Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
Denis <denis.ietf@free.fr> Mon, 13 July 2020 19:36 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D25533A0842 for <txauth@ietfa.amsl.com>; Mon, 13 Jul 2020 12:36:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.629
X-Spam-Level:
X-Spam-Status: No, score=-0.629 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.267, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0HMBCHns5RfF for <txauth@ietfa.amsl.com>; Mon, 13 Jul 2020 12:36:22 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp13.smtpout.orange.fr [80.12.242.135]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FC953A059F for <txauth@ietf.org>; Mon, 13 Jul 2020 12:36:20 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d74 with ME id 2jcH2300D4FMSmm03jcJeM; Mon, 13 Jul 2020 21:36:19 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 13 Jul 2020 21:36:19 +0200
X-ME-IP: 86.238.65.197
To: Justin Richer <jricher@mit.edu>, Dick Hardt <dick.hardt@gmail.com>
Cc: txauth@ietf.org
References: <CAD9ie-vnA98pobbboS00SAHneEG52_8eMxh_sE3r3jg6gyooGg@mail.gmail.com> <820525FD-4556-4617-8D89-C600D8C90C33@mit.edu> <CAD9ie-uwz_Li7n9iuX_--YtWeE+HX5sWEe95nZ8Y0akYh8WTHg@mail.gmail.com> <A7E1F61B-78F8-4647-847A-E1C8909EA452@mit.edu> <CAD9ie-tSjEWT-+D43yKaFZmEdFcbL=fyM0kHuFX_fNa4zHdm1w@mail.gmail.com> <6D58464F-3EFA-4367-9033-91FCB9CF40AC@mit.edu> <CAD9ie-syw5YJVsJHncZ-PcLQbYC4r=4LLSQCKtMP=-hGKqT0SA@mail.gmail.com> <0905DCA3-1B30-429A-AB02-8ED27D37F6C3@mit.edu> <CAD9ie-vV-pH6oebREkfY5rZ=8vYZpD2irjyjJ=4mvfKKeKY4-A@mail.gmail.com> <974147F1-A9CE-4093-A170-9F4F9DFB3638@mit.edu> <CAD9ie-vy0iKn6HMD-97jd5MeFtshqpzrGtvvwOX_Ze91qusJKQ@mail.gmail.com> <1D7A02B1-E58D-44D0-9E33-5313A7367949@mit.edu> <CAD9ie-uv5FKhow9ebKHVbZwhiZwRDg3wX9KL2o5g7AvVA=g-6Q@mail.gmail.com> <174F2061-3F0F-49B2-A18F-58DF658E4473@mit.edu> <CAD9ie-vaKmOHMP6veCkyRy3Xojx+Uve9xq7=zWu0ZnnBDFepZg@mail.gmail.com> <F25C6765-C842-4A27-8323-BDCE9300DFDB@mit.edu>
From: Denis <denis.ietf@free.fr>
Message-ID: <8228eb96-eefe-e391-232e-35daccd0c2fa@free.fr>
Date: Mon, 13 Jul 2020 21:36:14 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <F25C6765-C842-4A27-8323-BDCE9300DFDB@mit.edu>
Content-Type: multipart/alternative; boundary="------------1058B1C07B3B780341D94618"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/VEOffwjYIu9gbS7RzXd95wHMxZA>
Subject: Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 19:36:30 -0000
Justin, Since the "sub" claim has been "diverted" from it original semantics, we will need to define four types of identifiers for a user,whether it is: (1) temporarily unique, (2) unique to the resource server, (3) unique to the authorization server (this was the original semantics of the "sub" claim) or (4) globally unique (e.g. a distinguished name or an email address). In terms of privacy, for each of them, the consequences are quite different. Denis > I am saying that GNAP, it its definition within this working group, > should be limited to identifier claims. Other claims can come from > other protocols properly layered on top of GNAP. GNAP shouldn’t stop > them from being built, but in my opinion we shouldn’t be defining > those here. See the discussion below on the extensibility avenues of > this approach. > > — Justin > >> On Jul 13, 2020, at 2:12 PM, Dick Hardt <dick.hardt@gmail.com >> <mailto:dick.hardt@gmail.com>> wrote: >> >> I agree that an API to return claims is useful. I think we have >> agreed on that. >> >> Using the SubjectIdentifiers schema is another schema that would be >> useful for GNAP to support. >> >> I disagree that GNAP should be limited to identifier claims. >> >> ᐧ >> >> On Mon, Jul 13, 2020 at 7:16 AM Justin Richer <jricher@mit.edu >> <mailto:jricher@mit.edu>> wrote: >> >> One thing I think we should learn from OIDC is that returning >> claims from an API, and not just an assertion or direct response, >> is a powerful and useful pattern. We have an opportunity to >> separate these cleanly, where OIDC didn’t have the opportunity in >> defining the “claims” request parameter. >> >> As an alternative to the current XYZ and XAuth syntaxes, over the >> weekend I’ve been playing with something that would look like >> this strawman in the request: >> >> >> { >> subject: { >> id: [ “account”, “email”, “iss-sub”], >> assertion: [ “odic_id_token”, “verifiable_credential”, >> “saml" ] >> } >> } >> >> >> This request says that I’d like some subset of these identifiers >> (as plain text in the response) and some subset of signed >> assertions in the given formats. Each one would have an >> associated space in the return. I’m not picturing that the “id” >> field values would affect the contents of the assertions: so I >> could ask for an email address identifier but get back an ID >> token that had only the subject identifier. Maybe that’s not the >> right model? But it’s at least simple and deterministic this way, >> and it’s something to play with. >> >> Note: The “id” names are taken from >> https://tools.ietf.org/id/draft-ietf-secevent-subject-identifiers-05.html, >> the “assertion” names are made up as I didn’t see a source that >> collected them. If you wanted specific bundles of claims about >> the user from a UserInfoEndpoint, for example, you’d have >> something like: >> >> { >> subject: { >> id: [ “account”, “email”, “iss-sub”], >> assertion: [ “odic_id_token”, “verifiable_credential”, >> “saml" ] >> }, >> resources: [{ >> type: “userinfo”, >> datatypes: [ “openid”, “profile”, “phone”, “email” ] >> }] >> } >> >> >> This is an example for a specific kind of resource, and I don’t >> think that GNAP should define the “userinfo” schema here, or the >> datatype values therein. That should be work outside of GNAP, >> probably for the OIDF. >> >> This approach is extensible in several ways, each of them for a >> specific reason that I think is clear: >> >> - new values in the “id” field to give new identifiers >> - new values in the “assertion” field to give new assertion formats >> - new fields under the “subject” heading >> - new resource types besides “userinfo” (like “scim-v1” or >> “facebook-profile” for instance) >> - new datatypes within the “userinfo” resource type >> - new top-level request parameters >> >> As per the other thread, if you wanted to use the OIDC query >> language, you’d package it separately as a top-level request >> parameter since it can include both the ID token response and the >> access token response and we shouldn’t be encouraging mixing >> these things together. >> >> — Justin >> >>> On Jul 10, 2020, at 5:00 PM, Dick Hardt <dick.hardt@gmail.com >>> <mailto:dick.hardt@gmail.com>> wrote: >>> >>> It looks to me that our different views of what is in scope for >>> GNAP are the differences below. >>> >>> Per the subject line, I'm looking at how the client acquires >>> claims about the user. You don't think that is in scope, and >>> that a different layer will solve that. >>> >>> I think we should learn from OIDC being on top of OAuth, and >>> GNAP should be able return ANY claim, not just identifier >>> claims. There are use cases that may be difficult to support if >>> we do not have that functionality in scope, such as some of the >>> ones I list below, and it seems pretty straightforward to >>> support ANY claim if we are supporting identifiers. >>> >>> /Dick >>> >>> >>> On Fri, Jul 10, 2020 at 1:09 PM Justin Richer <jricher@mit.edu >>> <mailto:jricher@mit.edu>> wrote: >>> >>> >>> >>>> On Jul 10, 2020, at 2:15 PM, Dick Hardt >>>> <dick.hardt@gmail.com <mailto:dick.hardt@gmail.com>> wrote: >>>> >>>> >>>> inline ... >>>> >>>> On Thu, Jul 9, 2020 at 5:44 PM Justin Richer >>>> <jricher@mit.edu <mailto:jricher@mit.edu>> wrote: >>>> >>>> Yes, the core idea is to not have to parse an assertion >>>> to get back the core authentication information, which >>>> consists of an identifier (iss/sub pair in OIDC, but >>>> could be a number of things). Sometimes the client is >>>> going to want the rest of the identity information, >>>> but If the user’s logged into the client before, the >>>> client has likely cached that info and probably won’t >>>> need it, and sending it would be a violation of privacy >>>> principles.. The client would want the info pretty much >>>> just in these cases: >>>> >>>> 1. The client has never seen the user before. >>>> 2. The user’s information has been updated since the >>>> last time the client saw it. >>>> >>>> >>>> Agreed >>>> >>>> >>>> Now for case (1), how would the client know if it wants >>>> to request the user’s profile info or not, since it >>>> doesn’t know who the user is? >>>> >>>> >>>> But the client could know who the user is. The client may >>>> have used a different AS to authenticate the user. >>> >>> In these cases, the client is not going to be requesting >>> identity information from the AS to log the user in, so it’s >>> not relevant to the use case. The client will have an >>> opportunity to push that information to the AS. >>> >>>> The User may have self identified to the client. The client >>>> may have a cookie saying who the user was and the user said >>>> that was them. While the latter cases are really a strong >>>> hint, they are likely right most of the time and can lead >>>> to a user experience basde on that hint >>> >>> In these cases, the AS might be able to guess if the client >>> has info about the user already, but probably not. And the >>> assumptions fall apart if it’s in fact a different user that >>> ends up logging in, which is of course possible (the hint >>> you gave doesn’t match the identity of the current user >>> after the AS validates them). This possibility leads to >>> clients always asking for everything every time and the >>> server providing everything every time. That’s a pattern I >>> think we should avoid in an ultimate solution — but >>> ultimately, I don’t think that this kind of protocol >>> decision is inside of GNAP. >>> >>>> And the AS won’t know if client is going to want the >>>> profile info, since the AS won’t know if the client has >>>> the user’s info or not. Sure, the AS might have seen >>>> that client and that user combo previously, but it >>>> doesn’t know if the client needs an update. >>>> >>>> >>>> The client can share with the AS the user it knows or >>>> thinks it is dealing with, which could let the AS respond >>>> if the information was new. This could be the case for an >>>> AS that is providing claims, but not authentication, and >>>> could happen silently. The user would only interact if the >>>> user information had changed, and the client wanted the >>>> updated information. >>> >>> See above. >>> >>>> >>>> And for (2), the client won’t know if the user’s info >>>> has been updated or not because it doesn’t know who the >>>> user is yet. If the AS can provide some time of updated >>>> stamp to the client, the client can pull the new info >>>> when it needs it. >>>> >>>> >>>> See above. >>> >>> See above. >>> >>>> >>>> If you ignore both of these cases and put all the user >>>> information inline with the main request/response, you >>>> end up in a situation where the client always requests >>>> everything and the server always provides everything, >>>> since you can’t be sure you’re not in situation (1) or >>>> (2) ahead of time. >>>> >>>> >>>> See above. There are a number of other states the client >>>> could be in. >>>> >>>> For example, the client could be stateless about user >>>> information, so it knows it is ALWAYS in state 1. >>> >>> A stateless client would need to fetch appropriate user >>> information every time, then. But that’s an optimization for >>> a very specific case. >>> >>>> >>>> This is really what I mean about the two-stage identity >>>> protocol. >>>> >>>> >>>> I know what it is. Per above, GNAP lets us support a wider >>>> set of use cases. Why limit ourselves to what OIDC supported? >>> >>> We aren’t limiting the protocol, but instead limiting the >>> scope of what we define internal to the GNAP protocol. >>> There’s a lot of room for innovation on top of it. >>> >>>> In the first stage, you push the bare minimum of what >>>> you need to get the user known to the client. In the >>>> second stage, the client uses its access token to call >>>> an API to get whatever else it needs to know about the >>>> user. >>>> >>>> >>>> From a privacy perspective in non-enterprise use cases, I >>>> think the user should give consent to any updated personal >>>> information to a client. In general, the client should not >>>> be able to get the latest information about a user whenever >>>> it wants. >>> >>> This is about the rights associated with the access token, >>> then. And an access token doesn’t have to keep working if >>> the AS has a policy that says it won’t. The AS/RS could >>> easily decide that a particular access token will only >>> return data that hasn’t been changed. Maybe it stops working >>> after the data changes, or it just returns old data, or any >>> number of things. This is for the AS/RS to decide and this >>> is pretty standard interpretation of the token, nothing >>> special here because we’re dealing with identity. >>> >>> — Justin >>> >>>> /Dick >>>> ᐧ >>> >> > >
- [Txauth] JSON Schema? Dick Hardt
- Re: [Txauth] JSON Schema? Wayne Chang
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] JSON Schema? Dick Hardt
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] JSON Schema? Benjamin Kaduk
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Tom Jones
- Re: [Txauth] TLS Dependency Wayne Chang
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Stephen Moore
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Denis
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- [Txauth] XAuth "flaws" (Was: Polymorphism (Was: J… Dick Hardt
- [Txauth] acquiring claims (was Polymorphism (Was:… Dick Hardt
- [Txauth] WG scope wrt. identity (Was: Polymorphis… Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Justin Richer
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] JSON Schema? Yaron Sheffer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Denis
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Leif Johansson
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Leif Johansson
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Francis Pouatcha
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer