IETF Logo Mail Archive

Re: [GNAP] RS-Token Introspection or RC-Token Introspection

Fabien Imbault <fabien.imbault@gmail.com> Sun, 13 December 2020 09:06 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F2C3A15FD for <txauth@ietfa.amsl.com>; Sun, 13 Dec 2020 01:06:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.186
X-Spam-Level:
X-Spam-Status: No, score=-0.186 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YLY42KkAsZsY for <txauth@ietfa.amsl.com>; Sun, 13 Dec 2020 01:06:27 -0800 (PST)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 665713A15FC for <txauth@ietf.org>; Sun, 13 Dec 2020 01:06:27 -0800 (PST)
Received: by mail-il1-x136.google.com with SMTP id t9so12978209ilf.2 for <txauth@ietf.org>; Sun, 13 Dec 2020 01:06:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q6CbNT1Ny6zXaDGX/0v0gcLh6pWf3efef8nETZc7UBc=; b=uNd5hQqipnlw6HqzofQx8uZTWNNtKVA297TY2M0bgzfejsHvHd64EkX1H+rI75Up6d OyKDz4p0W4i1kRgCyBI4/CmdZEl26jV3DHkPqLOaARNW17YgxGEFyoBOhhUiputcka7F oyQBaN80k2pJAJR7c44LS4fFvKdD3JylB7grkuUTPxgKlBh2fNKrfo3Dq8lTskmgW4hW jBTZTNAubiQp83FkTVKcVQODTaKJYH4RDOtQpU8bNeZJRQHWn7bjByO4yiQ+1INqY3kw vbodsBlv9ZwHjjyjnQF+8EM96H0wFDj+LMTZGf5Z5QEFOQwrHG5pjz94MaPSEh6gDazH sZNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q6CbNT1Ny6zXaDGX/0v0gcLh6pWf3efef8nETZc7UBc=; b=d3U5j3g/nIgxJphkc+PdsG1ZPNdZHxmXbi1AQN28BSrDugtdjaGOSSat5aNsBPL23f +QmpQ3vzIUTH8H1fcbCWTz8PeOVUgwZlDTpMC76SWhA83hQtkyrQfNK4bsYFOn5si5Qo OWWtm7n0weV0HJ6FsGNjPN9jHPU81niXzazYaXk3RMKsuS/zbgaijcDX3vpOoB95U6aP cTujABjwd4oDZSutkhRGcZO1feQfMACzdDm9bZOE3GZ3V/oJeKxTw5ge/ppLFkmpIcqn dCEhQHXUiU8p0Vy5s6OEYwler1msMCXFavz7NI0TCR55bg/V/jyrvf4mm9fkX5CQprE/ wq1g==
X-Gm-Message-State: AOAM533seFyXMtP7aEUJtIN5dqDZLJkG4VWMW0GFdOsVv5Fj/KYCEoM4 o69XbiHmR7qcFgEt3AfS0ECz3SPDnVn9MhyxUbA=
X-Google-Smtp-Source: ABdhPJxjlja2RfHfTz1W+Srm22cPnWCBF6O6QcwVZWF+3OF61DnL3m6TupLXQusJ3/53dmO0f8572JO3xEPC6NF1g0E=
X-Received: by 2002:a92:6b05:: with SMTP id g5mr26590961ilc.289.1607850386503; Sun, 13 Dec 2020 01:06:26 -0800 (PST)
MIME-Version: 1.0
References: <7f06d460-a4bb-652a-bba0-fe5fe5e6478f@free.fr> <CAM8feuQd3TkD0-hYfJQW0f4C9pnZO1J646hg9cumbb22D2XK5g@mail.gmail.com> <CAM8feuSRoUvKaDkheuQa5kp52hFhK+=TBp+1dq9qQrFweGf7vg@mail.gmail.com> <56f50921-a88f-230a-20d1-aee187f09b6e@free.fr> <CAM8feuSeXjJwVdjaAP-B=mKVDePyPcx3Vpd7Ef6GFY1YwbMJ6A@mail.gmail.com> <21cf7c30-c42a-f29c-a407-7badde5c0151@free.fr> <CAM8feuTnu6F6V8e6Fa=RP4wn2ZXocpShU1GH9UD951PFLk1avA@mail.gmail.com> <c2d6c307-d7b4-d32a-7c34-a7131e5bdc6b@free.fr> <CAM8feuQbcFPYBu7fd8DiOpDA46xjOqPEL2aOn_R77=Sctr+XpA@mail.gmail.com>
In-Reply-To: <CAM8feuQbcFPYBu7fd8DiOpDA46xjOqPEL2aOn_R77=Sctr+XpA@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Sun, 13 Dec 2020 10:06:13 +0100
Message-ID: <CAM8feuTnBr2fMe3pSn6rwsXUSo__0vP_qmfEmkPQEjE+jtwn9g@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023bbc005b654d744"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/IvTxCMEWS8m-St3KXzcJUN6lX8U>
Subject: Re: [GNAP] RS-Token Introspection or RC-Token Introspection
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Dec 2020 09:06:33 -0000

Hi Denis,

I created https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/145 to
follow up on that.

Fabien

On Fri, Dec 11, 2020 at 7:12 PM Fabien Imbault <fabien.imbault@gmail.com>
wrote:

> Hi Denis,
>
> I agree that what you're saying makes sense.
>
> I'm just asking more broadly what people think of it (and trying to
> balance the risks and benefits of each approach).
>
> Fabien
>
> On Fri, Dec 11, 2020 at 6:56 PM Denis <denis.ietf@free.fr> wrote:
>
>> Hi Fabien,
>>
>> Hi Denis,
>>
>> Please note that the token introspection is not a new idea, it's already
>> present in OAuth2 world (rfc 7662), and allows the RS to verify the access
>> token.
>>
>> I am pretty aware that token introspection is already present in the
>> OAuth2 world (rfc 7662). :-)
>>
>> In important point : RFC 7662 states "the contents of tokens are opaque
>> to clients".
>> The text does *not* state : "the contents of tokens are opaque to both
>> clients and Resource Servers (RSs).
>>
>> In the current version of GNAP, there is also section 6 that introduces
>> management endpoints, which could potentially be extended in a similar way
>> (currently this is not specified, the management endpoint is here for
>> rotation/revocation). Then the client could require more information on
>> what is included in the opaque token, but of course, this relies on the
>> assumption that the client trusts the AS. There is also the discussion on
>> the "resource" description in the response, that may provide a simpler
>> scheme (https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/141).
>>
>> But if we assume the AS may be malevolent (which is more likely if the AS
>> becomes a less central point, at least for some implementations),
>> then indeed receiving opaque tokens wouldn't provide all the guarantees,
>> as it may lie on what is really in the token (too many claims for
>> instance).
>>
>>
>> More specifically, while I recon there might be a risk which we'd rather
>> not have, I don't really think an opaque token is really an unmanageable
>> issue with privacy.
>> Suppose someone adds a field in a JWT, most likely you'll be able to
>> detect that.
>>
>> RFC 7662 has been made available primarily for "lazy" RSs. :-)
>>
>> Let us consider a case where the contents of access tokens are opaque to
>> both RCs and RSs.
>> Let us suppose that opaque access tokens contains only a temporary handle
>> to the set of claims related to the end-user, e.g. a 128 bits handle.
>>
>> Neither the RC, nor the RS would be able to understand it and the RS
>> would be forced to call back the AS.
>> Not only this call back will be bad in terms of the user's privacy
>> because the AS will be able to know exactly when the access token has been
>> used
>> by the end-user but it would be impossible to detect it to prevent some
>> damage on the RS side.
>> We cannot assume that all future ASs in the world, while still providing
>> the requested claims, will never deliver more attributes than the ones
>> requested
>> by the RC and thus allow RSs (and possibly other servers) link their
>> users.
>>
>>
>> But suppose we go for non opaque tokens, then we'd need a way of
>> describing its format. Which might limit a bit the use cases if we're not
>> careful.
>>
>> In OAuth 2.0, it has been possible to describe a token format (JSON Web
>> Token (JWT) Profile for OAuth 2.0 Access Tokens).
>> I don't believe it would a "mission impossible" in this WG to describe a
>> GNAP format for access tokens.
>>
>> The IETF is supposed to standardize protocols at the bit level and this
>> has made its success.
>>
>> Denis
>>
>>
>> I'd be interested to know what others think, since it is diverging quite
>> a bit from the OAuth2 world (not a bad thing in itself but still).
>>
>> Fabien
>>
>> On Fri, Dec 11, 2020 at 12:04 PM Denis <denis.ietf@free.fr> wrote:
>>
>>> Hi Fabien,
>>>
>>> This is a response only to the point 7 from the "Quick review of
>>> draft-ietf-gnap-core-protocol-00".
>>> The full original text with your comments is copied after my reply.
>>>
>>> In order to allow the RC to understand the content of an opaque token,
>>> you are proposing to support a Token Introspection query from the RC to the
>>> AS.
>>> This does not solve the concerns of a RC that wants to make sure that
>>> the access token does not contain claims that have not been requested.
>>>
>>> Let us illustrate the case by using an example:
>>>
>>> The RC asks to the AS to deliver an access token that contains an
>>> identifier only unique to the RS.
>>> In reality, the AS delivers an access token that does contain an
>>> identifier only unique to the RS
>>> but in addition a globally unique identifier. Since the access token is
>>> supposed to be opaque to the RC,
>>> the RC calls the AS to perform a Token Introspection operation. In its
>>> response, the AS presents an identifier
>>> that is indeed only unique to the RS but the AS voluntarily *omits *to
>>> present the globally unique identifier to the RC.
>>>
>>> In the same way, if Token Introspection is supported by a RS, that does
>>> not provide confidence to the end-user or to the RC.
>>>
>>> Let us illustrate the case by using another example:
>>>
>>> The AS delivers to the RC an access token that only contains an
>>> identifier unique to the RS. Since the access token
>>> is supposed to be opaque to the RS, the RS calls the AS to perform a
>>> Token Introspection operation. In its response,
>>> the AS presents an identifier that is indeed only unique to the RS but
>>> the AS voluntarily *adds *a globally unique identifier.
>>>
>>> *Conclusion*: In both cases, a globally unique identifier will be used
>>> by the RS without the RC or the end-user knowing it.
>>>                       Opaque tokens are in contradiction with the
>>> end-user's privacy.
>>>
>>> For end-users caring about their privacy (or for systems willing to
>>> protect the user's privacy), access tokens should not be considered
>>> to be opaque to RCs, nor to RSs, and ASs should not support Token
>>> Introspection, whether it is RS-Token Introspection or RC-Token
>>> Introspection.
>>>
>>> Denis
>>>
>>>
>>> 7. The content and the format of access tokens shall not be considered
>>>>>> to be opaque to the RC so that the RC can inspect it.
>>>>>>     This is a matter of confidence to make sure for the RC (and for
>>>>>> the user) that no "extra" information has been included by the AS into the
>>>>>> access token.
>>>>>>
>>>>> [FI] This might go a bit further than the GNAP's mandate (especially
>>>> if it becomes a mandatory requirement). But supposing we support non-opaque
>>>> tokens,
>>>> does it preclude supporting opaque tokens? It's just a different trust
>>>> model, which makes sense if people agree with your premises (previous
>>>> items),
>>>> but that are less relevant if people still consider the AS as the
>>>> central piece. Also one great thing with opaque tokens is that it makes the
>>>> system easier to upgrade
>>>> (you don't really care about what a token is).
>>>>
>>>> [Denis] Privacy is not more relevant for an AS-centric model than for a
>>>> RS-centric model. In particular, a RC should be able to verify which kind
>>>> of end-user identifier claim
>>>> has been incorporated into the access token by the AS, in particular
>>>> whether it is globally unique, unique to the AS only, unique to the RS only
>>>> or ephemeral (valid for
>>>> that RS during a session with the AS).
>>>>
>>> [FI2] ok, see discussion on whether tokens should be opaque or not.
>>>
>>>> I suppose that the use of structured access tokens should be
>>>> recommended. This means,in particular, that from the very beginning, we
>>>> should incorporate a version number
>>>> inside each access token.
>>>>
>>>> One alternative way would be to allow RS call to AS for verification
>>>> (including revocation status) and include a checksum.
>>>>
>>>> [Denis]  The RC, i.e. not the RS, should be able to perform such
>>>> verification before presenting the access token to the RS. So this
>>>> alternative way would not work.
>>>>
>>> [FI2] then there could be a similar API for the client (cf discussion on
>>> similarities between introspection/management APIs).
>>>
>>>>
>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>>
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>

v2.23.0 | Report a Bug | By Email