Re: [GNAP] RS-Token Introspection or RC-Token Introspection
Fabien Imbault <fabien.imbault@gmail.com> Sun, 13 December 2020 09:06 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F2C3A15FD for <txauth@ietfa.amsl.com>; Sun, 13 Dec 2020 01:06:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.186
X-Spam-Level:
X-Spam-Status: No, score=-0.186 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YLY42KkAsZsY for <txauth@ietfa.amsl.com>; Sun, 13 Dec 2020 01:06:27 -0800 (PST)
Received: from mail-il1-x136.google.com (mail-il1-x136.google.com [IPv6:2607:f8b0:4864:20::136]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 665713A15FC for <txauth@ietf.org>; Sun, 13 Dec 2020 01:06:27 -0800 (PST)
Received: by mail-il1-x136.google.com with SMTP id t9so12978209ilf.2 for <txauth@ietf.org>; Sun, 13 Dec 2020 01:06:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q6CbNT1Ny6zXaDGX/0v0gcLh6pWf3efef8nETZc7UBc=; b=uNd5hQqipnlw6HqzofQx8uZTWNNtKVA297TY2M0bgzfejsHvHd64EkX1H+rI75Up6d OyKDz4p0W4i1kRgCyBI4/CmdZEl26jV3DHkPqLOaARNW17YgxGEFyoBOhhUiputcka7F oyQBaN80k2pJAJR7c44LS4fFvKdD3JylB7grkuUTPxgKlBh2fNKrfo3Dq8lTskmgW4hW jBTZTNAubiQp83FkTVKcVQODTaKJYH4RDOtQpU8bNeZJRQHWn7bjByO4yiQ+1INqY3kw vbodsBlv9ZwHjjyjnQF+8EM96H0wFDj+LMTZGf5Z5QEFOQwrHG5pjz94MaPSEh6gDazH sZNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q6CbNT1Ny6zXaDGX/0v0gcLh6pWf3efef8nETZc7UBc=; b=d3U5j3g/nIgxJphkc+PdsG1ZPNdZHxmXbi1AQN28BSrDugtdjaGOSSat5aNsBPL23f +QmpQ3vzIUTH8H1fcbCWTz8PeOVUgwZlDTpMC76SWhA83hQtkyrQfNK4bsYFOn5si5Qo OWWtm7n0weV0HJ6FsGNjPN9jHPU81niXzazYaXk3RMKsuS/zbgaijcDX3vpOoB95U6aP cTujABjwd4oDZSutkhRGcZO1feQfMACzdDm9bZOE3GZ3V/oJeKxTw5ge/ppLFkmpIcqn dCEhQHXUiU8p0Vy5s6OEYwler1msMCXFavz7NI0TCR55bg/V/jyrvf4mm9fkX5CQprE/ wq1g==
X-Gm-Message-State: AOAM533seFyXMtP7aEUJtIN5dqDZLJkG4VWMW0GFdOsVv5Fj/KYCEoM4 o69XbiHmR7qcFgEt3AfS0ECz3SPDnVn9MhyxUbA=
X-Google-Smtp-Source: ABdhPJxjlja2RfHfTz1W+Srm22cPnWCBF6O6QcwVZWF+3OF61DnL3m6TupLXQusJ3/53dmO0f8572JO3xEPC6NF1g0E=
X-Received: by 2002:a92:6b05:: with SMTP id g5mr26590961ilc.289.1607850386503; Sun, 13 Dec 2020 01:06:26 -0800 (PST)
MIME-Version: 1.0
References: <7f06d460-a4bb-652a-bba0-fe5fe5e6478f@free.fr> <CAM8feuQd3TkD0-hYfJQW0f4C9pnZO1J646hg9cumbb22D2XK5g@mail.gmail.com> <CAM8feuSRoUvKaDkheuQa5kp52hFhK+=TBp+1dq9qQrFweGf7vg@mail.gmail.com> <56f50921-a88f-230a-20d1-aee187f09b6e@free.fr> <CAM8feuSeXjJwVdjaAP-B=mKVDePyPcx3Vpd7Ef6GFY1YwbMJ6A@mail.gmail.com> <21cf7c30-c42a-f29c-a407-7badde5c0151@free.fr> <CAM8feuTnu6F6V8e6Fa=RP4wn2ZXocpShU1GH9UD951PFLk1avA@mail.gmail.com> <c2d6c307-d7b4-d32a-7c34-a7131e5bdc6b@free.fr> <CAM8feuQbcFPYBu7fd8DiOpDA46xjOqPEL2aOn_R77=Sctr+XpA@mail.gmail.com>
In-Reply-To: <CAM8feuQbcFPYBu7fd8DiOpDA46xjOqPEL2aOn_R77=Sctr+XpA@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Sun, 13 Dec 2020 10:06:13 +0100
Message-ID: <CAM8feuTnBr2fMe3pSn6rwsXUSo__0vP_qmfEmkPQEjE+jtwn9g@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023bbc005b654d744"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/IvTxCMEWS8m-St3KXzcJUN6lX8U>
Subject: Re: [GNAP] RS-Token Introspection or RC-Token Introspection
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Dec 2020 09:06:33 -0000
Hi Denis, I created https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/145 to follow up on that. Fabien On Fri, Dec 11, 2020 at 7:12 PM Fabien Imbault <fabien.imbault@gmail.com> wrote: > Hi Denis, > > I agree that what you're saying makes sense. > > I'm just asking more broadly what people think of it (and trying to > balance the risks and benefits of each approach). > > Fabien > > On Fri, Dec 11, 2020 at 6:56 PM Denis <denis.ietf@free.fr> wrote: > >> Hi Fabien, >> >> Hi Denis, >> >> Please note that the token introspection is not a new idea, it's already >> present in OAuth2 world (rfc 7662), and allows the RS to verify the access >> token. >> >> I am pretty aware that token introspection is already present in the >> OAuth2 world (rfc 7662). :-) >> >> In important point : RFC 7662 states "the contents of tokens are opaque >> to clients". >> The text does *not* state : "the contents of tokens are opaque to both >> clients and Resource Servers (RSs). >> >> In the current version of GNAP, there is also section 6 that introduces >> management endpoints, which could potentially be extended in a similar way >> (currently this is not specified, the management endpoint is here for >> rotation/revocation). Then the client could require more information on >> what is included in the opaque token, but of course, this relies on the >> assumption that the client trusts the AS. There is also the discussion on >> the "resource" description in the response, that may provide a simpler >> scheme (https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/141). >> >> But if we assume the AS may be malevolent (which is more likely if the AS >> becomes a less central point, at least for some implementations), >> then indeed receiving opaque tokens wouldn't provide all the guarantees, >> as it may lie on what is really in the token (too many claims for >> instance). >> >> >> More specifically, while I recon there might be a risk which we'd rather >> not have, I don't really think an opaque token is really an unmanageable >> issue with privacy. >> Suppose someone adds a field in a JWT, most likely you'll be able to >> detect that. >> >> RFC 7662 has been made available primarily for "lazy" RSs. :-) >> >> Let us consider a case where the contents of access tokens are opaque to >> both RCs and RSs. >> Let us suppose that opaque access tokens contains only a temporary handle >> to the set of claims related to the end-user, e.g. a 128 bits handle. >> >> Neither the RC, nor the RS would be able to understand it and the RS >> would be forced to call back the AS. >> Not only this call back will be bad in terms of the user's privacy >> because the AS will be able to know exactly when the access token has been >> used >> by the end-user but it would be impossible to detect it to prevent some >> damage on the RS side. >> We cannot assume that all future ASs in the world, while still providing >> the requested claims, will never deliver more attributes than the ones >> requested >> by the RC and thus allow RSs (and possibly other servers) link their >> users. >> >> >> But suppose we go for non opaque tokens, then we'd need a way of >> describing its format. Which might limit a bit the use cases if we're not >> careful. >> >> In OAuth 2.0, it has been possible to describe a token format (JSON Web >> Token (JWT) Profile for OAuth 2.0 Access Tokens). >> I don't believe it would a "mission impossible" in this WG to describe a >> GNAP format for access tokens. >> >> The IETF is supposed to standardize protocols at the bit level and this >> has made its success. >> >> Denis >> >> >> I'd be interested to know what others think, since it is diverging quite >> a bit from the OAuth2 world (not a bad thing in itself but still). >> >> Fabien >> >> On Fri, Dec 11, 2020 at 12:04 PM Denis <denis.ietf@free.fr> wrote: >> >>> Hi Fabien, >>> >>> This is a response only to the point 7 from the "Quick review of >>> draft-ietf-gnap-core-protocol-00". >>> The full original text with your comments is copied after my reply. >>> >>> In order to allow the RC to understand the content of an opaque token, >>> you are proposing to support a Token Introspection query from the RC to the >>> AS. >>> This does not solve the concerns of a RC that wants to make sure that >>> the access token does not contain claims that have not been requested. >>> >>> Let us illustrate the case by using an example: >>> >>> The RC asks to the AS to deliver an access token that contains an >>> identifier only unique to the RS. >>> In reality, the AS delivers an access token that does contain an >>> identifier only unique to the RS >>> but in addition a globally unique identifier. Since the access token is >>> supposed to be opaque to the RC, >>> the RC calls the AS to perform a Token Introspection operation. In its >>> response, the AS presents an identifier >>> that is indeed only unique to the RS but the AS voluntarily *omits *to >>> present the globally unique identifier to the RC. >>> >>> In the same way, if Token Introspection is supported by a RS, that does >>> not provide confidence to the end-user or to the RC. >>> >>> Let us illustrate the case by using another example: >>> >>> The AS delivers to the RC an access token that only contains an >>> identifier unique to the RS. Since the access token >>> is supposed to be opaque to the RS, the RS calls the AS to perform a >>> Token Introspection operation. In its response, >>> the AS presents an identifier that is indeed only unique to the RS but >>> the AS voluntarily *adds *a globally unique identifier. >>> >>> *Conclusion*: In both cases, a globally unique identifier will be used >>> by the RS without the RC or the end-user knowing it. >>> Opaque tokens are in contradiction with the >>> end-user's privacy. >>> >>> For end-users caring about their privacy (or for systems willing to >>> protect the user's privacy), access tokens should not be considered >>> to be opaque to RCs, nor to RSs, and ASs should not support Token >>> Introspection, whether it is RS-Token Introspection or RC-Token >>> Introspection. >>> >>> Denis >>> >>> >>> 7. The content and the format of access tokens shall not be considered >>>>>> to be opaque to the RC so that the RC can inspect it. >>>>>> This is a matter of confidence to make sure for the RC (and for >>>>>> the user) that no "extra" information has been included by the AS into the >>>>>> access token. >>>>>> >>>>> [FI] This might go a bit further than the GNAP's mandate (especially >>>> if it becomes a mandatory requirement). But supposing we support non-opaque >>>> tokens, >>>> does it preclude supporting opaque tokens? It's just a different trust >>>> model, which makes sense if people agree with your premises (previous >>>> items), >>>> but that are less relevant if people still consider the AS as the >>>> central piece. Also one great thing with opaque tokens is that it makes the >>>> system easier to upgrade >>>> (you don't really care about what a token is). >>>> >>>> [Denis] Privacy is not more relevant for an AS-centric model than for a >>>> RS-centric model. In particular, a RC should be able to verify which kind >>>> of end-user identifier claim >>>> has been incorporated into the access token by the AS, in particular >>>> whether it is globally unique, unique to the AS only, unique to the RS only >>>> or ephemeral (valid for >>>> that RS during a session with the AS). >>>> >>> [FI2] ok, see discussion on whether tokens should be opaque or not. >>> >>>> I suppose that the use of structured access tokens should be >>>> recommended. This means,in particular, that from the very beginning, we >>>> should incorporate a version number >>>> inside each access token. >>>> >>>> One alternative way would be to allow RS call to AS for verification >>>> (including revocation status) and include a checksum. >>>> >>>> [Denis] The RC, i.e. not the RS, should be able to perform such >>>> verification before presenting the access token to the RS. So this >>>> alternative way would not work. >>>> >>> [FI2] then there could be a similar API for the client (cf discussion on >>> similarities between introspection/management APIs). >>> >>>> >>> -- >>> TXAuth mailing list >>> TXAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/txauth >>> >> >> -- >> TXAuth mailing list >> TXAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> >
- [GNAP] Quick review of draft-ietf-gnap-core-proto… Denis
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Fabien Imbault
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Fabien Imbault
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Denis
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Fabien Imbault
- [GNAP] RS-Token Introspection or RC-Token Introsp… Denis
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Fabien Imbault
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Denis
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Fabien Imbault
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Fabien Imbault