Re: [Txauth] Possible Use Case for GNAP

Steinar Noem <steinar@udelt.no> Mon, 06 July 2020 16:48 UTC

References: <eb099963-98c3-2629-ef95-1b1aae2359b9@readycomputing.com> <CAK2Cwb7ZfDgBjU3920Nemug9ofYVfkDyw5V792cJnrO08ufc=g@mail.gmail.com> <3b8d3690-47e2-ff00-1065-29647d18555b@readycomputing.com> <CAK2Cwb7E2DQ+ykv2b+9-3csZ+z=QW2ahJkExvohsp8zy1EL0Ng@mail.gmail.com> <00827624-7361-4c5f-b34f-0edc8f7493dc@readycomputing.com> <CAK2Cwb6O3N7dZpZc7qehjgQRUaV-A_P8VWx4YwFiCjj6KFc98Q@mail.gmail.com> <5AA3C0D4-A250-4EFB-B3E9-F71E8BD959A6@mit.edu> <7d8f8a78-01c9-ec27-b5d3-d03b7fb9a159@readycomputing.com>
In-Reply-To: <7d8f8a78-01c9-ec27-b5d3-d03b7fb9a159@readycomputing.com>
From: Steinar Noem <steinar@udelt.no>
Date: Mon, 06 Jul 2020 18:48:16 +0200
Message-ID: <CAHsNOKexP99hZhgnmopORN_+CV40DnVQi3PHfa61r-oTLjsKeg@mail.gmail.com>
To: David Pyke <david.pyke=40readycomputing.com@dmarc.ietf.org>
Cc: Justin Richer <jricher@mit.edu>, Tom Jones <thomasclinganjones@gmail.com>, txauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/EnDKmKqJ-mJvFJf3m9dyTtV7kOU>

Hey, we have some (sort of) similar cases and requirements today which we
have solved by implementing the token-exchange spec.
It certainly doesn’t solve all the issues discussed here, but for
traceability it does the job for us. Being able to express an
“authorization stack-trace” and the original user identity is both useful
and required in our case.

-Steinar

On Mon, 6 Jul 2020 at 16:34, David Pyke <david.pyke=
40readycomputing.com@dmarc.ietf.org> wrote:

> Those are exactly the issues I was facing.  While I can make the hops
> independent, they need to be chained so that everything is traceable.
> It's possible but ugly with OAuth.
> On 2020-07-02 3:34 p.m., Justin Richer wrote:
>
> If we look at each hop as a separately authorized request, could we define
> them in a way that they’re chained from each other down the line? Maybe it
> would be possible for the root HIN to get a new token for each of the
> downstream HINs, but this new token is in the context of the first one.
>
> --
>
> *David Pyke*
>
> Manager, Strategic Consulting
>
> Office: +1 212 877 3307 x5001
>
> david.pyke@readycomputing.com
>
> www.readycomputing.com
>
> 150 Beekman Street, Floor 3, New York, NY 10038
>
> The information in this e-mail communication together with any attachments
> is intended only for the person or entity to which it is addressed and may
> contain confidential and/or privileged material. If you are not the
> intended recipient of this communication, please notify us immediately. Any
> views expressed in this communication are those of the sender, unless
> otherwise specifically stated. Ready Computing does not represent, warrant
> or guarantee that the integrity of this communication has been maintained
> or the communication is free of errors, virus or interference.
>
> This is not a secure transmission. The information contained in this
> transmission is highly prohibited from containing privileged and
> confidential information, including patient information protected by
> federal and state privacy laws. It is intended only for the use of the
> person(s) named above. If you are not the intended recipient, you are
> hereby notified that any review, dissemination, distribution, or
> duplication of this communication is strictly prohibited. If you are not
> the intended recipient, please contact the sender by reply email and
> destroy all copies of the original message.
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>
-- 
Kind regards

Steinar Noem
Partner, Udelt AS
Systems developer

| steinar@udelt.no | hei@udelt.no  | +47 955 21 620 | www.udelt.no |
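The "authorization stack-trace" Steinar describes is what RFC 8693 (OAuth 2.0 Token Exchange, the token-exchange spec the message refers to) expresses with a nested `act` claim: the outermost `act` is the current actor, every earlier actor is nested beneath it, and `sub` stays the original user at every hop. The following is an added example written for this page, not code from the thread, from Udelt's systems or from any HIN; it walks a user's token through a chain of hops (the HIN names, the `https://as.example` issuer, the shared HS256 secret and the user token are all constructed for the demo; a real authorization server would use asymmetric keys and a JWKS) and includes the two checks a practitioner would want on each hop: the subject token's `may_act` claim is enforced, and delegation may narrow scope but never widen it.

```python
"""RFC 8693 token exchange with a nested "act" delegation chain (added example).

Tokens are HS256 JWTs over one shared secret so the demo runs offline; a real
authorization server would use asymmetric keys published via JWKS. Names such
as hin-root.example and https://as.example are constructed for the example.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-do-not-use"          # constructed demo key
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ISSUER = "https://as.example"               # assumed authorization server


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict) -> str:
    """Mint a compact HS256 JWT for the given claims."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(mac)}"


def verify(token: str, now=None) -> dict:
    """Pin the algorithm, check the MAC in constant time, then check expiry."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("invalid_token: unexpected alg")
    mac = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _unb64(sig)):
        raise ValueError("invalid_token: bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("invalid_token: expired")
    return claims


def exchange(form: dict, now=None) -> dict:
    """Authorization-server side of one token-exchange hop (RFC 8693 section 2)."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        raise ValueError("unsupported_grant_type")
    if form.get("subject_token_type") != JWT_TYPE or form.get("actor_token_type") != JWT_TYPE:
        raise ValueError("invalid_request: only JWT token types are accepted here")
    subject = verify(form["subject_token"], now)   # who the request is on behalf of
    actor = verify(form["actor_token"], now)       # the hop asking to act for them
    # "may_act" (RFC 8693 section 4.4): if the subject token names who may act
    # on its behalf, any other actor is refused.
    may_act = subject.get("may_act")
    if may_act is not None and may_act.get("sub") != actor["sub"]:
        raise ValueError("invalid_request: actor not permitted by may_act")
    # Delegation may narrow scope, never widen it.
    have = set(subject.get("scope", "").split())
    want = set(form.get("scope", "").split()) or have
    if not want <= have:
        raise ValueError("invalid_scope: requested scope exceeds the subject token")
    # Current actor on top, every earlier actor nested beneath it (section 4.1).
    act = {"sub": actor["sub"]}
    if "act" in subject:
        act["act"] = subject["act"]
    claims = {
        "iss": ISSUER,
        "sub": subject["sub"],      # the original user survives every hop
        "aud": form["audience"],
        "scope": " ".join(sorted(want)),
        "act": act,
        "exp": int(time.time() if now is None else now) + 300,
    }
    return {"access_token": sign(claims), "issued_token_type": JWT_TYPE,
            "token_type": "Bearer", "expires_in": 300}


def delegation_chain(claims: dict) -> list:
    """The "authorization stack-trace": original user, then each actor in hop order."""
    actors = []
    node = claims.get("act")
    while node:
        actors.append(node["sub"])
        node = node.get("act")
    return [claims["sub"]] + actors[::-1]


def run_chain(hops: list, now: float, requested: str = "records:read") -> list:
    """Walk a constructed user token through each hop; return the final chain."""
    token = sign({"sub": "alice@patients.example", "scope": "records:read records:write",
                  "may_act": {"sub": hops[0]}, "exp": now + 3600})
    for i, hop in enumerate(hops):
        actor_token = sign({"sub": hop, "exp": now + 3600})   # the hop's own credential
        form = {"grant_type": TOKEN_EXCHANGE,
                "subject_token": token, "subject_token_type": JWT_TYPE,
                "actor_token": actor_token, "actor_token_type": JWT_TYPE,
                "audience": hops[i + 1] if i + 1 < len(hops) else "https://records.example",
                "scope": requested}
        token = exchange(form, now)["access_token"]
    return delegation_chain(verify(token, now))


if __name__ == "__main__":
    print(run_chain(["hin-root.example", "hin-b.example", "hin-c.example"], now=1_594_054_108))
```

Run as a script this prints the chain `['alice@patients.example', 'hin-root.example', 'hin-b.example', 'hin-c.example']`: the original user first, then each HIN in the order it acted, which is exactly what a resource server needs to log for traceability. Note that `may_act` is only carried by the first user token here; if later hops should also be restricted, the authorization server has to decide per hop who may act and not rely on the claim being propagated.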