IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Warren Parad <wparad@rhosys.ch> Mon, 14 December 2020 20:11 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C56B73A1AB4 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 12:11:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.186
X-Spam-Level:
X-Spam-Status: No, score=-0.186 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id asjE1DW451Tz for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 12:11:20 -0800 (PST)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FB963A1AB0 for <txauth@ietf.org>; Mon, 14 Dec 2020 12:11:20 -0800 (PST)
Received: by mail-io1-xd30.google.com with SMTP id y5so18156134iow.5 for <txauth@ietf.org>; Mon, 14 Dec 2020 12:11:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eCLxK2KkDTMIWu705jyzW8amm9npcDvNI/HnR6xRkk0=; b=DrDrs4T1CxzlD6jPidqh1cEhZcbHGAhqwAKOmVfLciyPku5z6ZNTGGDHdj53DfT+uI KMTI042pozuilO6WxsIRaCEFuB/iixTopRlRWVx4bXqybPGXFiWKFt51Dy8JPSMvCk0w qf06tBamYHBCM6+e+O/9IeProcWwp0+DVcm8Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eCLxK2KkDTMIWu705jyzW8amm9npcDvNI/HnR6xRkk0=; b=f6EO/0xsS3SQs/ai7BKrKLCRlITtdr6aaSIlYWsjccNYzV8xYbc6uGCYjThBccAwAv btJNqC5+p4Sx4vQbJPobx8rWK+4msfFps5oZK4JfJWmJfddsbBmcHcbktGPnnoafVWie wdBwKO6VzEpJBfdNnOBbYyEwdNttQqBJJCkfzd9pDnErm2oHeBhk+LzvjxQ0UIhOQIZh HSdDohVVdAa8pv902T0Uf5cDaR8GDXJRJCfbt2ET+eVAh0+4k5jIAejkscNgHfcI099Y J1dzk2A0kOjTILbWag1KBRbf+Cz/D0vM/z4Jf/iplbTpTZ7jntIcnBjC6YFJebpJ6Qtw 68mA==
X-Gm-Message-State: AOAM533BZGz2Lq5XJev22fi3T2b9GvNtSaXipdu9+a9tgxlr2qTeK/SL CT51bKGxSSfaOt5KISDQ4qogP2iMfg57Dj3T0mEa
X-Google-Smtp-Source: ABdhPJzKO0TZcyKe6dJ4eusx03fhR45AmS2wXEKjOBzYAVLx47ReRBSKCFLc5BOfYoKnyFmf4zJp0lanYBLovVl35ow=
X-Received: by 2002:a5d:84cf:: with SMTP id z15mr30709063ior.81.1607976679131; Mon, 14 Dec 2020 12:11:19 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAD9ie-tEpVFfgB8KT3XK=G98wOTcVZxpXXRezCKbVuAP4hZoXQ@mail.gmail.com> <CAM8feuR9x7eMzWtTLeWHNEtjkFUk39kMw3ArFXp5rcFmXCw6BQ@mail.gmail.com> <CAD9ie-tMjNvewwof7W8Nof7D9FXuTEdwV3wTywyhB6gTurktmQ@mail.gmail.com> <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com>
In-Reply-To: <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Mon, 14 Dec 2020 21:11:08 +0100
Message-ID: <CAJot-L0WAn2EqYO=mCVoq4Qm5TPTO7FNjtohriOn8tZHsNCJHQ@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
Cc: Dick Hardt <dick.hardt@gmail.com>, Fabien Imbault <fabien.imbault@gmail.com>, txauth gnap <txauth@ietf.org>, Justin Richer <jricher@mit.edu>, Stephen Moore <srmoore@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000c4774405b6723e9d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ZbuVFeqnPngqcTU_RzksPDftysw>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 20:11:22 -0000

Here's a terrible alternative:

It would seem to me that one compromise could be making the object
extensible by authorization servers (and their corresponding SDK). In a
similar way that JWTs are extensible, we could require explicitly the URI
in the spec, and an optional object to be defined by the AS.

--------

One source of the problem could be that the language for taking the
response object and converting it back into a request one is not well
defined.
Instead if we allowed an optional headers object to be returned:
{
    uri: "https://as/grant/{grantId}",
    headers: {
        'Authorization': 'Bearer ${accessToken}
    }
}

Thereby explicitly telling the client what they need to return back. It
avoids the problem of "what to name these things" and also ensures that the
data is exactly what the server expects. Additionally it sidesteps the
naming issue, where to include tokens, and whether to include them at all.

Otherwise it sucks to be in a situation where the benefits/detriments
aren't clear to everyone, and potentially we can choose a path forward
where both approaches could be used without requiring other clients to jump
over arbritrary hurdles suchs as custom implementations.

Warren Parad

Founder, CTO
Secure your user data and complete your authorization architecture.
Implement Authress <https://bit.ly/37SSO1p>.


On Mon, Dec 14, 2020 at 8:46 PM Aaron Parecki <aaron@parecki.com> wrote:

> Thanks for the clear description. However saying "has no security
> concerns" is a bold claim. Can you clarify how you will ensure that there
> are no security concerns with this method?
>
> My main worry with this is people will start to get "creative" with the
> values of the things in this URL. We've seen this over and over, everything
> from using plaintext data in JWT access tokens in OAuth (now the access
> token contents are visible to clients), to putting data in the OAuth
> "state" parameter (easy to exploit unless it's signed/encrypted), and I'm
> sure someone somewhere is putting things in the authorization code that
> they shouldn't.
>
> Aaron
>
>
> On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>>
>> I am proposing a URI that is straight forward, and has no
>> security concerns.
>>
>> For example, the URI could be:
>>
>> <as uri>/grant/<unique grant id>
>>
>> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f
>>
>> The routing code in the AS then is:
>>
>> router.post(      '/', grant.create);
>> router.get(        '/grant/:grant', grant.read);
>> router.post(      '/grant/:grant', grant.update);
>> router.delete(   '/grant/:grant', grant.delete);
>> router.options( '/grant/:grant', grant.options);
>>
>>
>> Where there is a "grant" module to manage for working with grant requests.
>>
>> /Dick
>>
>> ps: your previous email, and this one, are making the discussion
>> personal. Happy to discuss privately.
>>
>> ᐧ
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email