Re: [GNAP] generic HTTP resource type

Justin Richer <> Tue, 27 July 2021 23:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 511D53A0F35 for <>; Tue, 27 Jul 2021 16:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.197
X-Spam-Status: No, score=-4.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ceb6i3OnbNUG for <>; Tue, 27 Jul 2021 16:25:58 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7523F3A0F3D for <>; Tue, 27 Jul 2021 16:24:48 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 16RNOiLj014157 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 27 Jul 2021 19:24:45 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
From: Justin Richer <>
In-Reply-To: <YP9bhNFEs3YPw1AD@eh>
Date: Tue, 27 Jul 2021 19:24:44 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <YP9bhNFEs3YPw1AD@eh>
To: Jamey Sharp <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [GNAP] generic HTTP resource type
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Jul 2021 23:26:04 -0000

Hi Jamey,

Thanks for this thorough writeup, this is a fascinating idea, and as an individual I think it has some merit and warrants discussion. Now the question is what to do with that idea, and I can think of a handful of immediate options, detailed below. There are probably others.

But first, a note: the “type” element serves an important namespace function. In particular, a general-purpose “type” value would want to be something that’s collision-resistant, like a URI. Which URI gets used here depends a lot on where this definition would go. The documentation that defines the “type” element also defines the structure and contents of the object that contains the “type” element, so the language about what goes in “locations”, “datatypes”, and “actions” would all be defined with the “type” value. Of course, it’s entirely up to an AS/RS to map a given “type” value to a given definition set, but that’s the nature of protecting general APIs with a common security protocol — we can’t dictate that people interpret things a particular way.

These are the options for this type definition I can think of right now:

1) Defined as an appendix in GNAP Core. We can also use it in some examples. It remains optional to interpret or support for a given AS/RS.
2) Defined in a separate GNAP document.
3) Defined by a different WG. Perhaps HTTP-API would want to look at this?
4) Defined on a webpage on the internet, without a standards body behind it. The URL would be the URL of the document.

All of these have equal functionality inside of GNAP because of the supremacy of the AS/RS in this decision. And even better, anything defined for this part of GNAP is immediately usable in OAuth 2 RAR as well.

I’d like to hear what people think about this proposal — is it a good one, is it worth writing down, and if so, where?

 — Justin

> On Jul 26, 2021, at 9:04 PM, Jamey Sharp <> wrote:
> In today's meeting, I asked about applying GNAP as the HTTP authentication method for arbitrary HTTP resources, such as static files, in the same way that Basic and Digest auth can be used today. Justin asked me to share the question here.
> Because the current draft includes RS-first AS discovery using the standard WWW-Authenticate response header, it might work for this use case as-is, but I think it can be improved.
> First: Am I correct in thinking that two access tokens retrieved from the same AS, by the same end user, with the same "access" list, should be indistinguishable to the client? Specifically, if a client receives two `WWW-Authenticate: GNAP` headers with the same "as_url" and "access" parameters, can it reuse the access token it got for the first request on the second request, without consulting the AS again?
> If so, I think the WWW-Authenticate "access" parameter is equivalent to the "realm" parameter defined in RFC7235 and used in RFC7617 Basic auth. (Perhaps for consistency with HTTP auth, it should in fact be called "realm" when used in that header? RFC7235 even uses "scope" terminilogy to describe it.)
> Without additional provisions, which I'm pretty sure are not currently in GNAP, checking for matching realm/access parameters still requires an extra unauthenticated request any time the client needs to access a URL it hasn't visited before, even if the response turns out to indicate that an earlier access token can be reused.
> RFC7617 defines somewhat magic rules for when a client can proactively provide Basic-scheme credentials to a URL where it hasn't previously seen a WWW-Authenticate header, in order to avoid a round-trip in the common case where the same credentials are accepted at similar URLs. In theory, GNAP could specify something similar to make RS-first AS discovery more efficient, but that level of magic seems dangerous to me.
> The Digest auth scheme in RFC7616 instead allows the server (in this context, the RS) to give an explicit list of URL prefixes which accept the same credentials, in the WWW-Authenticate "domain" parameter. I think that's a closer fit for GNAP, but rather than making it a header parameter, I think it's best to fold it into the token's access rights.
> I propose standardizing a definition of a "type" value for the rights request that describes HTTP access rights generically, rather than describing actions appropriate to a specific API. I think that would make GNAP usable anywhere that Basic or Digest auth are currently used. It might also enable a wide variety of RESTful APIs and HTTP-based standards to use GNAP without needing to define custom rights types.
> Here is a concrete suggestion as a starting point for discussion:
> "access": [{
>  "type": "http",
>  "locations": [""],
>  "datatypes": ["text/html", "image/*"],
>  "actions": ["GET", "PUT", "DELETE"]
> }]
> A resource request must match all fields to be allowed. If "datatypes" or "actions" are empty or absent, then all are permitted. (Permitting nothing is the same as not granting any rights at all.) The "locations" field is required to be present and non-empty though, and might work like the "domain" parameter in Digest: "The client can use this list to determine the set of URIs for which the same authentication information may be sent: any URI that has a URI in this list as a prefix [...] MAY be assumed to be in the same protection space."
> This allows a client to request a limited set of methods or access to a limited portion of the protection space. It also allows the AS to inform the client of exactly which requests it may use the access token on, which may be different than what the client requested.
> If I'm reading the current draft correctly, if a client sends an opaque resource reference like `"access": "WallyWorld"`, then the AS may choose to send back a non-opaque description of the rights granted by the returned access token, such as the above example for the hypothetical "http" rights type. Is that right?
> I suppose the downside of the AS transforming an opaque reference into a full rights description is that the client can't indicate which rights types it understands. If a CMS supports a proprietary API for editing blog posts, but also supports WebDAV for file attachments, it might not be clear which rights type to use, yeah?
> So here's an additional proposal: a client wishing to use this generic HTTP rights type should (must?) explicitly request it in the "access" rights request (and may also include the resource reference given in the "access" parameter of the WWW-Authenticate header, if any). It must specify the exact request URL in the "locations" field, and may also specify the method it tried to use in "actions". As usual, the AS may return a token granting rights to a wider range of locations or methods and is recommended to return the actual granted rights.
> I hope that's reasonably clear and would love to discuss this further.
> Jamey
> -- 
> TXAuth mailing list