IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

Dick Hardt <dick.hardt@gmail.com> Thu, 16 January 2020 23:00 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8761A1200C3 for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 15:00:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmQAJDaU9Xeq for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 15:00:18 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F883120099 for <txauth@ietf.org>; Thu, 16 Jan 2020 15:00:17 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id y6so24479609lji.0 for <txauth@ietf.org>; Thu, 16 Jan 2020 15:00:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Q/ZAKO9n1G9wDlvI7kk2qEeYg49JiAtnBJ3Gn0Yw+Pw=; b=cqyRz8JSVEc0KpRe2vnkwZNe5P5xyfugAkTKABsSAchV6TBzOpPaJNDV7R8rFbO7fO BT4QEFqkl8E9Wil53KHCLC0ZQDTIy4ObxYqbAcucgYYeYyUR83Ku6eOgTP6T+g/+p/cW TUdPvNxKydWJ+Cn+i7bEqybRZgSXjouDX2498+Fi15EcjYWwAirynKv+kEyd8a1/zBAF 97Fd3paVbr11ogS2BU+EOqRSKcYCG37kqekBj4IMGNYbhuAUzLqj/UOyHC46fgxDgAOi q/jWPC/ggWmJgcGNeSvDNwUiXYhmNRbXjUOSLfnabrNdmbGE+pRqFgolZ5/QAb4JQz2N /h9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Q/ZAKO9n1G9wDlvI7kk2qEeYg49JiAtnBJ3Gn0Yw+Pw=; b=opPXxOeQoyDZWtYPwT0aEDwSv2qWi/RFa47hn7rzkzzQPQHkpr6T+8wRwHNgcd7e2S RjUR/5w2AhXVZFf2megrPGZoDI8gZI1izyiDuD6mNOPZiJW74bR14ZV3IHBRZNNG4/Gv cdCYwzwXvSkYyjNERJsNjNcS9iFAe1TJP+IG7BMKdSF1yhcjg8L79Z5XrsU44ujwviw7 aEH5A6VO611uavSTm9fIlIS7t79GxyflBZclrROY7XYudZAlBToxof3dlMa7Pi9yRQre d2+lGPHBq5e1RgfFh9sLvKN4uhr8yakp5xLjvIMKbVw9vBS/e6om95O+73rNGfvDJJCf iVUg==
X-Gm-Message-State: APjAAAWMTjyi/2H7mnlfx0hagX2RPAum1jZ+DuLBgiCU3IMo+634Edmg kh5zmo5RGhG2Al0Gje5zk9raMNs2dufTIstJ60GmPI5u
X-Google-Smtp-Source: APXvYqwmdHBxOR4EyJ5vs4X3RP9M7TkqSz/0JPn7iA/G6vYRW7VJtvIjLX89i5zAi/Moouwp6gtIiGUdEIrrrqFTH1g=
X-Received: by 2002:a2e:9008:: with SMTP id h8mr3560573ljg.217.1579215615533; Thu, 16 Jan 2020 15:00:15 -0800 (PST)
MIME-Version: 1.0
References: <857A822F-E819-443E-8D92-5A5BD682D3AF@mit.edu> <3CC78FFE-8115-4693-8FEF-EC9B9BDDD786@lodderstedt.net> <BFD1E625-BAEB-4367-821B-D75511928E76@mit.edu> <B6D4450B-CE5F-410B-A21D-C494CD4483A6@amazon.com> <5A7FEF06-954E-47B1-B3CE-AD5DE2329B52@mit.edu> <7A4FC2A4-9960-4A75-847C-0477FE81DB4F@amazon.com> <00C978A2-E4B1-4EEB-BA0E-5FF0A9B871F0@mit.edu>
In-Reply-To: <00C978A2-E4B1-4EEB-BA0E-5FF0A9B871F0@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 16 Jan 2020 15:00:04 -0800
Message-ID: <CAD9ie-vurKFg=yBmgeFXX_pJTM=QPsNaOe73eZ5DwEGMtdbB9w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: "Richard Backman, Annabelle" <richanna@amazon.com>, Torsten Lodderstedt <torsten@lodderstedt.net>, "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9a738059c49c996"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Q69oyIq4oB1Rats_E3EEOU3ZwDQ>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 23:00:21 -0000

I was thinking that other kinds of delegation results would be yet another
top level request, and matching response. Since it is not a widely deployed
use case today, it would be an extension to the core protocol.

Justin:  What to you mean by VoT?

wrt. returning claims, vs access to claims, I think it is an important
discussion -- but let's put a pin in that for discussion in the WG once we
are formed! I don't think that needs to be in the charter, but happy to be
convinced otherwise.
ᐧ

On Thu, Jan 16, 2020 at 2:49 PM Justin Richer <jricher@mit.edu> wrote:

> I’m cautiously Ok with having resource inlining be in scope — IF we can
> generalize it from the identity case specifically.
>
> To do what you’re asking for though, the WG can still be chartered to
> solve identity (which we know is a well-established and understood use
> case), but also allow other things.
>
> This gets back to a fundamental question that I don’t have a clear answer
> for yet: what do you get back at the end of a transaction? Right now we’ve
> got a clear call for three things:
>
> 1. Access tokens to call APIs
> 2. Transaction handles to continue the transaction later (like a refresh
> token but better)
> 3. User identity claims
>
> Maybe the mechanism we use for #3 can be generalized, or maybe there’s
> even a good way to provide switches for #1, #2, and #3.
>
> And while we’re on the topic of #3, I think there’s a strong case to be
> made that it should NOT be a user’s profile information, but rather just
> enough information to identify the user to the RP. If the RP wants to pull
> more profile info, it can do so via an API. This keeps us out of the
> anti-pattern that SAML has of always sending all claims about a user
> whether the RP needs them or not. But the RP will at least need to know if
> it has to request the claims, and we can do that by a simple enough
> structure like:
>
> user: {
>   “iss”: “http://foo.bar/“,
>   “sub”: “12387yhjfre”,
>   “last_updated”: 54239084
> }
>
>
> You can add VoT and other things that can vary per-login here as well. But
> I shouldn’t be sending you the user’s name and address every time they log
> in — as an RP you only need to get that if it’s a new account or if it’s
> been updated since you last saw it. You can’t handle that if you’re pushing
> all the claims in the response: Since the RP doesn’t know who the user is
> until after this stage, it can’t tell that information to the IdP ahead of
> time and therefore the IdP is forced to always send it just in case the RP
> might need it. But by telling the RP an identifier for the user and a tag
> of when any of their information was last updated I can make the decision
> whether or not to pull information at the RP in an intelligent fashion if I
> want to.
>
>  — Justin
>
> > On Jan 16, 2020, at 5:29 PM, Richard Backman, Annabelle <
> richanna@amazon.com> wrote:
> >
> > The same could be said for any resource, particularly in scenarios where
> the interaction was kicked off so that the SP can perform a specific action
> initiated by the user (e.g., charging a credit card or account, publishing
> a message to a message board or social media feed, retrieving a specific
> document or image).
> >
> > Consider a flow like the following:
> > 1. The end user is on a client website that provides a photo printing
> service, clicks the "Print from CloudStorageProvider" button.
> > 4. The client initates TxAuth via CloudStorageProvider's transaction
> endpoint, requesting a URL for a photo to be selected by the end user.
> > 5. CloudStorageProvider returns an interact_url pointing to its AS.
> > 6. The client redirects the user agent to the AS.
> > 7. The end user signs in, and selects the photo they want to print, and
> confirms authorization to share with the client.
> > 8. The AS redirects the user agent back to client.
> > 9. The client calls back to CloudStorageProvider's transaction endpoint
> to continue the TxAuth transaction.
> > 10. CloudStorageProvider returns confirmation that the authorization was
> granted, along with the URL for the selected photo.
> >
> > This is identical to the identity use case, we've just replaced identity
> claims with a URL to a photo. I see a lot of value in encouraging one-time
> authorization of specific actions like this, and if we're going to support
> inlining of resources for identity claims anyway, it's not a big stretch to
> allow for arbitrary resource types. I do think it's fair to narrowly scope
> the kinds of resource *schemas* the WG will define (e.g., defining core
> identity claims like OIDC did), but the inlining mechanism should be
> flexible (e.g., not limiting this to claims about the end user identity,
> like OIDC did).
> >
> > –
> > Annabelle Richard Backman
> > AWS Identity
> >
> >
> > On 1/16/20, 12:59 PM, "Txauth on behalf of Justin Richer" <
> txauth-bounces@ietf.org on behalf of jricher@mit.edu> wrote:
> >
> >    I think that’s exactly the reason — the case of getting information
> about the user directly from the TX endpoint is well established. People
> don’t want to make another round trip just to figure out who’s there, when
> a lot of time that’s the first thing they care about, and then the’d make
> the determination of whether to follow other APIs after that.
> >
> >    So if I can send you a very basic set of authn info from the
> callback, like an identifier and VoT style login information, then you can
> figure out if you need to know more about that user or not. But these basic
> claims do get elevated to the same level as other returned artifacts from
> the transaction, like the access tokens.
> >
> >     — Justin
> >
> >> On Jan 16, 2020, at 2:12 PM, Richard Backman, Annabelle <
> richanna@amazon.com> wrote:
> >>
> >> The only reason I can think of to single out identity within the
> charter is if there is some work or feature that is within scope for the
> working group, but only for identity claims (e.g., returning identity
> claims from the transaction endpoint). Repeating a question I posed
> earlier, what is it about identity claims that make them worthy of special
> consideration?
> >>
> >> –
> >> Annabelle Richard Backman
> >> AWS Identity
> >>
> >>
> >> On 1/16/20, 8:51 AM, "Justin Richer" <jricher@mit.edu> wrote:
> >>
> >>   On Jan 16, 2020, at 11:15 AM, Torsten Lodderstedt <
> torsten@lodderstedt.net> wrote:
> >>>
> >>>
> >>>
> >>>> Am 16.01.2020 um 16:45 schrieb Justin Richer <jricher@mit.edu>:
> >>>>
> >>>> - Approval of identity claims and multiple resources in a single
> interaction
> >>>
> >>> This sounds a bit incomplete to me. I assume the user would approve
> „the attestation of identity claims“. I furthermore think the user would
> approve „access to multiple APIs“. I would prefer API over resource because
> it is more universal. For example, the protocol could also be used to
> create resources.
> >>
> >>   Point taken, but this isn’t meant to be an exhaustive list of what it
> can do, merely the list of things we’re positive we want it to do. I also
> prefer “API” over “resource”, but concede that “resource” can be a
> writeable thing too. Even then I’m happy to tweak the language here.
> >>
> >>    — Justin
> >>
> >
> >    --
> >    Txauth mailing list
> >    Txauth@ietf.org
> >    https://www.ietf.org/mailman/listinfo/txauth
> >
> >
>
>

v2.23.0 | Report a Bug | By Email