Re: [Txauth] Support of delegation
Justin Richer <jricher@mit.edu> Wed, 15 July 2020 17:16 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1014D3A0FC3 for <txauth@ietfa.amsl.com>; Wed, 15 Jul 2020 10:16:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.918
X-Spam-Level:
X-Spam-Status: No, score=-1.918 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p65OwZ8lW7Oc for <txauth@ietfa.amsl.com>; Wed, 15 Jul 2020 10:16:47 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8BCDB3A0F07 for <txauth@ietf.org>; Wed, 15 Jul 2020 10:16:37 -0700 (PDT)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 06FHGUEE030854 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 15 Jul 2020 13:16:31 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <C3A840C3-11A6-41FA-AA37-2ACEFC38315C@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C67C8FB1-4952-4100-B30C-EEEF87585778"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 15 Jul 2020 13:16:24 -0400
In-Reply-To: <7572576d-b5b4-dea5-3383-fbbf6cc10450@free.fr>
Cc: "txauth@ietf.org" <txauth@ietf.org>
To: Denis <denis.ietf@free.fr>
References: <7572576d-b5b4-dea5-3383-fbbf6cc10450@free.fr>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/SboGMpz55APZk4dPufJFFUJ0TTo>
Subject: Re: [Txauth] Support of delegation
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2020 17:16:50 -0000
The primary delegation in mind is the delegation of rights from the resource owner to the client (in control of the user). Redelegation of rights from one RS down to another is a design consideration, but in my opinion that’s another layer of the protocol and process beyond the primary concern. — Justin > On Jul 15, 2020, at 12:16 PM, Denis <denis.ietf@free.fr> wrote: > > > > Support of delegation > > The charter is mentioning a "delegation process", but at this time it is unclear how the delegation of an operation > originating from one Client towards two or more resource servers (RSs) will be supported. > > Here after is a proposal to support a delegation scheme constructed along "Privacy by Design" principles. > A key element of this scheme is the use of a "User Consent element" supported by the Client. > > In order to support this proposed delegation scheme, (only) a sequence of delegation tokens is needed. > > > +--------+ +------------+ > | User | | Resource | > | |\ | Owner (RO) | > +--------+ \ +------------+ > | \ | > | \ | > | \ | > | \ | > | \ | > +-----------+ (2a) +---------------+ +----------+ > | |----->| Authorization | | | > | | (2b) | Server (AS) | | | > | Client |<-----| | | | > | | (1a) +---------------+ | | > | |------------------------>| Resource | > | User | (1b) | Server 1 | > | Consent |<------------------------| (RS1) | > | element | (3a) | | (4a) +----------+ > | |------------------------>| |------>| | > | | | | (4b) | | > | User | (3b) | |<------| | > | Consent |<------------------------| | | Resource | > | element | +----------+ | Server 2 | > | | (5a) | (RS2) | > | |------------------------------------------->| | > | | (5b) | | > | |<-------------------------------------------| | > +-----------+ +----------+ > > > > DELEGATION CASES > > Two cases are being considered, whether RS1 and RS2 do not belong to the same service (Case A) > or whether they both belong to the same service (Case B). > > The sequence of flows up to (3a) are the same as those described in an earlier email called : > "A model with a User Consent Element (with a clean figure)" > > > Case A > > Let us suppose that RS1 is unable to fulfil the operation by its own and that it needs to contact another RS, i.e. RS2. > RS1 contacts RS2 (4a) and indicates the operation that it is willing to perform on RS2 (that operation may not be > exactly the same as the original operation indicated by the client). > > In return (4b), RS2 informs RS1 about which kind of attributes are needed by RS2 for performing the requested operation > and from which Attributes Servers they may be obtained. RS2 also provides a temporary API address and an handle so that > the Client can subsequently make a call directly to an API from RS2. RS1 forwards that information to the Client. > > This information is marked to indicate that it shall be handled by the "User Consent element" from the Client. > The presentation of that information is up to the man machine interface from the Client. The user can see the new requested > operation by RS1 on RS2 and which kind of attributes are requested by RS2, as well as from which ASs. If the user consents > to release these attributes to RS2, the Client then contacts one or more appropriate Authorization Servers. > > Once the Client has obtained the appropriate access tokens targeted to RS2, it presents all of them to RS2 (5a) in a single request. > Then RS2 is able to provide a response to the Client (5b). > > Some observations: > > The user consent is captured locally by the "User Consent element" from the Client. There are two user consent phases: > one for RS1 and another one for RS2. > > RS1 will know which kind of attributes types are requested by RS2, but will be unable to know which attribute values from which AS(s) > will be presented by the Client to RS2. > > RS1 does see the flow (5b) since this flow is going directly from RS2 to the Client. > > The "User Consent element" from the Client may use a cache of previous user consents and may present earlier choices > to the user for speeding the user consent process. > > The relationships between RS1 and RS2 can change at any time but no AS needs to be informed on these relationships. > > There is no protocol between any AS and any RO, including using "out-of-bands" means. > > > Case B > > Let us now suppose that RS1 is unable to fulfil the operation by its own but that it knows that the requested operation can be fulfilled > thanks to the help of another RS from the same service. > > In such a case, when returning the "authorization table" (see an earlier email called "Support of FIDO and data minimization by RSs") > in the exchange (1b) for the given requested operation, RS1 will include both its name and the name of the service. > > If the user consents to request the inclusion of the name of this service into the access token(s) delivered to RS1, then this allows > to save the exchanges (5a) and (5b): in such a case, all the exchanges with the Client will be carried out through RS1. > > If the user do not consent to request the inclusion of the name of this service into the access token(s) delivered to RS1, then the previous > case A will apply. > > Denis > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth
- [Txauth] Support of delegation Denis
- Re: [Txauth] Support of delegation Justin Richer
- Re: [Txauth] Support of delegation Dick Hardt