IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Dick Hardt <dick.hardt@gmail.com> Fri, 11 December 2020 23:34 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35AA03A1034 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 15:34:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ee5R58tiT860 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 15:34:56 -0800 (PST)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6EF573A1033 for <txauth@ietf.org>; Fri, 11 Dec 2020 15:34:55 -0800 (PST)
Received: by mail-lf1-x12a.google.com with SMTP id m12so15628498lfo.7 for <txauth@ietf.org>; Fri, 11 Dec 2020 15:34:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=itlyyY74cIsndXNAvzQYuR41t8/NKg4L94BtDvECJAY=; b=HI/VMBOKMYHmy2X3Bse4OmRyHbo2/LAC77pZlHIWyMvCOW7JYpHoHl62aZGD26Q/GV NdazmYGKZxCoGGHHP4R5z0lKLAV6tJuqa8X6D62J9rMe8w6f9/jGZhSPJBqF6hazVzIL uEdDRiPDXJVe7FFj/Wf8FgiJGBlOA9BUqk0jcVlfDPQHKhy50/3KEALI1FS9DiBuPsn5 eHnaUGw74o6LHaBOF+dZlW7HnnesU9hJlkdXe1EI5e8h58fHASIkXlzkKiL3g8XepP6J 8VbMDMD25krS2CJeTCmxlG+zvt25tOamSWMVYrHChw4pHdlUpXWgSoO2Ae6aprgVHFhS 3yPQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=itlyyY74cIsndXNAvzQYuR41t8/NKg4L94BtDvECJAY=; b=q4Su2hr+jXWFr5NDwBqw7RYLdwPT8x/vtFhKpXUWIZZxOx5sgDOg0GRo5KuGaOaGcb 7S1gB3Q7i0yD1e0l3VsvWjTcZoWB5hH9SdIjLAaJcLNV9VvLKeLfYn1FVbag23Z6CvMI VVOtDglt7VcViLwNnG04eMTx7gDD7ixCWJeouuxTitDif7/+H7WgmvvvzSLE+3YHRC+p 5+0Seru4wNkXy15uR0Kg6qiDKv+1Txhy5yAbLmG+Gshaj2ZjA5kZrW85RCfGXXtjnUhD NXb4M9yoMc6NSKxHyRwC4sIDz+e2k3GepSLGdr5t5uVYYln8gNkYoGYJ4Tn7dnZV4jzP CMgw==
X-Gm-Message-State: AOAM532ZW8ZK9ribIUcC8DCPggDZQH67IBPmVRDMU2ZOJmtFKaf5+u0G jJJz2I+ZkAkOZE8qWX31ZCO7iSb2fHkRrgkwsrI=
X-Google-Smtp-Source: ABdhPJwfCtaVC6eFiohjBTydwxBbdF/E9fHJDyJfunSTa1OYHTQoYwM3ijQ+3rdV8wU3knzQ67ywydtpfKlWCRrz/rc=
X-Received: by 2002:a19:3818:: with SMTP id f24mr3178514lfa.89.1607729688038; Fri, 11 Dec 2020 15:34:48 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com>
In-Reply-To: <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 11 Dec 2020 15:34:11 -0800
Message-ID: <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com>
To: Stephen Moore <srmoore@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, txauth gnap <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f352d405b638bc40"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/U-sYLf5qM_MmwyQnVaSgjaQKafo>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 23:34:58 -0000

On Fri, Dec 11, 2020 at 2:53 PM Stephen Moore <srmoore@gmail.com> wrote:

> But from the spec:
> "
> When sending a non-continuation request to the AS, the RC MUST identify
> itself by including the client field of the request...
> ...
> key (object / string) : The public key of the RC to be used in this
> request as described in {{request-key}}. This field is REQUIRED.
> ...
> "
>
So on the initial request, the key will be there.
>

The client field can be an object or a string. If the client is
pre-registered, then a string could be provided instead of an object.

>

>
> If you don't have the access token, then how do you differentiate between
> two requests from the same web application by two different users? Is the
> web application supposed to have different credentials for every request?
>

The AS returns a URI for manipulating the request. I would change the spec
so that each request would have a unique URI. This is the usually
RESTful pattern that the resource (the grant request) has an URI.



> So in this case, the easy way out is to pass the access token to the
> client, who then, as i stated before, treats the continue request as a RS
> call (albeit a specialized version of the RS where the RS is the AS) OR to
> use the unique URL,
> but that seems open to a brute force attack by a malicious RC. (What would
> be the point of that attack, I don't know, I guess if someone had the
> client credentials but not any subjects/resources they could try to
> intercept the grant via continue... I just don't feel right locking things
> down to unique URLs that way.)
>

If someone has the client credentials, they can impersonate the client, and
all bets are off.

LOTS of RS servers return a resource specific URL -- my proposal is no
different.




> -steve
>
> On Fri, Dec 11, 2020 at 5:33 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> Hi Stephen
>>
>> The client is signing the first request. The key *might* be in the body.
>> The client is signing all the subsequent requests as well. The "access
>> token" is not needed by the client to prove it is authorized as the client
>> is proving it is the same client again.
>>
>> In other words, I don't see the need for an access token, so it does not
>> need to be put in a URL or an auth header.
>>
>> If a developer really, really wants to hand context back to the client
>> for subsequent calls, they can put it in the URL or some other method.
>> Putting it in the HTTP Authorization header is confusing because it is NOT
>> an access token -- it is the context of the request.
>>
>> ᐧ
>>
>> On Fri, Dec 11, 2020 at 2:01 PM Stephen Moore <srmoore@gmail.com> wrote:
>>
>>> Even though I've only been lightly following things, I feel the need to
>>> voice my preference as a developer since I will probably someday have to
>>> either write a RC or RS...
>>>
>>> The way I see it is the RC makes the initial request to the AS as part
>>> of this request, it provides it's key in the body... (So no use of the
>>> Authorization header)
>>> At this point that request, represented by the continue URL + "Access
>>> Token", from my lazy developer standpoint, is a Resource Endpoint and
>>> Access Token, and the AS is acting as a specialized RS in this case.
>>> So my client posts to whatever URL with the 'access token' in the
>>> authorization header, just like acting on any other resource I have a token
>>> for. YES, I get a new token value to use every call, and there is a
>>> decision point of "Do I have another continue, or do I have a real token
>>> for the resource..." But the mechanism is the same to me in the client.
>>> Personally I like that, because if I have an access_token, I already
>>> think "Put it in the auth header."
>>>
>>> So my vote would be +1 for the pull request at this time.
>>> -steve
>>>
>>> On Fri, Dec 11, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>
>>>> inline ...
>>>>
>>>> On Fri, Dec 11, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:
>>>>
>>>>> Others had already responded to this previous thread, but I wanted to
>>>>> add a couple points to clarify some things.
>>>>>
>>>>> 3) What the client has to do with the "access token" is not the same
>>>>> as access tokens for an RS. The client gets a new "access token" for each
>>>>> grant request, and for each API call to the AS, and the client learns it
>>>>> can not make any more API calls for that specific request when it does not
>>>>> get an "access token" back. This is a completely different design pattern
>>>>> than calling an RS API with an access token, and is a new design pattern
>>>>> for calling APIs. This adds complexity to the client that it would not
>>>>> normally have, and I don't think GNAP is the right place to start a new
>>>>> design pattern.
>>>>>
>>>>>
>>>>> I’m not sure what you mean by these being different — the whole point
>>>>> of the design is that the client would be doing the same thing with the
>>>>> access token at the AS that it does with the RS by re-using the access
>>>>> token structure. Can you please describe what the differences are, apart
>>>>> from the rotation? Presentation of the token and signing of the message are
>>>>> identical.
>>>>>
>>>>
>>>> The client is getting the "access token" from its API. It is not using
>>>> an "access_token" in other API calls to the AS.
>>>>
>>>>
>>>>>
>>>>> Rotation of the access token and artifacts for ongoing continuation
>>>>> responses is a separate issue to be discussed:
>>>>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/87
>>>>>
>>>>> And for what it’s worth, GNAP is absolutely the right place to have
>>>>> new designs — not that this is one.
>>>>>
>>>>
>>>> You are proposing a new way for an API to provide context for
>>>> subsequent API calls. Looks out of scope to me.
>>>>
>>>>
>>>>>
>>>>> 4) Clients that only want claims from the AS and no access tokens will
>>>>> be required to support an API calling mechanism they would not have to
>>>>> support otherwise.
>>>>>
>>>>>
>>>>> Correct, but the delta between the calls a client would make with and
>>>>> without an access token is vanishingly small. The client has to sign the
>>>>> initial request in some fashion, and it will sign the continuation request
>>>>> in the same exact fashion, but now include an access token in that request.
>>>>>
>>>>
>>>> Per my other point, there is no value to me in my implementations of
>>>> passing context back and forth between the client and AS -- so it is extra
>>>> work providing no value.
>>>>
>>>> Also, any client authentication mechanism that wants to use the HTTP
>>>> Authentication header is precluded from using it.
>>>>
>>>>
>>>>
>>>>>
>>>>> Clients making a request to an AS and not getting an access token is a
>>>>> new design pattern. I think it has value and should be included, but OAuth
>>>>> today shows us the immense value of getting access tokens for calling APIs,
>>>>> and so we shouldn’t optimize away from that pattern.
>>>>>
>>>>>
>>>>> 5) If the AS does not provide an "access token", there is no mechanism
>>>>> for a client to delete the request, as the client is not allowed to make a
>>>>> call without an "access token".
>>>>>
>>>>>
>>>>> More properly, if the AS does not provide a “continue” field then the
>>>>> client can’t delete the request — and yes, that’s intentional. The AS is
>>>>> telling this client instance that it can’t do anything else with this
>>>>> ongoing request. If the AS wants to allow the client to manage it, it will
>>>>> include the mechanisms to do so in the “continue” field.
>>>>>
>>>>
>>>> There is nuance in that intention. A related concern is that deleting a
>>>> request does not seem like it is a "continue" operation.
>>>>
>>>>
>>>>>
>>>>>
>>>>> 6) There is no standard identifier for the request. Debugging and
>>>>> auditing are hampered by the client and AS having no standard way to
>>>>> identifying a request. While one AS may provide a unique URL for each grant
>>>>> request, another AS may use a persistent "access token" to identify the
>>>>> grant request, and other ASs may issue a new "access token" on each API
>>>>> call, providing no persistent identifier for the request.
>>>>>
>>>>>
>>>>> Debugging and auditing this kind of thing are functions of the AS. How
>>>>> is interoperability harmed by different ASs having different methods to
>>>>> identify their internal data elements? The client doesn’t need any
>>>>> knowledge of the AS’s identifiers, it just needs to know the next steps for
>>>>> continuing the negotiation.
>>>>>
>>>>
>>>> Debugging between the client and the AS was what I was referring to.
>>>> How does a client developer identify the request when communicating to the
>>>> AS developer. Seems complicated.
>>>>
>>>> ᐧ
>>>> --
>>>> TXAuth mailing list
>>>> TXAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>> ᐧ

v2.23.0 | Report a Bug | By Email