From nobody Tue Aug 18 10:46:07 2020
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 8858F3A08EB
 for <txauth@ietfa.amsl.com>; Tue, 18 Aug 2020 10:46:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level: 
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5
 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
 DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
 HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001,
 SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
 header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id JDBd3dk1HGXs for <txauth@ietfa.amsl.com>;
 Tue, 18 Aug 2020 10:46:00 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com
 [IPv6:2a00:1450:4864:20::22a])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 27D013A08E4
 for <txauth@ietf.org>; Tue, 18 Aug 2020 10:45:59 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id f26so22380474ljc.8
 for <txauth@ietf.org>; Tue, 18 Aug 2020 10:45:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; 
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=SN5jjz9n57li62TcWigvNXYFoVLEQhOfpamB844mu/M=;
 b=afeZpfDM0mFcdNGN2ibHA3AScqizGkjomfOoyF8lgxS07k5iSxsSI+dlo1JXIZUjpZ
 ozIOP15y5d94lapc/VZMGSl7Kn3iXVQxa8zNa4rjn+BKeEjgUWF4OW58QTPZA4yl3KDZ
 2vDeIEqt3sIw7SrIunZkkpcDVg01yczKnVL+udEFft1BLRfY7sHycfZ4j9FoPEpnY2aO
 1F/+6wy0OKfZDQnOEyaTeuZ1leP1J0sDurt3EdaCgVmfsFyI7CUNy5Cp2L/vKwCgZw+M
 QEMbvW/w7ctbYa2m78llcdPZP/im2T64QeOOU78ceMjl28Nci4C1lrXYlxkP4QN+0/NW
 9N7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=SN5jjz9n57li62TcWigvNXYFoVLEQhOfpamB844mu/M=;
 b=e2ysnN/+kiaF3/azax+6wnB1SuvLjX4ZCLlaytaToU4sGR3NVliQQ7DYp9hyts0yVX
 5n3p65BTwLCjpvBcEmHeHiMcjKK2TwH2KpwWrrqUwrVPMw8qbTwY/SBx7TTghxb5LcPh
 WGnedyvG6UQ+VkvmUIP58hxVRv62oRB/Iiqxx8P9/4LRScEoWjadGg85T6mFtStXIRQz
 DiRtdrbbTcMXTSDgpftQ3g3srWdbagpxoHX3RMGGEstatNn3M19FPqrdOJt1yiEqcB8Q
 IDCcwRT5Zg4cGhL6tXALkW/ObIyERmvS0WqSg4GJ9vtDOGkdY3TC1tOOHzSR6UIa7M8f
 6VBA==
X-Gm-Message-State: AOAM531jQ6UmizYVYGwc6N8WbkbZZRPsXnxYi/tOXlAjw4gBx2/EndfX
 tRiCjBFXYuFrd4F7j/3ojT3CodbmyAPiAroSLfWdYgWvRJ8=
X-Google-Smtp-Source: ABdhPJwEYzrvjwqGPViTMfV+Dfv2tyljHCPDc81hGS4o9daSna88C0YslmoDsfUThAMvpgXZ7nB3ycvP6FRVaDROVjw=
X-Received: by 2002:a2e:2283:: with SMTP id
 i125mr10119558lji.142.1597772757444; 
 Tue, 18 Aug 2020 10:45:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-v_1GHHJWVeXb5cXiUELj-Un7BN6uCdqSRz4qjL_rq=UQ@mail.gmail.com>
 <af835def-624b-bad3-1c86-9eb55443d8fe@free.fr>
In-Reply-To: <af835def-624b-bad3-1c86-9eb55443d8fe@free.fr>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 18 Aug 2020 10:45:21 -0700
Message-ID: <CAD9ie-sJFELQo9jd=W9234dnhcAngBk2TdEofWSswcTNX2pg1Q@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a3c67105ad2a752b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/MNJRtelHvef4A-uH8uS6fQrnFwg>
Subject: Re: [GNAP] draft-hardt-xauth-protocol-14 update - reworked
 introduction
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>,
 <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>,
 <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 17:46:05 -0000

--000000000000a3c67105ad2a752b
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi Denis

Thanks for taking the time to review the latest draft

While *your* cases may require certain conditions, other use cases have
other conditions.

For example, existing OAuth 2 flows do NOT have the client query the RS
first. Per the charter, supporting OAuth 2 use cases is in scope.


=E1=90=A7

On Tue, Aug 18, 2020 at 10:29 AM Denis <denis.ietf@free.fr> wrote:

> Hi Dick,
>
> I have taken a look at the specification and there are good news but
> unfortunately also bad news.
>
> The good news: There is a Privacy considerations section (section 11)
>
> The bad news: There is the title of that section, but no text in it.
>
> The good news: The first exchange is now between the client and the RS:
>
> (1) The GC may query the RS to determine what the RS requires from a GS
> for resource access.
>
> The bad news: The text is using a "may" and continues with: "This step is
> not in scope for this document".
>
> This first flow is fundamental and if the client has never contacted the
> RS before, that step shall be performed.
> Hence, the use of the word "may" is inappropriate. In addition, using the
> singular "for a GS" is also inappropriate since a RS
> may trust more than one GS.
>
> Please take a look at the uses cases I have posted today called:
> "Enterprise servers and Internet servers use cases"
> The document is available at :
> https://github.com/ietf-wg-gnap/general/wiki/Enterprise-servers-and-Inter=
net-servers-use-cases
>
> This post attempts to explain why this first flow is the most important.
> IMHO, it should be within the scope.
>
> BTW, I don't like the wording "Grant Client" since it is ambiguous as it
> does not make any difference between what I call
> a "User Client" and an "Enterprise Client".
>
> The text then uses the following sentence which is inappropriate for
> various reasons:
>
> The Grant Client may be interacting with a human end-user (User),
>
> A user client *must *be interacting with a human end-user (User). The
> User must interact using, what I call, a "User Agent".
>
> and the Grant Client may need to get authorization to release the Grant
> from the User,
>
> Further down, a grant is defined as: "the user identity claims and/or
> resource access the GS has granted to the Client".
>
> Such a definition is inappropriate since a grant is first of all an acces=
s
> token issued by an AS that contains attributes and/or
> capabilities that allow to perform some method(s) on a data object.
>
> Before an access token is issued for a User, a User Consent, as well as
> some choices, made by the User shall be obtained.
> This does not apply when an access token is issued for a client (i.e. a
> piece of software). The vocabulary that is being used
> does not allow to make these major differences.
>
> or from the owner of the resources at the Resource Server, the Resource
> Owner (RO).
>
> No authorization is needed by the owner of the resource. A Resource
> Controller (RC) is a piece of software that applies a set of rules
> to grant or to deny access to a data object using some method. No human
> interaction from a human being sitting next to the RS is ever needed.
>
> The uses cases I posted today contain a more detailed model that is able
> to support both capabilities and ABAC (Attribute-based Access Control).
>
> Denis
>
> Hello
>
> I just pushed an updated version of XAuth:
>
> https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html
>
> Highlights:
>
>    - renamed Client -> Grant Client
>    - Introduced Client Owner, Grant Server Owner as new entities
>    - renamed Authorizations -> Access
>    - An Access contains an array of RAR objects now
>    - Reworked diagram an intro to focus on Grant, and separate protocol
>    roles from human interactions.
>
> New introduction included below for your convenience
>
> /Dick
>
>    -
>
> 1.
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1>
> Introduction
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-introd=
uction>
>
> *EDITOR NOTE*
>
> *This document captures a number of concepts that may be adopted by the
> proposed GNAP working group. Please refer to this document as:*
>
> *XAuth*
>
> *The use of GNAP in this document is not intended to be a declaration of
> it being endorsed by the GNAP working group.*
>
> This document describes the core Grant Negotiation and Authorization
> Protocol (GNAP). The protocol supports the widely deployed use cases
> supported by OAuth 2.0 [RFC6749
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>] &
> [RFC6750
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6750>],
> OpenID Connect [OIDC
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] - an
> extension of OAuth 2.0, as well as other extensions. Related documents
> include: GNAP - Advanced Features [GNAP_Advanced
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#GNAP_Advanc=
ed>
> ] and JOSE Authentication [JOSE_Authentication
> <https://tools.ietf..org/id/draft-hardt-xauth-protocol-14.html#JOSE_Authe=
ntication>
> ] that describes the JOSE mechanisms for client authentication.
>
> The technology landscape has changed since OAuth 2.0 was initially
> drafted. More interactions happen on mobile devices than PCs. Modern
> browsers now directly support asymetric cryptographic functions. Standard=
s
> have emerged for signing and encrypting tokens with rich payloads (JOSE)
> that are widely deployed.
>
> GNAP simplifies the overall architectural model, takes advantage of
> today's technology landscape, provides support for all the widely deploye=
d
> use cases, offers numerous extension points, and addresses many of the
> security issues in OAuth 2.0 by passing parameters securely between parti=
es
> rather than via a browser redirection.
>
> While GNAP is not backwards compatible with OAuth 2.0, it strives to
> minimize the migration effort.
>
> The suggested pronunciation of GNAP is "guh-nap".
> 1.1.
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.1=
>The
> Grant
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-the-gr=
ant>
>
> The Grant is at the center of the protocol between a client and a server.
> A Grant Client requests a Grant from a Grant Server. The Grant Client and
> Grant Server negotiate the Grant. The Grant Server acquires authorization
> to grant the Grant to the Grant Client. The Grant Server then returns the
> Grant to the Grant Client.
>
> The Grant Request may contain information about the User, the Grant
> Client, the interaction modes supported by the Grant Client, the requeste=
d
> identity claims, and the requested resource access. Extensions may define
> additional information to be included in the Grant Request.
> 1.2.
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.2=
>Protocol
> Roles
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-protoc=
ol-roles>
>
> There are three roles in GNAP: the Grant Client (GC), the Grant Server
> (GS), and the Resource Server (RS). Below is how the roles interact:
>
>     +--------+                               +------------+
>     | Grant  | - - - - - - -(1)- - - - - - ->|  Resource  |
>     | Client |                               |   Server   |
>     |  (GC)  |       +---------------+       |    (RS)    |
>     |        |--(2)->|     Grant     |       |            |
>     |        |<-(3)->|     Server    |- (6) -|            |
>     |        |<-(4)--|      (GS)     |       |            |
>     |        |       +---------------+       |            |
>     |        |                               |            |
>     |        |--------------(5)------------->|            |
>     +--------+                               +------------+
>
> (1) The GC may query the RS to determine what the RS requires from a GS
> for resource access. This step is not in scope for this document.
>
> (2) The GC makes a Grant request to the GS (Create Grant Section 3.2
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#CreateGrant=
>).
> How the GC authenticates to the GS is not in scope for this document. One
> mechanism is [JOSE_Authentication
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#JOSE_Authen=
tication>
> ].
>
> (3) The GC and GS may negotiate the Grant.
>
> (4) The GS returns a Grant to the GC (Grant Response Section 4.1
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#GrantRespon=
se>
> ).
>
> (5) The GC accesses resources at the RS (RS Access Section 6
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RSAccess>).
>
> (6) The RS evaluates access granted by the GS to determine access granted
> to the GC. This step is not in scope for this document.
> 1.3.
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.3=
>Human
> Interactions
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-human-=
interactions>
>
> The Grant Client may be interacting with a human end-user (User), and the
> Grant Client may need to get authorization to release the Grant from the
> User, or from the owner of the resources at the Resource Server, the
> Resource Owner (RO)
>
> Below is when the human interactions may occur in the protocol:
>
>     +--------+                               +------------+
>     |  User  |                               |  Resource  |
>     |        |                               | Owner (RO) |
>     +--------+                               +------------+
>         +     +                             +
>         +      +                           +
>        (A)     (B)                       (C)
>         +        +                       +
>         +         +                     +
>     +--------+     +                   +     +------------+
>     | Grant  | - - -+- - - -(1)- - - -+- - ->|  Resource  |
>     | Client |       +               +       |   Server   |
>     |  (GC)  |       +---------------+       |    (RS)    |
>     |        |--(2)->|     Grant     |       |            |
>     |        |<-(3)->|     Server    |- (6) -|            |
>     |        |<-(4)--|      (GS)     |       |            |
>     |        |       +---------------+       |            |
>     |        |                               |            |
>     |        |--------------(5)------------->|            |
>     +--------+                               +------------+
>
> Legend
> + + + indicates an interaction with a human
> ----- indicates an interaction between protocol roles
>
> Steps (1) - (6) are the same as Section 1.2
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#ProtocolRol=
es>.
> The addition of the human interactions (A) - (C) are *bolded* below.
>
> *(A) The User is interacting with a GC, and the GC needs resource access
> and/or identity claims (a Grant)*
>
> (1) The GC may query the RS to determine what the RS requires from a GS
> for resource access
>
> (2) The GC makes a Grant request to the GS
>
> (3) The GC and GS may negotiate the Grant
>
> *(B) The GS may interact with the User for grant authorization*
>
> *(C) The GS may interact with the RO for grant authorization*
>
> (4) The GS returns a Grant to the GC
>
> (5) The GC accesses resources at the RS
>
> (6) The RS evaluates access granted by the GS to determine access granted
> to the GC
>
> Alternatively, the Resource Owner could be a legal entity that has a
> software component that the Grant Server interacts with for Grant
> authorization. This interaction is not in scope of this document.
> 1.4.
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.4=
>Trust
> Model
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-trust-=
model>
>
> In addition to the User and the Resource Owner, there are three other
> entities that are part of the trust model:
>
>    - *Client Owner* (CO) - the legal entity that owns the Grant Client.
>    - *Grant Server Owner* (GSO) - the legal entity that owns the Grant
>    Server.
>    - *Claims Issuer* (Issuer) - a legal entity that issues identity
>    claims about the User. The Grant Server Owner may be an Issuer, and th=
e
>    Resource Owner may be an Issuer.
>
> These three entities do not interact in the protocol, but are trusted by
> the User and the Resource Owner:
>
>   +------------+           +--------------+----------+
>   |    User    | >> (A) >> | Grant Server |          |
>   |            |           | Owner (GSO)  |          |
>   +------------+         > +--------------+          |
>         V              /          ^       |  Claims  |
>        (B)          (C)          (E)      |  Issuer  |
>         V          /              ^       | (Issuer) |
>   +------------+ >         +--------------+          |
>   |  Client    |           |   Resource   |          |
>   | Owner (CO) | >> (D) >> |  Owner (RO)  |          |
>   +------------+           +--------------+----------+
>
> (A) User trusts the GSO to acquire authorization before making a grant to
> the CO
>
> (B) User trusts the CO to act in the User's best interest with the Grant
> the GSO grants to the CO
>
> (C) CO trusts claims issued by the GSO
>
> (D) CO trusts claims issued by the RO
>
> (E) RO trusts the GSO to manage access to the RO resources
> 1.5.
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1..=
5>
> Terminology
> <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-termin=
ology>
>
> *Roles*
>
>    -
>
>    *Grant Client* (GC)
>    - may want access to resources at a Resource Server
>       - may be interacting with a User and want identity claims about the
>       User
>       - requests the Grant Service to grant resource access and identity
>       claims
>    -
>
>    *Grant Server* (GS)
>    - accepts Grant requests from the GC for resource access and identity
>       claims
>       - negotiates the interaction mode with the GC if interaction is
>       required with the User
>       - acquires authorization from the User before granting identity
>       claims to the GC
>       - acquires authorization from the RO before granting resource
>       access to the GC
>       - grants resource access and identity claims to the GC
>    -
>
>    *Resource Server* (RS)
>    - has resources that the GC may want to access
>       - expresses what the GC must obtain from the GS for access through
>       documentation or an API. This is not in scope for this document
>       - verifies the GS granted access to the GC, when the GS makes
>       resource access requests
>
> *Humans*
>
>    -
>
>    *User*
>    - the person interacting with the Grant Client.
>       - has delegated access to identity claims about themselves to the
>       Grant Server.
>       - may authenticate at the GS..
>    -
>
>    *Resource Owner* (RO)
>    - the legal entity that owns resources at the Resource Server (RS).
>       - has delegated resource access management to the GS.
>       - may be the User, or may be a different entity that the GS
>       interacts with independently.
>
> *Reused Terms*
>
>    - *access token* - an access token as defined in [RFC6749
>    <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>=
] Section
>    1.4.. An GC uses an access token for resource access at a RS.
>    - *Claim* - a Claim as defined in [OIDC
>    <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] S=
ection
>    5. Claims are issued by a Claims Issuer.
>    - *Client ID* - a GS unique identifier for a Registered Client as
>    defined in [RFC6749
>    <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>=
] Section
>    2.2.
>    - *ID Token* - an ID Token as defined in [OIDC
>    <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] S=
ection
>    2. ID Tokens are issued by the GS. The GC uses an ID Token to authenti=
cate
>    the User.
>    - *NumericDate* - a NumericDate as defined in [RFC7519
>    <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC7519>=
] Section
>    2.
>    - *authN* - short for authentication.
>    - *authZ* - short for authorization.
>
> *New Terms*
>
>    - *GS URI* - the endpoint at the GS the GC calls to create a Grant,
>    and is the unique identifier for the GS.
>    - *Registered Client* - a GC that has registered with the GS and has a
>    Client ID to identify itself, and can prove it possesses a key that is
>    linked to the Client ID. The GS may have different policies for what
>    different Registered Clients can request. A Registered Client MAY be
>    interacting with a User.
>    - *Dynamic Client* - a GC that has not been previously registered with
>    the GS, and each instance will generate it's own asymetric key pair so=
 it
>    can prove it is the same instance of the GC on subsequent requests.. T=
he GS
>    MAY return a Dynamic Client a Client Handle for the Dynamic Client to
>    identify itself in subsequent requests. A single-page application with=
 no
>    active server component is an example of a Dynamic Client.
>    - *Client Handle* - a unique identifier at the GS for a Dynamic Client
>    for the Dynamic Client to refer to itself in subsequent requests.
>    - *Interaction* - how the GC directs the User to interact with the GS.
>    This document defines the interaction modes: "redirect", "indirect", a=
nd
>    "user_code" in Section 5
>    <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#Interact=
ionModes>
>    .
>    - *Grant* - the user identity claims and/or resource access the GS has
>    granted to the Client. The GS MAY invalidate a Grant at any time.
>    - *Grant URI* - the URI that represents the Grant. The Grant URI MUST
>    start with the GS URI.
>    - *Access* - the access granted by the RO to the GC and contains an
>    access token. The GS may invalidate an Access at any time.
>    - *Access URI* - the URI that represents the Access the GC was granted
>    by the RO. The Access URI MUST start with the GS URI.. The Access URI =
is
>    used to refresh an access token.
>
>
>
>
>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

--000000000000a3c67105ad2a752b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi Denis<div><br></div><div>Thanks for taking the time to =
review the latest=C2=A0draft</div><div><br></div><div>While *your* cases ma=
y require certain conditions, other use cases have other conditions.</div><=
div><br></div><div>For example, existing OAuth 2 flows do NOT have the clie=
nt query the RS first. Per the charter, supporting OAuth 2 use cases is in =
scope.</div><div><br></div><div><br></div></div><div hspace=3D"streak-pt-ma=
rk" style=3D"max-height:1px"><img alt=3D"" style=3D"width:0px;max-height:0p=
x;overflow:hidden" src=3D"https://mailfoogae.appspot.com/t?sender=3DaZGljay=
5oYXJkdEBnbWFpbC5jb20%3D&amp;type=3Dzerocontent&amp;guid=3Da6633067-150f-42=
b1-acfc-c4910a3a9bae"><font color=3D"#ffffff" size=3D"1">=E1=90=A7</font></=
div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On=
 Tue, Aug 18, 2020 at 10:29 AM Denis &lt;<a href=3D"mailto:denis.ietf@free.=
fr">denis.ietf@free.fr</a>&gt; wrote:<br></div><blockquote class=3D"gmail_q=
uote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,2=
04);padding-left:1ex">
 =20
   =20
 =20
  <div>
    <div><font face=3D"Arial">Hi Dick,</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">I have taken a look
        at the specification and there are good news but unfortunately
        also bad news.</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">The good news: There
        is a Privacy considerations section (section 11)<br>
        <br>
      </font></div>
    <div><font face=3D"Arial">The bad news: There
        is the title of that section, but no text in it.</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">The good news: The
        first exchange is now between the client and the RS:</font></div>
    <blockquote>
      <div><font face=3D"Arial">(1) The GC may
          query the RS to determine what the RS requires from a GS for
          resource access.</font></div>
    </blockquote>
    <div><font face=3D"Arial">The bad news: The
        text is using a &quot;may&quot; and continues with: &quot;This step=
 is not in
        scope for this document&quot;.</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">This first flow is
        fundamental and if the client has never contacted the RS before,
        that step shall be performed. <br>
        Hence, the use of the word &quot;may&quot; is inappropriate. In add=
ition,
        using the singular &quot;for a GS&quot; is also inappropriate since=
 a RS <br>
        may trust more than one GS.</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">Please take a look
        at the uses cases I have posted today called: &quot;Enterprise
        servers and Internet servers use cases&quot;</font></div>
    <div><font face=3D"Arial">The document is
        available at : <font color=3D"#0000ff"><a href=3D"https://github.co=
m/ietf-wg-gnap/general/wiki/Enterprise-servers-and-Internet-servers-use-cas=
es" target=3D"_blank">https://github.com/ietf-wg-gnap/general/wiki/Enterpri=
se-servers-and-Internet-servers-use-cases</a></font></font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">This post attempts
        to explain why this first flow is the most important. IMHO, it
        should be within the </font><font face=3D"Arial"><font face=3D"Aria=
l">scope.</font></font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">BTW, I don&#39;t like
        the wording &quot;Grant Client&quot; since it is ambiguous as it do=
es not
        make any difference between what I call <br>
        a &quot;User Client&quot; and an &quot;Enterprise Client&quot;.</fo=
nt></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">The text then uses
        the following sentence which is inappropriate for various
        reasons: <br>
      </font></div>
    <blockquote>
      <div><font face=3D"Arial">The Grant Client
          may be interacting with a human end-user (User), <br>
        </font></div>
    </blockquote>
    <div><font face=3D"Arial">A user client <b>must
        </b>be interacting with a human end-user (User). The User must
        interact using, what I call, a &quot;User Agent&quot;.<br>
      </font></div>
    <blockquote>
      <div><font face=3D"Arial">and the Grant
          Client may need to get authorization to release the Grant from
          the User, <br>
        </font></div>
    </blockquote>
    <div><font face=3D"Arial">Further down, a
        grant is defined as: &quot;the user identity claims and/or resource
        access the GS has granted to the Client&quot;.</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">Such a definition is
        inappropriate since a grant is first of all an access token
        issued by an AS that contains attributes and/or <br>
        capabilities that allow to perform some method(s) on a data
        object.</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">Before an access
        token is issued for a User, a User Consent, as well as some
        choices, made by the User shall be obtained. <br>
        This does not apply when an access token is issued for a client
        (i.e. a piece of software). The vocabulary that is being used <br>
        does not allow to make these major differences.<br>
      </font></div>
    <blockquote>
      <div><font face=3D"Arial">or from the owner
          of the resources at the Resource Server, the Resource Owner
          (RO).</font></div>
    </blockquote>
    <div><font face=3D"Arial">No authorization is
        needed by the owner of the resource. A Resource Controller (RC)
        is a piece of software that applies a set of rules<br>
        to grant or to deny access to a data object using some method.
        No human interaction from a human being sitting next to the RS
        is ever needed.</font></div>
    <div><font face=3D"Arial"><br>
      </font></div>
    <div><font face=3D"Arial">The </font><font face=3D"Arial"><font face=3D=
"Arial">uses cases I posted today
          contain a more detailed model that is able to support both
          capabilities and ABAC (Attribute-based Access Control).</font></f=
ont></div>
    <p><font face=3D"Arial">Denis</font></p>
    <blockquote type=3D"cite">
     =20
      <div dir=3D"ltr">
        <div dir=3D"ltr">
          <div dir=3D"ltr">
            <div dir=3D"ltr">
              <div dir=3D"ltr">
                <div>Hello</div>
                <div><br>
                </div>
                <div>I just pushed an updated version of XAuth:</div>
                <div><br>
                </div>
                <div><a href=3D"https://tools.ietf.org/id/draft-hardt-xauth=
-protocol-14.html" target=3D"_blank">https://tools.ietf.org/id/draft-hardt-=
xauth-protocol-14.html</a><br>
                </div>
                <div><br>
                </div>
                <div>Highlights:</div>
                <ul>
                  <li>renamed Client -&gt; Grant Client</li>
                  <li>Introduced Client Owner, Grant Server Owner as new
                    entities</li>
                  <li>renamed=C2=A0Authorizations -&gt; Access</li>
                  <li>An Access contains=C2=A0an array of RAR objects now</=
li>
                  <li>Reworked diagram an intro to focus on Grant, and
                    separate protocol roles from human interactions.</li>
                </ul>
                <div>New introduction included below for your
                  convenience</div>
                <div><br>
                </div>
                <div>/Dick</div>
                <div>
                  <div id=3D"gmail-m_-3015586587154810638gmail-toc">
                    <ul style=3D"padding:0px;margin:0px 0.5em 1em 0px;list-=
style:none;line-height:normal">
                      <li id=3D"gmail-m_-3015586587154810638gmail-section-t=
oc.1-1.18" style=3D"margin:0.75em 0px;list-style-type:none;line-height:1.3e=
m;padding-left:1.2em"><br>
                      </li>
                    </ul>
                  </div>
                  <div id=3D"gmail-m_-3015586587154810638gmail-introduction=
">
                    <h2 id=3D"gmail-m_-3015586587154810638gmail-name-introd=
uction" style=3D"line-height:1.3;font-size:22px;padding-top:31px"><a href=
=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1"=
 style=3D"text-decoration-line:none;padding-right:0.5em;color:rgb(34,34,34)=
" target=3D"_blank">1.=C2=A0</a><a href=3D"https://tools.ietf.org/id/draft-=
hardt-xauth-protocol-14.html#name-introduction" style=3D"text-decoration-li=
ne:none;color:rgb(34,34,34)" target=3D"_blank">Introduction</a></h2>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-1"=
 style=3D"padding:0px;margin:0px 0px 1em"><strong>EDITOR
                        NOTE</strong></p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-2"=
 style=3D"padding:0px;margin:0px 0px 1em"><em>This
                        document captures a number of concepts that may
                        be adopted by the proposed GNAP working group.
                        Please refer to this document as:</em></p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-3"=
 style=3D"padding:0px;margin:0px 0px 1em"><strong>XAuth</strong></p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-4"=
 style=3D"padding:0px;margin:0px 0px 1em"><em>The use
                        of GNAP in this document is not intended to be a
                        declaration of it being endorsed by the GNAP
                        working group.</em></p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-5"=
 style=3D"padding:0px;margin:0px 0px 1em">This
                      document describes the core Grant Negotiation and
                      Authorization Protocol (GNAP). The protocol
                      supports the widely deployed use cases supported
                      by OAuth 2.0=C2=A0<span>[<a href=3D"https://tools.iet=
f.org/id/draft-hardt-xauth-protocol-14.html#RFC6749" style=3D"text-decorati=
on-line:none;color:rgb(34,34,238)" target=3D"_blank">RFC6749</a>]</span>=C2=
=A0&amp;=C2=A0<span>[<a href=3D"https://tools.ietf.org/id/draft-hardt-xauth=
-protocol-14.html#RFC6750" style=3D"text-decoration-line:none;color:rgb(34,=
34,238)" target=3D"_blank">RFC6750</a>]</span>,
                      OpenID Connect=C2=A0<span>[<a href=3D"https://tools.i=
etf.org/id/draft-hardt-xauth-protocol-14.html#OIDC" style=3D"text-decoratio=
n-line:none;color:rgb(34,34,238)" target=3D"_blank">OIDC</a>]</span>=C2=A0-=
 an
                      extension of OAuth 2.0, as well as other
                      extensions. Related documents include: GNAP -
                      Advanced Features=C2=A0<span>[<a href=3D"https://tool=
s.ietf.org/id/draft-hardt-xauth-protocol-14.html#GNAP_Advanced" style=3D"te=
xt-decoration-line:none;color:rgb(34,34,238)" target=3D"_blank">GNAP_Advanc=
ed</a>]</span>=C2=A0and
                      JOSE Authentication=C2=A0<span>[<a href=3D"https://to=
ols.ietf..org/id/draft-hardt-xauth-protocol-14.html#JOSE_Authentication" st=
yle=3D"text-decoration-line:none;color:rgb(34,34,238)" target=3D"_blank">JO=
SE_Authentication</a>]</span>=C2=A0that
                      describes the JOSE mechanisms for client
                      authentication.</p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-6"=
 style=3D"padding:0px;margin:0px 0px 1em">The
                      technology landscape has changed since OAuth 2.0
                      was initially drafted. More interactions happen on
                      mobile devices than PCs. Modern browsers now
                      directly support asymetric cryptographic
                      functions. Standards have emerged for signing and
                      encrypting tokens with rich payloads (JOSE) that
                      are widely deployed.</p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-7"=
 style=3D"padding:0px;margin:0px 0px 1em">GNAP
                      simplifies the overall architectural model, takes
                      advantage of today&#39;s technology landscape,
                      provides support for all the widely deployed use
                      cases, offers numerous extension points, and
                      addresses many of the security issues in OAuth 2.0
                      by passing parameters securely between parties
                      rather than via a browser redirection.</p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-8"=
 style=3D"padding:0px;margin:0px 0px 1em">While GNAP
                      is not backwards compatible with OAuth 2.0, it
                      strives to minimize the migration effort.</p>
                    <p id=3D"gmail-m_-3015586587154810638gmail-section-1-9"=
 style=3D"padding:0px;margin:0px 0px 1em">The
                      suggested pronunciation of GNAP is &quot;guh-nap&quot=
;.</p>
                    <div id=3D"gmail-m_-3015586587154810638gmail-the-grant"=
 style=3D"margin:0px">
                      <h3 id=3D"gmail-m_-3015586587154810638gmail-name-the-=
grant" style=3D"line-height:1.3;font-size:18px;padding-top:24px"><a href=3D=
"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.1" =
style=3D"text-decoration-line:none;padding-right:0.5em;color:rgb(34,34,34)"=
 target=3D"_blank">1.1.=C2=A0</a><a href=3D"https://tools.ietf.org/id/draft=
-hardt-xauth-protocol-14.html#name-the-grant" style=3D"text-decoration-line=
:none;color:rgb(34,34,34)" target=3D"_blank">The Grant</a></h3>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
1-1" style=3D"padding:0px;margin:0px 0px 1em">The Grant
                        is at the center of the protocol between a
                        client and a server. A Grant Client requests a
                        Grant from a Grant Server. The Grant Client and
                        Grant Server negotiate the Grant. The Grant
                        Server acquires authorization to grant the Grant
                        to the Grant Client. The Grant Server then
                        returns the Grant to the Grant Client.</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
1-2" style=3D"padding:0px;margin:0px 0px 1em">The Grant
                        Request may contain information about the User,
                        the Grant Client, the interaction modes
                        supported by the Grant Client, the requested
                        identity claims, and the requested resource
                        access. Extensions may define additional
                        information to be included in the Grant Request.</p=
>
                    </div>
                    <div id=3D"gmail-m_-3015586587154810638gmail-ProtocolRo=
les" style=3D"margin:0px">
                      <h3 id=3D"gmail-m_-3015586587154810638gmail-name-prot=
ocol-roles" style=3D"line-height:1.3;font-size:18px;padding-top:24px"><a hr=
ef=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-=
1.2" style=3D"text-decoration-line:none;padding-right:0.5em;color:rgb(34,34=
,34)" target=3D"_blank">1.2.=C2=A0</a><a href=3D"https://tools.ietf.org/id/=
draft-hardt-xauth-protocol-14.html#name-protocol-roles" style=3D"text-decor=
ation-line:none;color:rgb(34,34,34)" target=3D"_blank">Protocol Roles</a></=
h3>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
2-1" style=3D"padding:0px;margin:0px 0px 1em">There are
                        three roles in GNAP: the Grant Client (GC), the
                        Grant Server (GS), and the Resource Server (RS).
                        Below is how the roles interact:</p>
                      <div id=3D"gmail-m_-3015586587154810638gmail-section-=
1.2-2" style=3D"margin:1em 0px 0px;break-before:avoid-page;break-after:auto=
">
                        <pre style=3D"background-color:rgb(249,249,249);fon=
t-family:&quot;Roboto Mono&quot;,monospace;border:1px solid rgb(238,238,238=
);margin-top:0.5px;margin-bottom:0px;padding:1em;overflow-x:auto;font-size:=
13.3px;break-before:avoid-page;break-after:auto;line-height:1.12">    +----=
----+                               +------------+
    | Grant  | - - - - - - -(1)- - - - - - -&gt;|  Resource  |
    | Client |                               |   Server   |
    |  (GC)  |       +---------------+       |    (RS)    |
    |        |--(2)-&gt;|     Grant     |       |            |
    |        |&lt;-(3)-&gt;|     Server    |- (6) -|            |
    |        |&lt;-(4)--|      (GS)     |       |            |
    |        |       +---------------+       |            |
    |        |                               |            |
    |        |--------------(5)-------------&gt;|            |
    +--------+                               +------------+
</pre>
                      </div>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
2-3" style=3D"padding:0px;margin:0px 0px 1em">(1) The
                        GC may query the RS to determine what the RS
                        requires from a GS for resource access. This
                        step is not in scope for this document.</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
2-4" style=3D"padding:0px;margin:0px 0px 1em">(2) The
                        GC makes a Grant request to the GS (Create
                        Grant=C2=A0<a href=3D"https://tools.ietf.org/id/dra=
ft-hardt-xauth-protocol-14.html#CreateGrant" style=3D"text-decoration-line:=
none;color:rgb(34,34,238)" target=3D"_blank">Section 3.2</a>). How
                        the GC authenticates to the GS is not in scope
                        for this document. One mechanism is=C2=A0<span>[<a =
href=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#JOSE_A=
uthentication" style=3D"text-decoration-line:none;color:rgb(34,34,238)" tar=
get=3D"_blank">JOSE_Authentication</a>]</span>.</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
2-5" style=3D"padding:0px;margin:0px 0px 1em">(3) The
                        GC and GS may negotiate the Grant.</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
2-6" style=3D"padding:0px;margin:0px 0px 1em">(4) The
                        GS returns a Grant to the GC (Grant Response=C2=A0<=
a href=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#Gran=
tResponse" style=3D"text-decoration-line:none;color:rgb(34,34,238)" target=
=3D"_blank">Section 4.1</a>).</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
2-7" style=3D"padding:0px;margin:0px 0px 1em">(5) The
                        GC accesses resources at the RS (RS Access=C2=A0<a =
href=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RSAcce=
ss" style=3D"text-decoration-line:none;color:rgb(34,34,238)" target=3D"_bla=
nk">Section 6</a>).</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
2-8" style=3D"padding:0px;margin:0px 0px 1em">(6) The
                        RS evaluates access granted by the GS to
                        determine access granted to the GC. This step is
                        not in scope for this document.</p>
                    </div>
                    <div id=3D"gmail-m_-3015586587154810638gmail-human-inte=
ractions" style=3D"margin:0px">
                      <h3 id=3D"gmail-m_-3015586587154810638gmail-name-huma=
n-interactions" style=3D"line-height:1.3;font-size:18px;padding-top:24px"><=
a href=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#sect=
ion-1.3" style=3D"text-decoration-line:none;padding-right:0.5em;color:rgb(3=
4,34,34)" target=3D"_blank">1.3.=C2=A0</a><a href=3D"https://tools.ietf.org=
/id/draft-hardt-xauth-protocol-14.html#name-human-interactions" style=3D"te=
xt-decoration-line:none;color:rgb(34,34,34)" target=3D"_blank">Human Intera=
ctions</a></h3>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-1" style=3D"padding:0px;margin:0px 0px 1em">The Grant
                        Client may be interacting with a human end-user
                        (User), and the Grant Client may need to get
                        authorization to release the Grant from the
                        User, or from the owner of the resources at the
                        Resource Server, the Resource Owner (RO)</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-2" style=3D"padding:0px;margin:0px 0px 1em">Below is
                        when the human interactions may occur in the
                        protocol:</p>
                      <div id=3D"gmail-m_-3015586587154810638gmail-section-=
1.3-3" style=3D"margin:1em 0px 0px;break-before:avoid-page;break-after:auto=
">
                        <pre style=3D"background-color:rgb(249,249,249);fon=
t-family:&quot;Roboto Mono&quot;,monospace;border:1px solid rgb(238,238,238=
);margin-top:0.5px;margin-bottom:0px;padding:1em;overflow-x:auto;font-size:=
13.3px;break-before:avoid-page;break-after:auto;line-height:1.12">    +----=
----+                               +------------+
    |  User  |                               |  Resource  |
    |        |                               | Owner (RO) |
    +--------+                               +------------+
        +     +                             +
        +      +                           +
       (A)     (B)                       (C)
        +        +                       +
        +         +                     +
    +--------+     +                   +     +------------+
    | Grant  | - - -+- - - -(1)- - - -+- - -&gt;|  Resource  |
    | Client |       +               +       |   Server   |
    |  (GC)  |       +---------------+       |    (RS)    |
    |        |--(2)-&gt;|     Grant     |       |            |
    |        |&lt;-(3)-&gt;|     Server    |- (6) -|            |
    |        |&lt;-(4)--|      (GS)     |       |            |
    |        |       +---------------+       |            |
    |        |                               |            |
    |        |--------------(5)-------------&gt;|            |
    +--------+                               +------------+

Legend
+ + + indicates an interaction with a human
----- indicates an interaction between protocol roles
</pre>
                      </div>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-4" style=3D"padding:0px;margin:0px 0px 1em">Steps (1)
                        - (6) are the same as=C2=A0<a href=3D"https://tools=
.ietf.org/id/draft-hardt-xauth-protocol-14.html#ProtocolRoles" style=3D"tex=
t-decoration-line:none;color:rgb(34,34,238)" target=3D"_blank">Section 1.2<=
/a>. The
                        addition of the human interactions (A) - (C)
                        are=C2=A0<strong>bolded</strong>=C2=A0below.</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-5" style=3D"padding:0px;margin:0px 0px 1em"><strong>(A)
                          The User is interacting with a GC, and the GC
                          needs resource access and/or identity claims
                          (a Grant)</strong></p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-6" style=3D"padding:0px;margin:0px 0px 1em">(1) The
                        GC may query the RS to determine what the RS
                        requires from a GS for resource access</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-7" style=3D"padding:0px;margin:0px 0px 1em">(2) The
                        GC makes a Grant request to the GS</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-8" style=3D"padding:0px;margin:0px 0px 1em">(3) The
                        GC and GS may negotiate the Grant</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-9" style=3D"padding:0px;margin:0px 0px 1em"><strong>(B)
                          The GS may interact with the User for grant
                          authorization</strong></p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-10" style=3D"padding:0px;margin:0px 0px 1em"><strong>(C)
                          The GS may interact with the RO for grant
                          authorization</strong></p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-11" style=3D"padding:0px;margin:0px 0px 1em">(4) The
                        GS returns a Grant to the GC</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-12" style=3D"padding:0px;margin:0px 0px 1em">(5) The
                        GC accesses resources at the RS</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-13" style=3D"padding:0px;margin:0px 0px 1em">(6) The
                        RS evaluates access granted by the GS to
                        determine access granted to the GC</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
3-14" style=3D"padding:0px;margin:0px 0px 1em">Alternatively,
                        the Resource Owner could be a legal entity that
                        has a software component that the Grant Server
                        interacts with for Grant authorization. This
                        interaction is not in scope of this document.</p>
                    </div>
                    <div id=3D"gmail-m_-3015586587154810638gmail-trust-mode=
l" style=3D"margin:0px">
                      <h3 id=3D"gmail-m_-3015586587154810638gmail-name-trus=
t-model" style=3D"line-height:1.3;font-size:18px;padding-top:24px"><a href=
=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.=
4" style=3D"text-decoration-line:none;padding-right:0.5em;color:rgb(34,34,3=
4)" target=3D"_blank">1.4.=C2=A0</a><a href=3D"https://tools.ietf.org/id/dr=
aft-hardt-xauth-protocol-14.html#name-trust-model" style=3D"text-decoration=
-line:none;color:rgb(34,34,34)" target=3D"_blank">Trust Model</a></h3>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
4-1" style=3D"padding:0px;margin:0px 0px 1em">In
                        addition to the User and the Resource Owner,
                        there are three other entities that are part of
                        the trust model:</p>
                      <ul style=3D"padding:0px;margin:0px 0px 1em 2em">
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.4-2.1" style=3D"margin:0px 0px 0.25em"><strong>Client Owner</strong>=C2=
=A0(CO)
                          - the legal entity that owns the Grant Client.</l=
i>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.4-2.2" style=3D"margin:0px 0px 0.25em"><strong>Grant Server Owner</stron=
g>=C2=A0(GSO)
                          - the legal entity that owns the Grant Server.</l=
i>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.4-2.3" style=3D"margin:0px 0px 0.25em"><strong>Claims Issuer</strong>=C2=
=A0(Issuer)
                          - a legal entity that issues identity claims
                          about the User. The Grant Server Owner may be
                          an Issuer, and the Resource Owner may be an
                          Issuer.</li>
                      </ul>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
4-3" style=3D"padding:0px;margin:0px 0px 1em">These
                        three entities do not interact in the protocol,
                        but are trusted by the User and the Resource
                        Owner:</p>
                      <div id=3D"gmail-m_-3015586587154810638gmail-section-=
1.4-4" style=3D"margin:1em 0px 0px;break-before:avoid-page;break-after:auto=
">
                        <pre style=3D"background-color:rgb(249,249,249);fon=
t-family:&quot;Roboto Mono&quot;,monospace;border:1px solid rgb(238,238,238=
);margin-top:0.5px;margin-bottom:0px;padding:1em;overflow-x:auto;font-size:=
13.3px;break-before:avoid-page;break-after:auto;line-height:1.12">  +------=
------+           +--------------+----------+
  |    User    | &gt;&gt; (A) &gt;&gt; | Grant Server |          |
  |            |           | Owner (GSO)  |          |
  +------------+         &gt; +--------------+          |
        V              /          ^       |  Claims  |
       (B)          (C)          (E)      |  Issuer  |
        V          /              ^       | (Issuer) |
  +------------+ &gt;         +--------------+          |
  |  Client    |           |   Resource   |          |
  | Owner (CO) | &gt;&gt; (D) &gt;&gt; |  Owner (RO)  |          |
  +------------+           +--------------+----------+
</pre>
                      </div>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
4-5" style=3D"padding:0px;margin:0px 0px 1em">(A) User
                        trusts the GSO to acquire authorization before
                        making a grant to the CO</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
4-6" style=3D"padding:0px;margin:0px 0px 1em">(B) User
                        trusts the CO to act in the User&#39;s best interes=
t
                        with the Grant the GSO grants to the CO</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
4-7" style=3D"padding:0px;margin:0px 0px 1em">(C) CO
                        trusts claims issued by the GSO</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
4-8" style=3D"padding:0px;margin:0px 0px 1em">(D) CO
                        trusts claims issued by the RO</p>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
4-9" style=3D"padding:0px;margin:0px 0px 1em">(E) RO
                        trusts the GSO to manage access to the RO
                        resources</p>
                    </div>
                    <div id=3D"gmail-m_-3015586587154810638gmail-terminolog=
y" style=3D"margin:0px">
                      <h3 id=3D"gmail-m_-3015586587154810638gmail-name-term=
inology" style=3D"line-height:1.3;font-size:18px;padding-top:24px"><a href=
=3D"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.=
.5" style=3D"text-decoration-line:none;padding-right:0.5em;color:rgb(34,34,=
34)" target=3D"_blank">1.5.=C2=A0</a><a href=3D"https://tools.ietf.org/id/d=
raft-hardt-xauth-protocol-14.html#name-terminology" style=3D"text-decoratio=
n-line:none;color:rgb(34,34,34)" target=3D"_blank">Terminology</a></h3>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
5-1" style=3D"padding:0px;margin:0px 0px 1em"><strong>Roles</strong></p>
                      <ul style=3D"padding:0px;margin:0px 0px 1em 2em">
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-2.1" style=3D"margin:0px 0px 0.25em">
                          <p id=3D"gmail-m_-3015586587154810638gmail-sectio=
n-1.5-2.1.1" style=3D"padding:0px;margin:0px 0px 1em"><strong>Grant
                              Client</strong>=C2=A0(GC)</p>
                          <ul style=3D"padding:0px;margin-top:initial;margi=
n-right:0px;margin-bottom:1em;margin-left:1em">
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.1.2.1" style=3D"margin:0px 0px 0.25em">may want
                              access to resources at a Resource Server</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.1.2.2" style=3D"margin:0px 0px 0.25em">may be
                              interacting with a User and want identity
                              claims about the User</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.1.2.3" style=3D"margin:0px 0px 0.25em">requests the
                              Grant Service to grant resource access and
                              identity claims</li>
                          </ul>
                        </li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-2.2" style=3D"margin:0px 0px 0.25em">
                          <p id=3D"gmail-m_-3015586587154810638gmail-sectio=
n-1.5-2.2.1" style=3D"padding:0px;margin:0px 0px 1em"><strong>Grant
                              Server</strong>=C2=A0(GS)</p>
                          <ul style=3D"padding:0px;margin-top:initial;margi=
n-right:0px;margin-bottom:1em;margin-left:1em">
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.2.2.1" style=3D"margin:0px 0px 0.25em">accepts
                              Grant requests from the GC for resource
                              access and identity claims</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.2.2.2" style=3D"margin:0px 0px 0.25em">negotiates
                              the interaction mode with the GC if
                              interaction is required with the User</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.2.2.3" style=3D"margin:0px 0px 0.25em">acquires
                              authorization from the User before
                              granting identity claims to the GC</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.2.2.4" style=3D"margin:0px 0px 0.25em">acquires
                              authorization from the RO before granting
                              resource access to the GC</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.2.2.5" style=3D"margin:0px 0px 0.25em">grants
                              resource access and identity claims to the
                              GC</li>
                          </ul>
                        </li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-2.3" style=3D"margin:0px 0px 0.25em">
                          <p id=3D"gmail-m_-3015586587154810638gmail-sectio=
n-1.5-2.3.1" style=3D"padding:0px;margin:0px 0px 1em"><strong>Resource
                              Server</strong>=C2=A0(RS)</p>
                          <ul style=3D"padding:0px;margin-top:initial;margi=
n-right:0px;margin-bottom:1em;margin-left:1em">
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.3.2.1" style=3D"margin:0px 0px 0.25em">has
                              resources that the GC may want to access</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.3.2.2" style=3D"margin:0px 0px 0.25em">expresses
                              what the GC must obtain from the GS for
                              access through documentation or an API.
                              This is not in scope for this document</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-2.3.2.3" style=3D"margin:0px 0px 0.25em">verifies the
                              GS granted access to the GC, when the GS
                              makes resource access requests</li>
                          </ul>
                        </li>
                      </ul>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
5-3" style=3D"padding:0px;margin:0px 0px 1em"><strong>Humans</strong></p>
                      <ul style=3D"padding:0px;margin:0px 0px 1em 2em">
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-4.1" style=3D"margin:0px 0px 0.25em">
                          <p id=3D"gmail-m_-3015586587154810638gmail-sectio=
n-1.5-4.1.1" style=3D"padding:0px;margin:0px 0px 1em"><strong>User</strong>=
</p>
                          <ul style=3D"padding:0px;margin-top:initial;margi=
n-right:0px;margin-bottom:1em;margin-left:1em">
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-4.1.2.1" style=3D"margin:0px 0px 0.25em">the person
                              interacting with the Grant Client.</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-4.1.2.2" style=3D"margin:0px 0px 0.25em">has
                              delegated access to identity claims about
                              themselves to the Grant Server.</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-4.1.2.3" style=3D"margin:0px 0px 0.25em">may
                              authenticate at the GS..</li>
                          </ul>
                        </li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-4.2" style=3D"margin:0px 0px 0.25em">
                          <p id=3D"gmail-m_-3015586587154810638gmail-sectio=
n-1.5-4.2.1" style=3D"padding:0px;margin:0px 0px 1em"><strong>Resource
                              Owner</strong>=C2=A0(RO)</p>
                          <ul style=3D"padding:0px;margin-top:initial;margi=
n-right:0px;margin-bottom:1em;margin-left:1em">
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-4.2.2.1" style=3D"margin:0px 0px 0.25em">the legal
                              entity that owns resources at the Resource
                              Server (RS).</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-4.2.2.2" style=3D"margin:0px 0px 0.25em">has
                              delegated resource access management to
                              the GS.</li>
                            <li id=3D"gmail-m_-3015586587154810638gmail-sec=
tion-1.5-4.2..2.3" style=3D"margin:0px 0px 0.25em">may be the
                              User, or may be a different entity that
                              the GS interacts with independently.</li>
                          </ul>
                        </li>
                      </ul>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
5-5" style=3D"padding:0px;margin:0px 0px 1em"><strong>Reused
                          Terms</strong></p>
                      <ul style=3D"padding:0px;margin:0px 0px 1em 2em">
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-6.1" style=3D"margin:0px 0px 0.25em"><strong>access token</strong>=C2=
=A0- an
                          access token as defined in=C2=A0<span>[<a href=3D=
"https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749" styl=
e=3D"text-decoration-line:none;color:rgb(34,34,238)" target=3D"_blank">RFC6=
749</a>]</span>=C2=A0Section
                          1.4.. An GC uses an access token for resource
                          access at a RS.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-6.2" style=3D"margin:0px 0px 0.25em"><strong>Claim</strong>=C2=A0- a C=
laim
                          as defined in=C2=A0<span>[<a href=3D"https://tool=
s.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC" style=3D"text-decora=
tion-line:none;color:rgb(34,34,238)" target=3D"_blank">OIDC</a>]</span>=C2=
=A0Section
                          5. Claims are issued by a Claims Issuer.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-6.3" style=3D"margin:0px 0px 0.25em"><strong>Client ID</strong>=C2=A0-=
 a GS
                          unique identifier for a Registered Client as
                          defined in=C2=A0<span>[<a href=3D"https://tools.i=
etf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749" style=3D"text-decora=
tion-line:none;color:rgb(34,34,238)" target=3D"_blank">RFC6749</a>]</span>=
=C2=A0Section
                          2.2.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-6.4" style=3D"margin:0px 0px 0.25em"><strong>ID Token</strong>=C2=A0- =
an ID
                          Token as defined in=C2=A0<span>[<a href=3D"https:=
//tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC" style=3D"text-=
decoration-line:none;color:rgb(34,34,238)" target=3D"_blank">OIDC</a>]</spa=
n>=C2=A0Section
                          2. ID Tokens are issued by the GS. The GC uses
                          an ID Token to authenticate the User.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-6.5" style=3D"margin:0px 0px 0.25em"><strong>NumericDate</strong>=C2=
=A0- a
                          NumericDate as defined in=C2=A0<span>[<a href=3D"=
https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC7519" style=
=3D"text-decoration-line:none;color:rgb(34,34,238)" target=3D"_blank">RFC75=
19</a>]</span>=C2=A0Section
                          2.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-6.6" style=3D"margin:0px 0px 0.25em"><strong>authN</strong>=C2=A0- sho=
rt for
                          authentication.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-6.7" style=3D"margin:0px 0px 0.25em"><strong>authZ</strong>=C2=A0- sho=
rt for
                          authorization.</li>
                      </ul>
                      <p id=3D"gmail-m_-3015586587154810638gmail-section-1.=
5-7" style=3D"padding:0px;margin:0px 0px 1em"><strong>New
                          Terms</strong></p>
                      <ul style=3D"padding:0px;margin:0px 0px 1em 2em">
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.1" style=3D"margin:0px 0px 0.25em"><strong>GS URI</strong>=C2=A0- th=
e
                          endpoint at the GS the GC calls to create a
                          Grant, and is the unique identifier for the
                          GS.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.2" style=3D"margin:0px 0px 0.25em"><strong>Registered Client</strong=
>=C2=A0-
                          a GC that has registered with the GS and has a
                          Client ID to identify itself, and can prove it
                          possesses a key that is linked to the Client
                          ID. The GS may have different policies for
                          what different Registered Clients can request.
                          A Registered Client MAY be interacting with a
                          User.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.3" style=3D"margin:0px 0px 0.25em"><strong>Dynamic Client</strong>=
=C2=A0-
                          a GC that has not been previously registered
                          with the GS, and each instance will generate
                          it&#39;s own asymetric key pair so it can prove i=
t
                          is the same instance of the GC on subsequent
                          requests.. The GS MAY return a Dynamic Client
                          a Client Handle for the Dynamic Client to
                          identify itself in subsequent requests. A
                          single-page application with no active server
                          component is an example of a Dynamic Client.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.4" style=3D"margin:0px 0px 0.25em"><strong>Client Handle</strong>=C2=
=A0- a
                          unique identifier at the GS for a Dynamic
                          Client for the Dynamic Client to refer to
                          itself in subsequent requests.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.5" style=3D"margin:0px 0px 0.25em"><strong>Interaction</strong>=C2=
=A0- how
                          the GC directs the User to interact with the
                          GS. This document defines the interaction
                          modes: &quot;redirect&quot;, &quot;indirect&quot;=
, and &quot;user_code&quot;
                          in=C2=A0<a href=3D"https://tools.ietf.org/id/draf=
t-hardt-xauth-protocol-14.html#InteractionModes" style=3D"text-decoration-l=
ine:none;color:rgb(34,34,238)" target=3D"_blank">Section 5</a>.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.6" style=3D"margin:0px 0px 0.25em"><strong>Grant</strong>=C2=A0- the=
 user
                          identity claims and/or resource access the GS
                          has granted to the Client. The GS MAY
                          invalidate a Grant at any time.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.7" style=3D"margin:0px 0px 0.25em"><strong>Grant URI</strong>=C2=A0-=
 the
                          URI that represents the Grant. The Grant URI
                          MUST start with the GS URI.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.8" style=3D"margin:0px 0px 0.25em"><strong>Access</strong>=C2=A0- th=
e
                          access granted by the RO to the GC and
                          contains an access token. The GS may
                          invalidate an Access at any time.</li>
                        <li id=3D"gmail-m_-3015586587154810638gmail-section=
-1.5-8.9" style=3D"margin:0px 0px 0.25em"><strong>Access URI</strong>=C2=A0=
- the
                          URI that represents the Access the GC was
                          granted by the RO. The Access URI MUST start
                          with the GS URI.. The Access URI is used to
                          refresh an access token.</li>
                      </ul>
                    </div>
                  </div>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
              </div>
            </div>
          </div>
        </div>
      </div>
      <br>
      <fieldset></fieldset>
    </blockquote>
    <p><br>
    </p>
  </div>

-- <br>
TXAuth mailing list<br>
<a href=3D"mailto:TXAuth@ietf.org" target=3D"_blank">TXAuth@ietf.org</a><br=
>
<a href=3D"https://www.ietf.org/mailman/listinfo/txauth" rel=3D"noreferrer"=
 target=3D"_blank">https://www.ietf.org/mailman/listinfo/txauth</a><br>
</blockquote></div>

--000000000000a3c67105ad2a752b--

