Re: [Txauth] Decoupling consent and authorization

Dick Hardt <dick.hardt@gmail.com> Mon, 03 August 2020 17:28 UTC

References: <CAM8feuQT6XVDao8VE-ZgJkZwWPaXzVTWWy7SdhjJtBRuVyjwSA@mail.gmail.com>
In-Reply-To: <CAM8feuQT6XVDao8VE-ZgJkZwWPaXzVTWWy7SdhjJtBRuVyjwSA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 3 Aug 2020 10:27:31 -0700
Message-ID: <CAD9ie-vspTxQpzjx1Ga0BPG8+6uqg1LaUrEBiFrNXtbpxpjMnA@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/C8vkSJ2dSxyeO-6Q3AikXg4P0E4>
Subject: Re: [Txauth] Decoupling consent and authorization

Hi Fabien

If I understand this correctly, you are factoring out the user
authentication and consent from the AS issuing the access token. Correct?

wrt. "the interaction handled by a Client endpoint" .. I think there is a
conflation of the term Client ... software that can authenticate the user
and act in the user's interest is NOT the GNAP Client. Perhaps Agent? ...
it is a different component from the Client.
On Mon, Aug 3, 2020 at 4:15 AM Fabien Imbault <fabien.imbault@gmail.com>
wrote:

> Hello,
>
> This is a new thread.
>
> I have just published a proof of concept that separates the interaction
> from the rest of the AS. The goal is to open up the door to a privacy
> preserving flow such as the one suggested by Denis (the interaction may be
> handled by a Client endpoint, if it wishes), as well as to optimize the
> implementation to each concern (UX for consent vs authorization flows).
>
> Note that it ends up being an implementation detail as far as the Client
> is concerned, as the core request/response format wasn't changed from the
> original XYZ protocol.
>
> The code and documentation are available publicly at:
> https://github.com/acertio/mvp_gnap_interact
>
> The flow is sketched and explained at
> https://github.com/acertio/mvp_gnap_interact/blob/master/Redirect.md#process
>
> Let me know what you think.
>
> Cheers
>
> Fabien
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
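The design both messages are circling (an interaction service that authenticates the user and collects consent, separate from the AS that issues the token, and separate again from the GNAP Client) can be sketched in a few dozen lines. The model below is an illustration added to this thread; it is not the acertio proof of concept and not the wire format of any XYZ/GNAP draft. The field names, the server-to-server consent message, the shared MAC key and the callback hash formula are all assumptions chosen for the example. The security-relevant points it makes concrete are that the Client never produces the consent result, that the AS refuses to continue a grant until the interaction service has reported consent for that specific grant, and that the issued token carries only what the user approved, which may be narrower than what the Client asked for.

```python
"""Toy model of an XYZ/GNAP-style grant where user authentication and consent
run in an interaction service separate from the token-issuing AS.

Illustration only (not the acertio PoC, not a draft's wire format): message
shapes, field names, the shared MAC key and the hash binding are assumptions.
"""
import base64
import hashlib
import hmac
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def consent_mac(key: bytes, grant_id: str, approved: list) -> str:
    # Assumed server-to-server integrity tag over the consent decision.
    msg = f"{grant_id}\n{','.join(approved)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def callback_hash(client_nonce: str, server_nonce: str, interact_ref: str) -> str:
    # Assumed binding of the interaction result to the client's own nonce.
    msg = f"{client_nonce}\n{server_nonce}\n{interact_ref}".encode()
    return b64url(hashlib.sha256(msg).digest())


class InteractionService:
    """Authenticates the user and collects consent. It acts for the user (an
    agent, not the GNAP client) and shares a MAC key with the AS only, so the
    client cannot fabricate a consent result."""

    def __init__(self, key: bytes):
        self._key = key

    def run(self, grant_id: str, requested: list, user_allows: list) -> dict:
        # The user may approve only a subset of what the client requested.
        approved = sorted(r for r in requested if r in user_allows)
        return {"grant_id": grant_id, "approved": approved,
                "mac": consent_mac(self._key, grant_id, approved)}


class AuthorizationServer:
    """Issues tokens only for grants the interaction service has reported
    consent for, bound to the grant the client actually started."""

    def __init__(self, key: bytes):
        self._key = key
        self._grants = {}
        self._refs = {}  # interact_ref -> grant_id, single use

    def request_grant(self, resources: list, client_nonce: str) -> dict:
        grant_id = secrets.token_urlsafe(16)
        server_nonce = secrets.token_urlsafe(16)
        self._grants[grant_id] = {"resources": resources, "client_nonce": client_nonce,
                                  "server_nonce": server_nonce, "approved": None}
        # The interaction URL points at the separate service, not at the AS.
        return {"handle": grant_id, "server_nonce": server_nonce,
                "interaction_url": f"https://interact.example/start?grant={grant_id}"}

    def record_consent(self, result: dict) -> dict:
        """Called by the interaction service, not by the client. Returns what
        the user's browser would carry back to the client's callback URI."""
        grant = self._grants[result["grant_id"]]
        expected = consent_mac(self._key, result["grant_id"], result["approved"])
        if not hmac.compare_digest(expected, result["mac"]):
            raise PermissionError("consent result not from the interaction service")
        if any(r not in grant["resources"] for r in result["approved"]):
            raise PermissionError("consent exceeds what was requested")
        grant["approved"] = result["approved"]
        interact_ref = secrets.token_urlsafe(16)
        self._refs[interact_ref] = result["grant_id"]
        return {"interact_ref": interact_ref,
                "hash": callback_hash(grant["client_nonce"], grant["server_nonce"], interact_ref)}

    def continue_grant(self, handle: str, interact_ref: str) -> dict:
        grant = self._grants[handle]
        if self._refs.pop(interact_ref, None) != handle:  # single use, this grant only
            raise PermissionError("interact_ref unknown, reused, or for another grant")
        if grant["approved"] is None:
            raise PermissionError("no consent recorded")
        # Token scope is what the user approved, possibly narrower than requested.
        return {"access_token": secrets.token_urlsafe(24), "resources": grant["approved"]}


def rejected(fn, *args) -> bool:
    """True if the call is refused by the AS (used to show the failure modes)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    key = secrets.token_bytes(32)  # shared by AS and interaction service only
    az, ix = AuthorizationServer(key), InteractionService(key)
    nonce = secrets.token_urlsafe(8)
    req = az.request_grant(["read:photos", "write:photos"], nonce)
    # The user's agent visits req["interaction_url"]; the user approves read only.
    cb = az.record_consent(ix.run(req["handle"], ["read:photos", "write:photos"], ["read:photos"]))
    if not callback_hash(nonce, req["server_nonce"], cb["interact_ref"]) == cb["hash"]:
        raise ValueError("callback hash mismatch")  # client-side check
    return az.continue_grant(req["handle"], cb["interact_ref"])
```

Because the core request and continuation messages the Client sees do not change, the split is invisible to it, which matches Fabien's note that it is an implementation detail from the Client's side. The party that does change is the one the user talks to: it holds a key the Client never has, which is what makes Dick's distinction between the Client and the user-facing component load-bearing rather than terminological.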