IETF Logo Mail Archive

Re: [Txauth] XYZ vs XAuth: Discovery

David Skaife <blue.ringed.octopus.guy@gmail.com> Wed, 18 March 2020 22:12 UTC

Return-Path: <blue.ringed.octopus.guy@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6905F3A1D27 for <txauth@ietfa.amsl.com>; Wed, 18 Mar 2020 15:12:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MnCdCD4Ga5B4 for <txauth@ietfa.amsl.com>; Wed, 18 Mar 2020 15:12:17 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FAC93A1C8A for <txauth@ietf.org>; Wed, 18 Mar 2020 15:12:17 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id a20so120595edj.2 for <txauth@ietf.org>; Wed, 18 Mar 2020 15:12:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Qb5hDgxmkAepRg61L7GOT7TAzIevxICLX8s+5WBuK7Q=; b=QJar0iwBN8SyznEjx0T+WgnbPVI63ZRfj578/YBtfInhfI9EF7IvullLF0ApI50Xyt DAkag3sFS7fBcxtbgkHa0Ac4wCZQCsPru4+7hVu1/RsJg8RQ/krOHdxO4brzn/8D3wsN wldJsptBSblVRMXXNDEy32j6KjhYIevEwaEeGIeyMrZQ9W89U3TumF4KRxAWzXgCc4g3 n2QB6l+VeHnK9baHaImm5fqCvxOiuJZ8XOGJXKCfMYBD3brZPL/NfdnOZ76zIRJ7OjLK LhIe03HwySnlIfycS+TAsICCSYiuSy5UMGe3dbmXj0FfMzENRTegSc7KKNQzyLNscaY3 +B+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Qb5hDgxmkAepRg61L7GOT7TAzIevxICLX8s+5WBuK7Q=; b=NyEnznxt/U9HQupt8+6HuFo6DBE5cD3/Bue/718BObEY+p6oJGoFBN0xYBnL1gm7Iw UV/08wjYj/XUCSHiDhyoNEILp/O+X8zWEGqN8vTVXYFOol12gA6bt5n6HeNVj8C4Lktx /xNZQC5xX6hG54AoARknIXPWHDaeGkCWZCHONt6SZu9Zz2lOxrMin/7SlLrXB/QZqio5 4wrKO4fW5hY5MtSqxE0RqxQ5OsIoRY1XIafHB5IRowox+uALdDw7dp/UX9lDnFgCU8ws s/jGdynlrT/0oSEl7IVQMAxL76Nfs3XSU4UAF9LtkqWcyzz3Jxqrqq9MW695589n6ERw 25xA==
X-Gm-Message-State: ANhLgQ2hQHix5RU/8h+8Mke6mRiVaaBc4wvAQcr5/cSabiSQqA1jtZSa i36j5VS+zwSyxavoWQGL3NXNVHtTidgsI3901+g=
X-Google-Smtp-Source: ADFU+vuf+toHPmuuJH0ggDtram8SZ2EZ1FbPenoPqirkuxJfVbQMCNcvRnAZT43Ff5uifxY+NJQwdwUDZJG2ZCEjWGY=
X-Received: by 2002:aa7:cf01:: with SMTP id a1mr6415806edy.282.1584569535873; Wed, 18 Mar 2020 15:12:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-u0YWoTJC8FBRtPu1O=8_KFrMBFD44ey1tr_6LZYwX2OQ@mail.gmail.com> <CAKiOsZtheMW-oTQWj-mMfWOv5z2SCfYaGc33-1LHq38ip73YPw@mail.gmail.com> <2E748537-841E-4C1C-8787-145DC1CCA6BF@mit.edu> <CAKiOsZtGKDEw_JNqgT846++UbJUN9d-gf3Q3QBWhFQSz9MZyzQ@mail.gmail.com> <807F99DF-11EE-4904-9688-86059BC249D4@mit.edu> <30E67E8A-CD0F-40CD-92C5-12D23E6FB1FA@mit.edu> <CAK5Vu_D+2YZgXCBHnLU9nbPr_Q1sfpLLyGteVs5Ww22QS08AeA@mail.gmail.com>
In-Reply-To: <CAK5Vu_D+2YZgXCBHnLU9nbPr_Q1sfpLLyGteVs5Ww22QS08AeA@mail.gmail.com>
From: David Skaife <blue.ringed.octopus.guy@gmail.com>
Date: Wed, 18 Mar 2020 22:12:04 +0000
Message-ID: <CAKiOsZuySNit6kPym79cMZJhb+K9g-cKiGT2=+8bGHn1Q++gVg@mail.gmail.com>
To: Stephen Moore <srmoore@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, txauth@ietf.org, Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000004ec61905a1285841"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/CAiWW2CXnD3lkxuMBdVu0cW6nDg>
Subject: Re: [Txauth] XYZ vs XAuth: Discovery
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2020 22:12:21 -0000

Thanks for explaining further Justin - that makes more sense now.

I think the confusion was that the topic here is simply "Discovery" and
also the XAuth rationale section in the original email says "Client can
make unauthenticated call to GS URI to learn what GS supports, *such as
authentication mechanisms*" - which sounds like an example where the
options would potentially be mutually exclusive. So certainly in my mind I
was focusing on the mutually exclusive scenarios, which I now appreciate
isn't what you intended for the XYZ capabilities feature.

Was a useful discussion, thanks.

David Skaife

On Wed, Mar 18, 2020 at 9:24 PM Stephen Moore <srmoore@gmail.com> wrote:

> That makes more sense to me now. Thanks Justin!
> I also like that particular solution, rather basically relying on caching
> or re-discovery before the transaction begins since, I think, that allows
> for more flexible client 'requirements'.
> -steve
>
> On Wed, Mar 18, 2020 at 5:18 PM Justin Richer <jricher@mit.edu> wrote:
>
>> Speaking with someone on another channel, let me explain it this way.
>>
>> This isn’t like “I will send this to you in JSON or CBOR, which do you
>> want?” It’s more like “I can take a signed ID token” and “I speak French”.
>> So there isn’t an order or a preference or an exclusivity. If you can do
>> either of them, or both of them, you just do them.
>>
>> Doing the OPTIONS call would let the client fetch from the server all of
>> that at once, if it wanted too. Allowing it inline lets the client do all
>> of that without making a second network call or remembering anything. But
>> it always has the option to do so.
>>
>>  — Justin
>>
>> On Mar 18, 2020, at 5:04 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>> I wasn’t showing just the happy path, but I think my example might have
>> been too simple. Also, I think we've got a different model for what’s in
>> the capabilities. It’s not about a set of mutually exclusive options that
>> the client has to choose from.
>>
>> Thanks Stephen and Justin for your responses.
>>
>> I certainly accept some of the points you've raised here. One thing I'd
>> like to add though is that the examples you've provided only show the
>> happy-path scenario (from a client's perspective) - where the AS
>> conveniently supports only one of the capabilities provided by the client.
>> What about if we consider the following scenario:
>>
>> - Client can do A, B, C and D. The AS can do A, B, C, D and E.
>> - The client sends [A, B, C, D].
>> - Does the AS now send back [A, B, C, D]
>>
>>
>> Yes, the AS sends back [A, B, C, D] because that’s the subset of the
>> client’s capabilities.
>>
>> , and then force the client to make a decision (i.e. complexity on the
>> client)? Or instead, does the AS make a decision itself and then only send
>> one result back? If the latter, then how would the AS make this decision,
>> and could this potentially result in an undesirable outcome from a client's
>> perspective?
>>
>>
>> The client is already declaring that it can do all of those, and so it
>> needs to figure out which of those it’s going to use and how they work
>> together. My intent wasn’t to say that the client could only do one of
>> those at a time, but rather that these were different things that the
>> client could support that were optional at the AS, and the AS is telling
>> the client which bits that it knows about and can handle. Maybe this is a
>> list of extensions, maybe it’s a list of optional features, but it’s on top
>> of the “core” portions of the protocol.
>>
>> I’ll also say that this is completely separate from the discussion on how
>> to handle interaction — I think the information patterns on that (which are
>> in a different thread) are much clearer.
>>
>>
>> As you've mentioned, in reality the client would likely "remember" the
>> capabilities that the AS supports. So if the AS were instead probed by the
>> client to retrieve the list of its capabilities, this additional complexity
>> needed on the client side would not be something that is present in every
>> interaction - as the client would simply need to pass it's preferred
>> (supported) method on each interaction, rather than having to keep probing
>> and filtering on each request. Additionally, this concept of the client
>> remembering what the AS supports would negate the argument about there
>> being an increase in network traffic raised by Stephen.
>>
>>
>> The reality is that most clients aren’t really going to discover and
>> declare things, especially if the client can start the whole protocol with
>> just one bit of information. XYZ originally started with zero discovery,
>> because all of the important parts are revealed during the protocol.
>>
>>
>> I don't think it's as clear-cut as you've presented in your responses,
>> but I do accept that there are merits to trying to push complexity to the
>> server.
>>
>>
>> I agree that it’s not that clear cut yet — but that’s largely because
>> there aren’t a lot of concrete things that would go in this “discovery”
>> document yet. At least with XYZ, we deliberately minimized what the client
>> would need to know going in, for both simplicity and security. When you
>> make the core protocol such that you don’t need a lot of extra bits in
>> order for things to function, then you aren’t creating problems that you
>> need solutions for.
>>
>> Thanks for raising the discussion!
>>
>>
>> Many thanks,
>> David Skaife
>>
>> On Wed, Mar 18, 2020 at 8:22 PM Justin Richer <jricher@mit.edu> wrote:
>>
>>> OAuth 2 has taught us that wherever possible, you should push the
>>> complexity to the server, not the client. That’s the idea behind the kind
>>> of publication/negotiation here where the client can do something simple
>>> and the AS needs to make the actual comparison and decision, whatever that
>>> is. Clients need to stay simple because, for the most part, the focus of
>>> the client is on calling whatever API and implementing whatever
>>> functionality it is doing, not on the security layer. The AS is a dedicated
>>> security component, so it’s got the mandate to figure this stuff out. This
>>> mindset is one of OAuth 2’s biggest strengths.
>>>
>>> So how would this work in XYZ? I’ll say that we haven’t really :used:
>>> this feature beyond making sure the protocol can be passed back and forth,
>>> since there’s not a lot of optionality that really needs to be negotiated
>>> here.
>>>
>>> So let’s say the client can do A, B, and C. The AS can do B, D, and X.
>>> If the client doesn’t know anything at all about the AS, the client sends:
>>>
>>> [A, B, C]
>>>
>>> And the server looks at that, compares with what it can do, and returns:
>>>
>>> [B]
>>>
>>> The server doesn’t send D, or X, because the client wouldn’t have any
>>> clue what to do about that. The client can remember that if it wants to
>>> cache that part of the response.
>>>
>>> So the question is, what if the client knew that only B would be
>>> successful for this server? That’s pretty common because a lot of clients
>>> get written and configured with a static set of capabilities for a server.
>>> And with the negotiation above, the client just needs to remember after the
>>> first call. So in both cases, the client would only send [B], or leave it
>>> off entirely because it doesn’t need to negotiate, and you’re done.
>>>
>>> But the thing is, you could do both styles with one simple twist. If you
>>> want to do the discovery portion in a pre-flight request, I think it’s a
>>> good idea to allow OPTIONS on the tx endpoint. It doesn’t make any sense to
>>> me to allow it on any other endpoints, especially because some of those are
>>> going to be user-facing (so the client is not going to be talking to the
>>> URL itself). The client makes this call and gets back:
>>>
>>> [B, D, X]
>>>
>>> And now the client has to put together its possible capabilities from
>>> that list and what it knows it can do. By putting OPTIONS on the endpoint
>>> then we can stick with the same mantra of the client having one piece of
>>> info to get started — the tx endpoint’s URL — and learning everything else
>>> from that. I think that part is simple enough to potentially work, and XYZ
>>> doesn’t have other endpoints or aspects that need to be discovered out of
>>> band, unlike OAuth 2.
>>>
>>>  — Justin
>>>
>>>
>>>
>>> On Mar 18, 2020, at 3:44 PM, David Skaife <
>>> blue.ringed.octopus.guy@gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> My thoughts on these different approaches are:
>>>
>>> 1. For XYZ, it feels a bit strange and unnecessary to require the client
>>> to have to state it's full set of capabilities to the AS. It feels like it
>>> should be the other way around - i.e. the client is able to probe what the
>>> AS supports. In my view it's more natural for the AS to be "advertising"
>>> its capabilities rather than the client.
>>>
>>> 2. I prefer the XYZ approach of having a single URL that the client
>>> knows it needs to interact to start the transaction, vs the more complex
>>> approach provided by XAuth.
>>>
>>> 3. Hopefully there is a middle ground between the two approaches that
>>> addresses the two points above.
>>>
>>>
>>> Many thanks,
>>> David Skaife
>>>
>>> On Mon, Mar 16, 2020 at 11:06 PM Dick Hardt <dick.hardt@gmail.com>
>>> wrote:
>>>
>>>>
>>>> *Discovery*
>>>> XYZ
>>>>  - Client always starts at the tx endpoint, all other information is
>>>> dispatched from responses from the endpoint
>>>>  - Clients sends capabilities list in transaction request, AS selects
>>>> and returns which capabilities are supported
>>>>
>>>> XYZ Rationale: client needs a single URL to start talking to an AS,
>>>> giving developers multiple ways to get information is confusing and can
>>>> lead to serious errors (see OAuth2’s mix-up attack caused by OIDC’s
>>>> discovery approach)
>>>>
>>>> XAuth
>>>>  - Client sends an OPTIONS call to the GS URI, Grant URI, or
>>>> Authorization URI
>>>>
>>>> XAuth Rationale: Client can make unauthenticated call to GS URI to
>>>> learn what GS supports, such as authentication mechanisms. Authenticated
>>>> calls return what a specific Client can do.
>>>>
>>>>
>>>> ᐧ
>>>> --
>>>> Txauth mailing list
>>>> Txauth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>>
>>>
>> --
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>>
>> --
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>

v2.23.0 | Report a Bug | By Email