Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
Dick Hardt <dick.hardt@gmail.com> Mon, 13 July 2020 18:13 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64FDB3A18C6 for <txauth@ietfa.amsl.com>; Mon, 13 Jul 2020 11:13:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zrhDU3HAl-PL for <txauth@ietfa.amsl.com>; Mon, 13 Jul 2020 11:13:07 -0700 (PDT)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C89973A1767 for <txauth@ietf.org>; Mon, 13 Jul 2020 11:12:44 -0700 (PDT)
Received: by mail-lj1-x22b.google.com with SMTP id h19so19050024ljg.13 for <txauth@ietf.org>; Mon, 13 Jul 2020 11:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mXHvxCfhKSurLI1wbmltitwpSOF4JuO9og7aOU0hb6w=; b=XAkgiQSPyl4mxiUzp/LmvzlEfAxHETCDfQPibpZ0hwD+/t45Fc7eiZ8daDTzdaJERG GFlcbHlJjslD/5R3rYL6zF1MBBnh+Fsv5MrRKJ0sCX2SJSwVbSMYu25RmAMz9NoKlM7i IqtOwBwWI5f2pLgckDLmZEESz95utKBue4UMwveuwHrV1jCp3DK8TXr5smusoVbRIFuy wTtNUpBhffG7xoswDVFJPZi3OhadEfohHkKh1eSiCckBrXIfoISb0ce3qkNVHWoLXZRQ 6iiVoW0SrTCdTVHvQm4W6KuOhqtJbLycgLDZ2f4QOt9cCbNXg8JVpE1nbF9DguCCrEuB qmGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mXHvxCfhKSurLI1wbmltitwpSOF4JuO9og7aOU0hb6w=; b=BbzUJjI9WljlTOXS+xlou+sJdCVkJc/t7gtKEq2iKpIc4k7c7HfPCEMOhktXE6K/du fCJCmU9tPgJI5eovTssvrB5CsAmi3Vjm/VlS+9diHEL+RQ0Sco8ZKSyNm+64oKcWxm84 Ufsu24gkqfdpFrBNBthNqnspNTzqaZbwYgwvd8l4BI0aZ6hThno98KzBZweIo0qQexu+ m4JKyc4lN62jV7Cj6FCiXcjHYAVuqOHBUuD8XsK/eWDaYFaF0AfFekeyIORvNFtkK2eJ GWtNt3k0DjvGSOKjNj+MsWfkixLY2WltRwepApMRdPxTK1zidLB37G1qJpdgS+stk7Y4 0Wxg==
X-Gm-Message-State: AOAM530y9kspezVBIQTVVYMNfGUSvWL+hZE+geFCcnvXlPo3qSgpkgga 4fiuwvj9JPP2IKYI7tGn/9APhAlKZiwiCymJ3OQ=
X-Google-Smtp-Source: ABdhPJxK1ZYI0xnig3FIPVIrvOzZ+C0EMNAn39cpE+lAWDU21fnh4PHvAsStLZiWjM7cwsRarchkQEp4bURAfpkuvjg=
X-Received: by 2002:a2e:8316:: with SMTP id a22mr417816ljh.246.1594663962714; Mon, 13 Jul 2020 11:12:42 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-vnA98pobbboS00SAHneEG52_8eMxh_sE3r3jg6gyooGg@mail.gmail.com> <E9EC90C9-7A9A-4909-8627-A161B33E941F@mit.edu> <CAD9ie-vyB8+5jS=K_qUHfvxsF2wPV5APRo+7WUDfJxNzJONJpg@mail.gmail.com> <8CC8B466-FD6F-4C23-8DAA-99B8A9BDF548@mit.edu> <CAD9ie-u9z7Mc-wNjztoOTy4N_Z9jFDc2Sb6quLspasMGAMKdSw@mail.gmail.com> <097FB93E-96DA-4DF6-8511-0B32FD321211@mit.edu> <CAD9ie-tpuisauOFGiUj65-RcYPtcvW_gZP1CAadqq5cE6P36HQ@mail.gmail.com> <EE4A7D91-1106-44CB-92BF-C3AA3649BDFE@mit.edu> <CAD9ie-saoc2FUm46r4h1B27iYK04j_skf5-zJR7EXLmWBzj=hA@mail.gmail.com> <F41A8F88-C1B4-4CE2-8573-7A03C086D25B@mit.edu> <CAD9ie-tHCg9Ti1xWuzUP5EGLAcU2cpFALErqq98+fPnD3enZCQ@mail.gmail.com> <820525FD-4556-4617-8D89-C600D8C90C33@mit.edu> <CAD9ie-uwz_Li7n9iuX_--YtWeE+HX5sWEe95nZ8Y0akYh8WTHg@mail.gmail.com> <A7E1F61B-78F8-4647-847A-E1C8909EA452@mit.edu> <CAD9ie-tSjEWT-+D43yKaFZmEdFcbL=fyM0kHuFX_fNa4zHdm1w@mail.gmail.com> <6D58464F-3EFA-4367-9033-91FCB9CF40AC@mit.edu> <CAD9ie-syw5YJVsJHncZ-PcLQbYC4r=4LLSQCKtMP=-hGKqT0SA@mail.gmail.com> <0905DCA3-1B30-429A-AB02-8ED27D37F6C3@mit.edu> <CAD9ie-vV-pH6oebREkfY5rZ=8vYZpD2irjyjJ=4mvfKKeKY4-A@mail.gmail.com> <974147F1-A9CE-4093-A170-9F4F9DFB3638@mit.edu> <CAD9ie-vy0iKn6HMD-97jd5MeFtshqpzrGtvvwOX_Ze91qusJKQ@mail.gmail.com> <1D7A02B1-E58D-44D0-9E33-5313A7367949@mit.edu> <CAD9ie-uv5FKhow9ebKHVbZwhiZwRDg3wX9KL2o5g7AvVA=g-6Q@mail.gmail.com> <174F2061-3F0F-49B2-A18F-58DF658E4473@mit.edu>
In-Reply-To: <174F2061-3F0F-49B2-A18F-58DF658E4473@mit.edu>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Mon, 13 Jul 2020 11:12:06 -0700
Message-ID: <CAD9ie-vaKmOHMP6veCkyRy3Xojx+Uve9xq7=zWu0ZnnBDFepZg@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000008a92805aa56a30c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/avlh2GP4Auxam6zocjPgIzdjArw>
Subject: Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 18:13:12 -0000
I agree that an API to return claims is useful. I think we have agreed on that. Using the SubjectIdentifiers schema is another schema that would be useful for GNAP to support. I disagree that GNAP should be limited to identifier claims. ᐧ On Mon, Jul 13, 2020 at 7:16 AM Justin Richer <jricher@mit.edu> wrote: > One thing I think we should learn from OIDC is that returning claims from > an API, and not just an assertion or direct response, is a powerful and > useful pattern. We have an opportunity to separate these cleanly, where > OIDC didn’t have the opportunity in defining the “claims” request parameter. > > As an alternative to the current XYZ and XAuth syntaxes, over the weekend > I’ve been playing with something that would look like this strawman in the > request: > > > { > subject: { > id: [ “account”, “email”, “iss-sub”], > assertion: [ “odic_id_token”, “verifiable_credential”, “saml" ] > } > } > > > This request says that I’d like some subset of these identifiers (as plain > text in the response) and some subset of signed assertions in the given > formats. Each one would have an associated space in the return. I’m not > picturing that the “id” field values would affect the contents of the > assertions: so I could ask for an email address identifier but get back an > ID token that had only the subject identifier. Maybe that’s not the right > model? But it’s at least simple and deterministic this way, and it’s > something to play with. > > Note: The “id” names are taken from > https://tools.ietf.org/id/draft-ietf-secevent-subject-identifiers-05.html, > the “assertion” names are made up as I didn’t see a source that collected > them. If you wanted specific bundles of claims about the user from a > UserInfoEndpoint, for example, you’d have something like: > > { > subject: { > id: [ “account”, “email”, “iss-sub”], > assertion: [ “odic_id_token”, “verifiable_credential”, “saml" ] > }, > resources: [{ > type: “userinfo”, > datatypes: [ “openid”, “profile”, “phone”, “email” ] > }] > } > > > This is an example for a specific kind of resource, and I don’t think that > GNAP should define the “userinfo” schema here, or the datatype values > therein. That should be work outside of GNAP, probably for the OIDF. > > This approach is extensible in several ways, each of them for a specific > reason that I think is clear: > > - new values in the “id” field to give new identifiers > - new values in the “assertion” field to give new assertion formats > - new fields under the “subject” heading > - new resource types besides “userinfo” (like “scim-v1” or > “facebook-profile” for instance) > - new datatypes within the “userinfo” resource type > - new top-level request parameters > > As per the other thread, if you wanted to use the OIDC query language, > you’d package it separately as a top-level request parameter since it can > include both the ID token response and the access token response and we > shouldn’t be encouraging mixing these things together. > > — Justin > > On Jul 10, 2020, at 5:00 PM, Dick Hardt <dick.hardt@gmail.com> wrote: > > It looks to me that our different views of what is in scope for GNAP are > the differences below. > > Per the subject line, I'm looking at how the client acquires claims about > the user. You don't think that is in scope, and that a different layer will > solve that. > > I think we should learn from OIDC being on top of OAuth, and GNAP should > be able return ANY claim, not just identifier claims. There are use cases > that may be difficult to support if we do not have that functionality in > scope, such as some of the ones I list below, and it seems pretty > straightforward to support ANY claim if we are supporting identifiers. > > /Dick > > > On Fri, Jul 10, 2020 at 1:09 PM Justin Richer <jricher@mit.edu> wrote: > >> >> >> On Jul 10, 2020, at 2:15 PM, Dick Hardt <dick.hardt@gmail.com> wrote: >> >> >> inline ... >> >> On Thu, Jul 9, 2020 at 5:44 PM Justin Richer <jricher@mit.edu> wrote: >> >>> Yes, the core idea is to not have to parse an assertion to get back the >>> core authentication information, which consists of an identifier (iss/sub >>> pair in OIDC, but could be a number of things). Sometimes the client is >>> going to want the rest of the identity information, but If the user’s >>> logged into the client before, the client has likely cached that info and >>> probably won’t need it, and sending it would be a violation of privacy >>> principles.. The client would want the info pretty much just in these cases: >>> >>> 1. The client has never seen the user before. >>> 2. The user’s information has been updated since the last time the >>> client saw it. >>> >> >> Agreed >> >> >>> >>> Now for case (1), how would the client know if it wants to request the >>> user’s profile info or not, since it doesn’t know who the user is? >>> >> >> But the client could know who the user is. The client may have used a >> different AS to authenticate the user. >> >> >> In these cases, the client is not going to be requesting identity >> information from the AS to log the user in, so it’s not relevant to the use >> case. The client will have an opportunity to push that information to the >> AS. >> >> The User may have self identified to the client. The client may have a >> cookie saying who the user was and the user said that was them. While the >> latter cases are really a strong hint, they are likely right most of the >> time and can lead to a user experience basde on that hint >> >> >> In these cases, the AS might be able to guess if the client has info >> about the user already, but probably not. And the assumptions fall apart if >> it’s in fact a different user that ends up logging in, which is of course >> possible (the hint you gave doesn’t match the identity of the current user >> after the AS validates them). This possibility leads to clients always >> asking for everything every time and the server providing everything every >> time. That’s a pattern I think we should avoid in an ultimate solution — >> but ultimately, I don’t think that this kind of protocol decision is inside >> of GNAP. >> >> >> >>> And the AS won’t know if client is going to want the profile info, since >>> the AS won’t know if the client has the user’s info or not. Sure, the AS >>> might have seen that client and that user combo previously, but it doesn’t >>> know if the client needs an update. >>> >> >> The client can share with the AS the user it knows or thinks it is >> dealing with, which could let the AS respond if the information was new. >> This could be the case for an AS that is providing claims, but not >> authentication, and could happen silently. The user would only interact if >> the user information had changed, and the client wanted the updated >> information. >> >> >> >> See above. >> >> >>> And for (2), the client won’t know if the user’s info has been updated >>> or not because it doesn’t know who the user is yet. If the AS can provide >>> some time of updated stamp to the client, the client can pull the new info >>> when it needs it. >>> >> >> See above. >> >> >> See above. >> >> >> >>> >>> If you ignore both of these cases and put all the user information >>> inline with the main request/response, you end up in a situation where the >>> client always requests everything and the server always provides >>> everything, since you can’t be sure you’re not in situation (1) or (2) >>> ahead of time. >>> >> >> See above. There are a number of other states the client could be in. >> >> For example, the client could be stateless about user information, so it >> knows it is ALWAYS in state 1. >> >> >> A stateless client would need to fetch appropriate user information every >> time, then. But that’s an optimization for a very specific case. >> >> >> >>> >>> This is really what I mean about the two-stage identity protocol. >>> >> >> I know what it is. Per above, GNAP lets us support a wider set of use >> cases. Why limit ourselves to what OIDC supported? >> >> >> We aren’t limiting the protocol, but instead limiting the scope of what >> we define internal to the GNAP protocol. There’s a lot of room for >> innovation on top of it. >> >> >> >>> In the first stage, you push the bare minimum of what you need to get >>> the user known to the client. In the second stage, the client uses its >>> access token to call an API to get whatever else it needs to know about the >>> user. >>> >> >> From a privacy perspective in non-enterprise use cases, I think the user >> should give consent to any updated personal information to a client. In >> general, the client should not be able to get the latest information about >> a user whenever it wants. >> >> >> This is about the rights associated with the access token, then. And an >> access token doesn’t have to keep working if the AS has a policy that says >> it won’t. The AS/RS could easily decide that a particular access token will >> only return data that hasn’t been changed. Maybe it stops working after the >> data changes, or it just returns old data, or any number of things. This is >> for the AS/RS to decide and this is pretty standard interpretation of the >> token, nothing special here because we’re dealing with identity. >> >> — Justin >> >> >> /Dick >> ᐧ >> >> >> >
- [Txauth] JSON Schema? Dick Hardt
- Re: [Txauth] JSON Schema? Wayne Chang
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] JSON Schema? Dick Hardt
- Re: [Txauth] JSON Schema? Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] JSON Schema? Benjamin Kaduk
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Tom Jones
- Re: [Txauth] TLS Dependency Wayne Chang
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Stephen Moore
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Denis
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- [Txauth] XAuth "flaws" (Was: Polymorphism (Was: J… Dick Hardt
- [Txauth] acquiring claims (was Polymorphism (Was:… Dick Hardt
- [Txauth] WG scope wrt. identity (Was: Polymorphis… Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Justin Richer
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Dick Hardt
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] JSON Schema? Yaron Sheffer
- Re: [Txauth] Polymorphism (Was: JSON Schema?) Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer
- Re: [Txauth] acquiring claims (was Polymorphism (… Denis
- Re: [Txauth] WG scope wrt. identity (Was: Polymor… Leif Johansson
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Leif Johansson
- Re: [Txauth] acquiring claims (was Polymorphism (… Dick Hardt
- Re: [Txauth] acquiring claims (was Polymorphism (… Tom Jones
- Re: [Txauth] acquiring claims (was Polymorphism (… Francis Pouatcha
- Re: [Txauth] acquiring claims (was Polymorphism (… Justin Richer