Re: [GNAP] Consensus Call on Continuation Request
Dick Hardt <dick.hardt@gmail.com> Fri, 11 December 2020 23:34 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35AA03A1034 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 15:34:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ee5R58tiT860 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 15:34:56 -0800 (PST)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EF573A1033 for <txauth@ietf.org>; Fri, 11 Dec 2020 15:34:55 -0800 (PST)
Received: by mail-lf1-x12a.google.com with SMTP id m12so15628498lfo.7 for <txauth@ietf.org>; Fri, 11 Dec 2020 15:34:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=itlyyY74cIsndXNAvzQYuR41t8/NKg4L94BtDvECJAY=; b=HI/VMBOKMYHmy2X3Bse4OmRyHbo2/LAC77pZlHIWyMvCOW7JYpHoHl62aZGD26Q/GV NdazmYGKZxCoGGHHP4R5z0lKLAV6tJuqa8X6D62J9rMe8w6f9/jGZhSPJBqF6hazVzIL uEdDRiPDXJVe7FFj/Wf8FgiJGBlOA9BUqk0jcVlfDPQHKhy50/3KEALI1FS9DiBuPsn5 eHnaUGw74o6LHaBOF+dZlW7HnnesU9hJlkdXe1EI5e8h58fHASIkXlzkKiL3g8XepP6J 8VbMDMD25krS2CJeTCmxlG+zvt25tOamSWMVYrHChw4pHdlUpXWgSoO2Ae6aprgVHFhS 3yPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=itlyyY74cIsndXNAvzQYuR41t8/NKg4L94BtDvECJAY=; b=q4Su2hr+jXWFr5NDwBqw7RYLdwPT8x/vtFhKpXUWIZZxOx5sgDOg0GRo5KuGaOaGcb 7S1gB3Q7i0yD1e0l3VsvWjTcZoWB5hH9SdIjLAaJcLNV9VvLKeLfYn1FVbag23Z6CvMI VVOtDglt7VcViLwNnG04eMTx7gDD7ixCWJeouuxTitDif7/+H7WgmvvvzSLE+3YHRC+p 5+0Seru4wNkXy15uR0Kg6qiDKv+1Txhy5yAbLmG+Gshaj2ZjA5kZrW85RCfGXXtjnUhD NXb4M9yoMc6NSKxHyRwC4sIDz+e2k3GepSLGdr5t5uVYYln8gNkYoGYJ4Tn7dnZV4jzP CMgw==
X-Gm-Message-State: AOAM532ZW8ZK9ribIUcC8DCPggDZQH67IBPmVRDMU2ZOJmtFKaf5+u0G jJJz2I+ZkAkOZE8qWX31ZCO7iSb2fHkRrgkwsrI=
X-Google-Smtp-Source: ABdhPJwfCtaVC6eFiohjBTydwxBbdF/E9fHJDyJfunSTa1OYHTQoYwM3ijQ+3rdV8wU3knzQ67ywydtpfKlWCRrz/rc=
X-Received: by 2002:a19:3818:: with SMTP id f24mr3178514lfa.89.1607729688038; Fri, 11 Dec 2020 15:34:48 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com>
In-Reply-To: <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 11 Dec 2020 15:34:11 -0800
Message-ID: <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com>
To: Stephen Moore <srmoore@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, txauth gnap <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f352d405b638bc40"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/U-sYLf5qM_MmwyQnVaSgjaQKafo>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 23:34:58 -0000
On Fri, Dec 11, 2020 at 2:53 PM Stephen Moore <srmoore@gmail.com> wrote: > But from the spec: > " > When sending a non-continuation request to the AS, the RC MUST identify > itself by including the client field of the request... > ... > key (object / string) : The public key of the RC to be used in this > request as described in {{request-key}}. This field is REQUIRED. > ... > " > So on the initial request, the key will be there. > The client field can be an object or a string. If the client is pre-registered, then a string could be provided instead of an object. > > > If you don't have the access token, then how do you differentiate between > two requests from the same web application by two different users? Is the > web application supposed to have different credentials for every request? > The AS returns a URI for manipulating the request. I would change the spec so that each request would have a unique URI. This is the usually RESTful pattern that the resource (the grant request) has an URI. > So in this case, the easy way out is to pass the access token to the > client, who then, as i stated before, treats the continue request as a RS > call (albeit a specialized version of the RS where the RS is the AS) OR to > use the unique URL, > but that seems open to a brute force attack by a malicious RC. (What would > be the point of that attack, I don't know, I guess if someone had the > client credentials but not any subjects/resources they could try to > intercept the grant via continue... I just don't feel right locking things > down to unique URLs that way.) > If someone has the client credentials, they can impersonate the client, and all bets are off. LOTS of RS servers return a resource specific URL -- my proposal is no different. > -steve > > On Fri, Dec 11, 2020 at 5:33 PM Dick Hardt <dick.hardt@gmail.com> wrote: > >> Hi Stephen >> >> The client is signing the first request. The key *might* be in the body. >> The client is signing all the subsequent requests as well. The "access >> token" is not needed by the client to prove it is authorized as the client >> is proving it is the same client again. >> >> In other words, I don't see the need for an access token, so it does not >> need to be put in a URL or an auth header. >> >> If a developer really, really wants to hand context back to the client >> for subsequent calls, they can put it in the URL or some other method. >> Putting it in the HTTP Authorization header is confusing because it is NOT >> an access token -- it is the context of the request. >> >> ᐧ >> >> On Fri, Dec 11, 2020 at 2:01 PM Stephen Moore <srmoore@gmail.com> wrote: >> >>> Even though I've only been lightly following things, I feel the need to >>> voice my preference as a developer since I will probably someday have to >>> either write a RC or RS... >>> >>> The way I see it is the RC makes the initial request to the AS as part >>> of this request, it provides it's key in the body... (So no use of the >>> Authorization header) >>> At this point that request, represented by the continue URL + "Access >>> Token", from my lazy developer standpoint, is a Resource Endpoint and >>> Access Token, and the AS is acting as a specialized RS in this case. >>> So my client posts to whatever URL with the 'access token' in the >>> authorization header, just like acting on any other resource I have a token >>> for. YES, I get a new token value to use every call, and there is a >>> decision point of "Do I have another continue, or do I have a real token >>> for the resource..." But the mechanism is the same to me in the client. >>> Personally I like that, because if I have an access_token, I already >>> think "Put it in the auth header." >>> >>> So my vote would be +1 for the pull request at this time. >>> -steve >>> >>> On Fri, Dec 11, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com> wrote: >>> >>>> inline ... >>>> >>>> On Fri, Dec 11, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote: >>>> >>>>> Others had already responded to this previous thread, but I wanted to >>>>> add a couple points to clarify some things. >>>>> >>>>> 3) What the client has to do with the "access token" is not the same >>>>> as access tokens for an RS. The client gets a new "access token" for each >>>>> grant request, and for each API call to the AS, and the client learns it >>>>> can not make any more API calls for that specific request when it does not >>>>> get an "access token" back. This is a completely different design pattern >>>>> than calling an RS API with an access token, and is a new design pattern >>>>> for calling APIs. This adds complexity to the client that it would not >>>>> normally have, and I don't think GNAP is the right place to start a new >>>>> design pattern. >>>>> >>>>> >>>>> I’m not sure what you mean by these being different — the whole point >>>>> of the design is that the client would be doing the same thing with the >>>>> access token at the AS that it does with the RS by re-using the access >>>>> token structure. Can you please describe what the differences are, apart >>>>> from the rotation? Presentation of the token and signing of the message are >>>>> identical. >>>>> >>>> >>>> The client is getting the "access token" from its API. It is not using >>>> an "access_token" in other API calls to the AS. >>>> >>>> >>>>> >>>>> Rotation of the access token and artifacts for ongoing continuation >>>>> responses is a separate issue to be discussed: >>>>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/87 >>>>> >>>>> And for what it’s worth, GNAP is absolutely the right place to have >>>>> new designs — not that this is one. >>>>> >>>> >>>> You are proposing a new way for an API to provide context for >>>> subsequent API calls. Looks out of scope to me. >>>> >>>> >>>>> >>>>> 4) Clients that only want claims from the AS and no access tokens will >>>>> be required to support an API calling mechanism they would not have to >>>>> support otherwise. >>>>> >>>>> >>>>> Correct, but the delta between the calls a client would make with and >>>>> without an access token is vanishingly small. The client has to sign the >>>>> initial request in some fashion, and it will sign the continuation request >>>>> in the same exact fashion, but now include an access token in that request. >>>>> >>>> >>>> Per my other point, there is no value to me in my implementations of >>>> passing context back and forth between the client and AS -- so it is extra >>>> work providing no value. >>>> >>>> Also, any client authentication mechanism that wants to use the HTTP >>>> Authentication header is precluded from using it. >>>> >>>> >>>> >>>>> >>>>> Clients making a request to an AS and not getting an access token is a >>>>> new design pattern. I think it has value and should be included, but OAuth >>>>> today shows us the immense value of getting access tokens for calling APIs, >>>>> and so we shouldn’t optimize away from that pattern. >>>>> >>>>> >>>>> 5) If the AS does not provide an "access token", there is no mechanism >>>>> for a client to delete the request, as the client is not allowed to make a >>>>> call without an "access token". >>>>> >>>>> >>>>> More properly, if the AS does not provide a “continue” field then the >>>>> client can’t delete the request — and yes, that’s intentional. The AS is >>>>> telling this client instance that it can’t do anything else with this >>>>> ongoing request. If the AS wants to allow the client to manage it, it will >>>>> include the mechanisms to do so in the “continue” field. >>>>> >>>> >>>> There is nuance in that intention. A related concern is that deleting a >>>> request does not seem like it is a "continue" operation. >>>> >>>> >>>>> >>>>> >>>>> 6) There is no standard identifier for the request. Debugging and >>>>> auditing are hampered by the client and AS having no standard way to >>>>> identifying a request. While one AS may provide a unique URL for each grant >>>>> request, another AS may use a persistent "access token" to identify the >>>>> grant request, and other ASs may issue a new "access token" on each API >>>>> call, providing no persistent identifier for the request. >>>>> >>>>> >>>>> Debugging and auditing this kind of thing are functions of the AS. How >>>>> is interoperability harmed by different ASs having different methods to >>>>> identify their internal data elements? The client doesn’t need any >>>>> knowledge of the AS’s identifiers, it just needs to know the next steps for >>>>> continuing the negotiation. >>>>> >>>> >>>> Debugging between the client and the AS was what I was referring to. >>>> How does a client developer identify the request when communicating to the >>>> AS developer. Seems complicated. >>>> >>>> ᐧ >>>> -- >>>> TXAuth mailing list >>>> TXAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/txauth >>>> >>> ᐧ
- [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Denis
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Stephen Moore
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Stephen Moore
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Stephen Moore
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Torsten Lodderstedt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Aaron Parecki
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Torsten Lodderstedt
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Dick Hardt
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Dave Tonge
- Re: [GNAP] Consensus Call on Continuation Request Warren Parad
- Re: [GNAP] Consensus Call on Continuation Request Fabien Imbault
- Re: [GNAP] Consensus Call on Continuation Request Justin Richer
- Re: [GNAP] Consensus Call on Continuation Request Aaron Parecki
- Re: [GNAP] Consensus Call on Continuation Request Mike Varley