IETF Logo Mail Archive

Re: [Txauth] Additional implementation

Fabien Imbault <fabien.imbault@gmail.com> Fri, 03 July 2020 08:19 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E8DF3A08CD for <txauth@ietfa.amsl.com>; Fri, 3 Jul 2020 01:19:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1nVLQAlQD9RD for <txauth@ietfa.amsl.com>; Fri, 3 Jul 2020 01:19:47 -0700 (PDT)
Received: from mail-il1-x131.google.com (mail-il1-x131.google.com [IPv6:2607:f8b0:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 021583A0839 for <txauth@ietf.org>; Fri, 3 Jul 2020 01:19:46 -0700 (PDT)
Received: by mail-il1-x131.google.com with SMTP id r12so19392721ilh.4 for <txauth@ietf.org>; Fri, 03 Jul 2020 01:19:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iKmegSuuaZWCR3i2ESzJP2ZHxXMhRMWw9pl3l+8THts=; b=uJomChMnV/S/eCVFmEmDJG+cPZv9fJqZeNYbuZ7W+Wur6GpBS62IpY5+vDoCEhJ0jf WuoYG5HeChHrrLA7v+PitnugIFPmqR41ABDD7U6HakGuB6PSnmBfQvyjGClPf4Xw5oYS 0joaro4Os3geyPgRWfW4nfyjwurq8ZgUEbPTmGl+uHTYlx3GWYP14A/KNJehz3h8WheF TXl4AwE86zFUCl3PnDGsS7JC2vbFPocJvvwV21QwbiLQ+lQMF42gAWcbGVLesYIKVl8J eaEYMzVnPuwvU8GVkn/bYiLhrsnNu69SHxM8GzGyTFPWjCMxveM9juZb2DrVnV97T1Ox SdZw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iKmegSuuaZWCR3i2ESzJP2ZHxXMhRMWw9pl3l+8THts=; b=uN9L8k0j9kvWBi/oygKblM+gyFcnsY1eQWDig+DIsngyyIiCDmjTgvfD3DE9bghbm+ E1AZyH5+65i4CN144IkpQDcYApWNo5DCO+2Kqhu0uQDJlS6jPYD79OJN/i76xFyfLXKJ 3V1V/Jb3U7mXPgaNap0R3mH13y9A3JB08YiVNAXin2HSOO6oZggJ37VKJLUmpYKXH884 vgU9D+R8t/B9cmmsA31tokKhU2XFfQmvMO9PG6IcVyxm9I3gPBA7eqDlyMHexgmrmqx5 8txjGHkjo8raQA/xY33ODAXRwXpjpBdW+ncO4mlVZC14R5WljE/QJlbjvGy6io9bIbtJ bvjQ==
X-Gm-Message-State: AOAM531qKro/qnHzyr49lhi4vw5tTsmDYd0BovUDtGcMYaE035/dQj3w cR7KIodBTI7MsGrT4+WT40Z5bE7N7eExdhC2UAw=
X-Google-Smtp-Source: ABdhPJxz/HpCjb2IXPai5B3z8gkAKNJedxO93ciON08GYjzkn8Xp220u48eZQyHBN0i3dnikTUF9wDulV7V1AjU5QNM=
X-Received: by 2002:a05:6e02:682:: with SMTP id o2mr15576145ils.188.1593764386299; Fri, 03 Jul 2020 01:19:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuRA1VfPs6bdrGgssBeBNe4wPySHjKcjiP6HexKMUff4DQ@mail.gmail.com> <CAD9ie-t7Lzt8S09YKPqwhc__7fKU6XpsyL1m8CGYUqfQwj8+ww@mail.gmail.com> <CAM8feuQK7HnKWd4TuusKy6z5q0K8V1+fO7xdqnLwOckThgtfNw@mail.gmail.com> <CAM8feuT5VO3w-PJWX-SWL0tdoCH4TfzfTnabD5kNLfZ=T8nAZw@mail.gmail.com> <CAD9ie-vUGGRcsv2mC6OD=p2P-jRLbpWo1dOfq3AVYc9gU1S8hA@mail.gmail.com>
In-Reply-To: <CAD9ie-vUGGRcsv2mC6OD=p2P-jRLbpWo1dOfq3AVYc9gU1S8hA@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 03 Jul 2020 10:19:34 +0200
Message-ID: <CAM8feuRc_arjH-mKyXo+4k_PzRZ0Pq83fkNsN3_YM0mZ8VmmMg@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000019e41105a9853089"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Q1wxlzxQ5wq6SwfnTuO7RgPqgps>
Subject: Re: [Txauth] Additional implementation
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Jul 2020 08:19:49 -0000

Thanks Dick.

Likewise, comments inserted (marked with "FI").

On Thu, Jul 2, 2020 at 7:34 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> Hi Fabien, sorry for the late reply
>
> Comments and questions inserted ...
>
> On Wed, Jun 17, 2020 at 3:47 AM Fabien Imbault <fabien.imbault@gmail.com>
> wrote:
> <snip>
>
>>
>> Beyond what I said on the redirect, we could probably benefit from a more
>> formal definition of the flows (a bit different between the 2 proposals),
>> as proposed recently by Francis Pouatcha for instance
>> (interact/decoupled/embedded flows, TBD).
>>
>
> Which proposal was that?
>

FI : I'll try to find it back.

>
>
>>
>> What I'm missing in both proposals (personal opinion):
>>
>> - I know that JSON is the usual format, but it would be really useful to
>> complement the schemas with some JSON-LD descriptions as well. It would
>> ease extensions and interoperability (by avoiding conflicting schemas), and
>> could even provide a more generic way of representing verifiable
>> presentations (challenge/nonce associated to a domain for instance). While
>> most of this work on linked data has been done at W3C, it would add value
>> to the current proposal so I think we should consider it.
>>
>
> I'm not understanding how JSON-LD would fit in. Would you provide an
> example?
>

FI : when it comes to extendibility, JSON-LD and JSON schemas could work
together to provide a more explicit information on the type of information
we're handling. You'll find a comparison at
https://w3c.github.io/vc-imp-guide/#benefits-of-json-ld-and-ld-proofs with
standard JWT. In practice, this comes handy as a basis for verified
credentials, would clarify the OIDC semantics and disambiguate the meaning
of specific tokens (see for instance the discussion at
https://www.rfc-editor.org/rfc/rfc8417.html#section-4 on "Preventing
Confusion between SETs and Other JWTs").
https://w3c.github.io/vc-imp-guide/#extending-jwts provides interesting
examples.


>
>>
>> - from an extensibility point of view, I'm not sure it's very useful to
>> list all possibilities. For instance, as of now, it wouldn't be possible to
>> use the protocol for constrained devices, so there's no real value in
>> saying that it could be extended with CoAP (then we need a separate
>> document, that references the current GNAP rfc). What's more useful to know
>> if the context of the current document, when you're implementing it, is
>> what behaviour can really be extended in a fairly straightforward
>> way, without changing anything in the core spec. For instance, what can I
>> do with other types of tokens than JWT? Neither proposal is very clear as
>> to how we would implement extensions in practice.
>>
>
> In XAuth I refer to CoAP not as an extension, but as an one example of
> other client authentication mechanisms. While it only applies to CoAP, I
> think it is useful to call out how we intend GNAP to be extended.
>

FI : isn't the charter already covering this?

>
> Just like OAuth 2.0, the access token is opaque to the client, and it is
> not specified, so I'm confused what you mean by "other types of tokens than
> JWT"?
>
> FI : I mean, for instance, linked data proofs, macaroons, and so on.

>
>
>>
>> - from an implementation perspective, it would make sense to decompose
>> the flow between the Grant Server (GS) and the login/consent part (as done
>> for instance by ory.sh). This way you would separate the concerns: on one
>> side you have the HTTP flows (managed by the GS, which can be very
>> optimized from a backend perspective), but you can delegate/customize the
>> interaction UI to some agreed dedicated endpoint (typically a JS site).
>> Maybe that's just a detail which doesn't have its place in the spec, but
>> since it would change the flow, it might be important to consider, at least
>> as a possibility/extension.
>>
>
> Is the interaction UI not part of the GS though? I agree that an
> implementation can decompose those, but that sounds like an implementation
> choice of the GS, and not something that requires standardization. I agree
> that we want to anticipate the decomposition.* Is there a change in the
> flow that would make that easier?
>

FI : I agree with you on the principle. We're currently testing that to
make sure the standard is supporting these kind of implementation choice.
In XYZ, it means changing the URI for the interaction, having an additional
nonce for the interact server (maybe we can remove that constraint later
on, because it changes details in the interaction), and the rest stays the
same.

>
> *One of the reasons I favor using URIs and methods for the different
> functionality of the GS API is that it is easy for a router to route a
> request to different components of the GS.
>

FI : yes, and that's something interesting that we'll need to discuss
further.

>
> /Dick
>
>>

v2.23.0 | Report a Bug | By Email