Re: [GNAP] RS draft - some comments

Justin Richer <jricher@mit.edu> Thu, 07 September 2023 15:38 UTC

From: Justin Richer <jricher@mit.edu>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
CC: GNAP Mailing List <txauth@ietf.org>
Date: Thu, 07 Sep 2023 15:38:38 +0000
Message-ID: <CA6F0103-0A16-494F-BC92-054803CE83FA@mit.edu>
References: <9C49C06C-84BA-4646-896F-82A916E895EB@gmail.com>
In-Reply-To: <9C49C06C-84BA-4646-896F-82A916E895EB@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/_wLbZJ4SQ0yJs8mjXFJSLBSeEsc>

Hi Yaron,

Not a lot of contention here — responses inline.

On Aug 27, 2023, at 7:17 AM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:

Hi,

I have read the latest version of the draft (the editor’s copy). Here are some comments. Let’s discuss these on the list first, and then open issues as needed.


  *   Macaroons and Biscuits - please include references.

Agreed, let’s file an issue.

  *   RS-facing discovery: I suppose the .well-known URL needs to be registered in the IANA section.

Yes, this needs to be registered explicitly.


  *   RS-facing discovery: please add Optional/Required to all fields in the discovery response.

Will do, this should mirror what’s in the core.


  *   Introspection: semantics of the access element in the request is not clear, and it may be easier to remove it completely. Otherwise, we should say that the access element in the response MUST be filtered per the request. On a related note: is it explicitly stated anywhere that an empty access array means no access is allowed?

This is the RS telling the AS “in order to access me (RS), the token needs to have at least these access elements”. The AS can use that information to determine whether the token in question meets that set of requirements. An empty access array (in the response) does not mean no access is allowed, it means that no access is specified. In all cases, the RS makes the final determination of whether and how to serve the request.

  *   Introspection: I'm wondering about the key element in the response. How does the AS know that the token is bound, and how does it know what key the Client should be using? In fact, does it (and should it) even know who the Client is? Also, if I understand the situation correctly, the RS is supposed to send a not-fully-trusted access token to the AS first, and only then validate that it's bound to the correct key. This can easily go wrong.

The AS is the party that binds the token to a key. The AS would almost certainly know which client it sent the token to — that’s a core element of the token model. This was added to the draft here: https://github.com/ietf-wg-gnap/gnap-resource-servers/pull/57/files but it seems like the editors’ copy did not update automatically.

Yes, there are several mistakes an introspecting RS could make, but that’s for discussion in the security considerations. Additional text and thoughts on those would be most welcome!


  *   Resource registration: the token_introspection_required element doesn't seem useful. If set to false but the AS receives an introspection call, should it reject it? If set to true and the call is not made, the AS would never know!

I agree about the limited utility here, but it’s mostly telling the AS about the RS’s capabilities. Ultimately the AS is in charge of whether tokens can be introspected or not, or if they need to be.

  *   Resource registration: how is the returned resource_reference used? Perhaps it should also be returned in an introspection request, to allow the RS to validate that the Client is using the right token for the resource?

This needs to be aligned with changes in the core doc - the value of this field is meant to be sent as the “access” value in the discovery response from the RS as specified by core. It’s a string-type resource access rights value, according to core.

  *   Deriving a downstream token: should we say that the AS MUST verify that the existing_access_token is targeted at RS1?

I think that’s reasonable to add.

Thanks,
                Yaron

--
TXAuth mailing list
TXAuth@ietf.org<mailto:TXAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/txauth
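An added example, not part of this thread or of the GNAP RS draft, sketching the introspection semantics Justin describes: the RS's `access` in the request as a minimum requirement, an empty `access` in the response as "unspecified" rather than "denied", and the RS checking the key binding only after it has already sent the token to the AS (the risk Yaron points at). The field names `access_token`, `access`, `active`, `key` and `flags` follow the draft; the token registry, the right-matching rule and the RS policy are simplified assumptions, and all tokens and keys are constructed.

```python
"""Toy GNAP-style token introspection, AS side and RS side (added example)."""
import json
import time

# Constructed AS-side registry: token value -> client, bound key, granted
# rights, expiry. A real AS would consult its token store instead.
TOKEN_REGISTRY = {
    "constructed-token-1": {
        "client_id": "client-A",
        "key": {"proof": "httpsig",
                "jwk": {"kty": "OKP", "crv": "Ed25519", "x": "constructed-public-key"}},
        "access": [
            {"type": "photo-api", "actions": ["read"],
             "locations": ["https://rs.example/photos"]},
            "dolphin-metadata",
        ],
        "expires_at": time.time() + 3600,
        "flags": [],
    },
}


def _covers(granted, required):
    """Assumed matching rule: a granted right satisfies a required one when
    string references are equal, or when object rights share a `type` and the
    granted `actions`/`locations`/`datatypes` include all the required ones."""
    if isinstance(required, str) or isinstance(granted, str):
        return granted == required
    if granted.get("type") != required.get("type"):
        return False
    return all(set(required.get(f, [])) <= set(granted.get(f, []))
               for f in ("actions", "locations", "datatypes"))


def as_introspect(request, registry=TOKEN_REGISTRY, now=None):
    """AS handling an RS introspection request.

    `request['access']` is the RS saying "to access me, the token needs at
    least these rights". If any required right is not covered, the token is
    reported inactive for this RS; otherwise only the matching granted
    rights are returned. With no requirement stated, all granted rights are
    returned. `access: []` in the response means "nothing specified".
    """
    now = time.time() if now is None else now
    entry = registry.get(request.get("access_token"))
    if entry is None or entry["expires_at"] <= now:
        return {"active": False}
    required = request.get("access", [])
    if any(not any(_covers(g, r) for g in entry["access"]) for r in required):
        return {"active": False}
    matched = [g for g in entry["access"] if any(_covers(g, r) for r in required)]
    return {"active": True,
            "access": matched if required else entry["access"],
            "key": entry["key"],
            "flags": entry["flags"]}


def rs_authorize(presented_token, presenter_key, required_access, introspect=as_introspect):
    """RS deciding whether to serve a request.

    The RS cannot learn the bound key without first sending the token to the
    AS, so an `active` response is not proof that the presenter holds that
    key. The binding check happens here, after introspection: the key the
    presenter proved possession of (verified separately, e.g. via HTTP
    message signatures) must equal the key the AS returned. Bearer tokens
    (`flags` containing "bearer") carry no key to compare.
    """
    resp = introspect({"access_token": presented_token, "access": required_access})
    if not resp.get("active"):
        return False, "token inactive or insufficient for this RS"
    if "bearer" not in resp.get("flags", []):
        bound = resp.get("key")
        if bound is None:
            return False, "non-bearer token but AS returned no key"
        if json.dumps(bound, sort_keys=True) != json.dumps(presenter_key, sort_keys=True):
            return False, "token is bound to a different key than the presenter proved"
    if not resp.get("access"):
        # AS specified nothing; the RS makes the final call and, in this
        # assumed policy, refuses to serve on an unspecified grant.
        return False, "no access rights specified by AS"
    return True, "serve"


if __name__ == "__main__":
    good_key = TOKEN_REGISTRY["constructed-token-1"]["key"]
    need_read = [{"type": "photo-api", "actions": ["read"]}]
    print(rs_authorize("constructed-token-1", good_key, need_read))
```

The RS-side ordering is the point: introspection tells the RS what the AS bound the token to, but the RS still has to compare that against what the presenter actually proved before serving, and the RS's own policy (here: refuse when the AS specifies no rights) decides the final outcome.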