[GNAP] "Access Token" when calling AS is really a cookie

Dick Hardt <dick.hardt@gmail.com> Mon, 23 November 2020 01:06 UTC

From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 22 Nov 2020 17:05:55 -0800
Message-ID: <CAD9ie-vKSpV6eC3CUPzwFog5yOb+zeshLJC7+8RgNeF9CNFiww@mail.gmail.com>
To: GNAP Mailing List <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/DGT4CWFlEQxhthLU3joBR99i2dE>

When I look at how GNAP is using access tokens for continuation requests,
and at pull request #129
<https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129>,
those "access tokens" look a lot more like cookies (managing state) than
how access tokens are usually used (representing authorization). See the table
below.

If there is a real requirement for passing state back and forth between a
server (the AS in this case) and the client when making API calls, then I
suggest that is out of scope for GNAP as I see it being a general purpose
mechanism for any API.

/Dick

*cookies*
- issued by server being accessed
- are not presented to other servers
- issued after first access
- may be different for different URLs
- may be updated on each access
- represents the context of a session (state)

*access tokens*
- issued by an independent service (AS)
- may be used at any URL at the RS
- new ones issued by AS as needed
- represents authorization granted to a client at an RS
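To make the contrast in the table concrete, below is an added simulation (not code from the post, the GNAP drafts or PR #129) of the two token kinds: a continuation token that the AS issues for one grant, accepts only at its own continuation URI and rotates on every use, beside an access token that any URL at the RS it was granted for accepts. The endpoint paths, the two-step grant and the token format are constructed for illustration.

```python
import secrets

# Constructed simulation of the two token kinds contrasted in the table.
# Continuation tokens behave like cookies: issued by the server being
# accessed (the AS), bound to that server's continuation URI, rotated on
# each access, and carrying grant state. Access tokens represent
# authorization at an RS and are valid at any URL of that RS.

class AuthorizationServer:
    def __init__(self):
        self._grants = {}         # continuation token -> grant state (assumed shape)
        self._access_tokens = {}  # access token -> RS it was granted for

    def start_grant(self, rs):
        """First request: issue a continuation token tied to this grant's state."""
        token = secrets.token_urlsafe(16)
        self._grants[token] = {"rs": rs, "step": 1}
        return {"continue": {"uri": "/continue", "access_token": token}}

    def continue_grant(self, uri, token):
        """Continuation request: valid only at the continuation URI; the token
        is rotated so a replayed earlier value is rejected."""
        if uri != "/continue" or token not in self._grants:
            return {"error": "invalid_continuation"}
        state = self._grants.pop(token)   # old value is now dead
        state["step"] += 1
        if state["step"] >= 3:            # constructed: grant done after two continues
            access = secrets.token_urlsafe(16)
            self._access_tokens[access] = state["rs"]
            return {"access_token": access, "rs": state["rs"]}
        new_token = secrets.token_urlsafe(16)
        self._grants[new_token] = state
        return {"continue": {"uri": "/continue", "access_token": new_token}}

    def introspect(self, token):
        """Return the RS an access token was granted for, or None."""
        return self._access_tokens.get(token)

class ResourceServer:
    def __init__(self, name, as_):
        self.name, self.as_ = name, as_

    def handle(self, url, token):
        """Any URL at this RS accepts an access token the AS issued for it;
        a continuation token or another RS's token is refused."""
        return self.as_.introspect(token) == self.name
```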