Re: [Txauth] Support of delegation
Dick Hardt <dick.hardt@gmail.com> Wed, 15 July 2020 17:19 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4B703A0CFF for <txauth@ietfa.amsl.com>; Wed, 15 Jul 2020 10:19:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZtDlsmz0Dl1n for <txauth@ietfa.amsl.com>; Wed, 15 Jul 2020 10:19:55 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C127E3A08A5 for <txauth@ietf.org>; Wed, 15 Jul 2020 10:19:54 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id f5so3428989ljj.10 for <txauth@ietf.org>; Wed, 15 Jul 2020 10:19:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ma/sRjxAtiXe2t2qt5hlrNEzjsx09eAAnfFQIfXPFso=; b=NkpFPjFiimpSykGaRDvXfIHXnuJ5rDd8BVD1Rvvpy4VwuW4k0u1FaQDy+bmNQkBFpI +IKXBXakm1wqY6cIYHPa143wQc4kqkloGIgm0J7hKoARk2h95hybkT5yC0OyhZa0Kn9A Mc6uKIRaGi90PjM7Ls+1++DEAALjzkGkHZxpdI6v1bmmsnIEtybMzo+c6b4gPQFTAeAg VQl+FfuUf8BKMijD/o9fDMobyhkZ84FAN3KLUNKlXBbfa929cf0tefAmLbqslyT0bzKu RGZK+r2/Pl2LnC+58qYZQClGOuDUMXTFJQv+yn+s9Wt+dFiXwAAn/xKgBpPWP3aBf8RY 9IXQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ma/sRjxAtiXe2t2qt5hlrNEzjsx09eAAnfFQIfXPFso=; b=RSgTPs9+gDyXN01SgBGrpKfK/Sp0f7FqgLxEQsaJYlWimh9lVVsPkpVyT2JJMzD5GF Z+uiVm4yaLRQjvzaScAvW2TKpuk/RzM02w0wTCLE6sjgXzM9QB0VBep4LA00r2PuDmTv S/vWkkQhZ3Oj30T+noecjtIlJq9RfYKcFVqpUtDGVgltVZ7ZlgsUrmTzzHFaGd/6DQ0Y j5Q7RRb8HtNzBBMhAh4ler1HD+Qd6ay+ZITqDUcQPAZgbom4qMBho/8bQZ4h8hLdp2uj cFD1re2HbShFmfPK/WHCDCEbDJVYTsR1PNXslE7j61I9onqM8uqWEvX6EBkZhBRlUWlm Bj3A==
X-Gm-Message-State: AOAM533aFTKZQnrqR4mg81+VGHzL2a9sp2qtjToN42A7WrTbNz6JpK1z I4UdhvBkg5Bsj82g94+8tXAbSvBDOA+lOSv+JDO7hwkN
X-Google-Smtp-Source: ABdhPJyBal/kouIkoqYPBnAFFlC6/gYKdkbP4Pnqxq7DukIcDkDWLSi3nc3txpy7iEdUYk2icLr3FQtIISwm8dhjLqg=
X-Received: by 2002:a2e:b607:: with SMTP id r7mr87075ljn.5.1594833592585; Wed, 15 Jul 2020 10:19:52 -0700 (PDT)
MIME-Version: 1.0
References: <7572576d-b5b4-dea5-3383-fbbf6cc10450@free.fr> <C3A840C3-11A6-41FA-AA37-2ACEFC38315C@mit.edu>
In-Reply-To: <C3A840C3-11A6-41FA-AA37-2ACEFC38315C@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Wed, 15 Jul 2020 10:19:16 -0700
Message-ID: <CAD9ie-vCETYv74uUigByfokjgrQy6ZBGP5Z-7opW3rNUFPy09w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Denis <denis.ietf@free.fr>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c3126e05aa7e2188"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/0vtGk973T4-FXw30qAtQ6_TJilg>
Subject: Re: [Txauth] Support of delegation
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 17:19:58 -0000
+1 On Wed, Jul 15, 2020 at 10:17 AM Justin Richer <jricher@mit.edu> wrote: > The primary delegation in mind is the delegation of rights from the > resource owner to the client (in control of the user). Redelegation of > rights from one RS down to another is a design consideration, but in my > opinion that’s another layer of the protocol and process beyond the primary > concern. > > — Justin > > On Jul 15, 2020, at 12:16 PM, Denis <denis.ietf@free.fr> wrote: > > > > *Support of delegation* > > The charter is mentioning a "delegation process", but at this time it is > unclear how the delegation of an operation > originating from one Client towards two or more resource servers (RSs) > will be supported. > > Here after is a proposal to support a delegation scheme constructed along > "Privacy by Design" principles. > A key element of this scheme is the use of a "User Consent element" > supported by the Client. > > In order to support this proposed delegation scheme, (only) a sequence of > delegation tokens is needed. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > * +--------+ +------------+ | User > | | Resource | | > |\ | Owner (RO) | +--------+ \ > +------------+ | \ | > | \ | | > \ | | \ | > | \ | +-----------+ (2a) > +---------------+ +----------+ | |----->| Authorization | > | | | | (2b) | Server (AS) | | | | > Client |<-----| | | | | | (1a) > +---------------+ | | | |------------------------>| > Resource | | User | (1b) | Server 1 | | > Consent |<------------------------| (RS1) | | element | > (3a) | | (4a) +----------+ | > |------------------------>| |------>| | | > | | | (4b) | | | User > | (3b) | |<------| | | Consent > |<------------------------| | | Resource | | element > | +----------+ | Server 2 | | > | (5a) | (RS2) | | > |------------------------------------------->| | | > | (5b) | | | > |<-------------------------------------------| | > +-----------+ +----------+ * > > *DELEGATION CASES* > > Two cases are being considered, whether RS1 and RS2 do not belong to the > same service (Case A) > or whether they both belong to the same service (Case B). > > The sequence of flows up to (3a) are the same as those described in an > earlier email called : > "A model with a User Consent Element (with a clean figure)" > > > *Case A* > > Let us suppose that RS1 is unable to fulfil the operation by its own and > that it needs to contact another RS, i.e. RS2. > RS1 contacts RS2 (4a) and indicates the operation that it is willing to > perform on RS2 (that operation may not be > exactly the same as the original operation indicated by the client). > > In return (4b), RS2 informs RS1 about which kind of attributes are needed > by RS2 for performing the requested operation > and from which Attributes Servers they may be obtained. RS2 also provides > a temporary API address and an handle so that > the Client can subsequently make a call directly to an API from RS2. RS1 > forwards that information to the Client. > > This information is marked to indicate that it shall be handled by the > "User Consent element" from the Client. > The presentation of that information is up to the man machine interface > from the Client. The user can see the new requested > operation by RS1 on RS2 and which kind of attributes are requested by RS2, > as well as from which ASs. If the user consents > to release these attributes to RS2, the Client then contacts one or more > appropriate Authorization Servers. > > Once the Client has obtained the appropriate access tokens targeted to > RS2, it presents all of them to RS2 (5a) in a single request. > Then RS2 is able to provide a response to the Client (5b). > > *Some observations*: > > The user consent is captured locally by the "User Consent element" from > the Client. There are two *user consent* phases: > one for RS1 and another one for RS2. > > RS1 will know which kind of attributes types are requested by RS2, but > will be unable to know which attribute values from which AS(s) > will be presented by the Client to RS2. > > RS1 does see the flow (5b) since this flow is going directly from RS2 to > the Client. > > The "User Consent element" from the Client may use a cache of previous > user consents and may present earlier choices > to the user for speeding the user consent process. > > The relationships between RS1 and RS2 can change at any time but no AS > needs to be informed on these relationships. > > There is no protocol between any AS and any RO, including using > "out-of-bands" means. > > > *Case B* > > Let us now suppose that RS1 is unable to fulfil the operation by its own > but that it knows that the requested operation can be fulfilled > thanks to the help of another RS *from the same service*. > > In such a case, when returning the "authorization table" (see an earlier > email called "Support of FIDO and data minimization by RSs") > in the exchange (1b) for the given requested operation, RS1 will include > both its name and the name of the service. > > If the user consents to request the inclusion of the name of this service > into the access token(s) delivered to RS1, then this allows > to save the exchanges (5a) and (5b): in such a case, all the exchanges > with the Client will be carried out through RS1. > > If the user do not consent to request the inclusion of the name of this > service into the access token(s) delivered to RS1, then the previous > case A will apply. > > Denis > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth > > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] Support of delegation Denis
- Re: [Txauth] Support of delegation Justin Richer
- Re: [Txauth] Support of delegation Dick Hardt