Re: [GNAP] draft-hardt-xauth-protocol-14 update - reworked introduction
Denis <denis.ietf@free.fr> Tue, 18 August 2020 19:46 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A35153A0B13 for <txauth@ietfa.amsl.com>; Tue, 18 Aug 2020 12:46:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.632
X-Spam-Level:
X-Spam-Status: No, score=-2.632 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.212, NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UTALFSb-YUWz for <txauth@ietfa.amsl.com>; Tue, 18 Aug 2020 12:46:13 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp06.smtpout.orange.fr [80.12.242.128]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B53EB3A0A74 for <txauth@ietf.org>; Tue, 18 Aug 2020 12:46:12 -0700 (PDT)
Received: from [192.168.1.11] ([90.79.51.120]) by mwinf5d86 with ME id H7m8230022bcEcA037m8Ft; Tue, 18 Aug 2020 21:46:10 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 18 Aug 2020 21:46:10 +0200
X-ME-IP: 90.79.51.120
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
References: <CAD9ie-v_1GHHJWVeXb5cXiUELj-Un7BN6uCdqSRz4qjL_rq=UQ@mail.gmail.com> <af835def-624b-bad3-1c86-9eb55443d8fe@free.fr> <CAD9ie-sJFELQo9jd=W9234dnhcAngBk2TdEofWSswcTNX2pg1Q@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <27879318-fde2-85e4-fd9b-67da34b8be43@free.fr>
Date: Tue, 18 Aug 2020 21:46:06 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-sJFELQo9jd=W9234dnhcAngBk2TdEofWSswcTNX2pg1Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------43E8E3E4E028B988AF7D2E5A"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/67sHvUD4MYlxqTXMGS6GZGr0g_w>
Subject: Re: [GNAP] draft-hardt-xauth-protocol-14 update - reworked introduction
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 19:46:18 -0000
Hi Dick, > Hi Denis > > Thanks for taking the time to review the latest draft > > While *your* cases may require certain conditions, other use cases > have other conditions. > > For example, existing OAuth 2 flows do NOT have the client query the > RS first. Per the charter, supporting OAuth 2 use cases is in scope. I don't believe so. The charter states: "It will *expand *upon the uses cases currently supported by OAuth 2.0 and OpenID Connect ..." The charter also states: "This group is not chartered to develop extensions to OAuth 2.0, and as such *will focus on new technological solutions ** **not necessarily compatible with OAuth 2.0*". We are not necessarily going to support all the current OAuth 2.0 uses cases, since such use cases can already be supported using OAuth 2.0. Denis > ᐧ > > On Tue, Aug 18, 2020 at 10:29 AM Denis <denis.ietf@free.fr > <mailto:denis.ietf@free.fr>> wrote: > > Hi Dick, > > I have taken a look at the specification and there are good news > but unfortunately also bad news. > > The good news: There is a Privacy considerations section (section 11) > > The bad news: There is the title of that section, but no text in it. > > The good news: The first exchange is now between the client and > the RS: > > (1) The GC may query the RS to determine what the RS requires > from a GS for resource access. > > The bad news: The text is using a "may" and continues with: "This > step is not in scope for this document". > > This first flow is fundamental and if the client has never > contacted the RS before, that step shall be performed. > Hence, the use of the word "may" is inappropriate. In addition, > using the singular "for a GS" is also inappropriate since a RS > may trust more than one GS. > > Please take a look at the uses cases I have posted today called: > "Enterprise servers and Internet servers use cases" > The document is available at : > https://github.com/ietf-wg-gnap/general/wiki/Enterprise-servers-and-Internet-servers-use-cases > > This post attempts to explain why this first flow is the most > important. IMHO, it should be within the scope. > > BTW, I don't like the wording "Grant Client" since it is ambiguous > as it does not make any difference between what I call > a "User Client" and an "Enterprise Client". > > The text then uses the following sentence which is inappropriate > for various reasons: > > The Grant Client may be interacting with a human end-user (User), > > A user client *must *be interacting with a human end-user (User). > The User must interact using, what I call, a "User Agent". > > and the Grant Client may need to get authorization to release > the Grant from the User, > > Further down, a grant is defined as: "the user identity claims > and/or resource access the GS has granted to the Client". > > Such a definition is inappropriate since a grant is first of all > an access token issued by an AS that contains attributes and/or > capabilities that allow to perform some method(s) on a data object. > > Before an access token is issued for a User, a User Consent, as > well as some choices, made by the User shall be obtained. > This does not apply when an access token is issued for a client > (i.e. a piece of software). The vocabulary that is being used > does not allow to make these major differences. > > or from the owner of the resources at the Resource Server, the > Resource Owner (RO). > > No authorization is needed by the owner of the resource. A > Resource Controller (RC) is a piece of software that applies a set > of rules > to grant or to deny access to a data object using some method. No > human interaction from a human being sitting next to the RS is > ever needed. > > The uses cases I posted today contain a more detailed model that > is able to support both capabilities and ABAC (Attribute-based > Access Control). > > Denis > >> Hello >> >> I just pushed an updated version of XAuth: >> >> https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html >> >> Highlights: >> >> * renamed Client -> Grant Client >> * Introduced Client Owner, Grant Server Owner as new entities >> * renamed Authorizations -> Access >> * An Access contains an array of RAR objects now >> * Reworked diagram an intro to focus on Grant, and separate >> protocol roles from human interactions. >> >> New introduction included below for your convenience >> >> /Dick >> >> * >> >> >> 1. >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1>Introduction >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-introduction> >> >> *EDITOR NOTE* >> >> /This document captures a number of concepts that may be adopted >> by the proposed GNAP working group. Please refer to this document >> as:/ >> >> *XAuth* >> >> /The use of GNAP in this document is not intended to be a >> declaration of it being endorsed by the GNAP working group./ >> >> This document describes the core Grant Negotiation and >> Authorization Protocol (GNAP). The protocol supports the widely >> deployed use cases supported by OAuth 2.0 [RFC6749 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>] & >> [RFC6750 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6750>], >> OpenID Connect [OIDC >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] - >> an extension of OAuth 2.0, as well as other extensions. Related >> documents include: GNAP - Advanced Features [GNAP_Advanced >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#GNAP_Advanced>] and >> JOSE Authentication [JOSE_Authentication >> <https://tools.ietf..org/id/draft-hardt-xauth-protocol-14.html#JOSE_Authentication>] that >> describes the JOSE mechanisms for client authentication. >> >> The technology landscape has changed since OAuth 2.0 was >> initially drafted. More interactions happen on mobile devices >> than PCs. Modern browsers now directly support asymetric >> cryptographic functions. Standards have emerged for signing and >> encrypting tokens with rich payloads (JOSE) that are widely deployed. >> >> GNAP simplifies the overall architectural model, takes advantage >> of today's technology landscape, provides support for all the >> widely deployed use cases, offers numerous extension points, and >> addresses many of the security issues in OAuth 2.0 by passing >> parameters securely between parties rather than via a browser >> redirection. >> >> While GNAP is not backwards compatible with OAuth 2.0, it strives >> to minimize the migration effort. >> >> The suggested pronunciation of GNAP is "guh-nap". >> >> >> 1.1. >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.1>The >> Grant >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-the-grant> >> >> The Grant is at the center of the protocol between a client and a >> server. A Grant Client requests a Grant from a Grant Server. The >> Grant Client and Grant Server negotiate the Grant. The Grant >> Server acquires authorization to grant the Grant to the Grant >> Client. The Grant Server then returns the Grant to the Grant Client. >> >> The Grant Request may contain information about the User, the >> Grant Client, the interaction modes supported by the Grant >> Client, the requested identity claims, and the requested resource >> access. Extensions may define additional information to be >> included in the Grant Request. >> >> >> 1.2. >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.2>Protocol >> Roles >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-protocol-roles> >> >> There are three roles in GNAP: the Grant Client (GC), the Grant >> Server (GS), and the Resource Server (RS). Below is how the roles >> interact: >> >> +--------+ +------------+ >> | Grant | - - - - - - -(1)- - - - - - ->| Resource | >> | Client | | Server | >> | (GC) | +---------------+ | (RS) | >> | |--(2)->| Grant | | | >> | |<-(3)->| Server |- (6) -| | >> | |<-(4)--| (GS) | | | >> | | +---------------+ | | >> | | | | >> | |--------------(5)------------->| | >> +--------+ +------------+ >> >> (1) The GC may query the RS to determine what the RS requires >> from a GS for resource access. This step is not in scope for this >> document. >> >> (2) The GC makes a Grant request to the GS (Create Grant Section >> 3.2 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#CreateGrant>). >> How the GC authenticates to the GS is not in scope for this >> document. One mechanism is [JOSE_Authentication >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#JOSE_Authentication>]. >> >> (3) The GC and GS may negotiate the Grant. >> >> (4) The GS returns a Grant to the GC (Grant Response Section 4.1 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#GrantResponse>). >> >> (5) The GC accesses resources at the RS (RS Access Section 6 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RSAccess>). >> >> (6) The RS evaluates access granted by the GS to determine access >> granted to the GC. This step is not in scope for this document. >> >> >> 1.3. >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.3>Human >> Interactions >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-human-interactions> >> >> The Grant Client may be interacting with a human end-user (User), >> and the Grant Client may need to get authorization to release the >> Grant from the User, or from the owner of the resources at the >> Resource Server, the Resource Owner (RO) >> >> Below is when the human interactions may occur in the protocol: >> >> +--------+ +------------+ >> | User | | Resource | >> | | | Owner (RO) | >> +--------+ +------------+ >> + + + >> + + + >> (A) (B) (C) >> + + + >> + + + >> +--------+ + + +------------+ >> | Grant | - - -+- - - -(1)- - - -+- - ->| Resource | >> | Client | + + | Server | >> | (GC) | +---------------+ | (RS) | >> | |--(2)->| Grant | | | >> | |<-(3)->| Server |- (6) -| | >> | |<-(4)--| (GS) | | | >> | | +---------------+ | | >> | | | | >> | |--------------(5)------------->| | >> +--------+ +------------+ >> >> Legend >> + + + indicates an interaction with a human >> ----- indicates an interaction between protocol roles >> >> Steps (1) - (6) are the same as Section 1.2 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#ProtocolRoles>. >> The addition of the human interactions (A) - (C) are *bolded* below. >> >> *(A) The User is interacting with a GC, and the GC needs resource >> access and/or identity claims (a Grant)* >> >> (1) The GC may query the RS to determine what the RS requires >> from a GS for resource access >> >> (2) The GC makes a Grant request to the GS >> >> (3) The GC and GS may negotiate the Grant >> >> *(B) The GS may interact with the User for grant authorization* >> >> *(C) The GS may interact with the RO for grant authorization* >> >> (4) The GS returns a Grant to the GC >> >> (5) The GC accesses resources at the RS >> >> (6) The RS evaluates access granted by the GS to determine access >> granted to the GC >> >> Alternatively, the Resource Owner could be a legal entity that >> has a software component that the Grant Server interacts with for >> Grant authorization. This interaction is not in scope of this >> document. >> >> >> 1.4. >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.4>Trust >> Model >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-trust-model> >> >> In addition to the User and the Resource Owner, there are three >> other entities that are part of the trust model: >> >> * *Client Owner* (CO) - the legal entity that owns the Grant >> Client. >> * *Grant Server Owner* (GSO) - the legal entity that owns the >> Grant Server. >> * *Claims Issuer* (Issuer) - a legal entity that issues >> identity claims about the User. The Grant Server Owner may be >> an Issuer, and the Resource Owner may be an Issuer. >> >> These three entities do not interact in the protocol, but are >> trusted by the User and the Resource Owner: >> >> +------------+ +--------------+----------+ >> | User | >> (A) >> | Grant Server | | >> | | | Owner (GSO) | | >> +------------+ > +--------------+ | >> V / ^ | Claims | >> (B) (C) (E) | Issuer | >> V / ^ | (Issuer) | >> +------------+ > +--------------+ | >> | Client | | Resource | | >> | Owner (CO) | >> (D) >> | Owner (RO) | | >> +------------+ +--------------+----------+ >> >> (A) User trusts the GSO to acquire authorization before making a >> grant to the CO >> >> (B) User trusts the CO to act in the User's best interest with >> the Grant the GSO grants to the CO >> >> (C) CO trusts claims issued by the GSO >> >> (D) CO trusts claims issued by the RO >> >> (E) RO trusts the GSO to manage access to the RO resources >> >> >> 1.5. >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1..5>Terminology >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-terminology> >> >> *Roles* >> >> * >> >> *Grant Client* (GC) >> >> o may want access to resources at a Resource Server >> o may be interacting with a User and want identity claims >> about the User >> o requests the Grant Service to grant resource access and >> identity claims >> * >> >> *Grant Server* (GS) >> >> o accepts Grant requests from the GC for resource access >> and identity claims >> o negotiates the interaction mode with the GC if >> interaction is required with the User >> o acquires authorization from the User before granting >> identity claims to the GC >> o acquires authorization from the RO before granting >> resource access to the GC >> o grants resource access and identity claims to the GC >> * >> >> *Resource Server* (RS) >> >> o has resources that the GC may want to access >> o expresses what the GC must obtain from the GS for access >> through documentation or an API. This is not in scope for >> this document >> o verifies the GS granted access to the GC, when the GS >> makes resource access requests >> >> *Humans* >> >> * >> >> *User* >> >> o the person interacting with the Grant Client. >> o has delegated access to identity claims about themselves >> to the Grant Server. >> o may authenticate at the GS.. >> * >> >> *Resource Owner* (RO) >> >> o the legal entity that owns resources at the Resource >> Server (RS). >> o has delegated resource access management to the GS. >> o may be the User, or may be a different entity that the GS >> interacts with independently. >> >> *Reused Terms* >> >> * *access token* - an access token as defined in [RFC6749 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>] Section >> 1.4.. An GC uses an access token for resource access at a RS. >> * *Claim* - a Claim as defined in [OIDC >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] Section >> 5. Claims are issued by a Claims Issuer. >> * *Client ID* - a GS unique identifier for a Registered Client >> as defined in [RFC6749 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>] Section >> 2.2. >> * *ID Token* - an ID Token as defined in [OIDC >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] Section >> 2. ID Tokens are issued by the GS. The GC uses an ID Token to >> authenticate the User. >> * *NumericDate* - a NumericDate as defined in [RFC7519 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC7519>] Section >> 2. >> * *authN* - short for authentication. >> * *authZ* - short for authorization. >> >> *New Terms* >> >> * *GS URI* - the endpoint at the GS the GC calls to create a >> Grant, and is the unique identifier for the GS. >> * *Registered Client* - a GC that has registered with the GS >> and has a Client ID to identify itself, and can prove it >> possesses a key that is linked to the Client ID. The GS may >> have different policies for what different Registered Clients >> can request. A Registered Client MAY be interacting with a User. >> * *Dynamic Client* - a GC that has not been previously >> registered with the GS, and each instance will generate it's >> own asymetric key pair so it can prove it is the same >> instance of the GC on subsequent requests.. The GS MAY return >> a Dynamic Client a Client Handle for the Dynamic Client to >> identify itself in subsequent requests. A single-page >> application with no active server component is an example of >> a Dynamic Client. >> * *Client Handle* - a unique identifier at the GS for a Dynamic >> Client for the Dynamic Client to refer to itself in >> subsequent requests. >> * *Interaction* - how the GC directs the User to interact with >> the GS. This document defines the interaction modes: >> "redirect", "indirect", and "user_code" in Section 5 >> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#InteractionModes>. >> * *Grant* - the user identity claims and/or resource access the >> GS has granted to the Client. The GS MAY invalidate a Grant >> at any time. >> * *Grant URI* - the URI that represents the Grant. The Grant >> URI MUST start with the GS URI. >> * *Access* - the access granted by the RO to the GC and >> contains an access token. The GS may invalidate an Access at >> any time. >> * *Access URI* - the URI that represents the Access the GC was >> granted by the RO. The Access URI MUST start with the GS >> URI.. The Access URI is used to refresh an access token. >> >> >> >> > > -- > TXAuth mailing list > TXAuth@ietf.org <mailto:TXAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/txauth >
- [GNAP] draft-hardt-xauth-protocol-14 update - rew… Dick Hardt
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Francis Pouatcha
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Dick Hardt
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Tom Jones
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Mark Lizar
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Francis Pouatcha
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Fabien Imbault
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Fabien Imbault
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Francis Pouatcha
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Fabien Imbault
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Francis Pouatcha
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Fabien Imbault
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Denis
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Dick Hardt
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Denis
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Dick Hardt
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Francis Pouatcha
- Re: [GNAP] draft-hardt-xauth-protocol-14 update -… Denis