[GNAP] RS Draft Updates

Justin Richer <jricher@mit.edu> Tue, 17 October 2023 17:05 UTC

From: Justin Richer <jricher@mit.edu>
To: GNAP Mailing List <txauth@ietf.org>
Date: Tue, 17 Oct 2023 17:05:06 +0000
Message-ID: <C2664588-A1E8-409B-A3D8-129AF3965A1B@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/QMeMvJHBxd8Hk9E3LIM7CdufD8s>
Subject: [GNAP] RS Draft Updates

Hi WG,

We’ve been working through the issues filed against the RS draft ahead of the Prague meeting. As you’ve probably seen on the summary, there are a number of PRs to update text. Most of these address existing issues:

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/65 - adds token format references

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/66 - updates IANA considerations sections based on other feedback

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/70 - during token derivation, require that the token being presented is applicable to the RS presenting it (built-in introspection, essentially)

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/71 - list token formats supported during resource set registration

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/72 - be more clear about token introspection responsibilities and expectations for the AS

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/73 - update the RS-facing discovery document to match the format of core
Additionally, there are a couple new features and clarifications that didn’t have issues filed but we fixed along the way:

https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/69 - add the “token management token” to the token model under the classes of special tokens, like the continuation access token
https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/74 - this small change allows an AS to use a key-bound GNAP access token to protect calls to the RS-facing API. This API already requires authentication by the RS, so this is just an additional option where it makes sense for an AS to use it. This feature is reminiscent of a UMA feature from the distributed authorization specification, which utilized a construct known as the protection API access token (PAT).
https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/75 - adds the “end user” as an entity to the token model, particularly in cases where the end user and RO are different and it’s important for the system to know about that difference. This does not map directly to an existing JWT field at this time.
We’re still working on the expanded security considerations as discussed in the wake of discussions at OSW and during the reviews, as well as some editorial rewrites for the intro and abstract. Once this is done and the above PRs are incorporated, we believe the document will be ready for WGLC. Please review the above text changes, as the editors would like to publish a new document ahead of Prague — the cutoff date for new drafts is this coming Monday.

 — Justin
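As an added illustration of the applicability rule summarized for PR #70 above (an RS presenting a token for derivation must be an RS the token actually applies to), the following Python sketch models that check on a hypothetical in-memory AS. It is not code from the RS draft, the GNAP repositories, or this message: the registry of resource servers keyed by their key id, the token store, the `derive()` entry point and the sample locations are all assumptions of the example; only the general shape of an access token's `access` entries (`type` plus `locations`) follows GNAP core.

```python
"""Hypothetical model of the PR #70 applicability check during token derivation.

Assumptions of this example (not from the draft): an AS keeps an in-memory
registry of resource servers (key id -> locations served), a store of tokens it
issued, and exposes derive() for an RS that has authenticated with its own key
and presents a token it received from a client. The AS refuses to derive a
downstream token unless the presented token applies to that RS, which is the
"built-in introspection" the PR summary describes.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessToken:
    value: str
    access: list                   # entries shaped like {"type": ..., "locations": [...]}
    expires_at: float
    revoked: bool = False
    parent: Optional[str] = None   # value of the token this one was derived from

    def active(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return not self.revoked and now < self.expires_at


class AuthorizationServer:
    def __init__(self):
        self.resource_servers = {}   # rs key id -> set of locations that RS serves
        self.tokens = {}             # token value -> AccessToken

    def register_rs(self, rs_key_id: str, locations) -> None:
        self.resource_servers[rs_key_id] = set(locations)

    def issue(self, access, lifetime: float = 600, parent: Optional[str] = None) -> AccessToken:
        tok = AccessToken(secrets.token_urlsafe(24), access, time.time() + lifetime, parent=parent)
        self.tokens[tok.value] = tok
        return tok

    def applies_to(self, token: AccessToken, rs_key_id: str) -> bool:
        """Built-in introspection: the token is applicable to an RS only if it is
        active and at least one access entry names a location that RS serves.
        An unregistered RS or an inactive token is never a match."""
        served = self.resource_servers.get(rs_key_id)
        if served is None or not token.active():
            return False
        return any(loc in served
                   for entry in token.access
                   for loc in entry.get("locations", []))

    def derive(self, rs_key_id: str, presented_value: str, downstream_access) -> AccessToken:
        """RS authenticated as rs_key_id presents a token and asks for a downstream
        token carrying downstream_access. Refuse unless the token applies to it."""
        token = self.tokens.get(presented_value)
        if token is None or not self.applies_to(token, rs_key_id):
            raise PermissionError("presented token is not applicable to the requesting RS")
        return self.issue(downstream_access, parent=presented_value)


def demo():
    """Constructed scenario: a photos RS and a calendar RS are registered; the
    client's token is scoped to the photos API only. Returns (photos RS could
    derive, calendar RS was refused)."""
    as_ = AuthorizationServer()
    as_.register_rs("rs-photos-key", ["https://photos.example/api"])
    as_.register_rs("rs-calendar-key", ["https://calendar.example/api"])
    client_token = as_.issue([{"type": "photo-api",
                               "locations": ["https://photos.example/api"]}])
    downstream = [{"type": "blob-storage", "locations": ["https://storage.example/blobs"]}]

    derived = as_.derive("rs-photos-key", client_token.value, downstream)
    try:
        as_.derive("rs-calendar-key", client_token.value, downstream)
        refused = False
    except PermissionError:
        refused = True
    return derived.parent == client_token.value, refused


if __name__ == "__main__":
    print(demo())
```

The `parent` link is kept only so that a later revocation of the client's token could be propagated to tokens derived from it; the draft text summarized above does not specify that, so it is left as a hook rather than implemented here.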