IETF Logo Mail Archive

Re: [Txauth] Multiple Access Tokens in XYZ

Dick Hardt <dick.hardt@gmail.com> Fri, 20 March 2020 18:45 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 157E13A0D5C for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 11:45:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.998, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBdNJ0lZ2tFB for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 11:45:51 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2FD3A0D84 for <txauth@ietf.org>; Fri, 20 Mar 2020 11:45:50 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id s1so5380973lfd.3 for <txauth@ietf.org>; Fri, 20 Mar 2020 11:45:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VxpY+edCV5F+g86xb2GLOCLOfGp7uPwvdUNcJ1aB76U=; b=k5Wu75Y/fvv5toI+PSqkEaPqrgbmBq5HXVrPN07WzLpFtaMnjX4BRxwmY+kwQGcwnP GTe1zVjhvCggJj9H5AJj3MPL4nyRireSUuDGE+w+YssUvTc0fTslRrDfcilsvmQvtrHu wcHpJlJu178qy8turluhlui5AuO8O8s6qUhu6uoVmxAJE/pXQki7OO1N5/qdXoOW9NVp 7B5kfvzXtGYD1jA4HcfS9ps7xt13s4FfFk1uWj1q2GYUGTGDEY/rRFtPVn9tsjWHMSUa zPaI4+tJitj60dUJBId0VF3gD56EaAeBy678/B+Bm7q8e07M6UzWPn015wRny2/HSoyX FlOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VxpY+edCV5F+g86xb2GLOCLOfGp7uPwvdUNcJ1aB76U=; b=WTVXpdZMWLynpTBB76y2WGqUo7LTdfQyicxLcvWJTBabwfrJ7f+1PaqJL8Rra/MPVP zHDELGL7kvzc48A4BNNt384IqwMwRyzGYe88qPmV18xYuTr1DmFxcnxZ3uF1CPwS4FaE Vrzuo1eb3KWcLHxTHAcjvPFoj3wB1hOqb42/MQ2E6Tsbk6JujQSVNIAdsLVoKFoVvmUd +3sUOyV+9xG6mJxi6DE3HMVgPbitkGWERm426PeNwXNA/FbIIVI/Dl6lfdRWsemTNvIw 9HkjMW2eKXO1JM2OkQEfEQ/3bx7Hb1nmpQcdWyIdBN4mhGA9vpspUwRdfZ9YYWh2v3x3 O4qA==
X-Gm-Message-State: ANhLgQ3ZIb1XTkjLS9QpnbcORULRUdX6xAJcZBhStzSWUBxJisEEpAXt DLK7uDMAVXbMYPbEf8S+1o5F67nfq/uEtKHj68DYi9cY
X-Google-Smtp-Source: ADFU+vs5l+oJXKm1I52IUOl/Z7iOU+5xviExVzDGeYmSAzRas3tq7Jc60eg3TH4tE8FhBDFDg8/UidPwwvAwc7dukCE=
X-Received: by 2002:a19:4cc2:: with SMTP id z185mr6238914lfa.0.1584729948903; Fri, 20 Mar 2020 11:45:48 -0700 (PDT)
MIME-Version: 1.0
References: <6750F9C8-425E-45B1-BCE8-52674F7BCDC5@mit.edu>
In-Reply-To: <6750F9C8-425E-45B1-BCE8-52674F7BCDC5@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 20 Mar 2020 11:45:22 -0700
Message-ID: <CAD9ie-uVjxFotSDK=gtu-E0c3gRRr2F+V_pfmORRKsaEUBhQ0Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ab5d8a05a14db13d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/VGcAQoCWTAq_R7uMufORv2O47Cs>
Subject: Re: [Txauth] Multiple Access Tokens in XYZ
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 18:46:04 -0000

Justin: How are each of the access tokens refreshed in the multiple access
token scenario?

On Fri, Mar 13, 2020 at 3:13 PM Justin Richer <jricher@mit.edu> wrote:

> I took some time to implement an idea that was tossed out on the list here
> recently, and that’s how we might support requests and responses for *multiple
> access tokens*. I’ve got a method that I think works pretty well without
> getting in the way of the common, simple case of requesting a single access
> token. I’ve implemented this in our Java implementation of XYZ and I’ve
> updated the *https://oauth.xyz/ <https://oauth.xyz/>* website with more
> details. I’ll update my ID spec text when I get a chance to reflect this,
> but I wanted to start this discussion first. Everything in here is based on
> the XYZ protocol.
>
> Normally, the “resources” element of a tx request is an array of items:
>
> resources: [
> {
>             actions: ["read", "write", "dolphin"],
>             locations: ["https://server.example.net/", "
> https://resource.local/other"],
>             datatypes: ["metadata", "images"]
>         },
> {
>             actions: ["foo", "bar", "dolphin"],
>             locations: ["https://resource.other/"],
>             datatypes: ["data", "pictures"]
>         }
> ]
>
>
> This tells the AS that the client is asking for a single access token with
> multiple, perhaps orthogonal sets of access. This is in parallel to RAR
> being developed in OAuth 2. However, if we allow the “resources” item to be
> an object instead of an array, we can let the client signal to the AS that
> it wants multiple access tokens. The client picks “labels” for these access
> tokens, in this case “token1” and “token2”, and sends a request like this.
>
> resources: {
>     token1: [{
>             actions: ["read", "write", "dolphin"],
>             locations: ["https://server.example.net/", "
> https://resource.local/other"],
>             datatypes: ["metadata", "images"]
>      }],
>      token2: [{
>             actions: ["foo", "bar", "dolphin"],
>             locations: ["https://resource.other/"],
>             datatypes: ["data", "pictures"]
>      }]
> }
>
>
> The client could request multiple kinds of access within each sub-object’s
> array (the value of the “token1” and “token2” fields), but I wanted to keep
> it simple here. This example is the same total set of resources that the
> client is asking for in the first case, but here the client’s saying it
> wants them as two different access tokens instead of a single one. The AS
> can tell the difference in the request because the first type is an array
> at the top and the second type is an object at the top. So that means that
> the AS can send back a single access token in a tx response like this:
>
> {
>         access_token: {
>             value: "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
>             type: "bearer"
>         }
> }
>
>
> Or multiple access tokens in a tx response like this:
>
> {
>     multiple_access_tokens: {
>           token1: {
>             value: "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0",
>             type: "bearer"
>           },
>           token2: {
>             value: "UFGLO2FDAFG7VGZZPJ3IZEMN21EVU71FHCARP4J1",
>             type: "bearer"
>           }
>     }
> }
>
>
> These fields are mutually exclusive, so you either get a single unnamed
> token or a set of named tokens. Since the client pics the labels for the
> access tokens, it’s clear which part of the request maps to which part of
> the response. It’s more complexity for the client to track, but that
> complexity is only seen and borne by clients that need it. Simple clients
> get to stay simple while letting a complex problem get solved.
>
> *A note about the polymorphic JSON *that’s in user here, though it’s
> already a key part of XYZ’s protocol design. For those unfamiliar with the
> concept, this is when a given field can have a value that takes multiple
> different types: a string, a boolean, an object, an array, etc. This is
> pretty simple to deal with in dynamically typed languages, you just check
> the type of the resulting object and it will tell you what you’re dealing
> with. It’s trickier in statically typed languages, but I’ve found that
> pretty much every platform and library has hooks for custom serialization
> and deserialization that will let you dispatch to different types during
> the process, so you can still call your top-level parser and toString
> methods and things will work as expected. This is one of the reasons that I
> did an implementation in Java, to prove that we could do this kind of thing
> in a strongly typed language that’s not very flexible about what goes in
> objects, and I’ve done it without resorting to generic collections for the
> dynamic fields. Previously, I’ve used this feature in XYZ to allow a single
> string to stand in as a reference for an object — something XYZ calls
> “handles”. These let you have constructs akin to a client_id, a scope, a
> refresh token, and a few other items without having to create explicit
> elements for these, since they always stand in for the object they replace
> there’s no ambiguity. So for things like a resource request, each of these
> can be replaced by a string using resource handles and polymorphic JSON
> (see note below) to act like a scope in OAuth2.
>
> resources: [ “metadata-readwrite”, “foobar-pictures” ]
>
>
> Polymorphic JSON is great for things like this because it means you don’t
> have to have multiple fields and normative rules for mutual exclusivity,
> like we’d have to have otherwise. The type switching only works when the
> base type is significantly different, though — that’s why I have
> “access_token” and “multiple_access_tokens” above, since both are objects
> at the top level and you can’t cleanly switch at the parser level, and you
> don’t want to have to dig down into the object to see what to do with it.
>
>
>
> People have been asking for a good way to do multiple access tokens with
> OAuth for years, but we’ve never had a good or clean way to pull it off
> because of OAuth’s model and the assumptions that it makes. I think TxAuth
> gives us the opportunity to solve this in a way that’s consistent with the
> rest of the protocol, and do so in a way that doesn’t make the simple cases
> we know and love too complicated for average developers.
>
>  — Justin
>
> --
> Txauth mailing list
> Txauth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email