IETF Logo Mail Archive

Re: [GNAP] RS-Token Introspection or RC-Token Introspection

Fabien Imbault <fabien.imbault@gmail.com> Fri, 11 December 2020 18:12 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 234D23A0DAE for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 10:12:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69LR-BpIzDqn for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 10:12:33 -0800 (PST)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4D643A0DAD for <txauth@ietf.org>; Fri, 11 Dec 2020 10:12:33 -0800 (PST)
Received: by mail-io1-xd31.google.com with SMTP id n4so10371087iow.12 for <txauth@ietf.org>; Fri, 11 Dec 2020 10:12:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pEAZpIzFS8+afgmEzNFiBwRdqWGCFIZnp6B15YxDTX0=; b=LTqMqPdgfq6JyvSlvdBrwusgI/ngao9tCZlGJ5HV1pEpVuchlJpsaKKEzLkPr+YKkV yFg8ixeg8pjRR81M509uYitWpZW656b/erKOWAnOzYOm+18e2QnYgNOwnP564AcuOymO vz9auojAWUaHhyAWCT3tiSdl6K3MrbGDeGmr54Ew0zVYs2gZHSuOtuebj+mVSL0NILPU 8fhDBm26QPszKddd0CbK9lLQn/O9H1MlgVrcqYQLcvK/OiACVxXcZg4uo5rHjki1miB/ H2iXsxRI4aq570WaI61qD2O8dnF5u/5sTTwiGW92q5NeLHF14FtZZvlbyuRmuIHbhX4m dp3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pEAZpIzFS8+afgmEzNFiBwRdqWGCFIZnp6B15YxDTX0=; b=EwVKc2+yLILJAFSQIG03qN8+J4w0Av72mgJduKwMnKUiB3sMmOZnokAWEqrPQYdClM +pPtNkREC/wLfPLRUCnVHl7izeyWmYPSHu5I9yaW4JOtbvk9W8jyT7rDNWeZ3QwVdyNf VgDK6++l8ebePi3DQsGCzuOu7TKrWgPXP1J5/PO+9gZEaZusKX3dPAVCY10bU9zlwLte ysoMlvqROXSrecbDJ6Ah88OH6YrEzHC3BqYluOq2KMJVCMLkRKHU7NKmDiqqzId9t9/U rp0eVgPKmBI0bjrjkZIvl5PNeAvDTCzBSjS8N2KNIJzzu5ZGfTZcKAj2oOJGnqwDP1ao 2JLA==
X-Gm-Message-State: AOAM530DFv4QvtuK62GitwzS96YmdcJNCq2noQLHWZzYQQ0pqUxgGeB3 5GO4ZbghH66+8ZM9wlKR3wtyYf6nk6TDJ3rYS7w=
X-Google-Smtp-Source: ABdhPJzusFxquqe0+a6MVVTwhNxkrwdWkPiHrnEUXWQkyelAqwXROm90sSVXbSyQJglinci6z1vJq+RSbq+DNtpV/Dc=
X-Received: by 2002:a05:6602:214b:: with SMTP id y11mr16555501ioy.78.1607710352726; Fri, 11 Dec 2020 10:12:32 -0800 (PST)
MIME-Version: 1.0
References: <7f06d460-a4bb-652a-bba0-fe5fe5e6478f@free.fr> <CAM8feuQd3TkD0-hYfJQW0f4C9pnZO1J646hg9cumbb22D2XK5g@mail.gmail.com> <CAM8feuSRoUvKaDkheuQa5kp52hFhK+=TBp+1dq9qQrFweGf7vg@mail.gmail.com> <56f50921-a88f-230a-20d1-aee187f09b6e@free.fr> <CAM8feuSeXjJwVdjaAP-B=mKVDePyPcx3Vpd7Ef6GFY1YwbMJ6A@mail.gmail.com> <21cf7c30-c42a-f29c-a407-7badde5c0151@free.fr> <CAM8feuTnu6F6V8e6Fa=RP4wn2ZXocpShU1GH9UD951PFLk1avA@mail.gmail.com> <c2d6c307-d7b4-d32a-7c34-a7131e5bdc6b@free.fr>
In-Reply-To: <c2d6c307-d7b4-d32a-7c34-a7131e5bdc6b@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 11 Dec 2020 19:12:21 +0100
Message-ID: <CAM8feuQbcFPYBu7fd8DiOpDA46xjOqPEL2aOn_R77=Sctr+XpA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000079e3b205b6343c44"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/G4wX5AtP-8JtXfxg0lijHgWGyhY>
Subject: Re: [GNAP] RS-Token Introspection or RC-Token Introspection
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 18:12:36 -0000

Hi Denis,

I agree that what you're saying makes sense.

I'm just asking more broadly what people think of it (and trying to balance
the risks and benefits of each approach).

Fabien

On Fri, Dec 11, 2020 at 6:56 PM Denis <denis.ietf@free.fr> wrote:

> Hi Fabien,
>
> Hi Denis,
>
> Please note that the token introspection is not a new idea, it's already
> present in OAuth2 world (rfc 7662), and allows the RS to verify the access
> token.
>
> I am pretty aware that token introspection is already present in the
> OAuth2 world (rfc 7662). :-)
>
> In important point : RFC 7662 states "the contents of tokens are opaque to
> clients".
> The text does *not* state : "the contents of tokens are opaque to both
> clients and Resource Servers (RSs).
>
> In the current version of GNAP, there is also section 6 that introduces
> management endpoints, which could potentially be extended in a similar way
> (currently this is not specified, the management endpoint is here for
> rotation/revocation). Then the client could require more information on
> what is included in the opaque token, but of course, this relies on the
> assumption that the client trusts the AS. There is also the discussion on
> the "resource" description in the response, that may provide a simpler
> scheme (https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/141).
>
> But if we assume the AS may be malevolent (which is more likely if the AS
> becomes a less central point, at least for some implementations),
> then indeed receiving opaque tokens wouldn't provide all the guarantees,
> as it may lie on what is really in the token (too many claims for
> instance).
>
>
> More specifically, while I recon there might be a risk which we'd rather
> not have, I don't really think an opaque token is really an unmanageable
> issue with privacy.
> Suppose someone adds a field in a JWT, most likely you'll be able to
> detect that.
>
> RFC 7662 has been made available primarily for "lazy" RSs. :-)
>
> Let us consider a case where the contents of access tokens are opaque to
> both RCs and RSs.
> Let us suppose that opaque access tokens contains only a temporary handle
> to the set of claims related to the end-user, e.g. a 128 bits handle.
>
> Neither the RC, nor the RS would be able to understand it and the RS would
> be forced to call back the AS.
> Not only this call back will be bad in terms of the user's privacy because
> the AS will be able to know exactly when the access token has been used
> by the end-user but it would be impossible to detect it to prevent some
> damage on the RS side.
> We cannot assume that all future ASs in the world, while still providing
> the requested claims, will never deliver more attributes than the ones
> requested
> by the RC and thus allow RSs (and possibly other servers) link their
> users.
>
>
> But suppose we go for non opaque tokens, then we'd need a way of
> describing its format. Which might limit a bit the use cases if we're not
> careful.
>
> In OAuth 2.0, it has been possible to describe a token format (JSON Web
> Token (JWT) Profile for OAuth 2.0 Access Tokens).
> I don't believe it would a "mission impossible" in this WG to describe a
> GNAP format for access tokens.
>
> The IETF is supposed to standardize protocols at the bit level and this
> has made its success.
>
> Denis
>
>
> I'd be interested to know what others think, since it is diverging quite a
> bit from the OAuth2 world (not a bad thing in itself but still).
>
> Fabien
>
> On Fri, Dec 11, 2020 at 12:04 PM Denis <denis.ietf@free.fr> wrote:
>
>> Hi Fabien,
>>
>> This is a response only to the point 7 from the "Quick review of
>> draft-ietf-gnap-core-protocol-00".
>> The full original text with your comments is copied after my reply.
>>
>> In order to allow the RC to understand the content of an opaque token,
>> you are proposing to support a Token Introspection query from the RC to the
>> AS.
>> This does not solve the concerns of a RC that wants to make sure that the
>> access token does not contain claims that have not been requested.
>>
>> Let us illustrate the case by using an example:
>>
>> The RC asks to the AS to deliver an access token that contains an
>> identifier only unique to the RS.
>> In reality, the AS delivers an access token that does contain an
>> identifier only unique to the RS
>> but in addition a globally unique identifier. Since the access token is
>> supposed to be opaque to the RC,
>> the RC calls the AS to perform a Token Introspection operation. In its
>> response, the AS presents an identifier
>> that is indeed only unique to the RS but the AS voluntarily *omits *to
>> present the globally unique identifier to the RC.
>>
>> In the same way, if Token Introspection is supported by a RS, that does
>> not provide confidence to the end-user or to the RC.
>>
>> Let us illustrate the case by using another example:
>>
>> The AS delivers to the RC an access token that only contains an
>> identifier unique to the RS. Since the access token
>> is supposed to be opaque to the RS, the RS calls the AS to perform a
>> Token Introspection operation. In its response,
>> the AS presents an identifier that is indeed only unique to the RS but
>> the AS voluntarily *adds *a globally unique identifier.
>>
>> *Conclusion*: In both cases, a globally unique identifier will be used
>> by the RS without the RC or the end-user knowing it.
>>                       Opaque tokens are in contradiction with the
>> end-user's privacy.
>>
>> For end-users caring about their privacy (or for systems willing to
>> protect the user's privacy), access tokens should not be considered
>> to be opaque to RCs, nor to RSs, and ASs should not support Token
>> Introspection, whether it is RS-Token Introspection or RC-Token
>> Introspection.
>>
>> Denis
>>
>>
>> 7. The content and the format of access tokens shall not be considered
>>>>> to be opaque to the RC so that the RC can inspect it.
>>>>>     This is a matter of confidence to make sure for the RC (and for
>>>>> the user) that no "extra" information has been included by the AS into the
>>>>> access token.
>>>>>
>>>> [FI] This might go a bit further than the GNAP's mandate (especially if
>>> it becomes a mandatory requirement). But supposing we support non-opaque
>>> tokens,
>>> does it preclude supporting opaque tokens? It's just a different trust
>>> model, which makes sense if people agree with your premises (previous
>>> items),
>>> but that are less relevant if people still consider the AS as the
>>> central piece. Also one great thing with opaque tokens is that it makes the
>>> system easier to upgrade
>>> (you don't really care about what a token is).
>>>
>>> [Denis] Privacy is not more relevant for an AS-centric model than for a
>>> RS-centric model. In particular, a RC should be able to verify which kind
>>> of end-user identifier claim
>>> has been incorporated into the access token by the AS, in particular
>>> whether it is globally unique, unique to the AS only, unique to the RS only
>>> or ephemeral (valid for
>>> that RS during a session with the AS).
>>>
>> [FI2] ok, see discussion on whether tokens should be opaque or not.
>>
>>> I suppose that the use of structured access tokens should be
>>> recommended. This means,in particular, that from the very beginning, we
>>> should incorporate a version number
>>> inside each access token.
>>>
>>> One alternative way would be to allow RS call to AS for verification
>>> (including revocation status) and include a checksum.
>>>
>>> [Denis]  The RC, i.e. not the RS, should be able to perform such
>>> verification before presenting the access token to the RS. So this
>>> alternative way would not work.
>>>
>> [FI2] then there could be a similar API for the client (cf discussion on
>> similarities between introspection/management APIs).
>>
>>>
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email