IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Justin Richer <jricher@mit.edu> Mon, 14 December 2020 21:03 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77D863A1009 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:03:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.345
X-Spam-Level: *
X-Spam-Status: No, score=1.345 tagged_above=-999 required=5 tests=[FONT_INVIS_MSGID=1.329, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Who8IgyDxVYn for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:03:32 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06EAB3A1003 for <txauth@ietf.org>; Mon, 14 Dec 2020 13:03:31 -0800 (PST)
Received: from [192.168.1.19] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 0BEL3SLM020455 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 14 Dec 2020 16:03:29 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <ABCBE194-097B-4FBD-8F28-245CE384706F@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4F44FA63-819F-44B3-BE6F-791B05BFBA03"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Mon, 14 Dec 2020 16:03:28 -0500
In-Reply-To: <CAJot-L17nHE2kaENOKBQG+v9g7WyErvZK4gtS9RSZh5uT4wcDA@mail.gmail.com>
Cc: Aaron Parecki <aaron@parecki.com>, Dick Hardt <dick.hardt@gmail.com>, Fabien Imbault <fabien.imbault@gmail.com>, txauth gnap <txauth@ietf.org>, Steve Moore <srmoore@gmail.com>
To: Warren Parad <wparad@rhosys.ch>
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAD9ie-tEpVFfgB8KT3XK=G98wOTcVZxpXXRezCKbVuAP4hZoXQ@mail.gmail.com> <CAM8feuR9x7eMzWtTLeWHNEtjkFUk39kMw3ArFXp5rcFmXCw6BQ@mail.gmail.com> <CAD9ie-tMjNvewwof7W8Nof7D9FXuTEdwV3wTywyhB6gTurktmQ@mail.gmail.com> <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com> <CAJot-L0WAn2EqYO=mCVoq4Qm5TPTO7FNjtohriOn8tZHsNCJHQ@mail.gmail.com> <9CDE8448-B4CD-4DC5-842D-3C58C5A322ED@mit.edu> <CAJot-L17nHE2kaENOKBQG+v9g7WyErvZK4gtS9RSZh5uT4wcDA@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/7Auyl7SNDup5DWJVNTu_I7AU9eI>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 21:03:34 -0000

(As an individual):

There are a number of reasons and use cases that drive toward using an access token. A stateless, distributed AS is one of them, and an access token gives us a proven better way to shield the components from each other. While we could tell people to put that information into the URI, we’d then need to tell people how to protect all the information in the URI. This is a case where we can avoid problems in the design instead of having to fix them later. 

Then there’s the question of client authentication:  After the initial request, the AS doesn’t even need the client to “authenticate” as much as it needs to make sure that the same party is making the future call. Authentication only applies to clients that have a pre-registered key at the AS, and in that case only in the initial call. Anything after that can be tied to the context of the ongoing request, in much the same way an any other protected API just needs to know the context of the token. Now, from a client’s perspective, it’s still signing the continue request exactly like it did the initial request, it’s just including the access token as a header and covering it with the signature. And the AS can still look up the client’s instance information based on that request, just like any RS with access to that information would be able to. But at this point, the AS doesn’t :have: to do that because it can associate any rights and features for that request in the first step and carry that forward. After that first stage, it’s just modification of the ongoing request, and as long as that modification is being made by the authorized party (the client with access to the key) then it works. It’s the same argument that OAuth made for moving APIs to access tokens and away from API keys, and now that we are viewing “continue” as an API for the client to call, with multiple actions over time, then it makes sense to treat it like other APIs.

So, what does this mean for an AS to create access tokens for this step? Well, for the vast majority of AS’s out there, creating an access token is something they’re already really good at, and need to be prepared to do anyway. For an AS that isn’t dealing in access tokens at all, it’s an extra field to include, you are right.But even then, it would be trivial for an AS to create, for example, a simple signed JWT for continuation access to hand to the client. Do you want that token to last for 10 years and be good across all continuation requests for a given client? Go for it, that’s your security decision to make. And you can still use unique identifiers in your URLs, which has always been the case. But importantly, this specific use case can be supported without getting in the way of other patterns and at minimal cost. The cost to other patterns in terms of complexity and security risk is far greater if we use only URLs.

 — Justin

> On Dec 14, 2020, at 3:41 PM, Warren Parad <wparad@rhosys.ch> wrote:
> 
> So then I would say the question becomes, why force AS to create "access tokens" (or whatever we want to call them) if they don't see the benefit of doing so. I.e. right now the Warren AS (and the Dick AS) both think we would not be generating "access tokens". If the spec requires it, I would probably just hard code the same value in every request because my AS doesn't see the value in requiring it when I'm in control of the URI.
> 
> If I understand the discussion correctly, we are trying to prevent AS from exposing the uri containing the "access token", because doing so would hypothetically create an attack surface for the AS. If that's the case, then I would say, forcing the token to be in auth header only provides a negligible amount of surface decrease and thus the extra complexity is not well offset by the security improvement. So for me rather than arguing if there is any benefit at all, I'll make a stronger argument:
> If there is a benefit to using the access token, it surely can't be a meaningful amount in such a way that it's important from the GNAP protocol standpoint to provide this mechanism for improvement.
> 
> 
> Warren Parad
> Founder, CTO
> Secure your user data and complete your authorization architecture. Implement Authress <https://bit.ly/37SSO1p>.
> 
> 
> On Mon, Dec 14, 2020 at 9:29 PM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> Warren,
> 
> (as editor):
> 
> Your proposal below is not dissimilar to what’s in the current spec text: the URI is required, and the access token is optional. If the access token is included, the client has to include it in its request. The feedback from the working group during the IETF109 meeting, and leading up to it, was nearly universally that this optionality was not helpful, especially to client developers. The editors’ PR being discussed here removes that optionality by making both fields required with only one method of presentation, and therefore a single code path for the client.
> 
>  — Justin
> 
>> On Dec 14, 2020, at 3:11 PM, Warren Parad <wparad@rhosys.ch <mailto:wparad@rhosys.ch>> wrote:
>> 
>> Here's a terrible alternative:
>> 
>> It would seem to me that one compromise could be making the object extensible by authorization servers (and their corresponding SDK). In a similar way that JWTs are extensible, we could require explicitly the URI in the spec, and an optional object to be defined by the AS.
>> 
>> --------
>> 
>> One source of the problem could be that the language for taking the response object and converting it back into a request one is not well defined.
>> Instead if we allowed an optional headers object to be returned:
>> {
>>     uri: "https://as/grant/{grantId} <https://as/grant/%7BgrantId%7D>",
>>     headers: {
>>         'Authorization': 'Bearer ${accessToken}
>>     }
>> }
>> 
>> Thereby explicitly telling the client what they need to return back. It avoids the problem of "what to name these things" and also ensures that the data is exactly what the server expects. Additionally it sidesteps the naming issue, where to include tokens, and whether to include them at all.
>> 
>> Otherwise it sucks to be in a situation where the benefits/detriments aren't clear to everyone, and potentially we can choose a path forward where both approaches could be used without requiring other clients to jump over arbritrary hurdles suchs as custom implementations.
>> 
>> 
>> Warren Parad
>> Founder, CTO
>> Secure your user data and complete your authorization architecture. Implement Authress <https://bit.ly/37SSO1p>.
>> 
>> 
>> On Mon, Dec 14, 2020 at 8:46 PM Aaron Parecki <aaron@parecki.com <mailto:aaron@parecki.com>> wrote:
>> Thanks for the clear description. However saying "has no security concerns" is a bold claim. Can you clarify how you will ensure that there are no security concerns with this method?
>> 
>> My main worry with this is people will start to get "creative" with the values of the things in this URL. We've seen this over and over, everything from using plaintext data in JWT access tokens in OAuth (now the access token contents are visible to clients), to putting data in the OAuth "state" parameter (easy to exploit unless it's signed/encrypted), and I'm sure someone somewhere is putting things in the authorization code that they shouldn't.
>> 
>> Aaron
>> 
>> 
>> On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>> 
>> I am proposing a URI that is straight forward, and has no security concerns.
>> 
>> For example, the URI could be:
>> 
>> <as uri>/grant/<unique grant id>
>> 
>> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f <https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f>
>> 
>> The routing code in the AS then is:
>> 
>> router.post <http://router.post/>(      '/', grant.create);
>> router.get(        '/grant/:grant', grant.read);
>> router.post <http://router.post/>(      '/grant/:grant', grant.update);
>> router.delete(   '/grant/:grant', grant.delete);
>> router.options( '/grant/:grant', grant.options);
>> 
>> Where there is a "grant" module to manage for working with grant requests.
>> 
>> /Dick
>> 
>> ps: your previous email, and this one, are making the discussion personal. Happy to discuss privately.
>> 
>> ᐧ
>> -- 
>> TXAuth mailing list
>> TXAuth@ietf.org <mailto:TXAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>
>> -- 
>> TXAuth mailing list
>> TXAuth@ietf.org <mailto:TXAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>

v2.23.0 | Report a Bug | By Email