[GNAP] Re: GNAP RS-AS interaction questions

Justin Richer <jricher@mit.edu> Wed, 04 December 2024 21:40 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1A61C14F74A for <txauth@ietfa.amsl.com>; Wed, 4 Dec 2024 13:40:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mit.edu
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id htutHLFMd52z for <txauth@ietfa.amsl.com>; Wed, 4 Dec 2024 13:40:03 -0800 (PST)
Received: from CH1PR05CU001.outbound.protection.outlook.com (mail-northcentralusazon11020091.outbound.protection.outlook.com [52.101.193.91]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D669C17C8A2 for <txauth@ietf.org>; Wed, 4 Dec 2024 13:40:03 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=f0pM5CuMdWWTlpYAR4HWU8pUeIWLWWmLuvHJyMj74YL6oIHC3AFZCklv7g2Ylag9z0dQG5it0yE/CF/KBDD/ETJ4E0mQSYpe2yyIDlTm4FsO99B6W+g5BHgnswbx9qQ2rb9pblRhbQDCl6KhoJozv1nsm8tKZk2T8EP+WbKwG0tpzyLc7YtWIoJpFlUbhr4HSKMhgDutC/edoVtcB33t+1yPWKjvML/veeGwYwp+L0q/INC4Df7CzT3RcYAQ29MPrmm8XEqyhwFCPNXi6U+6W60LLzOAfTNJWhtgfAIOF1vZLR3njLMzjed3pQVh0Pvyq0yrtivyF4xGNfCB0FlmIg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=eWhnEIepoi21WR4+KKKdUGgnVKCDvRH0bs+NBHVvUlQ=; b=ih0jKvn9Ox5QrXZZbrOkJdFoEKExZwn14vE0Zngpmrwo79KZ7a8MHuNrg05BeRAV7OrpYXMNz9o1TjRGpjEouY2Y0+G/qNQhpPqtQIMXy0akzhRRoTUuEYZgXYroX4tLYj+mkTNjChI8QCGDV1YC1hq31/HK487tYmNq6ZItdn3cKQwsQYmrN8iP+magWwp+6beC6lLcqZliDsfyjWexNY1CLNfBpPPGpJVwFdepaU/8YyxGArCBzpoHufId7nRtUK5PDxgHS5M/f2mgsW07FmnQ4o4HlyiRQfeaPmZOv7/i+qCO512Bfc4EgoQ6XnaPoyk+j/oWcP8zuL9onYhtuA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=mit.edu; dmarc=pass action=none header.from=mit.edu; dkim=pass header.d=mit.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mit.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eWhnEIepoi21WR4+KKKdUGgnVKCDvRH0bs+NBHVvUlQ=; b=aQssATFwEs19JBsEcho31U8xcduHwYPf1UjOKDcC8f+tJdW21FOFyC79LwGQ43jaAAz18YQjyAAz0S0j7unMld/UpP/wlPi37ZgCh2YGWlPQZ7TlHUSBg1FN4i86icQuhq/SF+cN9fhWpWxtZUXUWL8D3tlanomC7GSfBDb27wE=
Received: from LV8PR01MB8677.prod.exchangelabs.com (2603:10b6:408:1e8::20) by PH0PR01MB6779.prod.exchangelabs.com (2603:10b6:510:79::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8230.10; Wed, 4 Dec 2024 21:40:00 +0000
Received: from LV8PR01MB8677.prod.exchangelabs.com ([fe80::e7d6:999:270f:a820]) by LV8PR01MB8677.prod.exchangelabs.com ([fe80::e7d6:999:270f:a820%7]) with mapi id 15.20.8230.010; Wed, 4 Dec 2024 21:39:59 +0000
From: Justin Richer <jricher@mit.edu>
To: Erin Shepherd <erin.shepherd@e43.eu>
Thread-Topic: [GNAP] GNAP RS-AS interaction questions
Thread-Index: AQHbRn11y2EDwE4Yd0S5otAwUGHo6bLWeBSAgAAfM4CAAAXTAA==
Date: Wed, 04 Dec 2024 21:39:59 +0000
Message-ID: <29E364E8-5012-4F08-90A2-9E772886FDFE@mit.edu>
References: <2FE68756-A13B-4CB4-9318-26A007F261D2@e43.eu> <BCFE50BA-429A-49E3-88B4-F08436B4B49F@mit.edu> <690FE634-5657-4394-AFFB-8CB4A9C3CA5D@e43.eu>
In-Reply-To: <690FE634-5657-4394-AFFB-8CB4A9C3CA5D@e43.eu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mit.edu;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV8PR01MB8677:EE_|PH0PR01MB6779:EE_
x-ms-office365-filtering-correlation-id: e7f8e946-8798-4d0a-b6ae-08dd14ac3438
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|366016|1800799024|376014|8096899003|7053199007|38070700018;
x-microsoft-antispam-message-info: i/CbdJB9fLa4qS9vmNwwD52gAJsJUNkCojesr+5jg3DmyK1HqMH8IatM9Qt+tyFOei9mMFXR40ewBFHrYL/Ng0GC84sq0DRWqQtc9I6zRChZgHnz6hPYu9uZiy8rVcXWzLZIadKTxeEq95nQzo1Z8wNszfOGZjGaqsvi8hlmGyYbXmBFRMVTzDDvDuTUtBFem/Bj/35kN4H7GAzEImXI3rYSLE+v9xDTHfxD9JeuhUhKekuFP94S+Qo8aQnaWr0Fn93Vjp1ljlxNonzlRARFYpLlgG5cV7SAnWU+1H22BllbYOr3lz4ClNIfNlKx5kbDKEc2/AzLToKcx/fksGwLYWdBPjqNbYzVQ/8j+gxJb/dlOytQF8TLdt5/BTLQSEqCUr0/DwG47xgD4NNVkhDIQ5Pqvn7J3vOp94wUYMO59CcDgzUHd7iYoLLJHTFFxZWiDFo65tA7iY9pAtI8lNxvluVnHDVqctJEnliMh4t/yT0XxdoQ27+rdiG2OIR2nDszKWktVK9zjPeNcChMG2kosKB/mJfRERGq4Mn+mg0tfJPJ2y1ZODl6Izjnw2QrLZMIjToObJEOYkZASjroq/xJAIapAJvsIKqMaEfSvJ+ipkzn656jmF1IXqvYmNFN7Co92kl+gY4TN3C4j12fFyZCcGDfAWvxr02EC6cDezfc/wRJj4mIkl//buqE+DlqIQvWHrBsS53vf5ONkhgFzeokLyrhH1X6GiydnLJZqRmrv+EC+DQXhg1t+Gde2VsgofsiH/JpgDrxFQnfG4jHLMJGS2zSNXyTi/XkXo7W1u4FmykEQV1J7TATuohgG4RB50U83nmXUc35ZJHIHXBp0p3TBp5izn4wqrSaz+VA04GlBjGNI9dyGkVogvBdCqrEPs/wN06LOIUkO1JMJHwYKeEp6Z2bI6VAn4hmxIkOzgPz/zkdC1bw+m3lHB/QfhoGIxPBv3srAzdNSTKQBgP0V/ZWtiVlYqqiQwDBCmeopa1j6PALT2/gG7MGEK8JTUrSD0J08MVFtts5pX44o9oOWQMVhpINrVY2zts9g7Q8xH6iqNtaJ40WyOY1+0xx2QccY8lxoAo+fnK8Ck1PEmH4e5A53u4vvcL+xTZ1hIOWMPlu65Abh5kA/nImhMiTN4YGyHXJ4Mhs/FY5zBz0URJ5yIZjw/DKndxJxIY76I+QiCCFlUw+krA/ZTMIYhlQi18fje1yiyE2R8qZq/9R7XXbKoscDFJJJl48uHV5ctMXuTO5dvSzVcOJyZQ+ru6FNyI+QlLNfdM/188r6CBvCv5eNyiCKzRTGHNFepZCL6/IYv7Imt64+VE8/dOeyD4FaN+fgGn5ptLB7v6MlPLFQEU7V1Iew4cC+N0BDftSR3GK3Irwdsndky2a9jO5FDAIEDUKz3AQL5hcura4g9TCatFmWt6ycg==
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:LV8PR01MB8677.prod.exchangelabs.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014)(8096899003)(7053199007)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: /PkQRxczz2XKzeQnNIxy/a+aH168Fl1RrCrsQQikjkM+I+R27u0JTvTbrGuoB+hls1rqs5VvqeQp1DFZxxGA7hrdEzjZ3QYGtGcO6JCccbDHuN1fdSsPTPeUFDY46bp9Zcp2slX4EVu7JNUEtTh7kz5LEIBfGEsMGcTPwczGMjpfAUwErGWjjlVT7etHIjp9FwcVTU7+vkamN1FJC4HfaYl9E4/TgZpGzEfjdo6KsjBmJy8wDox/TvHzcKcLJTt6ubhhcqU9TGa/nNGVhGKNjl/W4KubyeYZ2uPdDqJ5FXvMekB2EKS7xkOZ+AHGpfOVhS9oAyZql1LbXP0s31zo/L24UzmD3JDiDLZ9QA3wRHez2Z2jef3AxFXwjvw1sxpUX0ZjRQH8MLANEBvVZGmbp/y84WyGLOiYzivIul/nzaYWU1yNILAiykMffMR/hM9nIS53yFJS1SILvQKlBnbMooyj+CJzkDEYWIXlravi7qNyXMh8rqrNfF7G1spvd/cHZ7+kSvRlmL4LxTcgKnJW3HbBmK6/+HLexRw65VkGcEnli48Q5PliUxEI07hnyR4nUGSohon6EP8sDCuQAow8U0D3fXd2aGai0k21E7RPP26GSCOFOY1+Q8KrK741sstcfxgAh+rpj3W3CZxFp2sPXRxak2P9HuD3zJCMp3yAKtwn5vgBHPMXmgCzFisWHPwdXIlwWeq/JUdxQNHMuRs+IgLQY7mILwKDaQbY30B/OESsBOB2G23MSIcIHxS8O/C6x9S4aVYr4mChw5syyXaV14AS9fLdePLewgr9zk+sDJOtw4PxjAiEMyd5GtvKBO3N/kb72GK1msaqerbB5n4lUrXcRq48xrg28m3R3e5X0+5X55QJwL4bIT5JIWKeF/XmD/Co0Ncgp/wz55V2OUqxrGIqurLmfMqRLgNioAu8OrTX1AHukKhC2vOgHcQvr15psKWaKdIYGt+NzHupmZCwCTaVUkS9oW+83BvGntrbBlFp0UtiK70tKefz3e7nZVxJP+x2qXnDi1CrOJBzFv0hZIyqFZfMiXawtcFDspHSxrOdpIowWtrNBZlNE/mNUAb3ITfhfeVVABg3tSd/Bn4iba4Z8PffIwGt7Ij8utxz1wE5/CqV2GGLX1tqIYI8YhTzqkcDLhnyeaZE/NfoUv+5GNRFK9l0+ZZBZ7ZpOt4jL5j/4e6lfYIHMg08hPJMUzqDTPtypVdWJ17aNis1Hs6SKmK0ptrOe5pbqVWxdF6pMYcZv42sU9VA5Q1LdHexokwsxmmAeTrp4wPm+EQMNg+nN0sZXrfPoMnf2r2EWt+pbG1gUSVA6qrkXEMf+JuiUuaW3EzgEnNmCn/0zz8WmT7CLeuhWd7OJiEG4JQ+oQm5WfBPOaXhuEw2nws1ZiUX7+bIWBBftuYnXb3o/J5e5WVQWqWz1gaQSkKrz81DhJbNN8JO8rDc4Xq/eWyWPMtuKD+Wat+AbdgdSkpWfsWFEmzgLJGWrJaBYtBK6FshKGn2Mfl1VaXnYM3bE17dmRQ8vUbI2eJTlS7mTAZsznrNGtKHyqu/FzafGF9ivnOhcYToeZPiFV0yZwkLVicLYH01w2S0
Content-Type: multipart/alternative; boundary="_000_29E364E850124F0890A29E772886FDFEmitedu_"
MIME-Version: 1.0
X-OriginatorOrg: mit.edu
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV8PR01MB8677.prod.exchangelabs.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e7f8e946-8798-4d0a-b6ae-08dd14ac3438
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Dec 2024 21:39:59.9321 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 64afd9ba-0ecf-4acf-bc36-935f6235ba8b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: gsl92TbUeK1T7fwxZuEsbBFYORKvgwEzip9wAOBB5SyUlMQ6e1lVrJHlmEZ9geLd
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR01MB6779
Message-ID-Hash: AVJ2SGGIHMHKZRORKPA5ZJCWGRCPAGEU
X-Message-ID-Hash: AVJ2SGGIHMHKZRORKPA5ZJCWGRCPAGEU
X-MailFrom: jricher@mit.edu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "txauth@ietf.org" <txauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [GNAP] Re: GNAP RS-AS interaction questions
List-Id: GNAP <txauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/8wE3jbWgHWcTgZZH_PeN-rGQh5g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Owner: <mailto:txauth-owner@ietf.org>
List-Post: <mailto:txauth@ietf.org>
List-Subscribe: <mailto:txauth-join@ietf.org>
List-Unsubscribe: <mailto:txauth-leave@ietf.org>


On Dec 4, 2024, at 10:18 PM, Erin Shepherd <erin.shepherd@e43.eu> wrote:



On 4 Dec 2024, at 20:27, Justin Richer <jricher@mit.edu> wrote:

Hi Erin, some answers inline.

On Dec 4, 2024, at 7:49 PM, Erin Shepherd <erin.shepherd@e43.eu> wrote:

Hi,

I’ve been looking at implementing GNAP with some interest (on the whole I find it a very readable and straight-forward specification!) but I’ve spotted a few of areas of difficulty:

1. The GNAP-RS spec says, in the introspection response

iss (string): REQUIRED. Grant endpoint URL of the AS that issued this token.

This seems a little limiting? Let’s say I have an existing OAuth IDP that I’m adding GNAP support to; it seems that the spec basically requires that a GNAP RS will see different sub+iss values from an OAuth RS?


That’s likely to be the case - the issuer of a GNAP token is the AS which is itself defined by its grant endpoint URL. GNAP is largely designed to not need a discovery protocol, so starting with the single URL alone (the grant endpoint) you can kick off everything else you need with an immediate request. This was a deliberate design decision to depart from OAuth, and it prevents a host of attacks, including several forms of AS mixup that can occur in a poorly configured OAuth system.

I understand the goal, but I’m a bit concerned about the implications in heterogeneous environments. If a GNAP client asks for an ID token, what sub/iss combo do I put in there? How does it even know how to validate the ID token?

(I guess it actually doesn’t really need to validate it because it was received over a secured channel, unlike front-channel ID tokens in OIDC, but the thought remains)

One of the things I’m concerned about is - lets say we consider an RS+RP that speaks GNAP, receives OIDC ID tokens from the AS, and handles user provisioning/synchronization with SCIM - how do we ensure consistent identity mapping across all of these?


ID tokens are not access tokens - so the access token format listed in the GNAP RS document doesn’t apply. They’re assertions defined by OIDC core and would have the OIDC issuer claim in them. So a GNAP client would get an ID token as part of the subject information and validate it just like it would for core OIDC — the 'iss' claim would be different but that’s not really a problem here.

An RS+RP would be an odd combination, since the RP maps to the client in the OAuth/GNAP model. What’s the use case for this type of application where it would have multiple different roles simultaneously? And in such a case, wouldn’t it be important to distinguish between an ID token assertion and an access token, anyway? You wouldn’t want them to behave the same way or get confused with each other.



2. The GNAP-RS spec lists five different token formats that an AS can declare support for but provides no information regarding the contents or validation of those tokens. It seems like the only way (within the written text of the specification) to validate a token would be to submit it to the introspection endpoint, which seems like it rather defeats the purpose of knowing the format.

I would have liked to see some guidance on

* How to locate the AS’ token signing keys for "jwt-signed” access tokens
* How to agree encryption keys for "jwt-encrypted” access tokens
* Required JWT claims & claim values
* Similar for the other formats (with which I have less experience)

i.e. something along the lines of RFC 9068 I guess (That could perhaps even have been referenced directly, with minor differences?


In my opinion, details for that level of interoperability are better fit for a technology specific profile, than in a general specification like this. I think it would have been great to have separate specifications detailing each token type and registering them, but the most that the WG agreed on was listing the token types on their own at this level.

I don’t disagree, but I also think that perhaps the registry entries shouldn’t have been created at all in that case. The purpose of registering things like that, to me, is to say we both implement the same interoperability spec.


3. As far as I can tell, there’s no way for the AS to return subject information to the RS beyond the fixed set of introspection response values?

I would have expected something similar to the Subject Information defined in GNAP s3.4 to be returned (or requitable)

That’s a great idea, but would need to be defined by an extension at this point. Unfortunately the RS spec did not get as much attention as the core spec in its final days, and so features were fairly limited.


4. Its unfortunate that the discovery URI was not defined to work by splicing /.well-known/gnap-as-rs into the start of the path segment in the same way as OAuth Authorisation Server Metadata is. Oh well, such is life, it would appear.

This was another intentional divergence. The way that the OAuth AS Metadata document does things is problematic, as it was trying to adapt what the OIDC discovery spec did with paths — which was itself in conflict with the definition of ".well-known" in the first place. The result is a bit of an awkward compromise. We deliberately sidestepped that in the GNAP specification. I’ll also note that we did not use any .well-known path in the core specification, but the rs-facing discovery needed to be separated and so we went with .well-known here.

I almost wonder why the metadata wasn’t just added to the GNAP metadata, but alas. I’m sure reasoning was solid.

That was suggested at the time, but the consensus was that the RS-facing components would need to be sufficiently different to warrant a different document.


Anyway, thanks for the comments

- Erin