Re: [GNAP] Addition of optional 'access_token' in interact callback section
Justin Richer <jricher@mit.edu> Fri, 21 January 2022 18:42 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F5713A0958 for <txauth@ietfa.amsl.com>; Fri, 21 Jan 2022 10:42:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.497
X-Spam-Level:
X-Spam-Status: No, score=-1.497 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WgTSDSPqfM7E for <txauth@ietfa.amsl.com>; Fri, 21 Jan 2022 10:42:12 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EE323A0923 for <txauth@ietf.org>; Fri, 21 Jan 2022 10:42:12 -0800 (PST)
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 20LIgAJS007039 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 21 Jan 2022 13:42:10 -0500
From: Justin Richer <jricher@mit.edu>
Message-Id: <EC5B1BAD-6526-434B-A6CF-9CF656124C9B@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7BE5C52E-4070-4167-9F8F-C04C6DEDCB55"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Fri, 21 Jan 2022 13:42:09 -0500
In-Reply-To: <YT1PR01MB3099EEADBB4C78C6BD0807D5E45B9@YT1PR01MB3099.CANPRD01.PROD.OUTLOOK.COM>
Cc: "txauth@ietf.org" <txauth@ietf.org>
To: Mike Varley <mike.varley@securekey.com>
References: <YT1PR01MB30997386FF4252950B34E9F2E4549@YT1PR01MB3099.CANPRD01.PROD.OUTLOOK.COM> <YT1PR01MB3099EEADBB4C78C6BD0807D5E45B9@YT1PR01MB3099.CANPRD01.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ZKB4jHXpiD4Uvq248qc8Xsuk7iI>
Subject: Re: [GNAP] Addition of optional 'access_token' in interact callback section
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jan 2022 18:42:17 -0000
Hi Mike, thanks for bringing this to the WG. My gut instinct is that we could potentially re-use a similar construct we have in other parts of the protocol, where we’re sending a URI and an access token to use at the URI, with all of its parameters. I think it’s important that we don’t slip into the OAuth 2 over-simplification of “access_token” being a simple string value, because then you need to invent a whole bunch of other things to talk about non-bearer tokens or other attributes. But we could take the same kind of construct we use for the continuation endpoint response and use it again with what you have below: you have a URI and an access token, and the access token is a fully defined GNAP access token structure. So the “continue” section looks like this:
{
"continue": {
"access_token": {
"value": "80UPRY5NM33OMUKMKSKU"
},
"uri": "https://server.example.com/continue",
"wait": 60
}
}
The access token here is, by default, bound to the client’s presented key — it’s the same structure that you get back from a “real” access token response, only embedded. This is what I’m thinking that might look like in the example below:
{
"client" : "protected.client.ca",
"access_token" : {
"access" : [ "idproof1"],
"flags" : "bearer"
}
"interact" : {
"start" : [ "app", "user_code" ],
"finish" : {
"method" : "push",
"nonce" : "client_nonce_random",
"uri" : "https://protected.client.ca/callback/session/abc-123",
"access_token" : {
“value”: “callback_access_token”,
“flags”: [ “bearer” ]
}
}
}
}
This way, we’re not inventing a new structure, it’s just another GNAP token. And yes, it would need to be optional, and only defined for the “push” method (at least with what’s defined in core).
I agree that the security and privacy considerations of something like this would be pretty intense, though, since now we’re having the client instance create and manage a token. Maybe it’s a good extension? But if so, how can we define the “finish” section such that it can be extended this way?
Would love to hear if anyone else has this use case, too.
— Justin
> On Jan 21, 2022, at 9:39 AM, Mike Varley <mike.varley@securekey.com> wrote:
>
> Hello GNAP’ers,
>
> I would like to float the idea of adding an optional core parameter to the ‘interact’ request object parameter called ‘access_token’. Specifically relevant to the finish.method = push function.
>
> For example:
> {
> "client" : "protected.client.ca <http://protected.client.ca/>",
> "access_token" : {
> "access" : [ "idproof1"],
> "flags" : "bearer"
> }
> "interact" : {
> "start" : [ "app", "user_code" ],
> "finish" : {
> "method" : "push",
> "uri" : "https://protected.client.ca/callback/session/abc-123 <https://protected.client.ca/callback/session/abc-123>",
> "nonce" : "client_nonce_random",
> "access_token" : "callback_access_token"
> }
> }
> }
>
> The result of the above would be that when the POST callback is made to the client API endpoint, the bearer access token would be included as authorization.
>
> The motivation is clients who have API endpoints may require that all API calls be made with an access token - there are no open server API endpoints. The motivation for including it in the core spec is too ensure there is a standard way of providing this security parameter, and AS developers are not left re-inventing this parameter for clients. Some clients I have worked with have been adverse to putting access tokens in the URI as parameters as these may get logged by proxies and gateways.
>
> There are a couple drawbacks that I see to supporting this parameter; first, it currently only covers “bearer” tokens – so other security parameters or requirements either get included (making the protocol and the AS life much more difficult), and second there wouldn’t be much guidance on how the client is expected to generate this access token (most access_token generating services require a client request to kick things off…) and then this may cascade into more complicated nuanced steps.
>
> I am very much interested in other’s experience on this topic; “this is a good idea/bad idea because…” and also “this should be core/extension because”. I believe adding lots of optional parameters for not-so-well defined use cases that may never practically occur in the wild to be detrimental to a spec as it just leads to more developer guesswork and customization, so I would like to avoid that also :)
>
> Thanks all!
>
> MV
>
> ---
> Mike Varley mike.varley@securekey.com <mailto:mike.varley@securekey.com>
> Architect – Office of the CTO
> SecureKey Technologies Inc.
>
>
>
>
> This email and any attachments are for the sole use of the intended recipients and may be privileged, confidential or otherwise exempt from disclosure under law. Any distribution, printing or other use by anyone other than the intended recipient is prohibited. If you are not an intended recipient, please contact the sender immediately, and permanently delete this email and its attachments.
>
> --
> TXAuth mailing list
> TXAuth@ietf.org <mailto:TXAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/txauth <https://www.ietf.org/mailman/listinfo/txauth>
- [GNAP] Addition of optional 'access_token' in int… Mike Varley
- Re: [GNAP] Addition of optional 'access_token' in… Justin Richer
- Re: [GNAP] Addition of optional 'access_token' in… Fabien Imbault
- Re: [GNAP] Addition of optional 'access_token' in… Mike Varley