IETF Logo Mail Archive

Re: [Txauth] alternative charter writeup

"Richard Backman, Annabelle" <richanna@amazon.com> Thu, 16 January 2020 22:29 UTC

Return-Path: <prvs=277cd68f8=richanna@amazon.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15422120086 for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 14:29:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O7P3dZoIuWgF for <txauth@ietfa.amsl.com>; Thu, 16 Jan 2020 14:29:37 -0800 (PST)
Received: from smtp-fw-9101.amazon.com (smtp-fw-9101.amazon.com [207.171.184.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7529712004A for <txauth@ietf.org>; Thu, 16 Jan 2020 14:29:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1579213778; x=1610749778; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=qFoGF9AnZSjMhQ/ByaLbsOkDqaLW07mWLd05GJpkdXU=; b=E0jj1lrCK2x5l0SBDEujtVLcGwbp/sZig9UnUDfSYBX6ISCwXwzWwHzF z8qQXDnrnwX/C04iAUMZOzRD7k8yvQzGfbXj010ioP02VXF9MfzjcFJTl zjVVIO2Bf/RpECFkgGb0KjDlVf+UsIYJBhaf/IBoGMt+oSBzAS/4C3hQ0 0=;
IronPort-SDR: f7Uc1hSuue/c9Llrv69Dx/P77kSDb8zkD8rxQr9N792wyHkuxYD19cCMhnPaVWFUvVkvz0WAWK HcDL310DJU8w==
X-IronPort-AV: E=Sophos;i="5.70,327,1574121600"; d="scan'208";a="10785513"
Received: from sea32-co-svc-lb4-vlan3.sea.corp.amazon.com (HELO email-inbound-relay-1a-807d4a99.us-east-1.amazon.com) ([10.47.23.38]) by smtp-border-fw-out-9101.sea19.amazon.com with ESMTP; 16 Jan 2020 22:29:26 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan2.iad.amazon.com [10.40.159.162]) by email-inbound-relay-1a-807d4a99.us-east-1.amazon.com (Postfix) with ESMTPS id 934CCA315F; Thu, 16 Jan 2020 22:29:25 +0000 (UTC)
Received: from EX13D11UWC001.ant.amazon.com (10.43.162.151) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 16 Jan 2020 22:29:24 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC001.ant.amazon.com (10.43.162.151) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Thu, 16 Jan 2020 22:29:24 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Thu, 16 Jan 2020 22:29:24 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Justin Richer <jricher@mit.edu>
CC: Torsten Lodderstedt <torsten@lodderstedt.net>, "txauth@ietf.org" <txauth@ietf.org>, Dick Hardt <dick.hardt@gmail.com>
Thread-Topic: [Txauth] alternative charter writeup
Thread-Index: AQHVx9g9cyOj1MRzqU6+3+Goa7VakafkXaAAgABoEICAA/l4gIAAld0A//+QawCAAI5HAIAALucAgAPVjwCAAAhfAIAAChsA//+hWgCAAKOzAP//k04A
Date: Thu, 16 Jan 2020 22:29:24 +0000
Message-ID: <7A4FC2A4-9960-4A75-847C-0477FE81DB4F@amazon.com>
References: <857A822F-E819-443E-8D92-5A5BD682D3AF@mit.edu> <3CC78FFE-8115-4693-8FEF-EC9B9BDDD786@lodderstedt.net> <BFD1E625-BAEB-4367-821B-D75511928E76@mit.edu> <B6D4450B-CE5F-410B-A21D-C494CD4483A6@amazon.com> <5A7FEF06-954E-47B1-B3CE-AD5DE2329B52@mit.edu>
In-Reply-To: <5A7FEF06-954E-47B1-B3CE-AD5DE2329B52@mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.162.95]
Content-Type: text/plain; charset="utf-8"
Content-ID: <9053AE562C422046AE6CFB60899A037A@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/QghvGaGL7Iq4IAUD2b7r9ucZIeY>
Subject: Re: [Txauth] alternative charter writeup
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 22:29:39 -0000

The same could be said for any resource, particularly in scenarios where the interaction was kicked off so that the SP can perform a specific action initiated by the user (e.g., charging a credit card or account, publishing a message to a message board or social media feed, retrieving a specific document or image).

Consider a flow like the following:
1. The end user is on a client website that provides a photo printing service, clicks the "Print from CloudStorageProvider" button.
4. The client initates TxAuth via CloudStorageProvider's transaction endpoint, requesting a URL for a photo to be selected by the end user.
5. CloudStorageProvider returns an interact_url pointing to its AS.
6. The client redirects the user agent to the AS.
7. The end user signs in, and selects the photo they want to print, and confirms authorization to share with the client.
8. The AS redirects the user agent back to client.
9. The client calls back to CloudStorageProvider's transaction endpoint to continue the TxAuth transaction.
10. CloudStorageProvider returns confirmation that the authorization was granted, along with the URL for the selected photo.

This is identical to the identity use case, we've just replaced identity claims with a URL to a photo. I see a lot of value in encouraging one-time authorization of specific actions like this, and if we're going to support inlining of resources for identity claims anyway, it's not a big stretch to allow for arbitrary resource types. I do think it's fair to narrowly scope the kinds of resource *schemas* the WG will define (e.g., defining core identity claims like OIDC did), but the inlining mechanism should be flexible (e.g., not limiting this to claims about the end user identity, like OIDC did).

– 
Annabelle Richard Backman
AWS Identity
 

On 1/16/20, 12:59 PM, "Txauth on behalf of Justin Richer" <txauth-bounces@ietf.org on behalf of jricher@mit.edu> wrote:

    I think that’s exactly the reason — the case of getting information about the user directly from the TX endpoint is well established. People don’t want to make another round trip just to figure out who’s there, when a lot of time that’s the first thing they care about, and then the’d make the determination of whether to follow other APIs after that. 
    
    So if I can send you a very basic set of authn info from the callback, like an identifier and VoT style login information, then you can figure out if you need to know more about that user or not. But these basic claims do get elevated to the same level as other returned artifacts from the transaction, like the access tokens.
    
     — Justin
    
    > On Jan 16, 2020, at 2:12 PM, Richard Backman, Annabelle <richanna@amazon.com> wrote:
    > 
    > The only reason I can think of to single out identity within the charter is if there is some work or feature that is within scope for the working group, but only for identity claims (e.g., returning identity claims from the transaction endpoint). Repeating a question I posed earlier, what is it about identity claims that make them worthy of special consideration?
    > 
    > – 
    > Annabelle Richard Backman
    > AWS Identity
    > 
    > 
    > On 1/16/20, 8:51 AM, "Justin Richer" <jricher@mit.edu> wrote:
    > 
    >    On Jan 16, 2020, at 11:15 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
    >> 
    >> 
    >> 
    >>> Am 16.01.2020 um 16:45 schrieb Justin Richer <jricher@mit.edu>:
    >>> 
    >>> - Approval of identity claims and multiple resources in a single interaction
    >> 
    >> This sounds a bit incomplete to me. I assume the user would approve „the attestation of identity claims“. I furthermore think the user would approve „access to multiple APIs“. I would prefer API over resource because it is more universal. For example, the protocol could also be used to create resources.
    > 
    >    Point taken, but this isn’t meant to be an exhaustive list of what it can do, merely the list of things we’re positive we want it to do. I also prefer “API” over “resource”, but concede that “resource” can be a writeable thing too. Even then I’m happy to tweak the language here. 
    > 
    >     — Justin
    > 
    
    -- 
    Txauth mailing list
    Txauth@ietf.org
    https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email