IETF Logo Mail Archive

Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))

Tom Jones <thomasclinganjones@gmail.com> Sat, 18 July 2020 16:56 UTC

Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EB0A3A0A85 for <txauth@ietfa.amsl.com>; Sat, 18 Jul 2020 09:56:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vRmnpwAgGqPh for <txauth@ietfa.amsl.com>; Sat, 18 Jul 2020 09:56:41 -0700 (PDT)
Received: from mail-ot1-x342.google.com (mail-ot1-x342.google.com [IPv6:2607:f8b0:4864:20::342]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B44503A0A7E for <txauth@ietf.org>; Sat, 18 Jul 2020 09:56:41 -0700 (PDT)
Received: by mail-ot1-x342.google.com with SMTP id 5so9105254oty.11 for <txauth@ietf.org>; Sat, 18 Jul 2020 09:56:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=YuOsFVqsvqlOROWlKzKkVw5Oh7ypd8bJfI0bZTYV5TA=; b=YG/krm+/NVURoN9x2vNeT7wiGzMJ2wAlKY7X4e/PSI/VWgMUCz2nDiui537Mrftjj+ 5TryHXLt6qvNkrZUQLSj5v7776DvvW8ksu/XFYt0Fn8dsIZ7xpOc9rV8GQ+2sp8rSL6a cjZhgrdwXX6LojCXxbNWKqSeDXqiAXMxAD1pIwQtXW4wHIemcbre7C1V3i8s3UuR7UN6 Wh0/KSHDJ/Z+XTahB42aWX+r5MaHKZWq1cPsnzLDijARxiGJY6d2aY+08ajCcBwealMU u2pVoHBNwrZT3N0JWQ4ag6bYMmFhgeHAU0YR+ojN/J3SSRJZD3crbHCd9S0cBpcQ3DQX gLGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=YuOsFVqsvqlOROWlKzKkVw5Oh7ypd8bJfI0bZTYV5TA=; b=p+/qgh7mWI2yaP8cGQ/7RgT6tIEHsdDgnPw6agwppmwlEmC51tkDUWhdRjFPn+t9SB GiYGuC2gpb1gVbRs9JV3qB+tCFcqEvpRvLymcK67q470VPq8rGi6Z80lcDSLjN8h6VNp 1tOIpbjXrURdi0HBkzWq0UX8wpQgF8WLfX559dWDtlbWin2OTjhJVDlN9icrTXW3I1dB IKE1mgRFdJCUphxfneUHnnyOlp8fq/rmIheWi7s+/GOWK7qfz6AzPjUaAzUDlKqh/uJ6 6Ui4I1bEtOi2XiW8ENjKeKaIXa63GNyOd7SMFnszVG2oIMJxThZKAV0Jo5txWsZF9aGo kzLw==
X-Gm-Message-State: AOAM533znTpgXyjgPvFv6N1DyiiNLsZxv3y39qS27qZ0V7QE5W3DybcZ ZacMEUWHTqhV9IoPpj+Q23xX/YBSiT8WqyVKcessG0i0
X-Google-Smtp-Source: ABdhPJxX+OyCZVb3szVYC3y4cFEp2gq32RSdVBDLylVsvP9mLClnqtFGbLAnlg1ljQfMG/ic6oGaREF7uNFdZhWzPP0=
X-Received: by 2002:a9d:66ca:: with SMTP id t10mr12878845otm.358.1595091400800; Sat, 18 Jul 2020 09:56:40 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-vnA98pobbboS00SAHneEG52_8eMxh_sE3r3jg6gyooGg@mail.gmail.com> <E9EC90C9-7A9A-4909-8627-A161B33E941F@mit.edu> <CAD9ie-vyB8+5jS=K_qUHfvxsF2wPV5APRo+7WUDfJxNzJONJpg@mail.gmail.com> <8CC8B466-FD6F-4C23-8DAA-99B8A9BDF548@mit.edu> <CAD9ie-u9z7Mc-wNjztoOTy4N_Z9jFDc2Sb6quLspasMGAMKdSw@mail.gmail.com> <097FB93E-96DA-4DF6-8511-0B32FD321211@mit.edu> <CAD9ie-tpuisauOFGiUj65-RcYPtcvW_gZP1CAadqq5cE6P36HQ@mail.gmail.com> <EE4A7D91-1106-44CB-92BF-C3AA3649BDFE@mit.edu> <CAD9ie-saoc2FUm46r4h1B27iYK04j_skf5-zJR7EXLmWBzj=hA@mail.gmail.com> <F41A8F88-C1B4-4CE2-8573-7A03C086D25B@mit.edu> <CAD9ie-tHCg9Ti1xWuzUP5EGLAcU2cpFALErqq98+fPnD3enZCQ@mail.gmail.com> <820525FD-4556-4617-8D89-C600D8C90C33@mit.edu> <CAD9ie-uwz_Li7n9iuX_--YtWeE+HX5sWEe95nZ8Y0akYh8WTHg@mail.gmail.com> <A7E1F61B-78F8-4647-847A-E1C8909EA452@mit.edu> <CAD9ie-tSjEWT-+D43yKaFZmEdFcbL=fyM0kHuFX_fNa4zHdm1w@mail.gmail.com> <6D58464F-3EFA-4367-9033-91FCB9CF40AC@mit.edu> <CAD9ie-syw5YJVsJHncZ-PcLQbYC4r=4LLSQCKtMP=-hGKqT0SA@mail.gmail.com> <0905DCA3-1B30-429A-AB02-8ED27D37F6C3@mit.edu> <CAD9ie-vV-pH6oebREkfY5rZ=8vYZpD2irjyjJ=4mvfKKeKY4-A@mail.gmail.com> <974147F1-A9CE-4093-A170-9F4F9DFB3638@mit.edu> <CAD9ie-vy0iKn6HMD-97jd5MeFtshqpzrGtvvwOX_Ze91qusJKQ@mail.gmail.com> <1D7A02B1-E58D-44D0-9E33-5313A7367949@mit.edu> <CAD9ie-uv5FKhow9ebKHVbZwhiZwRDg3wX9KL2o5g7AvVA=g-6Q@mail.gmail.com> <174F2061-3F0F-49B2-A18F-58DF658E4473@mit.edu> <CAD9ie-vaKmOHMP6veCkyRy3Xojx+Uve9xq7=zWu0ZnnBDFepZg@mail.gmail.com> <F25C6765-C842-4A27-8323-BDCE9300DFDB@mit.edu> <CD6BAD25-5E51-4E8D-862F-61F478B450FC@mit.edu>
In-Reply-To: <CD6BAD25-5E51-4E8D-862F-61F478B450FC@mit.edu>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Sat, 18 Jul 2020 09:56:28 -0700
Message-ID: <CAK2Cwb7w9AP5JtnEGthh4VNMJAvkXH6+gb3a+NQa3=yQeT66gQ@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Dick Hardt <dick.hardt@gmail.com>, txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000543cf705aaba289b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/CpSZfnm_evQ65z2MNz6IWbyovXc>
Subject: Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jul 2020 16:56:45 -0000

I agree with Justin's comment " what we should do, as we define GNAP as a
protocol, is focus on this one, limited slice of the identity space and not
spiral into others."
The title "Authorization" should rule the purposes of this group above all
else.

The earlier statement that the client should know who the user is - is just
plain WRONG. The client should only know the information the user is
willing to share with the client.
It is now the law in California that the client cannot demand identity
information that is not required for a legitimate business purpose.
There are some clients that act as fiduciaries for the user (financial and
healthcare come to mind), but as a general rule the "client" is not to be
trusted by the user.
I understand most of the people on this list are paid by the client's of
the world, but you are still bound by the laws that apply to those clients.

Peace ..tom


On Mon, Jul 13, 2020 at 12:31 PM Justin Richer <jricher@mit.edu> wrote:

> A quick note, as my choice of language below seems to have been confusing.
> First there is a typo, where the word “it” should have been “in” to read:
>
> I am saying that GNAP, *in* its definition within this working group,
> should be limited to identifier claims.
>
>
> And second, there seems to be confusion around whether I’m trying to argue
> about the scope “allowed” by the charter by saying “its definition within
> this working group” here.
>
> To be clear, we as the working group are *defining* GNAP the protocol. It
> has not yet been defined, and that’s why were all here. The charter doesn’t
> define it. The input specs don’t define it. The working group defines it,
> and my stance as a contributor to this WG is that we should focus on a
> delegation protocol with some basic identifier query support and leave the
> full fledged identity protocol to different work.
>
> We’ve already got our hands full here without taking all of that on,
> especially since I do believe we need to build GNAP in such a way as to
> facilitate its extension in several known directions, including a full
> identity protocol. If we do things right here, we can see GNAP as the basis
> of a large number of things out there in the world.
>
> So my stance in what we should do, as we define GNAP as a protocol, is
> focus on this one, limited slice of the identity space and not spiral into
> others.
>
>  — Justin
>
> On Jul 13, 2020, at 2:51 PM, Justin Richer <jricher@mit.edu> wrote:
>
> I am saying that GNAP, it its definition within this working group, should
> be limited to identifier claims. Other claims can come from other protocols
> properly layered on top of GNAP. GNAP shouldn’t stop them from being built,
> but in my opinion we shouldn’t be defining those here. See the discussion
> below on the extensibility avenues of this approach.
>
>  — Justin
>
> On Jul 13, 2020, at 2:12 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
> I agree that an API to return claims is useful. I think we have agreed on
> that.
>
> Using the SubjectIdentifiers schema is another schema that would be useful
> for GNAP to support.
>
> I disagree that GNAP should be limited to identifier claims.
>
> ᐧ
>
> On Mon, Jul 13, 2020 at 7:16 AM Justin Richer <jricher@mit.edu> wrote:
>
>> One thing I think we should learn from OIDC is that returning claims from
>> an API, and not just an assertion or direct response, is a powerful and
>> useful pattern. We have an opportunity to separate these cleanly, where
>> OIDC didn’t have the opportunity in defining the “claims” request parameter.
>>
>> As an alternative to the current XYZ and XAuth syntaxes, over the weekend
>> I’ve been playing with something that would look like this strawman in the
>> request:
>>
>>
>> {
>>    subject: {
>>       id: [ “account”, “email”, “iss-sub”],
>>       assertion: [ “odic_id_token”, “verifiable_credential”, “saml" ]
>>    }
>> }
>>
>>
>> This request says that I’d like some subset of these identifiers (as
>> plain text in the response) and some subset of signed assertions in the
>> given formats. Each one would have an associated space in the return. I’m
>> not picturing that the “id” field values would affect the contents of the
>> assertions: so I could ask for an email address identifier but get back an
>> ID token that had only the subject identifier. Maybe that’s not the right
>> model? But it’s at least simple and deterministic this way, and it’s
>> something to play with.
>>
>> Note: The “id” names are taken from
>> https://tools.ietf.org/id/draft-ietf-secevent-subject-identifiers-05.html,
>> the “assertion” names are made up as I didn’t see a source that collected
>> them. If you wanted specific bundles of claims about the user from a
>> UserInfoEndpoint, for example, you’d have something like:
>>
>> {
>>    subject: {
>>       id: [ “account”, “email”, “iss-sub”],
>>       assertion: [ “odic_id_token”, “verifiable_credential”, “saml" ]
>>    },
>>    resources: [{
>>        type: “userinfo”,
>>        datatypes: [ “openid”, “profile”, “phone”, “email” ]
>>   }]
>> }
>>
>>
>> This is an example for a specific kind of resource, and I don’t think
>> that GNAP should define the “userinfo” schema here, or the datatype values
>> therein. That should be work outside of GNAP, probably for the OIDF.
>>
>> This approach is extensible in several ways, each of them for a specific
>> reason that I think is clear:
>>
>>  - new values in the “id” field to give new identifiers
>>  - new values in the “assertion” field to give new assertion formats
>>  - new fields under the “subject” heading
>>  - new resource types besides “userinfo” (like “scim-v1” or
>> “facebook-profile” for instance)
>>  - new datatypes within the “userinfo” resource type
>>  - new top-level request parameters
>>
>> As per the other thread, if you wanted to use the OIDC query language,
>> you’d package it separately as a top-level request parameter since it can
>> include both the ID token response and the access token response and we
>> shouldn’t be encouraging mixing these things together.
>>
>>  — Justin
>>
>> On Jul 10, 2020, at 5:00 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> It looks to me that our different views of what is in scope for GNAP are
>> the differences below.
>>
>> Per the subject line, I'm looking at how the client acquires claims about
>> the user. You don't think that is in scope, and that a different layer will
>> solve that.
>>
>> I think we should learn from OIDC being on top of OAuth, and GNAP should
>> be able return ANY claim, not just identifier claims. There are use cases
>> that may be difficult to support if we do not have that functionality in
>> scope, such as some of the ones I list below, and it seems pretty
>> straightforward to support ANY claim if we are supporting identifiers.
>>
>> /Dick
>>
>>
>> On Fri, Jul 10, 2020 at 1:09 PM Justin Richer <jricher@mit.edu> wrote:
>>
>>>
>>>
>>> On Jul 10, 2020, at 2:15 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>>
>>> inline ...
>>>
>>> On Thu, Jul 9, 2020 at 5:44 PM Justin Richer <jricher@mit.edu> wrote:
>>>
>>>> Yes, the core idea is to not have to parse an assertion to get back the
>>>> core authentication information, which consists of an identifier (iss/sub
>>>> pair in OIDC, but could be a number of things). Sometimes the client is
>>>> going to want the rest of the identity information, but If the user’s
>>>> logged into the client before, the client has likely cached that info and
>>>> probably won’t need it, and sending it would be a violation of privacy
>>>> principles.. The client would want the info pretty much just in these cases:
>>>>
>>>>  1. The client has never seen the user before.
>>>>  2. The user’s information has been updated since the last time the
>>>> client saw it.
>>>>
>>>
>>> Agreed
>>>
>>>
>>>>
>>>> Now for case (1), how would the client know if it wants to request the
>>>> user’s profile info or not, since it doesn’t know who the user is?
>>>>
>>>
>>> But the client could know who the user is. The client may have used a
>>> different AS to authenticate the user.
>>>
>>>
>>> In these cases, the client is not going to be requesting identity
>>> information from the AS to log the user in, so it’s not relevant to the use
>>> case. The client will have an opportunity to push that information to the
>>> AS.
>>>
>>> The User may have self identified to the client. The client may have a
>>> cookie saying who the user was and the user said that was them. While the
>>> latter cases are really a strong hint, they are likely right most of the
>>> time and can lead to a user experience basde on that hint
>>>
>>>
>>> In these cases, the AS might be able to guess if the client has info
>>> about the user already, but probably not. And the assumptions fall apart if
>>> it’s in fact a different user that ends up logging in, which is of course
>>> possible (the hint you gave doesn’t match the identity of the current user
>>> after the AS validates them). This possibility leads to clients always
>>> asking for everything every time and the server providing everything every
>>> time. That’s a pattern I think we should avoid in an ultimate solution —
>>> but ultimately, I don’t think that this kind of protocol decision is inside
>>> of GNAP.
>>>
>>>
>>>
>>>> And the AS won’t know if client is going to want the profile info,
>>>> since the AS won’t know if the client has the user’s info or not. Sure, the
>>>> AS might have seen that client and that user combo previously, but it
>>>> doesn’t know if the client needs an update.
>>>>
>>>
>>> The client can share with the AS the user it knows or thinks it is
>>> dealing with, which could let the AS respond if the information was new.
>>> This could be the case for an AS that is providing claims, but not
>>> authentication, and could happen silently. The user would only interact if
>>> the user information had changed, and the client wanted the updated
>>> information.
>>>
>>>
>>>
>>> See above.
>>>
>>>
>>>> And for (2), the client won’t know if the user’s info has been updated
>>>> or not because it doesn’t know who the user is yet. If the AS can provide
>>>> some time of updated stamp to the client, the client can pull the new info
>>>> when it needs it.
>>>>
>>>
>>> See above.
>>>
>>>
>>> See above.
>>>
>>>
>>>
>>>>
>>>> If you ignore both of these cases and put all the user information
>>>> inline with the main request/response, you end up in a situation where the
>>>> client always requests everything and the server always provides
>>>> everything, since you can’t be sure you’re not in situation (1) or (2)
>>>> ahead of time.
>>>>
>>>
>>> See above. There are a number of other states the client could be in.
>>>
>>> For example, the client could be stateless about user information, so it
>>> knows it is ALWAYS in state 1.
>>>
>>>
>>> A stateless client would need to fetch appropriate user information
>>> every time, then. But that’s an optimization for a very specific case.
>>>
>>>
>>>
>>>>
>>>> This is really what I mean about the two-stage identity protocol.
>>>>
>>>
>>> I know what it is. Per above, GNAP lets us support a wider set of use
>>> cases. Why limit ourselves to what OIDC supported?
>>>
>>>
>>> We aren’t limiting the protocol, but instead limiting the scope of what
>>> we define internal to the GNAP protocol. There’s a lot of room for
>>> innovation on top of it.
>>>
>>>
>>>
>>>> In the first stage, you push the bare minimum of what you need to get
>>>> the user known to the client. In the second stage, the client uses its
>>>> access token to call an API to get whatever else it needs to know about the
>>>> user.
>>>>
>>>
>>> From a privacy perspective in non-enterprise use cases, I think the user
>>> should give consent to any updated personal information to a client. In
>>> general, the client should not be able to get the latest information about
>>> a user whenever it wants.
>>>
>>>
>>> This is about the rights associated with the access token, then. And an
>>> access token doesn’t have to keep working if the AS has a policy that says
>>> it won’t. The AS/RS could easily decide that a particular access token will
>>> only return data that hasn’t been changed. Maybe it stops working after the
>>> data changes, or it just returns old data, or any number of things. This is
>>> for the AS/RS to decide and this is pretty standard interpretation of the
>>> token, nothing special here because we’re dealing with identity.
>>>
>>>  — Justin
>>>
>>>
>>> /Dick
>>> ᐧ
>>>
>>>
>>>
>>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email