IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

Justin Richer <jricher@mit.edu> Sat, 18 January 2020 14:02 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C71B1120019 for <txauth@ietfa.amsl.com>; Sat, 18 Jan 2020 06:02:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JyN0sKiDBbT1 for <txauth@ietfa.amsl.com>; Sat, 18 Jan 2020 06:02:06 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6E14120013 for <txauth@ietf.org>; Sat, 18 Jan 2020 06:02:05 -0800 (PST)
Received: from himiko.home (pool-70-109-130-118.cncdnh.east.myfairpoint.net [70.109.130.118] (may be forged)) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 00IE21Gj031480 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 18 Jan 2020 09:02:02 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <185A1120-8A89-45D5-A703-FA85238C57C5@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9D8A0EBE-4BC0-473D-BD25-25B8DB862FDA"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sat, 18 Jan 2020 09:02:01 -0500
In-Reply-To: <82AAD649-5A47-4A89-A32F-BCC593EEE343@amazon.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, "txauth@ietf.org" <txauth@ietf.org>
To: "Richard Backman, Annabelle" <richanna@amazon.com>
References: <857A822F-E819-443E-8D92-5A5BD682D3AF@mit.edu> <3CC78FFE-8115-4693-8FEF-EC9B9BDDD786@lodderstedt.net> <BFD1E625-BAEB-4367-821B-D75511928E76@mit.edu> <B6D4450B-CE5F-410B-A21D-C494CD4483A6@amazon.com> <5A7FEF06-954E-47B1-B3CE-AD5DE2329B52@mit.edu> <7A4FC2A4-9960-4A75-847C-0477FE81DB4F@amazon.com> <00C978A2-E4B1-4EEB-BA0E-5FF0A9B871F0@mit.edu> <CAD9ie-vurKFg=yBmgeFXX_pJTM=QPsNaOe73eZ5DwEGMtdbB9w@mail.gmail.com> <CAD0792E-AD19-4968-A869-7822DF39A20D@mit.edu> <82AAD649-5A47-4A89-A32F-BCC593EEE343@amazon.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/PMYTa59iJBEt8ZwXpPcQl5bf98g>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jan 2020 14:02:11 -0000

That’s a reasonable take, thanks for bringing up the discussion.

 — Justin

> On Jan 17, 2020, at 10:59 AM, Richard Backman, Annabelle <richanna@amazon.com> wrote:
> 
> My experience is that people will stretch and comfort the semantics of “identity claims” to fit this use cases. I’m fine with deferring the discussion to the WG, provided that we agree the charter doesn’t rule out the possibility.
> 
> Sent from my iPhone
> 
>> On Jan 17, 2020, at 5:49 AM, Justin Richer <jricher@mit.edu> wrote:
>> 
>>  I’m thinking this as well — I think it’s the kind of detail that the WG can sort out, and that’s what I mean by figuring out a way to generalize my point #3 below into Annabelle’s use cases. I’m for figuring it out if we can do it, but not at the expense of what I’m seeing as a pretty clear set of semantics already. 
>> 
>> VoT == Vectors of Trust, RFC8485. A way to communicate information about the user logging in, basically authentication context but with more dimensions.
>> 
>>  — Justin
>> 
>>> On Jan 16, 2020, at 6:00 PM, Dick Hardt <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote:
>>> 
>>> I was thinking that other kinds of delegation results would be yet another top level request, and matching response. Since it is not a widely deployed use case today, it would be an extension to the core protocol.
>>> 
>>> Justin:  What to you mean by VoT?
>>> 
>>> wrt. returning claims, vs access to claims, I think it is an important discussion -- but let's put a pin in that for discussion in the WG once we are formed! I don't think that needs to be in the charter, but happy to be convinced otherwise. 
>>> ᐧ
>>> 
>>> On Thu, Jan 16, 2020 at 2:49 PM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>> I’m cautiously Ok with having resource inlining be in scope — IF we can generalize it from the identity case specifically.
>>> 
>>> To do what you’re asking for though, the WG can still be chartered to solve identity (which we know is a well-established and understood use case), but also allow other things. 
>>> 
>>> This gets back to a fundamental question that I don’t have a clear answer for yet: what do you get back at the end of a transaction? Right now we’ve got a clear call for three things:
>>> 
>>> 1. Access tokens to call APIs
>>> 2. Transaction handles to continue the transaction later (like a refresh token but better)
>>> 3. User identity claims
>>> 
>>> Maybe the mechanism we use for #3 can be generalized, or maybe there’s even a good way to provide switches for #1, #2, and #3. 
>>> 
>>> And while we’re on the topic of #3, I think there’s a strong case to be made that it should NOT be a user’s profile information, but rather just enough information to identify the user to the RP. If the RP wants to pull more profile info, it can do so via an API. This keeps us out of the anti-pattern that SAML has of always sending all claims about a user whether the RP needs them or not. But the RP will at least need to know if it has to request the claims, and we can do that by a simple enough structure like:
>>> 
>>> user: {
>>>   “iss”: “http://foo.bar/ <http://foo.bar/>“,
>>>   “sub”: “12387yhjfre”,
>>>   “last_updated”: 54239084
>>> }
>>> 
>>> 
>>> You can add VoT and other things that can vary per-login here as well. But I shouldn’t be sending you the user’s name and address every time they log in — as an RP you only need to get that if it’s a new account or if it’s been updated since you last saw it. You can’t handle that if you’re pushing all the claims in the response: Since the RP doesn’t know who the user is until after this stage, it can’t tell that information to the IdP ahead of time and therefore the IdP is forced to always send it just in case the RP might need it. But by telling the RP an identifier for the user and a tag of when any of their information was last updated I can make the decision whether or not to pull information at the RP in an intelligent fashion if I want to.
>>> 
>>>  — Justin
>>> 
>>> > On Jan 16, 2020, at 5:29 PM, Richard Backman, Annabelle <richanna@amazon.com <mailto:richanna@amazon.com>> wrote:
>>> > 
>>> > The same could be said for any resource, particularly in scenarios where the interaction was kicked off so that the SP can perform a specific action initiated by the user (e.g., charging a credit card or account, publishing a message to a message board or social media feed, retrieving a specific document or image).
>>> > 
>>> > Consider a flow like the following:
>>> > 1. The end user is on a client website that provides a photo printing service, clicks the "Print from CloudStorageProvider" button.
>>> > 4. The client initates TxAuth via CloudStorageProvider's transaction endpoint, requesting a URL for a photo to be selected by the end user.
>>> > 5. CloudStorageProvider returns an interact_url pointing to its AS.
>>> > 6. The client redirects the user agent to the AS.
>>> > 7. The end user signs in, and selects the photo they want to print, and confirms authorization to share with the client.
>>> > 8. The AS redirects the user agent back to client.
>>> > 9. The client calls back to CloudStorageProvider's transaction endpoint to continue the TxAuth transaction.
>>> > 10. CloudStorageProvider returns confirmation that the authorization was granted, along with the URL for the selected photo.
>>> > 
>>> > This is identical to the identity use case, we've just replaced identity claims with a URL to a photo. I see a lot of value in encouraging one-time authorization of specific actions like this, and if we're going to support inlining of resources for identity claims anyway, it's not a big stretch to allow for arbitrary resource types. I do think it's fair to narrowly scope the kinds of resource *schemas* the WG will define (e.g., defining core identity claims like OIDC did), but the inlining mechanism should be flexible (e.g., not limiting this to claims about the end user identity, like OIDC did).
>>> > 
>>> > – 
>>> > Annabelle Richard Backman
>>> > AWS Identity
>>> > 
>>> > 
>>> > On 1/16/20, 12:59 PM, "Txauth on behalf of Justin Richer" <txauth-bounces@ietf.org <mailto:txauth-bounces@ietf.org> on behalf of jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>> > 
>>> >    I think that’s exactly the reason — the case of getting information about the user directly from the TX endpoint is well established. People don’t want to make another round trip just to figure out who’s there, when a lot of time that’s the first thing they care about, and then the’d make the determination of whether to follow other APIs after that. 
>>> > 
>>> >    So if I can send you a very basic set of authn info from the callback, like an identifier and VoT style login information, then you can figure out if you need to know more about that user or not. But these basic claims do get elevated to the same level as other returned artifacts from the transaction, like the access tokens.
>>> > 
>>> >     — Justin
>>> > 
>>> >> On Jan 16, 2020, at 2:12 PM, Richard Backman, Annabelle <richanna@amazon.com <mailto:richanna@amazon.com>> wrote:
>>> >> 
>>> >> The only reason I can think of to single out identity within the charter is if there is some work or feature that is within scope for the working group, but only for identity claims (e.g., returning identity claims from the transaction endpoint). Repeating a question I posed earlier, what is it about identity claims that make them worthy of special consideration?
>>> >> 
>>> >> – 
>>> >> Annabelle Richard Backman
>>> >> AWS Identity
>>> >> 
>>> >> 
>>> >> On 1/16/20, 8:51 AM, "Justin Richer" <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>> >> 
>>> >>   On Jan 16, 2020, at 11:15 AM, Torsten Lodderstedt <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>>> >>> 
>>> >>> 
>>> >>> 
>>> >>>> Am 16.01.2020 um 16:45 schrieb Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>>:
>>> >>>> 
>>> >>>> - Approval of identity claims and multiple resources in a single interaction
>>> >>> 
>>> >>> This sounds a bit incomplete to me. I assume the user would approve „the attestation of identity claims“. I furthermore think the user would approve „access to multiple APIs“. I would prefer API over resource because it is more universal. For example, the protocol could also be used to create resources.
>>> >> 
>>> >>   Point taken, but this isn’t meant to be an exhaustive list of what it can do, merely the list of things we’re positive we want it to do. I also prefer “API” over “resource”, but concede that “resource” can be a writeable thing too. Even then I’m happy to tweak the language here. 
>>> >> 
>>> >>    — Justin
>>> >> 
>>> > 
>>> >    -- 
>>> >    Txauth mailing list
>>> >    Txauth@ietf.org <mailto:Txauth@ietf.org>
>>> >    https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>
>>> > 
>>> > 
>>> 
>> 
>> -- 
>> Txauth mailing list
>> Txauth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email