Re: [Txauth] alternative charter writeup
Dick Hardt <dick.hardt@gmail.com> Thu, 16 January 2020 23:00 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8761A1200C3 for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 15:00:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmQAJDaU9Xeq for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 15:00:18 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F883120099 for <txauth@ietf.org>; Thu, 16 Jan 2020 15:00:17 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id y6so24479609lji.0 for <txauth@ietf.org>; Thu, 16 Jan 2020 15:00:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q/ZAKO9n1G9wDlvI7kk2qEeYg49JiAtnBJ3Gn0Yw+Pw=; b=cqyRz8JSVEc0KpRe2vnkwZNe5P5xyfugAkTKABsSAchV6TBzOpPaJNDV7R8rFbO7fO BT4QEFqkl8E9Wil53KHCLC0ZQDTIy4ObxYqbAcucgYYeYyUR83Ku6eOgTP6T+g/+p/cW TUdPvNxKydWJ+Cn+i7bEqybRZgSXjouDX2498+Fi15EcjYWwAirynKv+kEyd8a1/zBAF 97Fd3paVbr11ogS2BU+EOqRSKcYCG37kqekBj4IMGNYbhuAUzLqj/UOyHC46fgxDgAOi q/jWPC/ggWmJgcGNeSvDNwUiXYhmNRbXjUOSLfnabrNdmbGE+pRqFgolZ5/QAb4JQz2N /h9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q/ZAKO9n1G9wDlvI7kk2qEeYg49JiAtnBJ3Gn0Yw+Pw=; b=opPXxOeQoyDZWtYPwT0aEDwSv2qWi/RFa47hn7rzkzzQPQHkpr6T+8wRwHNgcd7e2S RjUR/5w2AhXVZFf2megrPGZoDI8gZI1izyiDuD6mNOPZiJW74bR14ZV3IHBRZNNG4/Gv cdCYwzwXvSkYyjNERJsNjNcS9iFAe1TJP+IG7BMKdSF1yhcjg8L79Z5XrsU44ujwviw7 aEH5A6VO611uavSTm9fIlIS7t79GxyflBZclrROY7XYudZAlBToxof3dlMa7Pi9yRQre d2+lGPHBq5e1RgfFh9sLvKN4uhr8yakp5xLjvIMKbVw9vBS/e6om95O+73rNGfvDJJCf iVUg==
X-Gm-Message-State: APjAAAWMTjyi/2H7mnlfx0hagX2RPAum1jZ+DuLBgiCU3IMo+634Edmg kh5zmo5RGhG2Al0Gje5zk9raMNs2dufTIstJ60GmPI5u
X-Google-Smtp-Source: APXvYqwmdHBxOR4EyJ5vs4X3RP9M7TkqSz/0JPn7iA/G6vYRW7VJtvIjLX89i5zAi/Moouwp6gtIiGUdEIrrrqFTH1g=
X-Received: by 2002:a2e:9008:: with SMTP id h8mr3560573ljg.217.1579215615533; Thu, 16 Jan 2020 15:00:15 -0800 (PST)
MIME-Version: 1.0
References: <857A822F-E819-443E-8D92-5A5BD682D3AF@mit.edu> <3CC78FFE-8115-4693-8FEF-EC9B9BDDD786@lodderstedt.net> <BFD1E625-BAEB-4367-821B-D75511928E76@mit.edu> <B6D4450B-CE5F-410B-A21D-C494CD4483A6@amazon.com> <5A7FEF06-954E-47B1-B3CE-AD5DE2329B52@mit.edu> <7A4FC2A4-9960-4A75-847C-0477FE81DB4F@amazon.com> <00C978A2-E4B1-4EEB-BA0E-5FF0A9B871F0@mit.edu>
In-Reply-To: <00C978A2-E4B1-4EEB-BA0E-5FF0A9B871F0@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 16 Jan 2020 15:00:04 -0800
Message-ID: <CAD9ie-vurKFg=yBmgeFXX_pJTM=QPsNaOe73eZ5DwEGMtdbB9w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9a738059c49c996"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Q69oyIq4oB1Rats_E3EEOU3ZwDQ>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 23:00:21 -0000
I was thinking that other kinds of delegation results would be yet another top level request, and matching response. Since it is not a widely deployed use case today, it would be an extension to the core protocol. Justin: What to you mean by VoT? wrt. returning claims, vs access to claims, I think it is an important discussion -- but let's put a pin in that for discussion in the WG once we are formed! I don't think that needs to be in the charter, but happy to be convinced otherwise. ᐧ On Thu, Jan 16, 2020 at 2:49 PM Justin Richer <jricher@mit.edu> wrote: > I’m cautiously Ok with having resource inlining be in scope — IF we can > generalize it from the identity case specifically. > > To do what you’re asking for though, the WG can still be chartered to > solve identity (which we know is a well-established and understood use > case), but also allow other things. > > This gets back to a fundamental question that I don’t have a clear answer > for yet: what do you get back at the end of a transaction? Right now we’ve > got a clear call for three things: > > 1. Access tokens to call APIs > 2. Transaction handles to continue the transaction later (like a refresh > token but better) > 3. User identity claims > > Maybe the mechanism we use for #3 can be generalized, or maybe there’s > even a good way to provide switches for #1, #2, and #3. > > And while we’re on the topic of #3, I think there’s a strong case to be > made that it should NOT be a user’s profile information, but rather just > enough information to identify the user to the RP. If the RP wants to pull > more profile info, it can do so via an API. This keeps us out of the > anti-pattern that SAML has of always sending all claims about a user > whether the RP needs them or not. But the RP will at least need to know if > it has to request the claims, and we can do that by a simple enough > structure like: > > user: { > “iss”: “http://foo.bar/“, > “sub”: “12387yhjfre”, > “last_updated”: 54239084 > } > > > You can add VoT and other things that can vary per-login here as well. But > I shouldn’t be sending you the user’s name and address every time they log > in — as an RP you only need to get that if it’s a new account or if it’s > been updated since you last saw it. You can’t handle that if you’re pushing > all the claims in the response: Since the RP doesn’t know who the user is > until after this stage, it can’t tell that information to the IdP ahead of > time and therefore the IdP is forced to always send it just in case the RP > might need it. But by telling the RP an identifier for the user and a tag > of when any of their information was last updated I can make the decision > whether or not to pull information at the RP in an intelligent fashion if I > want to. > > — Justin > > > On Jan 16, 2020, at 5:29 PM, Richard Backman, Annabelle < > richanna@amazon.com> wrote: > > > > The same could be said for any resource, particularly in scenarios where > the interaction was kicked off so that the SP can perform a specific action > initiated by the user (e.g., charging a credit card or account, publishing > a message to a message board or social media feed, retrieving a specific > document or image). > > > > Consider a flow like the following: > > 1. The end user is on a client website that provides a photo printing > service, clicks the "Print from CloudStorageProvider" button. > > 4. The client initates TxAuth via CloudStorageProvider's transaction > endpoint, requesting a URL for a photo to be selected by the end user. > > 5. CloudStorageProvider returns an interact_url pointing to its AS. > > 6. The client redirects the user agent to the AS. > > 7. The end user signs in, and selects the photo they want to print, and > confirms authorization to share with the client. > > 8. The AS redirects the user agent back to client. > > 9. The client calls back to CloudStorageProvider's transaction endpoint > to continue the TxAuth transaction. > > 10. CloudStorageProvider returns confirmation that the authorization was > granted, along with the URL for the selected photo. > > > > This is identical to the identity use case, we've just replaced identity > claims with a URL to a photo. I see a lot of value in encouraging one-time > authorization of specific actions like this, and if we're going to support > inlining of resources for identity claims anyway, it's not a big stretch to > allow for arbitrary resource types. I do think it's fair to narrowly scope > the kinds of resource *schemas* the WG will define (e.g., defining core > identity claims like OIDC did), but the inlining mechanism should be > flexible (e.g., not limiting this to claims about the end user identity, > like OIDC did). > > > > – > > Annabelle Richard Backman > > AWS Identity > > > > > > On 1/16/20, 12:59 PM, "Txauth on behalf of Justin Richer" < > txauth-bounces@ietf.org on behalf of jricher@mit.edu> wrote: > > > > I think that’s exactly the reason — the case of getting information > about the user directly from the TX endpoint is well established. People > don’t want to make another round trip just to figure out who’s there, when > a lot of time that’s the first thing they care about, and then the’d make > the determination of whether to follow other APIs after that. > > > > So if I can send you a very basic set of authn info from the > callback, like an identifier and VoT style login information, then you can > figure out if you need to know more about that user or not. But these basic > claims do get elevated to the same level as other returned artifacts from > the transaction, like the access tokens. > > > > — Justin > > > >> On Jan 16, 2020, at 2:12 PM, Richard Backman, Annabelle < > richanna@amazon.com> wrote: > >> > >> The only reason I can think of to single out identity within the > charter is if there is some work or feature that is within scope for the > working group, but only for identity claims (e.g., returning identity > claims from the transaction endpoint). Repeating a question I posed > earlier, what is it about identity claims that make them worthy of special > consideration? > >> > >> – > >> Annabelle Richard Backman > >> AWS Identity > >> > >> > >> On 1/16/20, 8:51 AM, "Justin Richer" <jricher@mit.edu> wrote: > >> > >> On Jan 16, 2020, at 11:15 AM, Torsten Lodderstedt < > torsten@lodderstedt.net> wrote: > >>> > >>> > >>> > >>>> Am 16.01.2020 um 16:45 schrieb Justin Richer <jricher@mit.edu>: > >>>> > >>>> - Approval of identity claims and multiple resources in a single > interaction > >>> > >>> This sounds a bit incomplete to me. I assume the user would approve > „the attestation of identity claims“. I furthermore think the user would > approve „access to multiple APIs“. I would prefer API over resource because > it is more universal. For example, the protocol could also be used to > create resources. > >> > >> Point taken, but this isn’t meant to be an exhaustive list of what it > can do, merely the list of things we’re positive we want it to do. I also > prefer “API” over “resource”, but concede that “resource” can be a > writeable thing too. Even then I’m happy to tweak the language here. > >> > >> — Justin > >> > > > > -- > > Txauth mailing list > > Txauth@ietf.org > > https://www.ietf.org/mailman/listinfo/txauth > > > > > >
- [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Adrian Hope-Bailie
- Re: [Txauth] alternative charter writeup Yaron Sheffer
- Re: [Txauth] alternative charter writeup Lee McGovern
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Torsten Lodderstedt
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Thomas Hardjono
- Re: [Txauth] alternative charter writeup Dick Hardt
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Justin Richer
- Re: [Txauth] alternative charter writeup Richard Backman, Annabelle
- Re: [Txauth] alternative charter writeup Justin Richer