Re: [Txauth] Multiple Access Tokens in XYZ
Dick Hardt <dick.hardt@gmail.com> Fri, 20 March 2020 18:45 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 157E13A0D5C for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 11:45:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.099
X-Spam-Level:
X-Spam-Status: No, score=-0.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, PDS_OTHER_BAD_TLD=1.998, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBdNJ0lZ2tFB for <txauth@ietfa.amsl.com>; Fri, 20 Mar 2020 11:45:51 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB2FD3A0D84 for <txauth@ietf.org>; Fri, 20 Mar 2020 11:45:50 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id s1so5380973lfd.3 for <txauth@ietf.org>; Fri, 20 Mar 2020 11:45:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=VxpY+edCV5F+g86xb2GLOCLOfGp7uPwvdUNcJ1aB76U=; b=k5Wu75Y/fvv5toI+PSqkEaPqrgbmBq5HXVrPN07WzLpFtaMnjX4BRxwmY+kwQGcwnP GTe1zVjhvCggJj9H5AJj3MPL4nyRireSUuDGE+w+YssUvTc0fTslRrDfcilsvmQvtrHu wcHpJlJu178qy8turluhlui5AuO8O8s6qUhu6uoVmxAJE/pXQki7OO1N5/qdXoOW9NVp 7B5kfvzXtGYD1jA4HcfS9ps7xt13s4FfFk1uWj1q2GYUGTGDEY/rRFtPVn9tsjWHMSUa zPaI4+tJitj60dUJBId0VF3gD56EaAeBy678/B+Bm7q8e07M6UzWPn015wRny2/HSoyX FlOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=VxpY+edCV5F+g86xb2GLOCLOfGp7uPwvdUNcJ1aB76U=; b=WTVXpdZMWLynpTBB76y2WGqUo7LTdfQyicxLcvWJTBabwfrJ7f+1PaqJL8Rra/MPVP zHDELGL7kvzc48A4BNNt384IqwMwRyzGYe88qPmV18xYuTr1DmFxcnxZ3uF1CPwS4FaE Vrzuo1eb3KWcLHxTHAcjvPFoj3wB1hOqb42/MQ2E6Tsbk6JujQSVNIAdsLVoKFoVvmUd +3sUOyV+9xG6mJxi6DE3HMVgPbitkGWERm426PeNwXNA/FbIIVI/Dl6lfdRWsemTNvIw 9HkjMW2eKXO1JM2OkQEfEQ/3bx7Hb1nmpQcdWyIdBN4mhGA9vpspUwRdfZ9YYWh2v3x3 O4qA==
X-Gm-Message-State: ANhLgQ3ZIb1XTkjLS9QpnbcORULRUdX6xAJcZBhStzSWUBxJisEEpAXt DLK7uDMAVXbMYPbEf8S+1o5F67nfq/uEtKHj68DYi9cY
X-Google-Smtp-Source: ADFU+vs5l+oJXKm1I52IUOl/Z7iOU+5xviExVzDGeYmSAzRas3tq7Jc60eg3TH4tE8FhBDFDg8/UidPwwvAwc7dukCE=
X-Received: by 2002:a19:4cc2:: with SMTP id z185mr6238914lfa.0.1584729948903; Fri, 20 Mar 2020 11:45:48 -0700 (PDT)
MIME-Version: 1.0
References: <6750F9C8-425E-45B1-BCE8-52674F7BCDC5@mit.edu>
In-Reply-To: <6750F9C8-425E-45B1-BCE8-52674F7BCDC5@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 20 Mar 2020 11:45:22 -0700
Message-ID: <CAD9ie-uVjxFotSDK=gtu-E0c3gRRr2F+V_pfmORRKsaEUBhQ0Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000ab5d8a05a14db13d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/VGcAQoCWTAq_R7uMufORv2O47Cs>
Subject: Re: [Txauth] Multiple Access Tokens in XYZ
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2020 18:46:04 -0000
Justin: How are each of the access tokens refreshed in the multiple access token scenario? On Fri, Mar 13, 2020 at 3:13 PM Justin Richer <jricher@mit.edu> wrote: > I took some time to implement an idea that was tossed out on the list here > recently, and that’s how we might support requests and responses for *multiple > access tokens*. I’ve got a method that I think works pretty well without > getting in the way of the common, simple case of requesting a single access > token. I’ve implemented this in our Java implementation of XYZ and I’ve > updated the *https://oauth.xyz/ <https://oauth.xyz/>* website with more > details. I’ll update my ID spec text when I get a chance to reflect this, > but I wanted to start this discussion first. Everything in here is based on > the XYZ protocol. > > Normally, the “resources” element of a tx request is an array of items: > > resources: [ > { > actions: ["read", "write", "dolphin"], > locations: ["https://server.example.net/", " > https://resource.local/other"], > datatypes: ["metadata", "images"] > }, > { > actions: ["foo", "bar", "dolphin"], > locations: ["https://resource.other/"], > datatypes: ["data", "pictures"] > } > ] > > > This tells the AS that the client is asking for a single access token with > multiple, perhaps orthogonal sets of access. This is in parallel to RAR > being developed in OAuth 2. However, if we allow the “resources” item to be > an object instead of an array, we can let the client signal to the AS that > it wants multiple access tokens. The client picks “labels” for these access > tokens, in this case “token1” and “token2”, and sends a request like this. > > resources: { > token1: [{ > actions: ["read", "write", "dolphin"], > locations: ["https://server.example.net/", " > https://resource.local/other"], > datatypes: ["metadata", "images"] > }], > token2: [{ > actions: ["foo", "bar", "dolphin"], > locations: ["https://resource.other/"], > datatypes: ["data", "pictures"] > }] > } > > > The client could request multiple kinds of access within each sub-object’s > array (the value of the “token1” and “token2” fields), but I wanted to keep > it simple here. This example is the same total set of resources that the > client is asking for in the first case, but here the client’s saying it > wants them as two different access tokens instead of a single one. The AS > can tell the difference in the request because the first type is an array > at the top and the second type is an object at the top. So that means that > the AS can send back a single access token in a tx response like this: > > { > access_token: { > value: "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", > type: "bearer" > } > } > > > Or multiple access tokens in a tx response like this: > > { > multiple_access_tokens: { > token1: { > value: "OS9M2PMHKUR64TB8N6BW7OZB8CDFONP219RP1LT0", > type: "bearer" > }, > token2: { > value: "UFGLO2FDAFG7VGZZPJ3IZEMN21EVU71FHCARP4J1", > type: "bearer" > } > } > } > > > These fields are mutually exclusive, so you either get a single unnamed > token or a set of named tokens. Since the client pics the labels for the > access tokens, it’s clear which part of the request maps to which part of > the response. It’s more complexity for the client to track, but that > complexity is only seen and borne by clients that need it. Simple clients > get to stay simple while letting a complex problem get solved. > > *A note about the polymorphic JSON *that’s in user here, though it’s > already a key part of XYZ’s protocol design. For those unfamiliar with the > concept, this is when a given field can have a value that takes multiple > different types: a string, a boolean, an object, an array, etc. This is > pretty simple to deal with in dynamically typed languages, you just check > the type of the resulting object and it will tell you what you’re dealing > with. It’s trickier in statically typed languages, but I’ve found that > pretty much every platform and library has hooks for custom serialization > and deserialization that will let you dispatch to different types during > the process, so you can still call your top-level parser and toString > methods and things will work as expected. This is one of the reasons that I > did an implementation in Java, to prove that we could do this kind of thing > in a strongly typed language that’s not very flexible about what goes in > objects, and I’ve done it without resorting to generic collections for the > dynamic fields. Previously, I’ve used this feature in XYZ to allow a single > string to stand in as a reference for an object — something XYZ calls > “handles”. These let you have constructs akin to a client_id, a scope, a > refresh token, and a few other items without having to create explicit > elements for these, since they always stand in for the object they replace > there’s no ambiguity. So for things like a resource request, each of these > can be replaced by a string using resource handles and polymorphic JSON > (see note below) to act like a scope in OAuth2. > > resources: [ “metadata-readwrite”, “foobar-pictures” ] > > > Polymorphic JSON is great for things like this because it means you don’t > have to have multiple fields and normative rules for mutual exclusivity, > like we’d have to have otherwise. The type switching only works when the > base type is significantly different, though — that’s why I have > “access_token” and “multiple_access_tokens” above, since both are objects > at the top level and you can’t cleanly switch at the parser level, and you > don’t want to have to dig down into the object to see what to do with it. > > > > People have been asking for a good way to do multiple access tokens with > OAuth for years, but we’ve never had a good or clean way to pull it off > because of OAuth’s model and the assumptions that it makes. I think TxAuth > gives us the opportunity to solve this in a way that’s consistent with the > rest of the protocol, and do so in a way that doesn’t make the simple cases > we know and love too complicated for average developers. > > — Justin > > -- > Txauth mailing list > Txauth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth >
- [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Torsten Lodderstedt
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Torsten Lodderstedt
- Re: [Txauth] Multiple Access Tokens in XYZ Vladimir Dzhuvinov
- Re: [Txauth] Multiple Access Tokens in XYZ David Skaife
- Re: [Txauth] Multiple Access Tokens in XYZ Torsten Lodderstedt
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Vladimir Dzhuvinov
- Re: [Txauth] Multiple Access Tokens in XYZ Torsten Lodderstedt
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Torsten Lodderstedt
- Re: [Txauth] [EXTERNAL] Re: Multiple Access Token… Mike Jones
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Dick Hardt
- Re: [Txauth] Multiple Access Tokens in XYZ Dick Hardt
- Re: [Txauth] Multiple Access Tokens in XYZ Richard Backman, Annabelle
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Torsten Lodderstedt
- Re: [Txauth] Multiple Access Tokens in XYZ Torsten Lodderstedt
- Re: [Txauth] Multiple Access Tokens in XYZ Justin Richer
- Re: [Txauth] Multiple Access Tokens in XYZ Richard Backman, Annabelle