IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Fabien Imbault <fabien.imbault@gmail.com> Sat, 12 December 2020 02:35 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F243A0D6B for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 18:35:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I2jqUqvVXD5G for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 18:35:11 -0800 (PST)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA6C93A09BD for <txauth@ietf.org>; Fri, 11 Dec 2020 18:35:11 -0800 (PST)
Received: by mail-io1-xd2b.google.com with SMTP id y5so11496898iow.5 for <txauth@ietf.org>; Fri, 11 Dec 2020 18:35:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uXxHJAwAmzzL2OeKsTaGqmmYsCfvU6oiHoBDvRyJriI=; b=a/NRXwHjXw4bNSBRfRgTUnekXKMqEcgQN2QXg+F6T40vlH/feSL3j5QYjHM9sa7CxN hE+x5ddzWM/4ojddo9yNxeJHYjCEYcNQaLv50HvUFCbnkYZOO52FerQcsv7hXSeglwRb RxBnH4bHIebGi2JLLDSq5rCOuvJy59St7iaNNiNZxgGd3yMD3DwHmQw5cg0hP4sqr7Nd f9EMEL/ea+wf/BfKd3A8zxOhptC0WFDFeWwNJ2HqkJykoioyMlmqg/yGdLn+MiVCCnt+ qgjyF4V3oZ+5bOZX/dlIGOkwmvgle5tnLM3peiAgaxTXIbHjc3Q2vZGKR9+9oXADTksW 8oHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uXxHJAwAmzzL2OeKsTaGqmmYsCfvU6oiHoBDvRyJriI=; b=tDpdS+QU0hW40zTHg2XWmKN4qhkdfSL/m55nmRYl7PWzBnAq5AAfJEeMn+NpVI1HG6 w1Jy4L6RJDOdIxrk2Ev9bRVQnJrc4cbO6gzPjg3t3QyqVCXAareMdrkrqJQfQYvI6egZ qIbu93pp2fi8aZB4PiglvEwOc1RADSz3fmTzrzmqn8kxvP/8C7G99rJ6nKLuHMutC3Ud IvEDux7AUEk5cDCakquQJlYzMQ+tVeehvN9Zda24V1CLaRtujdnaENhTzH6Cl7JBvD49 VoSC0Gbck3ZGc1L3Ua9WodOolIZ2jpXxUSbOHEnGIX4ykZVXeBpWwt3Iah/D+Wwp5JCU MRJQ==
X-Gm-Message-State: AOAM533/cH5lts2qIzg6f96dCna7ww60pV4ynY3htuN1kT4vDycBW55a 4ALikScdMYLUI/JpBeDLTGOglNGlh+h1AQfQDFo=
X-Google-Smtp-Source: ABdhPJxZ6Oxv/LQHec0Oce94w+kshIsHJtTTD//SJPs4HeBtNlBRbs1tpMSsCARPBl7Kx57AMaGDEuGdMm0J057WUm8=
X-Received: by 2002:a6b:dd13:: with SMTP id f19mr18840372ioc.74.1607740510509; Fri, 11 Dec 2020 18:35:10 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAK5Vu_CoU2AN+c9eZBFVRjG69U20DKJzNg+rYcqbPijs4pw3-Q@mail.gmail.com>
In-Reply-To: <CAK5Vu_CoU2AN+c9eZBFVRjG69U20DKJzNg+rYcqbPijs4pw3-Q@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Sat, 12 Dec 2020 03:34:58 +0100
Message-ID: <CAM8feuSVX9dqfGXtmywBUz=wRkHRqaSOkvzmX0pvQuM6T=10nA@mail.gmail.com>
To: Stephen Moore <srmoore@gmail.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, txauth gnap <txauth@ietf.org>, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="000000000000051daf05b63b424a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Hf4LFCK1ykfWG60Q8JzLd0ZMTDA>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2020 02:35:14 -0000

You're completely right. Allowing the dev to be lazy is a very good thing
in general, because it's what we know will work :-)

Le sam. 12 déc. 2020 à 03:15, Stephen Moore <srmoore@gmail.com> a écrit :

> Hi Fabien,
>
> For #3) Even after I typed out the hypothetical attack, that was sort of
> in the back of my mind, it isn't a huge risk there. So I actually agree
> with Dick there. Something doesn't sit right with me for the unique URL
> solution, so I don't like it and came up with a hypothetical that seems
> like it could be a down side.
>
> I still think the access token model with the signed request is the way
> I'd like to go, because again, it's a mechanism I'd be implementing anyway
> to talk to any 'normal' resource. The fact is there is _something_
> representing context that has to pass back and forth here, whether that is
> an access token (which I feel like is more flexible for extensions etc), a
> unique url, or even a cookie sent in the cookie header. So just to
> re-iterate, I'm a +1 on this pull request, speaking as a lazy developer ;)
> -steve
>
> On Fri, Dec 11, 2020 at 8:51 PM Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
>
>> Again speaking in my own name here.
>>
>> Dick, we know you'd prefer to have a different design, but this PR
>> shouldn't be about that.
>>
>> Back on your 3 items :
>>
>> 1) yes we could make pre-register mandatory, but we already decided that
>> wouldn't be how that would work. We have a client instance that allows a
>> more generic and flexible pattern (which BTW also allows what you want)
>>
>> 2) instead of blame arguments of who's less restful/HATEOAS/whatever that
>> have the tenancy to flame conversations, I suggest we speak in less
>> abstract terms and ask ourselves what that means in practice for devs.
>> Stephen and several others (myself included) have expressed that it
>> wouldn't be harder to implement, it would even simplify things quite a lot.
>> If you disagree please send us a code sample to really show that point by
>> example, because that's really not obvious.
>>
>> 3) "If someone has the client credentials, they can impersonate the
>> client, and all bets are off." Are you seriously making this argument?
>> Because if you have a better proposal than using cryptographic keys, I'm
>> all hears. You make it look like there's a problem, while in reality we're
>> only relying on the basic assumption of all modern digital communications.
>>
>> And more importantly you never responded to the issues of how to avoid
>> the security pitfalls of what you proposed.
>>
>> Fabien
>>
>>
>> Le sam. 12 déc. 2020 à 00:35, Dick Hardt <dick.hardt@gmail.com> a écrit :
>>
>>>
>>>
>>> On Fri, Dec 11, 2020 at 2:53 PM Stephen Moore <srmoore@gmail.com> wrote:
>>>
>>>> But from the spec:
>>>> "
>>>> When sending a non-continuation request to the AS, the RC MUST identify
>>>> itself by including the client field of the request...
>>>> ...
>>>> key (object / string) : The public key of the RC to be used in this
>>>> request as described in {{request-key}}. This field is REQUIRED.
>>>> ...
>>>> "
>>>>
>>> So on the initial request, the key will be there.
>>>>
>>>
>>> The client field can be an object or a string. If the client is
>>> pre-registered, then a string could be provided instead of an object.
>>>
>>>>
>>>
>>>>
>>>> If you don't have the access token, then how do you differentiate
>>>> between two requests from the same web application by two different users?
>>>> Is the web application supposed to have different credentials for every
>>>> request?
>>>>
>>>
>>> The AS returns a URI for manipulating the request. I would change the
>>> spec so that each request would have a unique URI. This is the usually
>>> RESTful pattern that the resource (the grant request) has an URI.
>>>
>>>
>>>
>>>> So in this case, the easy way out is to pass the access token to the
>>>> client, who then, as i stated before, treats the continue request as a RS
>>>> call (albeit a specialized version of the RS where the RS is the AS) OR to
>>>> use the unique URL,
>>>> but that seems open to a brute force attack by a malicious RC. (What
>>>> would be the point of that attack, I don't know, I guess if someone had the
>>>> client credentials but not any subjects/resources they could try to
>>>> intercept the grant via continue... I just don't feel right locking things
>>>> down to unique URLs that way.)
>>>>
>>>
>>> If someone has the client credentials, they can impersonate the client,
>>> and all bets are off.
>>>
>>> LOTS of RS servers return a resource specific URL -- my proposal is no
>>> different.
>>>
>>>
>>>
>>>
>>>> -steve
>>>>
>>>> On Fri, Dec 11, 2020 at 5:33 PM Dick Hardt <dick.hardt@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Stephen
>>>>>
>>>>> The client is signing the first request. The key *might* be in the
>>>>> body. The client is signing all the subsequent requests as well. The
>>>>> "access token" is not needed by the client to prove it is authorized as the
>>>>> client is proving it is the same client again.
>>>>>
>>>>> In other words, I don't see the need for an access token, so it does
>>>>> not need to be put in a URL or an auth header.
>>>>>
>>>>> If a developer really, really wants to hand context back to the client
>>>>> for subsequent calls, they can put it in the URL or some other method.
>>>>> Putting it in the HTTP Authorization header is confusing because it is NOT
>>>>> an access token -- it is the context of the request.
>>>>>
>>>>> ᐧ
>>>>>
>>>>> On Fri, Dec 11, 2020 at 2:01 PM Stephen Moore <srmoore@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Even though I've only been lightly following things, I feel the need
>>>>>> to voice my preference as a developer since I will probably someday have to
>>>>>> either write a RC or RS...
>>>>>>
>>>>>> The way I see it is the RC makes the initial request to the AS as
>>>>>> part of this request, it provides it's key in the body... (So no use of the
>>>>>> Authorization header)
>>>>>> At this point that request, represented by the continue URL + "Access
>>>>>> Token", from my lazy developer standpoint, is a Resource Endpoint and
>>>>>> Access Token, and the AS is acting as a specialized RS in this case.
>>>>>> So my client posts to whatever URL with the 'access token' in the
>>>>>> authorization header, just like acting on any other resource I have a token
>>>>>> for. YES, I get a new token value to use every call, and there is a
>>>>>> decision point of "Do I have another continue, or do I have a real token
>>>>>> for the resource..." But the mechanism is the same to me in the client.
>>>>>> Personally I like that, because if I have an access_token, I already
>>>>>> think "Put it in the auth header."
>>>>>>
>>>>>> So my vote would be +1 for the pull request at this time.
>>>>>> -steve
>>>>>>
>>>>>> On Fri, Dec 11, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> inline ...
>>>>>>>
>>>>>>> On Fri, Dec 11, 2020 at 9:58 AM Justin Richer <jricher@mit.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Others had already responded to this previous thread, but I wanted
>>>>>>>> to add a couple points to clarify some things.
>>>>>>>>
>>>>>>>> 3) What the client has to do with the "access token" is not the
>>>>>>>> same as access tokens for an RS. The client gets a new "access token" for
>>>>>>>> each grant request, and for each API call to the AS, and the client learns
>>>>>>>> it can not make any more API calls for that specific request when it does
>>>>>>>> not get an "access token" back. This is a completely different design
>>>>>>>> pattern than calling an RS API with an access token, and is a new design
>>>>>>>> pattern for calling APIs. This adds complexity to the client that it would
>>>>>>>> not normally have, and I don't think GNAP is the right place to start a new
>>>>>>>> design pattern.
>>>>>>>>
>>>>>>>>
>>>>>>>> I’m not sure what you mean by these being different — the whole
>>>>>>>> point of the design is that the client would be doing the same thing with
>>>>>>>> the access token at the AS that it does with the RS by re-using the access
>>>>>>>> token structure. Can you please describe what the differences are, apart
>>>>>>>> from the rotation? Presentation of the token and signing of the message are
>>>>>>>> identical.
>>>>>>>>
>>>>>>>
>>>>>>> The client is getting the "access token" from its API. It is not
>>>>>>> using an "access_token" in other API calls to the AS.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Rotation of the access token and artifacts for ongoing continuation
>>>>>>>> responses is a separate issue to be discussed:
>>>>>>>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/87
>>>>>>>>
>>>>>>>> And for what it’s worth, GNAP is absolutely the right place to have
>>>>>>>> new designs — not that this is one.
>>>>>>>>
>>>>>>>
>>>>>>> You are proposing a new way for an API to provide context for
>>>>>>> subsequent API calls. Looks out of scope to me.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> 4) Clients that only want claims from the AS and no access tokens
>>>>>>>> will be required to support an API calling mechanism they would not have to
>>>>>>>> support otherwise.
>>>>>>>>
>>>>>>>>
>>>>>>>> Correct, but the delta between the calls a client would make with
>>>>>>>> and without an access token is vanishingly small. The client has to sign
>>>>>>>> the initial request in some fashion, and it will sign the continuation
>>>>>>>> request in the same exact fashion, but now include an access token in that
>>>>>>>> request.
>>>>>>>>
>>>>>>>
>>>>>>> Per my other point, there is no value to me in my implementations of
>>>>>>> passing context back and forth between the client and AS -- so it is extra
>>>>>>> work providing no value.
>>>>>>>
>>>>>>> Also, any client authentication mechanism that wants to use the HTTP
>>>>>>> Authentication header is precluded from using it.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> Clients making a request to an AS and not getting an access token
>>>>>>>> is a new design pattern. I think it has value and should be included, but
>>>>>>>> OAuth today shows us the immense value of getting access tokens for calling
>>>>>>>> APIs, and so we shouldn’t optimize away from that pattern.
>>>>>>>>
>>>>>>>>
>>>>>>>> 5) If the AS does not provide an "access token", there is no
>>>>>>>> mechanism for a client to delete the request, as the client is not allowed
>>>>>>>> to make a call without an "access token".
>>>>>>>>
>>>>>>>>
>>>>>>>> More properly, if the AS does not provide a “continue” field then
>>>>>>>> the client can’t delete the request — and yes, that’s intentional. The AS
>>>>>>>> is telling this client instance that it can’t do anything else with this
>>>>>>>> ongoing request. If the AS wants to allow the client to manage it, it will
>>>>>>>> include the mechanisms to do so in the “continue” field.
>>>>>>>>
>>>>>>>
>>>>>>> There is nuance in that intention. A related concern is that
>>>>>>> deleting a request does not seem like it is a "continue" operation.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> 6) There is no standard identifier for the request. Debugging and
>>>>>>>> auditing are hampered by the client and AS having no standard way to
>>>>>>>> identifying a request. While one AS may provide a unique URL for each grant
>>>>>>>> request, another AS may use a persistent "access token" to identify the
>>>>>>>> grant request, and other ASs may issue a new "access token" on each API
>>>>>>>> call, providing no persistent identifier for the request.
>>>>>>>>
>>>>>>>>
>>>>>>>> Debugging and auditing this kind of thing are functions of the AS.
>>>>>>>> How is interoperability harmed by different ASs having different methods to
>>>>>>>> identify their internal data elements? The client doesn’t need any
>>>>>>>> knowledge of the AS’s identifiers, it just needs to know the next steps for
>>>>>>>> continuing the negotiation.
>>>>>>>>
>>>>>>>
>>>>>>> Debugging between the client and the AS was what I was referring to.
>>>>>>> How does a client developer identify the request when communicating to the
>>>>>>> AS developer. Seems complicated.
>>>>>>>
>>>>>>> ᐧ
>>>>>>> --
>>>>>>> TXAuth mailing list
>>>>>>> TXAuth@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>>>>
>>>>>> ᐧ
>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>>

v2.23.0 | Report a Bug | By Email