[GNAP] RS-Token Introspection or RC-Token Introspection
Denis <denis.ietf@free.fr> Fri, 11 December 2020 11:04 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96D163A0A26 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 03:04:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0MKf25j5RY7 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 03:04:17 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D7783A0A2C for <txauth@ietf.org>; Fri, 11 Dec 2020 03:04:17 -0800 (PST)
Received: from [192.168.1.11] ([90.91.135.71]) by mwinf5d26 with ME id 2z4C2400F1Ybo4i03z4CTC; Fri, 11 Dec 2020 12:04:13 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 11 Dec 2020 12:04:13 +0100
X-ME-IP: 90.91.135.71
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
References: <7f06d460-a4bb-652a-bba0-fe5fe5e6478f@free.fr> <CAM8feuQd3TkD0-hYfJQW0f4C9pnZO1J646hg9cumbb22D2XK5g@mail.gmail.com> <CAM8feuSRoUvKaDkheuQa5kp52hFhK+=TBp+1dq9qQrFweGf7vg@mail.gmail.com> <56f50921-a88f-230a-20d1-aee187f09b6e@free.fr> <CAM8feuSeXjJwVdjaAP-B=mKVDePyPcx3Vpd7Ef6GFY1YwbMJ6A@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <21cf7c30-c42a-f29c-a407-7badde5c0151@free.fr>
Date: Fri, 11 Dec 2020 12:04:12 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.0
MIME-Version: 1.0
In-Reply-To: <CAM8feuSeXjJwVdjaAP-B=mKVDePyPcx3Vpd7Ef6GFY1YwbMJ6A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------1276A06051D1816DA3C09C1B"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/VLUQhYgp17wad72JA6Asplgwohs>
Subject: [GNAP] RS-Token Introspection or RC-Token Introspection
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 11:04:20 -0000
Hi Fabien, This is a response only to the point 7 from the "Quick review of draft-ietf-gnap-core-protocol-00". The full original text with your comments is copied after my reply. In order to allow the RC to understand the content of an opaque token, you are proposing to support a Token Introspection query from the RC to the AS. This does not solve the concerns of a RC that wants to make sure that the access token does not contain claims that have not been requested. Let us illustrate the case by using an example: The RC asks to the AS to deliver an access token that contains an identifier only unique to the RS. In reality, the AS delivers an access token that does contain an identifier only unique to the RS but in addition a globally unique identifier. Since the access token is supposed to be opaque to the RC, the RC calls the AS to perform a Token Introspection operation. In its response, the AS presents an identifier that is indeed only unique to the RS but the AS voluntarily *omits *to present the globally unique identifier to the RC. In the same way, if Token Introspection is supported by a RS, that does not provide confidence to the end-user or to the RC. Let us illustrate the case by using another example: The AS delivers to the RC an access token that only contains an identifier unique to the RS. Since the access token is supposed to be opaque to the RS, the RS calls the AS to perform a Token Introspection operation. In its response, the AS presents an identifier that is indeed only unique to the RS but the AS voluntarily *adds *a globally unique identifier. _Conclusion_: In both cases, a globally unique identifier will be used by the RS without the RC or the end-user knowing it. Opaque tokens are in contradiction with the end-user's privacy. For end-users caring about their privacy (or for systems willing to protect the user's privacy), access tokens should not be considered to be opaque to RCs, nor to RSs, and ASs should not support Token Introspection, whether it is RS-Token Introspection or RC-Token Introspection. Denis >> 7.The content and the format of access tokens shall not >> be considered to be opaque to the RC so that the RC can >> inspect it. >> This is a matter of confidence to make sure for the >> RC (and for the user) that no "extra" information has >> been included by the AS into the access token. >> >> [FI] This might go a bit further than the GNAP's mandate >> (especially if it becomes a mandatory requirement). But supposing >> we support non-opaque tokens, >> does it preclude supporting opaque tokens? It's just a different >> trust model, which makes sense if people agree with your premises >> (previous items), >> but that are less relevant if people still consider the AS as the >> central piece. Also one great thing with opaque tokens is that it >> makes the system easier to upgrade >> (you don't really care about what a token is). > > [Denis] Privacy is not more relevant for an AS-centric model than > for a RS-centric model. In particular, a RC should be able to > verify which kind of end-user identifier claim > has been incorporated into the access token by the AS, in > particular whether it is globally unique, unique to the AS only, > unique to the RS only or ephemeral (valid for > that RS during a session with the AS). > > [FI2] ok, see discussion on whether tokens should be opaque or not. > > I suppose that the use of structured access tokens should be > recommended. This means,in particular, that from the very > beginning, we should incorporate a version number > inside each access token. > > >> One alternative way would be to allow RS call to AS for >> verification (including revocation status) and include a checksum. > > [Denis] The RC, i.e. not the RS, should be able to perform such > verification before presenting the access token to the RS. So this > alternative way would not work. > > [FI2] then there could be a similar API for the client (cf discussion > on similarities between introspection/management APIs). >
- [GNAP] Quick review of draft-ietf-gnap-core-proto… Denis
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Fabien Imbault
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Fabien Imbault
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Denis
- Re: [GNAP] Quick review of draft-ietf-gnap-core-p… Fabien Imbault
- [GNAP] RS-Token Introspection or RC-Token Introsp… Denis
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Fabien Imbault
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Denis
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Fabien Imbault
- Re: [GNAP] RS-Token Introspection or RC-Token Int… Fabien Imbault