Re: [GNAP] DID as sub_id or assertion?
Fabien Imbault <fabien.imbault@gmail.com> Thu, 18 March 2021 17:28 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7D813A303E for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 10:28:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gW2XRELHioc3 for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 10:28:35 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E584D3A303B for <txauth@ietf.org>; Thu, 18 Mar 2021 10:28:34 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id x16so3124555iob.1 for <txauth@ietf.org>; Thu, 18 Mar 2021 10:28:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cd2PIRcDoVAGKeKohKakN/tIx+0MPny6Q8S7eNQKBuw=; b=X2/I7qAhPAmSOwBRrDPT3Hb5utzHPsYKFveU8vyIgK+6plC+xtmvI94Y8+tb/k3IAM myBHyvWaVmG5JwFwhzQkFBZBAhHFZ2gmobn+FgrmjU+AJFZjBAVT4Jf/OIsl/dcULjkY /QI+NcqeIkm2vEdf0HA7h9p1VYWa3wMe1+Sg7VaI7GkmJacaU17yjvJ4ZeePsACy2AK7 HfXYbtCUErA9BnN8DuWYrMjW/m/imFbqVWHvb3ZD0r5laEXiXaXnOMfq31Sqn7BbBB1b tH2QaBHiPgB2IoWsJTSiBmMP5S7aFrP32Ew4fl4hHM0Oc42ApBoeaUC3nn0YRMtGl7cP Jyww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cd2PIRcDoVAGKeKohKakN/tIx+0MPny6Q8S7eNQKBuw=; b=F8SpLXbNOte3N9SYw1Ut3BgHanxhJla3sY6QVbrtq5cmrPWHsfDdQkO2aTkbF4obEv /e+E4t9lInQyuaQUFXkiyg4EF5WMT6fqJQy/p7QxyaQSXTGdIjsEp5xTG1v6OQOKYM0P 3ey7go4HeJDf0iaxC9s6zomLJbY9+Dh2m7fagxwhH+6geoISuIeQ9Sqgk9MdozGFPPIq +hYGXCXCh1x+h1moru60rG7E7eSnn/tWWOsoOB5q/yNpqD84JGVc7eIdCH3QuqKvSywe IaE4DEXi+Excn1XSoHIjJI4hPghnOLz9NkWtrApdX/F5tt6uNrqZZmTwOwL6/vDNVf8E 3DDg==
X-Gm-Message-State: AOAM532YcmGrCMZ3DdhyN3+w45dUcK8nLwLbJESOFt8chwfUZ0idQYIP Q/aHXCoYLf9GQ1HELMPfwtNib0nrXalgdWb27mI=
X-Google-Smtp-Source: ABdhPJyBAyEDQCv/hOKsyYrD/V4KvL25MNtKzdJIp1Mm3PzouQ94xkVSM4Ky1TXsVn6NnFlErdi0mRl3OcT6Fa7X0NE=
X-Received: by 2002:a02:ca13:: with SMTP id i19mr8014502jak.47.1616088513514; Thu, 18 Mar 2021 10:28:33 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuQ5Q1LrGtniCH3WN5gyf6QhBa-9e+2kzaV0fxzA5D5m7w@mail.gmail.com> <B3A02C1B-5DF6-46AE-B806-8DBBF5F6B701@mit.edu> <CAM8feuRuCyKGCDNYXP_gwc=wk986q6m_-DDOcXR8T9k+LdoX9g@mail.gmail.com> <CAM8feuRHQJF6sWGBcvt41kH6V6fwXK0-O15aUgvRRiK9q8vefA@mail.gmail.com> <CAJmmfSSY03c1nn3qtQDhY+Zk490d++zftyftSWPOGPdgPOnkag@mail.gmail.com> <CAM8feuTSWko8q+Agn+0+tLmSAOG6NYH_dMCV697NLna1U-Sxew@mail.gmail.com> <CANYRo8immAFJ08pvd00U6zT6-zRsrHkJ28NuKyC28Fdx=F=USQ@mail.gmail.com> <CAM8feuQbDJfPqym-2VAb4VyDuL8rm_Yk-sGyrb8_qAapUBtEuw@mail.gmail.com> <CAM8feuS332Ng_Bi=doXzq0WEgLc7_+tOmB4uE71+bpJ_g4P-aw@mail.gmail.com> <CANYRo8jG+ZutU6Bhy7zSrKcgnVxjMze7i-y_UpU3+PWvsWfLvA@mail.gmail.com> <CAM8feuSixNA2oFTtYR0Y3vngc+3UbsOSqSBCA6RUEEByB25eNA@mail.gmail.com> <CANYRo8hts6P_4QNjjcUr-H9B9wGJeVckWw+3V3N9hdPHf_idLQ@mail.gmail.com> <CAM8feuQEQyCEOErds8rpcipaqyPm3L3XMdrbQ6X2t3y9xcO4dQ@mail.gmail.com> <CAJmmfSQKZWm=YsjBVV8O+vU9zzC+eka0CCaQO-xFP-GcWzEigw@mail.gmail.com> <CANYRo8jw9gHQESDk__aKM3jK-C9FvYTFYOzb-8iYzbc_hVjMPA@mail.gmail.com> <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu> <CANYRo8inRJa0bAe6gqOkLKqHnt-qxPrzhDufBLwXd-S4wfjdxg@mail.gmail.com> <CAM8feuS98hqZ36hjCHg_=wpueDyXHb7t156OXnL_8MXtzpiyjA@mail.gmail.com> <CANYRo8i4gVpV5Fv7Yr9AFLNSq658EayHK5yJ+vp2ecUaRJ6fYw@mail.gmail.com> <CAM8feuSC2EDHbVHXjHAkgV8jfYP9+gQ_ZV-+y=aoEjf97Rbyqg@mail.gmail.com> <CANYRo8hdA0vLRXwOMDDg99qQHWC=DAzk+ht=ykjZ42bPmUxdPA@mail.gmail.com> <CANpA1Z2jv1ye234SKXa3n=z1yoVY5nW72Xqzj2bk_+_KjnK-+g@mail.gmail.com> <C4DC413B-32C7-432C-AE14-FC743D45319A@mit.edu> <CANpA1Z1b8FVXNgJKbv9wDyWsuva5PRrWvrgsoymCK9bj_Zt1wg@mail.gmail.com> <43447446-4061-49F2-8486-5A196C3C75E2@mit.edu> <CAM8feuSncUCkqWAA975kCTUdv69VG41a9s7HYD2LP5xCVmkkiQ@mail.gmail.com> <714CB4F1-DF58-4841-AAA5-93D3B89979E5@mit.edu>
In-Reply-To: <714CB4F1-DF58-4841-AAA5-93D3B89979E5@mit.edu>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Thu, 18 Mar 2021 18:28:22 +0100
Message-ID: <CAM8feuRdcXdQgzBZYNsguhyDv_MHOsL8Nh0vdZErOaZzcDc5_Q@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: Alan Karp <alanhkarp@gmail.com>, Adrian Gropper <agropper@healthurl.com>, Tobias Looker <tobias.looker@mattr.global>, GNAP Mailing List <txauth@ietf.org>, Mark Miller <erights@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000c614ac05bdd2eda1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/Y8LHeoBneIU4M7qAPnTWJHi73RY>
Subject: Re: [GNAP] DID as sub_id or assertion?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 17:28:38 -0000
+1 with that On Thu, Mar 18, 2021 at 6:25 PM Justin Richer <jricher@mit.edu> wrote: > Fabien, > > Exactly, this is why I am more and more thinking that the core protocol > should focus on the client instance->AS / client instance->RS connections > (for which the token is opaque) and a secondary document would talk about > the AS<->RS connection (for which the token is not opaque). > > The mapping of the AS and RS roles is also key. In OAuth 1, these were a > single entity known as the “server”. In OAuth 2, we decided to split the > roles to ease the discussion of how to deploy them. OAuth 2 doesn’t say > anything about how they relate to each other except that the RS trusts > tokens coming from the AS. An AS could have multiple RS’s that it protects, > an RS could accept tokens from multiple AS’s, these relationships could be > statically configured, they could be dynamic at runtime, etc. The community > has come up with two key extensions — JWTs and Introspection — that allow > for interoperable ways to make this connection, but OAuth 2’s core doesn’t > actually care how this happens and it could be proprietary or internal (and > often times is in practice). But in all cases, the RS has outsourced its > trust to the AS to create tokens the RS will accept. > > — Justin > > On Mar 18, 2021, at 1:13 PM, Fabien Imbault <fabien.imbault@gmail.com> > wrote: > > Hi Justin, > > "The access token is fundamentally a conversational artifact between the > AS and the RS which the client is the carrier of." > That's right, and a good opportunity to distinguish between the need for > token inspection (i.e. a runtime verification, wherever that may be) and > the need to negotiate the token format (a discovery). That last part could > very well be an extension, as a way to open up the ecosystem beyond JWTs > (which are fine, but come with their own limitations). > > Fabien > > On Thu, Mar 18, 2021 at 5:59 PM Justin Richer <jricher@mit.edu> wrote: > >> On Mar 18, 2021, at 11:30 AM, Alan Karp <alanhkarp@gmail.com> wrote: >> >> >> Justin Richer <jricher@mit.edu> wrote: >> >>> On Mar 18, 2021, at 12:08 AM, Alan Karp <alanhkarp@gmail.com> wrote: >>> >>> >>> Adrian Gropper <agropper@healthurl.com> wrote: >>> >>>> >>>> Is there an AS involved in the delegation? How and where in the >>>> lifecycle of the protected resource? >>>> >>> >>> If tokens are certificates, the AS need not be involved in subsequent >>> delegations. The AS must be involved if the tokens are opaque. >>> >>> >>> Tokens are opaque to the client instance. They are not opaque to the AS. >>> They might be opaque to the RS, but that depends on the kind of >>> relationship the RS and AS have. GNAP should allow different options here >>> as there are different use cases for that. >>> >> >> Tokens are not opaque to the client in SPKI, zcap-ld, Orie's >> implementation with VCs, or our Zebra Copy work. Why must they be in GNAP? >> >> >> The existence of the AS is exactly the reason for this. The AS is the >> role that “knowledge about the token contents” has been outsourced to in >> the GNAP model (which is based on the OAuth model). >> >> It brings significant simplicity for the client developer. The question I >> have is — why does the client need to know what’s in the token? Not if they >> could possibly know, but why would we expect a client to know and manage >> the contents of the token? >> >> The access token is fundamentally a conversational artifact between the >> AS and the RS which the client is the carrier of. The client is not the >> audience of the token, nor the creator of the token, nor even the manager >> of the token and the rights it represents. The client as a simple carrier >> is a powerful model that allows the security layer to get out of the way of >> the actual application logic that developers want to do. >> >> — Justin >> >> >> -------------- >> Alan Karp >> >> >> On Thu, Mar 18, 2021 at 4:56 AM Justin Richer <jricher@mit.edu> wrote: >> >>> On Mar 18, 2021, at 12:08 AM, Alan Karp <alanhkarp@gmail.com> wrote: >>> >>> >>> Adrian Gropper <agropper@healthurl.com> wrote: >>> >>>> >>>> Is there an AS involved in the delegation? How and where in the >>>> lifecycle of the protected resource? >>>> >>> >>> If tokens are certificates, the AS need not be involved in subsequent >>> delegations. The AS must be involved if the tokens are opaque. >>> >>> >>> Tokens are opaque to the client instance. They are not opaque to the AS. >>> They might be opaque to the RS, but that depends on the kind of >>> relationship the RS and AS have. GNAP should allow different options here >>> as there are different use cases for that. >>> >>> It would probably be worthwhile to separate the portions of the spec >>> that talk about the RS-AS relationship into its own standalone document. A >>> similar approach was taken in UMA2 and it was helpful. (Though admittedly, >>> as with anything, there are missteps there that we can hopefully learn >>> from.) >>> >>> — Justin >>> >>> >>> -------------- >>> Alan Karp >>> >>> >>> On Wed, Mar 17, 2021 at 8:54 PM Adrian Gropper <agropper@healthurl.com> >>> wrote: >>> >>>> Sure! >>>> >>>> Is there an AS involved in the delegation? How and where in the >>>> lifecycle of the protected resource? >>>> >>>> Also your use of "the client" seems to imply that either there is only >>>> one client or the client doesn't matter. Which is it? >>>> >>>> Adrian >>>> >>>> On Wed, Mar 17, 2021 at 11:43 PM Fabien Imbault < >>>> fabien.imbault@gmail.com> wrote: >>>> >>>>> Thanks for that. >>>>> >>>>> Trying to reframe it: >>>>> GNAP is defined as a delegation protocol so the main intent is related >>>>> to a delegate of the RO (i.e. the end user) that wishes to access the RO's >>>>> protected resources, through the client. >>>>> >>>>> Fabien >>>>> >>>>> Le jeu. 18 mars 2021 à 04:29, Adrian Gropper <agropper@healthurl.com> >>>>> a écrit : >>>>> >>>>>> At various points in the lifecycle of the protected resource the >>>>>> client at the resource server (RS) might be: >>>>>> >>>>>> - The RO (subject) user agent trading payment for a service >>>>>> promise >>>>>> - The RO user agent using the promise to access the protected >>>>>> resource >>>>>> - A delegate of the RO user agent using a different client >>>>>> >>>>>> What's vague is where the GNAP AS enters the picture as described >>>>>> above. How would you describe it? >>>>>> >>>>>> Adrian >>>>>> >>>>>> >>>>>> On Wed, Mar 17, 2021 at 10:20 PM Fabien Imbault < >>>>>> fabien.imbault@gmail.com> wrote: >>>>>> >>>>>>> Hi Adrian >>>>>>> >>>>>>> I'm still confused why you're saying the terminology is vague. >>>>>>> I get the "power" neutrality is not to your liking, but RQ / user >>>>>>> agent is no better in my view. >>>>>>> >>>>>>> Can you elaborate? >>>>>>> >>>>>>> Fabien >>>>>>> >>>>>>> Le jeu. 18 mars 2021 à 00:18, Adrian Gropper <agropper@healthurl.com> >>>>>>> a écrit : >>>>>>> >>>>>>>> I'm sure you're right. Our vague terminology around >>>>>>>> client and end-user leads to my confusion. If GNAP is primarily about >>>>>>>> delegation then, of course, we should avoid any incentives to impersonate >>>>>>>> or we're wasting our time. This is partly why I'm trying to study up on >>>>>>>> capabilities and asking for expert advice from folks like Alan Karp and >>>>>>>> Mark Miller (cc'd) >>>>>>>> >>>>>>>> As best I can understand it, the RS has only two choices, it can: >>>>>>>> >>>>>>>> - store an attribute of the RO a [DID, email address, GNAP AS >>>>>>>> URL], or >>>>>>>> - hand the RO a capability as a sort-of promise and avoid >>>>>>>> making any entries in an ACL or equivalent. >>>>>>>> >>>>>>>> When a token comes back to the RS, it will either be: >>>>>>>> >>>>>>>> - validated according to something associated with the stored >>>>>>>> RO attribute, or >>>>>>>> - signed by the RS itself. >>>>>>>> >>>>>>>> Either way, trust in the client seems moot. >>>>>>>> >>>>>>>> Adrian >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Mar 17, 2021 at 5:29 PM Justin Richer <jricher@mit.edu> >>>>>>>> wrote: >>>>>>>> >>>>>>>>> On Mar 17, 2021, at 4:55 PM, Adrian Gropper < >>>>>>>>> agropper@healthurl.com> wrote: >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Mar 17, 2021 at 4:23 PM Tobias Looker < >>>>>>>>> tobias.looker@mattr.global> wrote: >>>>>>>>> >>>>>>>>>> <snip> >>>>>>>>>> > A client might not have a DID but it could have a VC as a >>>>>>>>>> certificate of authenticity linked to some audit mechanism. >>>>>>>>>> >>>>>>>>>> To me a VC would come under the assertions umbrella (that is to >>>>>>>>>> say a VC could be one type of valid assertion). The client may possess or >>>>>>>>>> been presented with a VC that it could include in its request to the AS as >>>>>>>>>> a way to identify the subject and perhaps prove authentication and >>>>>>>>>> authorization. >>>>>>>>>> >>>>>>>>> >>>>>>>>> I do not assume that the client that interacts with the AS to make >>>>>>>>> a request and receive a token is the same as the client that will present >>>>>>>>> the token to the RS. In the US HIPAA use-case, for example, the root of >>>>>>>>> trust is a contract between the patient-subject and the doctor-requesting >>>>>>>>> party but the doctor workflow is expected to delegate the token to some >>>>>>>>> other end-user that may be using a totally different client such as an EHR. >>>>>>>>> >>>>>>>>> >>>>>>>>> If the client that gets the token is not same as the client that >>>>>>>>> uses the token, that is a violation of core security principles as it >>>>>>>>> allows for (and really designs for) impersonation by client software. I >>>>>>>>> would have no reason to trust client software that would hand its >>>>>>>>> credentials over to another piece of software, and in fact I shouldn’t >>>>>>>>> trust it. >>>>>>>>> >>>>>>>>> I think you may be conflating several different kinds of parties >>>>>>>>> under the “client” umbrella here, though. It’s entirely possible that one >>>>>>>>> client might call an RS that in turn acts as a client for something else >>>>>>>>> down stream. But each of those hops is different from the last. >>>>>>>>> >>>>>>>>> — Justin >>>>>>>>> >>>>>>>>> >>> >> >
- [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Denis
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Tobias Looker
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Denis
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] DID as sub_id or assertion? Adrian Gropper
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Alan Karp
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- [GNAP] Should access tokens be opaque or not for … Denis
- Re: [GNAP] DID as sub_id or assertion? Justin Richer
- Re: [GNAP] DID as sub_id or assertion? Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Stephen Moore
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Stephen Moore
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Alejandro Iacobelli
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Alejandro Iacobelli
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper
- Re: [GNAP] Should access tokens be opaque or not … Justin Richer
- Re: [GNAP] Should access tokens be opaque or not … Fabien Imbault
- Re: [GNAP] Should access tokens be opaque or not … Adrian Gropper