[GNAP] Re: GNAP RS-AS interaction questions
Justin Richer <jricher@mit.edu> Wed, 04 December 2024 19:27 UTC
From: Justin Richer <jricher@mit.edu>
To: Erin Shepherd <erin.shepherd@e43.eu>
Date: Wed, 04 Dec 2024 19:27:28 +0000
Message-ID: <BCFE50BA-429A-49E3-88B4-F08436B4B49F@mit.edu>
References: <2FE68756-A13B-4CB4-9318-26A007F261D2@e43.eu>
In-Reply-To: <2FE68756-A13B-4CB4-9318-26A007F261D2@e43.eu>
CC: "txauth@ietf.org" <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/b1OMqA5EdTvQeuUwkTtDWwzXngY>
Hi Erin, some answers inline.

> On Dec 4, 2024, at 7:49 PM, Erin Shepherd <erin.shepherd@e43.eu> wrote:
>
> Hi,
>
> I’ve been looking at implementing GNAP with some interest (on the whole I find it a very readable and straightforward specification!) but I’ve spotted a few areas of difficulty:
>
> 1. The GNAP-RS spec says, in the introspection response
>
> iss (string): REQUIRED. Grant endpoint URL of the AS that issued this token.
>
> This seems a little limiting? Let’s say I have an existing OAuth IDP that I’m adding GNAP support to; it seems that the spec basically requires that a GNAP RS will see different sub+iss values from an OAuth RS?

That’s likely to be the case - the issuer of a GNAP token is the AS, which is itself defined by its grant endpoint URL. GNAP is largely designed to not need a discovery protocol, so starting with the single URL alone (the grant endpoint) you can kick off everything else you need with an immediate request. This was a deliberate design decision to depart from OAuth, and it prevents a host of attacks, including several forms of AS mixup that can occur in a poorly configured OAuth system.

> 2. The GNAP-RS spec lists five different token formats that an AS can declare support for but provides no information regarding the contents or validation of those tokens. It seems like the only way (within the written text of the specification) to validate a token would be to submit it to the introspection endpoint, which seems like it rather defeats the purpose of knowing the format.
>
> I would have liked to see some guidance on
>
> * How to locate the AS’ token signing keys for “jwt-signed” access tokens
> * How to agree encryption keys for “jwt-encrypted” access tokens
> * Required JWT claims & claim values
> * Similar for the other formats (with which I have less experience)
>
> i.e. something along the lines of RFC 9068 I guess (That could perhaps even have been referenced directly, with minor differences?)

In my opinion, details for that level of interoperability are better fit for a technology-specific profile than in a general specification like this. I think it would have been great to have separate specifications detailing each token type and registering them, but the most that the WG agreed on was listing the token types on their own at this level.

> 3. As far as I can tell, there’s no way for the AS to return subject information to the RS beyond the fixed set of introspection response values?
>
> I would have expected something similar to the Subject Information defined in GNAP s3.4 to be returned (or requestable)

That’s a great idea, but would need to be defined by an extension at this point. Unfortunately the RS spec did not get as much attention as the core spec in its final days, and so features were fairly limited.

> 4. It’s unfortunate that the discovery URI was not defined to work by splicing /.well-known/gnap-as-rs into the start of the path segment in the same way as OAuth Authorisation Server Metadata is. Oh well, such is life, it would appear.

This was another intentional divergence. The way that the OAuth AS Metadata document does things is problematic, as it was trying to adapt what the OIDC discovery spec did with paths — which was itself in conflict with the definition of ".well-known" in the first place. The result is a bit of an awkward compromise. We deliberately sidestepped that in the GNAP specification. I’ll also note that we did not use any .well-known path in the core specification, but the RS-facing discovery needed to be separated and so we went with .well-known here.

> - Erin
> --
> TXAuth mailing list -- txauth@ietf.org
> To unsubscribe send an email to txauth-leave@ietf.org
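The point Justin makes about `iss` being the grant endpoint URL is easiest to see from the RS side: the RS is configured with exactly one trusted grant endpoint URL and compares the introspection response's `iss` to it byte-for-byte, which is what removes the issuer-mixup surface. The following is an added example written for this page, not code from the thread or from the GNAP drafts; it assumes the RS-draft introspection fields `active`, `iss`, `sub`, `exp` and `access`, and every URL and JSON document in it is constructed.

```python
import json
import time

# Constructed for this example: the single grant endpoint URL this RS trusts.
# Per the thread, a GNAP AS is identified by this URL, so it is the whole trust anchor.
TRUSTED_GRANT_ENDPOINT = "https://as.example/gnap"

# Constructed sample introspection responses (not captured traffic).
GOOD_RESPONSE = json.dumps({
    "active": True, "iss": "https://as.example/gnap", "sub": "alice",
    "exp": 1_700_003_600,
    "access": [{"type": "photo-api", "actions": ["read"]}, "dolphin-metadata"],
})
# Same host, different path: an RS that compared only the host would accept this.
WRONG_ISSUER_RESPONSE = GOOD_RESPONSE.replace("as.example/gnap", "as.example/oauth2")
INACTIVE_RESPONSE = GOOD_RESPONSE.replace('"active": true', '"active": false')


def check_introspection(raw, required_types, now=None):
    """Decide whether the RS may honour a token from its introspection response.

    Returns (accepted, reason). Checks, in order: the AS says the token is active;
    `iss` equals the configured grant endpoint URL exactly (no host-only or prefix
    match, which is what closes the AS-mixup class the thread mentions); the token
    has not expired; and the granted access types cover what this RS needs.
    Assumes the RS-draft response fields `active`, `iss`, `exp` and `access`.
    """
    now = time.time() if now is None else now
    try:
        resp = json.loads(raw)
    except ValueError:
        return False, "response is not JSON"
    if resp.get("active") is not True:
        return False, "token not active"
    iss = resp.get("iss")
    if not isinstance(iss, str) or iss != TRUSTED_GRANT_ENDPOINT:
        return False, f"issuer {iss!r} is not the trusted grant endpoint"
    exp = resp.get("exp")
    if isinstance(exp, (int, float)) and now >= exp:
        return False, "token expired"
    granted = set()
    for right in resp.get("access", []):
        # GNAP access rights are either an object carrying a `type` or a string reference
        granted.add(right if isinstance(right, str) else right.get("type"))
    missing = set(required_types) - granted
    if missing:
        return False, f"missing access types: {sorted(missing)}"
    return True, f"token for subject {resp.get('sub')!r} accepted"
```

An RS that also fronts an OAuth deployment would keep a separate trusted issuer value for that protocol rather than loosening this comparison, which is the sub+iss divergence Erin notes above.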