Re: [GNAP] Core protocol comments - Sec. 1-6

Justin Richer <jricher@mit.edu> Fri, 27 January 2023 17:40 UTC

From: Justin Richer <jricher@mit.edu>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
CC: GNAP Mailing List <txauth@ietf.org>
Thread-Topic: [GNAP] Core protocol comments - Sec. 1-6
Thread-Index: AQHZMEWneWyZbvk50UqlNNaDep8XIa6xGHcAgAFzvwA=
Date: Fri, 27 Jan 2023 17:40:01 +0000
Message-ID: <E15A88D2-0418-4ECA-84EA-5396CB5524BF@mit.edu>
References: <417A84D1-27D7-4B78-BA0C-FE45A45E56C1@gmail.com> <CF87DD79-E6BE-4585-8B7F-BD2FDE5F4F18@mit.edu>
In-Reply-To: <CF87DD79-E6BE-4585-8B7F-BD2FDE5F4F18@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ddQQ-P1nrpUhEAKGxi2RLVjMA-s>

Hi Yaron, I had one more note about this last point:

  *   6.1: Requiring an access token to be unexpired when it is rotated would simplify the text as well as the implementation logic (e.g. around expiration vs. revocation). Why not have the client responsible to rotate the token in a timely manner? If it doesn't, it can always request a new one.

This sounds great in practice, but that puts it on the client to proactively rotate the token before it needs to. In practice, what happens in the OAuth world is that a client wakes up, uses its token, sees a failure, then goes to try the refresh token to get a new access token.

That said, since we have the ability to get new access tokens from an existing grant, in addition to rotation, we could limit rotation to only “currently valid” tokens and sidestep the whole question. That is, if your token is still good then you can rotate it, but if it’s not you need a new one which might be from a grant continuation.

Even though this is a bit of a change I think it would help so I’m inclined to go in this direction.

I realized after thinking on this some more that this gets trickier with token revocation, which uses the same management system. You want a token revocation call to be idempotent — if you revoke a token that’s already dead, you still want to say “ok that’s fine” because the result is the same: the token can’t be used after the call. The only difference is that it couldn’t be used :before: the call either, but that’s immaterial to the action at hand.

Another alternative was brought up in this issue: https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/485

Specifically, if there’s a separate token used to authorize the call to the token management endpoint, instead of using the token itself (plus whatever key binding is appropriate). This would parallel the grant management API, but it also seems a bit weird and complex, to me, to have a token used to manage a token. That said, it would get around the disconnect of allowing an expired token to be “used”.

 — Justin
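The two rules discussed in this thread, rotation only for a currently valid token and an idempotent revocation call, modelled as an added example that is not part of the original message or of the GNAP draft; the TokenManager class, the injected clock and the one-hour default lifetime are assumptions:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AccessToken:
    value: str
    expires_at: float          # seconds on the injected clock
    grant_id: str
    revoked: bool = False


class TokenNotRotatable(Exception):
    """The presented token is expired or revoked: the client must fall back
    to grant continuation to obtain a fresh token instead of rotating."""


@dataclass
class TokenManager:
    # Constructed in-memory token store; a real AS would persist this.
    tokens: dict = field(default_factory=dict)
    lifetime: float = 3600.0   # assumed default lifetime in seconds

    def issue(self, grant_id: str, now: float) -> AccessToken:
        tok = AccessToken(value=secrets.token_urlsafe(32),
                          expires_at=now + self.lifetime, grant_id=grant_id)
        self.tokens[tok.value] = tok
        return tok

    def is_valid(self, value: str, now: float) -> bool:
        tok = self.tokens.get(value)
        return tok is not None and not tok.revoked and now < tok.expires_at

    def rotate(self, value: str, now: float) -> AccessToken:
        # Only a currently valid token may be rotated. The old token is
        # retired before the new one is handed out, so the old value cannot
        # be replayed once the rotation call has returned.
        if not self.is_valid(value, now):
            raise TokenNotRotatable(value)
        old = self.tokens[value]
        old.revoked = True
        return self.issue(old.grant_id, now)

    def revoke(self, value: str) -> bool:
        # Idempotent: an expired, already-revoked or unknown token still
        # yields "ok", because the post-condition (token unusable after the
        # call) already holds; the caller cannot tell the cases apart.
        tok = self.tokens.get(value)
        if tok is not None:
            tok.revoked = True
        return True
```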