IETF Logo Mail Archive

Re: [Txauth] Is it a transaction? (was Framework vs Protocol)

"Richard Backman, Annabelle" <richanna@amazon.com> Wed, 08 January 2020 19:10 UTC

Return-Path: <prvs=269947d74=richanna@amazon.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2F1E1200B8 for <txauth@ietfa.amsl.com>; Wed, 8 Jan 2020 11:10:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.8
X-Spam-Level:
X-Spam-Status: No, score=-11.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7VJ2r4drLNtu for <txauth@ietfa.amsl.com>; Wed, 8 Jan 2020 11:10:40 -0800 (PST)
Received: from smtp-fw-33001.amazon.com (smtp-fw-33001.amazon.com [207.171.190.10]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D978E12003E for <txauth@ietf.org>; Wed, 8 Jan 2020 11:10:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1578510641; x=1610046641; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=TbdrmhDz9Vr5Ol88ouz5dqge8RhF3rMaRA/CV2Js44Y=; b=cnOLDGpaF44Anl/qFO0bCdNp7FLgcnImbZBNMiT6Xo/1PHpDx+zfbUHW 1o5aoybxELjYvVFK5o2qtg5x/eW7VRHl/ByFBKXSIog4w8ZqWVdRBz4UQ Y0buo0EGvO+TS9juJwut2ozFoarEOajsA+mUjSpJAXFln48Qms3bhPSNC E=;
IronPort-SDR: b/WEzlymtihlwl0uIpu6aVKvKk5TLCigDPAew68RSSZslikq0pss98paJe/fzHBqQKeEpgrOYJ U5HgOa0De6DA==
X-IronPort-AV: E=Sophos;i="5.69,411,1571702400"; d="scan'208";a="18906570"
Received: from sea32-co-svc-lb4-vlan3.sea.corp.amazon.com (HELO email-inbound-relay-1e-57e1d233.us-east-1.amazon.com) ([10.47.23.38]) by smtp-border-fw-out-33001.sea14.amazon.com with ESMTP; 08 Jan 2020 19:10:20 +0000
Received: from EX13MTAUWC001.ant.amazon.com (iad55-ws-svc-p15-lb9-vlan3.iad.amazon.com [10.40.159.166]) by email-inbound-relay-1e-57e1d233.us-east-1.amazon.com (Postfix) with ESMTPS id 66CE81417DF; Wed, 8 Jan 2020 19:10:19 +0000 (UTC)
Received: from EX13D11UWC003.ant.amazon.com (10.43.162.162) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 8 Jan 2020 19:10:18 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC003.ant.amazon.com (10.43.162.162) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Wed, 8 Jan 2020 19:10:18 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Wed, 8 Jan 2020 19:10:18 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Aaron Parecki <aaron@parecki.com>, Justin Richer <jricher@mit.edu>
CC: Dick Hardt <dick.hardt@gmail.com>, David Waite <david@alkaline-solutions.com>, "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: [Txauth] Is it a transaction? (was Framework vs Protocol)
Thread-Index: AQHVxlDPFqGOU1NMQESaxIDr86LqiafhGTgA//+CkQA=
Date: Wed, 08 Jan 2020 19:10:18 +0000
Message-ID: <AB08230F-EF21-4695-B3A5-1761FEAFBEBD@amazon.com>
References: <CAD9ie-vAcwPrq-P=_0DE5869UWAJLxFMzHMeAHkeXn1g4gcfzw@mail.gmail.com> <FB2655ED-92C7-4CAD-9846-64D50AAD8542@mit.edu> <CAD9ie-twHHz69KMGGDq5k5ag5aERNRPzyaLp_V=ZPG6s5KFWCg@mail.gmail.com> <CA0B45C5-0421-49D3-81F7-B736915DFB2D@mit.edu> <6DFD1CA6-D334-4FCA-9881-834571A5DE7C@amazon.com> <9C6149E5-144F-442E-862E-D849A9A9FF57@alkaline-solutions.com> <C841437D-F8C7-40CB-9892-9A4DC5BC4B25@amazon.com> <5D7A9B1D-20A4-4F9F-8586-BFA5CCF38B38@mit.edu> <CAD9ie-uonLdi3q2xcYzxXQvbbymsXc5nm5xA1rV8K4hZ5fjnJg@mail.gmail.com> <E3DB30B8-42DB-46BD-A976-886A4A0DE68F@mit.edu> <CAGBSGjo3JdjvWBikJyDp4uue4=jjC_vAL7GvzZSSJc3r0oqvpA@mail.gmail.com>
In-Reply-To: <CAGBSGjo3JdjvWBikJyDp4uue4=jjC_vAL7GvzZSSJc3r0oqvpA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.160.109]
Content-Type: text/plain; charset="utf-8"
Content-ID: <2808401213279E4C913EBD15D3F544B3@amazon.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/UyjsASvMGl2BTkw-xFfwA8fK2nE>
Subject: Re: [Txauth] Is it a transaction? (was Framework vs Protocol)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jan 2020 19:10:43 -0000

Transaction is still a heavily overloaded term and there’s a lot of room for confusion, as illustrated by the naming conversation. The fact that RAR has use cases for authorizing distinct (e.g., financial) transactions as opposed to more traditional general access to a resource does not help. I don’t have a better alternative though. The one word that comes to mind that I think better captures what you’re describing is “session”, but that’s arguably just as overloaded as transaction. 🤷🏻‍♀️

The conversation around implicit grant has me thinking though… The value of TxAuth comes from the isolation of the core protocol from the external communication channels. A lot of OAuth 2.0's problems arise from tight coupling between the protocol and the communication channel between the user agent and the AS, which is ironic considering the UA/AS interaction is explicitly outside the scope of the protocol! Shoving authorization requests into redirect URLs constrains us in terms of request structure and size, and forces us to protect requests as they go through untrusted channels. Likewise with authorization responses.

In contrast, TxAuth always runs everything over the connection between the client and AS, bridging into other channels in minimal ways, only as needed.  This gives rise to the "handle" as the minimum piece of information needed to be transmitted across other channels, which in turn leads to the "transaction" concept. Also, since we're no longer constrained by more limited channels, we can start making complex structured requests, which enables all the other fun things TxAuth supports, such as inline client registration and key establishment, rich authorization requests, etc. But again, all of this comes from the consistent use of the client-AS channel, and the decoupling of the protocol from other channels.

I don't know if there is a way to capture this in a name (and don't really want to get back into the naming conversation), but I think it's a useful perspective for the "framework" vs "protocol" discussion. A lot of OAuth 2.0's "frameworkness" comes from its coupling with various channels. OAuth 2.0 plus Device Flow plus PAR starts to resemble SAML, with a variety of "bindings" for authentication requests and responses. We can and should avoid that with TxAuth by emphasizing channel decoupling: protocol messages only go between the client and the AS, and other channels are only used in an "artifact binding" style.

– 
Annabelle Richard Backman
AWS Identity
 

On 1/8/20, 10:39 AM, "Aaron Parecki" <aaron@parecki.com> wrote:

    This is a very good description of the motivation for using the term,
    and it would be great to include this description in the abstract or
    elsewhere in the spec!
    
    ----
    Aaron Parecki
    aaronparecki.com
    
    
    On Wed, Jan 8, 2020 at 12:24 PM Justin Richer <jricher@mit.edu> wrote:
    >
    > On Jan 6, 2020, at 4:33 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
    >
    >
    > On Mon, Jan 6, 2020 at 8:08 AM Justin Richer <jricher@mit.edu> wrote:
    >>
    >> <snip>
    >> And in all truth, the answer might be “something else entirely”. We can’t solve every problem and use case, and I don’t think it does this work any favors to over-generalize it at the expense of a set of things we do understand. Grounding us like that is one of the reasons that I put the “transactional” language in the proposed charter text. I am proposing that we approach not just a certain set of problems but do so in a particular way, without necessarily presuming the solution. I think we would all want this new work to be focused on something tractable.
    >
    >
    > I completely agree we don't want to solve every problem and use case, and we need to scope the problem space in some way.
    >
    > As I've thought about the term "transaction", it seems to be a misnomer, particularly when database semantics are applied, where a transaction is all or nothing.
    >
    > As I understand it, we would like the client to request scoped access to multiple resources. Not all of the request is required, which is not aligned with the definition of transaction above.
    >
    > Additionally, in the XYZ draft, the transaction handle is used to refresh tokens. I would consider this a new interaction, as the AS will be running policy again, and the refresh may be denied.
    >
    > I don't have a better suggestion at this time, but "transaction" does not quite seem right.
    >
    >
    > As I’ve said before, naming things is hard. I think “transactional” has many aspects that fit, and some connotations that don’t.
    >
    > I stuck to the word “transaction” because for me it captured an aspect that I hadn’t seen reified in this work before: that there is an ongoing process between parties who are exchanging things, passing information back and forth over time. The RO and client both provide information to the AS to modify the request over time, and the AS can respond with what it thinks is needed next. So it’s like a commercial transaction in some ways: “I want to buy that gum”, “that’ll be $0.50”, “here’s the money”, “here’s your change”, etc. It’s a conversation between parties, but a specific one in that one party (the client) is trying to get something (a token) from another party (the AS). This doesn’t mean that I think this only fits financial APIs — you’ll notice that the API didn’t come into the conversation at all here.
    >
    > But in a way the “transactions” in XYZ are all or nothing, in the end. You get a token or you don’t, at the end of things. But more importantly, there’s an explicit “I’m starting now” step with the transaction request, and the explicit “I’m continuing something that I already started” with the transaction handle. In XYZ, the request creates something, what I’m calling a transaction, and that ultimately results in something else, what I’m calling a token. If something goes amiss, like the user denies the request or the client asks for more than it’s allowed to, then the transaction stops. The fact that the client doesn’t get everything it asked for doesn’t mean the transaction failed, it just means the results were modified by something within the process.
    >
    > So it’s not just the database sense, and it’s not just the commerce sense either. Neither is a perfect fit, though, I totally admit. If we had a better name for it I’d be all for picking something that’s more descriptive, but nothing I’ve heard or thought of matches the process better than “transaction” for me.
    >
    >  — Justin
    > --
    > Txauth mailing list
    > Txauth@ietf.org
    > https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email