IETF Logo Mail Archive

Re: [GNAP] Authentication mechanisms discovery

Dick Hardt <dick.hardt@gmail.com> Tue, 25 August 2020 15:54 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37173A0E51 for <txauth@ietfa.amsl.com>; Tue, 25 Aug 2020 08:54:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sazyaNZ7eupe for <txauth@ietfa.amsl.com>; Tue, 25 Aug 2020 08:54:12 -0700 (PDT)
Received: from mail-lf1-x141.google.com (mail-lf1-x141.google.com [IPv6:2a00:1450:4864:20::141]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DF763A0EE5 for <txauth@ietf.org>; Tue, 25 Aug 2020 08:54:12 -0700 (PDT)
Received: by mail-lf1-x141.google.com with SMTP id c8so6701434lfh.9 for <txauth@ietf.org>; Tue, 25 Aug 2020 08:54:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=jePiaHpGpucJ41DWmROd+5bQeO5VthvgFmvbhyxsOdc=; b=ItYXyKtdBxRZbE49zL4FMj49t68W7WfTuWNI/Me2QYo3UgTOXYddVCRXQn+6wsiZqf 6RK7rqDF2emtXcVbYkPpwmB0ButHh0D2ElcgmblKVL2+o9HlgoP1hlh/yZs5Mlu4F5Fq 2TyUweXCO8tdNg57dZGda7jcOEYUPVb8U2oqjRq+yuRjxhDR9lcdWlFfEWBSjXVvyw+/ qKmifdsCtMUUa6jQx3QuWa0BO799a0nrq87X8pHLyKtQ4ODtBCMO8RIPKdG+oiqNiWQU JG+T7UfhDi6KReJczChX51EMqiTAA3TAFp+WBkvfT3A3oZDGHD+fNRGEi64WG4HJeg7h NJtw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=jePiaHpGpucJ41DWmROd+5bQeO5VthvgFmvbhyxsOdc=; b=JZuzGdYRRtdS01prJCFGVkPjtW5nJ7YK1RVoKx/XfC3f1embt1py0pgiq+VjJQwUlw rzXBsTu93slpAzVY0ertw+2zT87PHahmTyGSymyAD3AdtxnxbQ1NLF8CG3SZbLTRVnXf kG2AjslK0kLPSyfKIwgOJOaK/ap/gWSBL49sn5NZSiddiv8a9JLCpmo0mXTAn1psjfez WGCyJOYhPy8DVBnLshS37igtiNeLtmZ22yykxyAINAVyzb5egFvaTvQhvQ36zrRmPOKN Ai3zXXhZ+9egucq4+cWZgr9bmFusD80CLguETkOuqIU9B/xCO8jkrqFDmALY7Icyxjl/ 0zsg==
X-Gm-Message-State: AOAM532PYAHU/ZiykXGAQ/4SY1QhDboqdzh3BBAywvYZYUeB0X1xmYYP z4MgD7e68nFKjooe2BVvFVaRJDbBaTky78nCBr8=
X-Google-Smtp-Source: ABdhPJyJueRQJWhj/8+rLj4Kvd1rCmaOWxL3XyiRcO25gkgP5WMssiguTt4D5MvMpcisX+dBxjDEQC8ve0PHUleHAaM=
X-Received: by 2002:ac2:43c5:: with SMTP id u5mr5260292lfl.0.1598370850399; Tue, 25 Aug 2020 08:54:10 -0700 (PDT)
MIME-Version: 1.0
References: <fdf69c9e-6950-b2d2-f889-dd4219fec6f1@free.fr> <CAD9ie-tRG5F=z_Py3RVFOjELPYcGxQPJxepzO_rFQg=XSG+Yaw@mail.gmail.com> <CAD9ie-t=qFWT=0vezac8dUV7e2TxfswNkr3Qz9TB4XnCmHjSzQ@mail.gmail.com> <320d584f-ce34-5230-66d5-d7dc6cdceb69@free.fr>
In-Reply-To: <320d584f-ce34-5230-66d5-d7dc6cdceb69@free.fr>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 25 Aug 2020 08:53:34 -0700
Message-ID: <CAD9ie-vKYT7thYGehYAYMKMT0B8u9_Vyq-yCvKVnfbo2eZDNew@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: "txauth@ietf.org" <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c1ec0505adb5b603"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/cSK3_8hZbT7jRxT6v4dQflr5dvY>
Subject: Re: [GNAP] Authentication mechanisms discovery
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2020 15:54:15 -0000

I agree, the 401 response is not the ideal architecture, but it works for
any URI or method. What if the OPTIONS method itself requires
authentication? How does the RS return how to authenticate? Does the RS
need to support the OPTIONS method on all API endpoints?

An OPTIONS method at the RS is not forbidden, but just like at the GS,
OPTIONS is a general discovery mechanism, not just for authentication.

As I have stated previously:

- a real time query only works if the results are standardized. There are
few standardized APIs or standardized "scopes".

- there are a very wide set of choices on how the user can authenticate.
I'm not saying GNAP should not support your model of the user
authenticating somewhere other than the GS, but I don't see that as being
in the core protocol.

ᐧ

On Tue, Aug 25, 2020 at 2:37 AM Denis <denis.ietf@free.fr> wrote:

> Hi Dick,
>
> A few arguments:
>
>    - The 401 (Unauthorized) status code indicates that the request has
>    not  been applied because it lacks valid authentication credentials for the
>    target resource.
>    Information about how to authenticate is NOT in the HTTP Authorization
>    header. So it is not a discovery mechanism but, at best, a trial and error
>    mechanism.
>
>    - As already said, reading the documentation is one way, but making a
>    real time inquiry is another way which is better for clients acting on
>    behalf of a User.
>
>    - If the OPTIONS method call can be used at the GS, it should not be
>    forbidden to be used as well at the RS.
>
> The missing point in draft-hardt-xauth-protocol-13 is the lack of
> difference between an authentication made by the client application on its
> own behalf or on behalf of a User.
>
> Denis
>
> A comment about an OPTIONS call being the first call in the protocol.
>
> While that is possible, I expect most use of the discovery will happen by
> tooling rather than client software. IE, when developing against an GS, the
> developers tool chain will check what the GS supports.
>
> On Mon, Aug 24, 2020 at 9:05 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> Hi Denis
>>
>> While it is an interesting idea to use the OPTIONS method at the RS, the
>> standard way to indicate authentication mechanisms is with a 401 HTTP
>> response per
>> https://tools.ietf.org/html/rfc7235#section-3.1
>>
>> And then information about how to authenticate may be in the HTTP
>> Authorization header.
>>
>> This allows an RS to respond to any request including an OPTIONS method
>> call.
>>
>> /Dick
>>
>>
>> ᐧ
>>
>> On Mon, Aug 24, 2020 at 1:16 AM Denis <denis.ietf@free.fr> wrote:
>>
>>> Hi Dick
>>> *, *
>>>
>>> The following comments have been elaborated after an analysis of your
>>> draft: draft-hardt-xauth-protocol-13.
>>>
>>> *1 ) Authentication mechanisms discovery at the GS*
>>>
>>> Sections 3 and 3.7 from draft-hardt-xauth-protocol-13 are proposing to
>>> support an HTTP OPTIONS request which would be the first request
>>> when talking to a GS. The goal is to be able to query the authentication
>>> mechanisms supported by the GS. This would indeed be very useful.
>>>
>>> The HTTP OPTIONS request has been first defined in RFC 2616 and refined
>>> in RFC 7231 (see https://tools.ietf.org/html/rfc7231#section-4.3.7).
>>>
>>> RFC 7231 mentions:
>>>
>>>       A standard format for such a representation is not defined by this
>>> specification, but might be defined by future extensions to HTTP.
>>>       A client that generates an OPTIONS request containing a payload
>>> body MUST send a valid Content-Type header field describing
>>>       the representation media type.  Although this specification does
>>> not define any use for such a payload, future extensions to HTTP
>>>       might use the OPTIONS body to make more detailed queries about the
>>> target resource.
>>>
>>> RFC 7231 also mentions:
>>>
>>>       A server generating a successful response to OPTIONS SHOULD send
>>> an header fields that might indicate optional features
>>>       implemented by the server and applicable to the target resource,
>>> including potential extensions not defined by this specification.
>>>
>>> However, two types of authentication are possible: user authentication
>>> and client authentication. If both are supported by the GS, it would be
>>> possible
>>> to address this concern either by returning two lists of authentication
>>> methods or even better by using two different Content-Type header fields
>>> describing
>>> the representation media type, since the client is knowing whether it is
>>> acting or not on behalf of a User.
>>>
>>> *2) Authentication mechanisms discovery at the RS*
>>>
>>> This HTTP OPTIONS request should also be supported by a RS. When a
>>> client first contacts a RS, it does not necessarily know the authentication
>>> methods that are *currently* supported by the RS. This means that the
>>> same request as the one used for the GS should be available for a RS as
>>> well.
>>>
>>> Denis
>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>>
>

v2.23.0 | Report a Bug | By Email