Re: [Txauth] Polymorphism (Was: JSON Schema?)

Justin Richer <jricher@mit.edu> Wed, 08 July 2020 14:03 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A67C73A0C03 for <txauth@ietfa.amsl.com>; Wed, 8 Jul 2020 07:03:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcUqgVq1JWDH for <txauth@ietfa.amsl.com>; Wed, 8 Jul 2020 07:03:42 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31B163A0C02 for <txauth@ietf.org>; Wed, 8 Jul 2020 07:03:41 -0700 (PDT)
Received: from [192.168.1.7] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 068E3cbW008512 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 8 Jul 2020 10:03:38 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <097FB93E-96DA-4DF6-8511-0B32FD321211@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9BEC7DA0-1F6A-4DEC-8C9A-F2A9C8604219"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 8 Jul 2020 10:03:38 -0400
In-Reply-To: <CAD9ie-u9z7Mc-wNjztoOTy4N_Z9jFDc2Sb6quLspasMGAMKdSw@mail.gmail.com>
Cc: txauth@ietf.org
To: Dick Hardt <dick.hardt@gmail.com>
References: <CAD9ie-vnA98pobbboS00SAHneEG52_8eMxh_sE3r3jg6gyooGg@mail.gmail.com> <E9EC90C9-7A9A-4909-8627-A161B33E941F@mit.edu> <CAD9ie-vyB8+5jS=K_qUHfvxsF2wPV5APRo+7WUDfJxNzJONJpg@mail.gmail.com> <8CC8B466-FD6F-4C23-8DAA-99B8A9BDF548@mit.edu> <CAD9ie-u9z7Mc-wNjztoOTy4N_Z9jFDc2Sb6quLspasMGAMKdSw@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/dVqYycqDL8wcBhhlB4FJqovdGJ8>
Subject: Re: [Txauth] Polymorphism (Was: JSON Schema?)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2020 14:03:45 -0000

I’m glad that you’re looking at polymorphism as a possible solution to this, though I would contend that this particular style of polymorphism is not doing much more than pushing the mutual-exclusivity check down a layer instead of solving it. 

Using multiple types can in fact solve this problem, and several others, as long as you’re willing to let go of the syntax that OAuth 2 invented to solve a problem that we don’t have to solve here (passing an array-type value over the front channel). In XYZ’s syntax, the request for a single access token would look like this:

{
  “resources”: [ “read”, “write” ]
}

And the request for the multiple access tokens would look like this:

{
  “resources": {
     “reader": [ “read” ],
     “writer”: [ “write” ]
  }
}

I find this to be much simpler to parse and generate, as you no longer need to check for a specially-reserved field name (“type”), and you no longer have to do a sub-parse on one of the values to get what you really want (the space-separated scope string into a set). It’s also a lot simpler for the developers that need to write this.

 — Justin

> On Jul 7, 2020, at 7:30 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> 
> 
> On Tue, Jul 7, 2020 at 3:40 AM Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
> I wanted to respond to this comment more fully:
> 
> > wrt. my authorization / authorizations oddness, polymorphism would not solve it as the contents of both authorization / authorizations in XAuth are objects. 
> 
> It’s not surprising that this is the case, as the XAuth protocol was not designed with polymorphism as a tool to consider. This is exactly the reason that I say we should have polymorphism in the toolbox from the start, as it allows us to avoid this kind of awkwardness in many cases.
> 
>  What evidence do you have to make this statement? "XAuth protocol was not designed with polymorphism as a tool to consider"
> 
> It sounds like you are saying I did not consider polymorphism in the XAuth protocol design.
> 
> I will restate my comment above about polymorphism. 
> 
> Using different JSON types does not solve the problem, but as I suggest in my comments, polymorphism of different JSON objects is one solution. An authorization, or a dictionary of authorizations. It has the restriction that the string "type" cannot be used as a label in the dictionary. An example:
> 
> {
>     "authorizations" {
>         "type": "oauth_scope",
>         "scope": "read write"
>     }
> }
> 
> {
>     "authorizations" {
>         "reader": {
>             "type": "oauth_scope",
>             "scope": "read"
>         },
>         "writer": {
>             "type": "oauth_scope",
>             "scope": "write"
>         },
>     }
> }
> 
> 
> I am looking at making this change in XAuth and in the implementation.
> 
> 
> 
> ᐧ