Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))

Denis <> Mon, 13 July 2020 19:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D25533A0842 for <>; Mon, 13 Jul 2020 12:36:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.629
X-Spam-Status: No, score=-0.629 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.267, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0HMBCHns5RfF for <>; Mon, 13 Jul 2020 12:36:22 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0FC953A059F for <>; Mon, 13 Jul 2020 12:36:20 -0700 (PDT)
Received: from [] ([]) by mwinf5d74 with ME id 2jcH2300D4FMSmm03jcJeM; Mon, 13 Jul 2020 21:36:19 +0200
X-ME-Helo: []
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 13 Jul 2020 21:36:19 +0200
To: Justin Richer <>, Dick Hardt <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Denis <>
Message-ID: <>
Date: Mon, 13 Jul 2020 21:36:14 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------1058B1C07B3B780341D94618"
Content-Language: en-GB
Archived-At: <>
Subject: Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 13 Jul 2020 19:36:30 -0000


Since the "sub" claim has been "diverted" from it original semantics, we 
will need to define four types of identifiers for a user,whether it is:

    (1) temporarily unique,
    (2) unique to the resource server,
    (3) unique to the authorization server (this was the original
    semantics of the "sub" claim) or
    (4) globally unique (e.g. a distinguished name or an email address).

In terms of privacy, for each of them, the consequences are quite different.


> I am saying that GNAP, it its definition within this working group, 
> should be limited to identifier claims. Other claims can come from 
> other protocols properly layered on top of GNAP. GNAP shouldn’t stop 
> them from being built, but in my opinion we shouldn’t be defining 
> those here. See the discussion below on the extensibility avenues of 
> this approach.
>  — Justin
>> On Jul 13, 2020, at 2:12 PM, Dick Hardt < 
>> <>> wrote:
>> I agree that an API to return claims is useful. I think we have 
>> agreed on that.
>> Using the SubjectIdentifiers schema is another schema that would be 
>> useful for GNAP to support.
>> I disagree that GNAP should be limited to identifier claims.
>> ᐧ
>> On Mon, Jul 13, 2020 at 7:16 AM Justin Richer < 
>> <>> wrote:
>>     One thing I think we should learn from OIDC is that returning
>>     claims from an API, and not just an assertion or direct response,
>>     is a powerful and useful pattern. We have an opportunity to
>>     separate these cleanly, where OIDC didn’t have the opportunity in
>>     defining the “claims” request parameter.
>>     As an alternative to the current XYZ and XAuth syntaxes, over the
>>     weekend I’ve been playing with something that would look like
>>     this strawman in the request:
>>         {
>>            subject: {
>>               id: [ “account”, “email”, “iss-sub”],
>>               assertion: [ “odic_id_token”, “verifiable_credential”,
>>         “saml" ]
>>            }
>>         }
>>     This request says that I’d like some subset of these identifiers
>>     (as plain text in the response) and some subset of signed
>>     assertions in the given formats. Each one would have an
>>     associated space in the return. I’m not picturing that the “id”
>>     field values would affect the contents of the assertions: so I
>>     could ask for an email address identifier but get back an ID
>>     token that had only the subject identifier. Maybe that’s not the
>>     right model? But it’s at least simple and deterministic this way,
>>     and it’s something to play with.
>>     Note: The “id” names are taken from
>>     the “assertion” names are made up as I didn’t see a source that
>>     collected them. If you wanted specific bundles of claims about
>>     the user from a UserInfoEndpoint, for example, you’d have
>>     something like:
>>         {
>>            subject: {
>>               id: [ “account”, “email”, “iss-sub”],
>>               assertion: [ “odic_id_token”, “verifiable_credential”,
>>         “saml" ]
>>            },
>>            resources: [{
>>                type: “userinfo”,
>>                datatypes: [ “openid”, “profile”, “phone”, “email” ]
>>           }]
>>         }
>>     This is an example for a specific kind of resource, and I don’t
>>     think that GNAP should define the “userinfo” schema here, or the
>>     datatype values therein. That should be work outside of GNAP,
>>     probably for the OIDF.
>>     This approach is extensible in several ways, each of them for a
>>     specific reason that I think is clear:
>>      - new values in the “id” field to give new identifiers
>>      - new values in the “assertion” field to give new assertion formats
>>      - new fields under the “subject” heading
>>      - new resource types besides “userinfo” (like “scim-v1” or
>>     “facebook-profile” for instance)
>>      - new datatypes within the “userinfo” resource type
>>      - new top-level request parameters
>>     As per the other thread, if you wanted to use the OIDC query
>>     language, you’d package it separately as a top-level request
>>     parameter since it can include both the ID token response and the
>>     access token response and we shouldn’t be encouraging mixing
>>     these things together.
>>      — Justin
>>>     On Jul 10, 2020, at 5:00 PM, Dick Hardt <
>>>     <>> wrote:
>>>     It looks to me that our different views of what is in scope for
>>>     GNAP are the differences below.
>>>     Per the subject line, I'm looking at how the client acquires
>>>     claims about the user. You don't think that is in scope, and
>>>     that a different layer will solve that.
>>>     I think we should learn from OIDC being on top of OAuth, and
>>>     GNAP should be able return ANY claim, not just identifier
>>>     claims. There are use cases that may be difficult to support if
>>>     we do not have that functionality in scope, such as some of the
>>>     ones I list below, and it seems pretty straightforward to
>>>     support ANY claim if we are supporting identifiers.
>>>     /Dick
>>>     On Fri, Jul 10, 2020 at 1:09 PM Justin Richer <
>>>     <>> wrote:
>>>>         On Jul 10, 2020, at 2:15 PM, Dick Hardt
>>>>         < <>> wrote:
>>>>         inline ...
>>>>         On Thu, Jul 9, 2020 at 5:44 PM Justin Richer
>>>>         < <>> wrote:
>>>>             Yes, the core idea is to not have to parse an assertion
>>>>             to get back the core authentication information, which
>>>>             consists of an identifier (iss/sub pair in OIDC, but
>>>>             could be a number of things). Sometimes the client is
>>>>             going to want the rest of the identity information,
>>>>             but If the user’s logged into the client before, the
>>>>             client has likely cached that info and probably won’t
>>>>             need it, and sending it would be a violation of privacy
>>>>             principles.. The client would want the info pretty much
>>>>             just in these cases:
>>>>              1. The client has never seen the user before.
>>>>              2. The user’s information has been updated since the
>>>>             last time the client saw it.
>>>>         Agreed
>>>>             Now for case (1), how would the client know if it wants
>>>>             to request the user’s profile info or not, since it
>>>>             doesn’t know who the user is?
>>>>         But the client could know who the user is. The client may
>>>>         have used a different AS to authenticate the user.
>>>         In these cases, the client is not going to be requesting
>>>         identity information from the AS to log the user in, so it’s
>>>         not relevant to the use case. The client will have an
>>>         opportunity to push that information to the AS.
>>>>         The User may have self identified to the client. The client
>>>>         may have a cookie saying who the user was and the user said
>>>>         that was them. While the latter cases are really a strong
>>>>         hint, they are likely right most of the time and can lead
>>>>         to a user experience basde on that hint
>>>         In these cases, the AS might be able to guess if the client
>>>         has info about the user already, but probably not. And the
>>>         assumptions fall apart if it’s in fact a different user that
>>>         ends up logging in, which is of course possible (the hint
>>>         you gave doesn’t match the identity of the current user
>>>         after the AS validates them). This possibility leads to
>>>         clients always asking for everything every time and the
>>>         server providing everything every time. That’s a pattern I
>>>         think we should avoid in an ultimate solution — but
>>>         ultimately, I don’t think that this kind of protocol
>>>         decision is inside of GNAP.
>>>>             And the AS won’t know if client is going to want the
>>>>             profile info, since the AS won’t know if the client has
>>>>             the user’s info or not. Sure, the AS might have seen
>>>>             that client and that user combo previously, but it
>>>>             doesn’t know if the client needs an update.
>>>>         The client can share with the AS the user it knows or
>>>>         thinks it is dealing with, which could let the AS respond
>>>>         if the information was new. This could be the case for an
>>>>         AS that is providing claims, but not authentication, and
>>>>         could happen silently. The user would only interact if the
>>>>         user information had changed, and the client wanted the
>>>>         updated information.
>>>         See above.
>>>>             And for (2), the client won’t know if the user’s info
>>>>             has been updated or not because it doesn’t know who the
>>>>             user is yet. If the AS can provide some time of updated
>>>>             stamp to the client, the client can pull the new info
>>>>             when it needs it.
>>>>         See above.
>>>         See above.
>>>>             If you ignore both of these cases and put all the user
>>>>             information inline with the main request/response, you
>>>>             end up in a situation where the client always requests
>>>>             everything and the server always provides everything,
>>>>             since you can’t be sure you’re not in situation (1) or
>>>>             (2) ahead of time.
>>>>         See above. There are a number of other states the client
>>>>         could be in.
>>>>         For example, the client could be stateless about user
>>>>         information, so it knows it is ALWAYS in state 1.
>>>         A stateless client would need to fetch appropriate user
>>>         information every time, then. But that’s an optimization for
>>>         a very specific case.
>>>>             This is really what I mean about the two-stage identity
>>>>             protocol.
>>>>         I know what it is. Per above, GNAP lets us support a wider
>>>>         set of use cases. Why limit ourselves to what OIDC supported?
>>>         We aren’t limiting the protocol, but instead limiting the
>>>         scope of what we define internal to the GNAP protocol.
>>>         There’s a lot of room for innovation on top of it.
>>>>             In the first stage, you push the bare minimum of what
>>>>             you need to get the user known to the client. In the
>>>>             second stage, the client uses its access token to call
>>>>             an API to get whatever else it needs to know about the
>>>>             user.
>>>>         From a privacy perspective in non-enterprise use cases, I
>>>>         think the user should give consent to any updated personal
>>>>         information to a client. In general, the client should not
>>>>         be able to get the latest information about a user whenever
>>>>         it wants.
>>>         This is about the rights associated with the access token,
>>>         then. And an access token doesn’t have to keep working if
>>>         the AS has a policy that says it won’t. The AS/RS could
>>>         easily decide that a particular access token will only
>>>         return data that hasn’t been changed. Maybe it stops working
>>>         after the data changes, or it just returns old data, or any
>>>         number of things. This is for the AS/RS to decide and this
>>>         is pretty standard interpretation of the token, nothing
>>>         special here because we’re dealing with identity.
>>>          — Justin
>>>>         /Dick
>>>>         ᐧ