Well, here's a demo. Note that in this case the AS is not online all
>>>>> of the time, so it is really implicit flow and the OIDC id-token comes from
>>>>> the siop device directly.
>>>>> (whether this is front-channel or back channel is no longer an
>>>>> interesting question.)
>>>>> Now if an always-on AS is required, that is possible, but probably
>>>>> beyond the scope of this effort and would require something like an
>>>>> agent-in-the-sky (with diamonds).
>>>>> here is the link to the 9 min video   https://youtu.be/Tq4hw7X5SW0
>>>>> <https://urldefense.us/v2/url?u=https-3A__youtu.be_Tq4hw7X5SW0&d=DwMFaQ&c=2plI3hXH8ww3j2g8pV19QHIf4SmK_I-Eol_p9P0CttE&r=D5lnfoa2MVZWELqVbbz71ooelbP7rVGCjGDSBNvUpYQ&m=ixsudGSr_dhG-SLiatb4Sz9FWslmywnYyZAOLgZxhl8&s=jdLLy0G1JTQCAOBZ6PeUgI0kiCtVJXrru0VToYWlNZ8&e=>
>>>>> Peace ..tom
>>>>>
>>>>>
>>>>> On Tue, Nov 17, 2020 at 9:20 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>
>>>>>> Ultimately, in most situations like these in the real world, the
>>>>>> hurdle isn’t technical compatibility so much as it is trust compatibility.
>>>>>> The RP (client) needs to have some incentive to trust the assertions and
>>>>>> identity information that’s coming from the AS. The same is true for an RS
>>>>>> trusting tokens from the AS. The hard question is less “how” to do that
>>>>>> (which SSI answers), but more “why” to do that (which SSI doesn’t answer
>>>>>> very well, because it’s a hard question).
>>>>>>
>>>>>> Still: it’s definitely a question about how to support this “AS on
>>>>>> device” element. We’ve got the start of it more than OAuth2/OIDC have by
>>>>>> allowing the bootstrap of the process from a starting call: the interaction
>>>>>> and continuation URIs handed back by the AS don’t need to be the same URIs
>>>>>> that the client starts with, so just like SIOP the process can start in
>>>>>> HTTP and potentially move to other communication channels. A major
>>>>>> difference is that we aren’t dependent on the assumption that the user will
>>>>>> always be in a browser at some stage, and so the whole raft of
>>>>>> front-channel messages that SIOP relies on doesn’t fly. That said, we’ve
>>>>>> got an opportunity to more explicitly open up alternative communication
>>>>>> channels here, and that’s something I’d like to see engineered, even if
>>>>>> it’s an extension. I’d love to see a concrete proposal as to how that would
>>>>>> work over specific protocols, starting with what we’ve got today.
>>>>>>
>>>>>>  — Justin
>>>>>>
>>>>>> On Nov 17, 2020, at 12:03 PM, Fabien Imbault <
>>>>>> fabien.imbault@gmail.com> wrote:
>>>>>>
>>>>>> Hi Denis, hi Francis,
>>>>>>
>>>>>> At some point integration with SSI (on the authentication side) will
>>>>>> probably occur, including amongst other possibilities SIOP (since they work
>>>>>> with OpenID a part of the work will probably be made easier).
>>>>>>
>>>>>> That being said, Denis is right. It's not an AS. Technically it's
>>>>>> entirely possible to rely on a decentralized wallet (for instance on your
>>>>>> phone) and a centralized AS. I know of a few studies on how to decentralize
>>>>>> the AS itself (for instance
>>>>>> https://tools.ietf.org/html/draft-hardjono-oauth-decentralized-02).
>>>>>> Maybe it exists, but I'm still looking for real scenarios (or even
>>>>>> architectures) where an AS is deployed directly on a phone, and under the
>>>>>> sole authority of the RO, while being compatible with the rest of the
>>>>>> world.
>>>>>>
>>>>>> Cheers,
>>>>>> Fabien
>>>>>>
>>>>>> On Tue, Nov 17, 2020 at 5:45 PM Denis <denis.ietf@free.fr> wrote:
>>>>>>
>>>>>>> Hello  Francis,
>>>>>>>
>>>>>>> See two comments in line.
>>>>>>>
>>>>>>>
>>>>>>> B) Current Document
>>>>>>>
>>>>>>> Roles description shall not hold any assumption on the physical
>>>>>>> structure of the party fulfilling the roles.
>>>>>>> [FI] not sure what you mean
>>>>>>>
>>>>>>>  [FP] for example, we assume the AS is a server! In most SSI based
>>>>>>> use cases, the AS will be running on the user device. See SIOP (
>>>>>>> https://identity.foundation/did-siop/).
>>>>>>>
>>>>>>> I browsed through the two drafts, i.e. :
>>>>>>>
>>>>>>>    - Decentralized Identifiers (DIDs) v1.0 Core architecture, data
>>>>>>>    model, and representations W3C Working Draft 08 November 2020
>>>>>>>    - Self-Issued OpenID Connect Provider DID Profile v0.1. DIF
>>>>>>>    Working Group Draft
>>>>>>>
>>>>>>> At no place within these two documents, it is possible to imagine
>>>>>>> that "the AS will be running on the user device".
>>>>>>>
>>>>>>> From section 3 of the DIF Working Group Draft:
>>>>>>>
>>>>>>>       "Unlike the OIDC Authorization Code Flow as per [OIDC.Core],
>>>>>>> the SIOP will not return an access token to the RP".
>>>>>>>
>>>>>>> An Identity Wallet is not an AS.
>>>>>>>
>>>>>>>
>>>>>>> Roles:
>>>>>>> -> grant endpoint of the AS: Why is this a post request? This
>>>>>>> eliminates the chance of having user device hosted AS (no server).
>>>>>>> [FI] what would you propose instead?
>>>>>>> Would also be interested to understand better the deployment model
>>>>>>> when there is no server. That's something that was discussed several times
>>>>>>> but I'm still missing the underlying architecture and use case.
>>>>>>>
>>>>>>>  [FP] See above (SIOP). There will be a lot of identity wallets
>>>>>>> operated on end user device.
>>>>>>>
>>>>>>> See the above comment. Please, do not confuse an Identity Wallet
>>>>>>> with an Authentication Server (AS).
>>>>>>>
>>>>>>> Denis
>>>>>>>
>>>>>>>
>>>>>>> -> Resource Owner (RO) : Authorizes the request? Does it authorize
>>>>>>> the request or the access to a resource?
>>>>>>> [FI] yes, we should make the wording clearer
>>>>>>>
>>>>>>> Missing Section Interactions:
>>>>>>> --> This section shall introduce the notion of interaction before we
>>>>>>> start listing interaction types.
>>>>>>> [FI] yes
>>>>>>>
>>>>>>> Interaction Types:
>>>>>>> --> I prefer a classification with Redirect, Decoupled and Embedded
>>>>>>> is. In the draft, we have one redirect and 2 decouple interactions and
>>>>>>> nothing else.
>>>>>>> [FI] this should be handled as a specific discussion item. As a
>>>>>>> reminder, how would you define embedded?
>>>>>>>
>>>>>>> In practice there's at least these modes:
>>>>>>> - redirect and redirect back
>>>>>>> - redirect to different browser or device
>>>>>>> - user code
>>>>>>> - CIBA
>>>>>>>
>>>>>>> [FP] This classification is limited.
>>>>>>>
>>>>>>>    - Redirect: same device, same or different user agents (browser,
>>>>>>>    mobile app, desktop app, ...)
>>>>>>>    - Decoupled: different devices
>>>>>>>    - Embedded : RC carries RO authorization to AS
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Resource Access Request vs. Resource Request
>>>>>>> --> Both are mixed up. No clarification of the context of each
>>>>>>> section.
>>>>>>> [FI] could you clarify what you'd expect.  Btw on this topic,
>>>>>>> there's a more general discussion on whether we should make a distinction
>>>>>>> or not.
>>>>>>>
>>>>>>> ​[FP]: Here:
>>>>>>>
>>>>>>>    - Resource Access Request: Requesting Access to a resource.
>>>>>>>    Response is an access token (or any type of grant)
>>>>>>>    - Resource Request: Request the resource. Response is the
>>>>>>>    resource (or a corresponding execution)
>>>>>>>
>>>>>>>
>>>>>>> Token Content Negotiation
>>>>>>> --> Not expressed as such. This is central to GNAP and not
>>>>>>> represented enough  in the document.
>>>>>>> [FI] right. This should be a specific discussion item.
>>>>>>>
>>>>>>> Requesting "User" Information
>>>>>>> we identify two types of users: RQ and RO. It will be better not to
>>>>>>> refer to a user in this draft, but either to a RQ or an RO.
>>>>>>> [FI] yes that would avoid potential misunderstandings. Although in
>>>>>>> the end, people will translate RQ into user or end-user most of the time.
>>>>>>> Cf in definition, currently we have Requesting Party (RQ, aka
>>>>>>> "user")
>>>>>>>
>>>>>>>
>>>>>>> Interaction Again
>>>>>>> -> For each interaction type, we will have to describe the protocol
>>>>>>> flow and the nature and behavior of involved Roles (Parties), Elements,
>>>>>>> Requests.
>>>>>>> [FI] yes
>>>>>>>
>>>>>>>
>>>>>>> [FP] Will these and into tickets?
>>>>>>>
>>>>>>> Best regards.
>>>>>>> /Francis
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> TXAuth mailing list
>>>>>>> TXAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>>>>
>>>>>> --
>>>>>> TXAuth mailing list
>>>>>> TXAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>>>
>>>>>>
>>>>>> --
>>>>>> TXAuth mailing list
>>>>>> TXAuth@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>>>
>>>>> --
>>>>> TXAuth mailing list
>>>>> TXAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>>
>>>>

v2.23.0 | Report a Bug | By Email