IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Dick Hardt <dick.hardt@gmail.com> Fri, 11 December 2020 22:33 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7958E3A0FD9 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 14:33:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YgzJhCL4YMOJ for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 14:33:13 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 948903A0FD0 for <txauth@ietf.org>; Fri, 11 Dec 2020 14:33:12 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id a1so12721948ljq.3 for <txauth@ietf.org>; Fri, 11 Dec 2020 14:33:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IJpc+FlhlBws76To7IuoWdTEneuiYTVMPVzFkR2eQwI=; b=odnMhpSONVB9mHh7cKuJ3ooKPBzdGVfo/r01eYpGe3LOVWqx0b1bRthDP+AVezlU35 T2pIg9f1rawR1XSbfoq5hL2bVWukKG8uWFpWuVVtmY855jvEnD/F6Iv8GH8XfWlCMibq Xm3qrWBHLB8AM2aVFKwsXTGLuB7BD3h6aYtkKkUUfhOpG4DpVvnaLx8VcejjoNvlrKhK GOkzeqlHU10uaMA+AM+51MYT7P/uzWkKRX91GI5ca+sDI1kCEZuEogCLIb9Z5TbP1l3J HAH6PZO1f00aDzhSLp1V4GqsHYQNQn9axqeBBgNgYX8gW2VqV1atU7v7qqziI1AMKJlo eqEA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IJpc+FlhlBws76To7IuoWdTEneuiYTVMPVzFkR2eQwI=; b=jTgUAlFeEzNw2//zahIkmh+YdpIC83TYaZem2uzuQKP6jnY/61SjVMJyPi1UonbXLq TKqzPo/YqxGccoKMhQ/NSVuGPkhaIBgRCJeDqQ9Goz+4pSrNxWyNH/zzkPYjVNszIuD4 bkGWFVoPMysEZhifiPfmXw+8kfh6adPp/nVRQMgQ9FAlmmUZkGBg7JoVyjBqYUnASwLS SDSesyRHiWFxuG2iz6N6bQQH7lojPcyUiL/QbItlLYkL02R5dFqM5FNwDhQv0zChG8qH +Vi0IJjYtIzWgUMyYdkXezk4Ux12LDuSMasslXudiLKxdf5SRNMCH66p/JTfKioNvOpG 2VKA==
X-Gm-Message-State: AOAM530a4aHlWGfiOr6EH/drS2jr5LL2sNUjykRL+Gx7vMb/LaEaFlwW /hwppnhtKJyi612AfwzOVhz+LB69/K2KObWTiXk=
X-Google-Smtp-Source: ABdhPJyNlO/qGBhcA2KOlVLxsVia8zHGoUMLgO4I9kUFvuTo91b3/A7pTc8ZYbbmX4h6u3z5v42NcLYzLKb14oJvSzI=
X-Received: by 2002:a2e:7803:: with SMTP id t3mr3680824ljc.213.1607725990478; Fri, 11 Dec 2020 14:33:10 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com>
In-Reply-To: <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Fri, 11 Dec 2020 14:32:34 -0800
Message-ID: <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com>
To: Stephen Moore <srmoore@gmail.com>
Cc: Justin Richer <jricher@mit.edu>, txauth gnap <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008f097505b637e039"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/aPf-u3_M1eLNwitKJRHVsTVR1HI>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 22:33:16 -0000

Hi Stephen

The client is signing the first request. The key *might* be in the body.
The client is signing all the subsequent requests as well. The "access
token" is not needed by the client to prove it is authorized as the client
is proving it is the same client again.

In other words, I don't see the need for an access token, so it does not
need to be put in a URL or an auth header.

If a developer really, really wants to hand context back to the client for
subsequent calls, they can put it in the URL or some other method. Putting
it in the HTTP Authorization header is confusing because it is NOT an
access token -- it is the context of the request.

ᐧ

On Fri, Dec 11, 2020 at 2:01 PM Stephen Moore <srmoore@gmail.com> wrote:

> Even though I've only been lightly following things, I feel the need to
> voice my preference as a developer since I will probably someday have to
> either write a RC or RS...
>
> The way I see it is the RC makes the initial request to the AS as part of
> this request, it provides it's key in the body... (So no use of the
> Authorization header)
> At this point that request, represented by the continue URL + "Access
> Token", from my lazy developer standpoint, is a Resource Endpoint and
> Access Token, and the AS is acting as a specialized RS in this case.
> So my client posts to whatever URL with the 'access token' in the
> authorization header, just like acting on any other resource I have a token
> for. YES, I get a new token value to use every call, and there is a
> decision point of "Do I have another continue, or do I have a real token
> for the resource..." But the mechanism is the same to me in the client.
> Personally I like that, because if I have an access_token, I already think
> "Put it in the auth header."
>
> So my vote would be +1 for the pull request at this time.
> -steve
>
> On Fri, Dec 11, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> inline ...
>>
>> On Fri, Dec 11, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:
>>
>>> Others had already responded to this previous thread, but I wanted to
>>> add a couple points to clarify some things.
>>>
>>> 3) What the client has to do with the "access token" is not the same as
>>> access tokens for an RS. The client gets a new "access token" for each
>>> grant request, and for each API call to the AS, and the client learns it
>>> can not make any more API calls for that specific request when it does not
>>> get an "access token" back. This is a completely different design pattern
>>> than calling an RS API with an access token, and is a new design pattern
>>> for calling APIs. This adds complexity to the client that it would not
>>> normally have, and I don't think GNAP is the right place to start a new
>>> design pattern.
>>>
>>>
>>> I’m not sure what you mean by these being different — the whole point of
>>> the design is that the client would be doing the same thing with the access
>>> token at the AS that it does with the RS by re-using the access token
>>> structure. Can you please describe what the differences are, apart from the
>>> rotation? Presentation of the token and signing of the message are
>>> identical.
>>>
>>
>> The client is getting the "access token" from its API. It is not using an
>> "access_token" in other API calls to the AS.
>>
>>
>>>
>>> Rotation of the access token and artifacts for ongoing continuation
>>> responses is a separate issue to be discussed:
>>> https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/87
>>>
>>> And for what it’s worth, GNAP is absolutely the right place to have new
>>> designs — not that this is one.
>>>
>>
>> You are proposing a new way for an API to provide context for subsequent
>> API calls. Looks out of scope to me.
>>
>>
>>>
>>> 4) Clients that only want claims from the AS and no access tokens will
>>> be required to support an API calling mechanism they would not have to
>>> support otherwise.
>>>
>>>
>>> Correct, but the delta between the calls a client would make with and
>>> without an access token is vanishingly small. The client has to sign the
>>> initial request in some fashion, and it will sign the continuation request
>>> in the same exact fashion, but now include an access token in that request.
>>>
>>
>> Per my other point, there is no value to me in my implementations of
>> passing context back and forth between the client and AS -- so it is extra
>> work providing no value.
>>
>> Also, any client authentication mechanism that wants to use the HTTP
>> Authentication header is precluded from using it.
>>
>>
>>
>>>
>>> Clients making a request to an AS and not getting an access token is a
>>> new design pattern. I think it has value and should be included, but OAuth
>>> today shows us the immense value of getting access tokens for calling APIs,
>>> and so we shouldn’t optimize away from that pattern.
>>>
>>>
>>> 5) If the AS does not provide an "access token", there is no mechanism
>>> for a client to delete the request, as the client is not allowed to make a
>>> call without an "access token".
>>>
>>>
>>> More properly, if the AS does not provide a “continue” field then the
>>> client can’t delete the request — and yes, that’s intentional. The AS is
>>> telling this client instance that it can’t do anything else with this
>>> ongoing request. If the AS wants to allow the client to manage it, it will
>>> include the mechanisms to do so in the “continue” field.
>>>
>>
>> There is nuance in that intention. A related concern is that deleting a
>> request does not seem like it is a "continue" operation.
>>
>>
>>>
>>>
>>> 6) There is no standard identifier for the request. Debugging and
>>> auditing are hampered by the client and AS having no standard way to
>>> identifying a request. While one AS may provide a unique URL for each grant
>>> request, another AS may use a persistent "access token" to identify the
>>> grant request, and other ASs may issue a new "access token" on each API
>>> call, providing no persistent identifier for the request.
>>>
>>>
>>> Debugging and auditing this kind of thing are functions of the AS. How
>>> is interoperability harmed by different ASs having different methods to
>>> identify their internal data elements? The client doesn’t need any
>>> knowledge of the AS’s identifiers, it just needs to know the next steps for
>>> continuing the negotiation.
>>>
>>
>> Debugging between the client and the AS was what I was referring to. How
>> does a client developer identify the request when communicating to the AS
>> developer. Seems complicated.
>>
>> ᐧ
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>

v2.23.0 | Report a Bug | By Email