[GNAP] Re: GNAP RS-AS interaction questions
Erin Shepherd <erin.shepherd@e43.eu> Wed, 04 December 2024 21:19 UTC
Return-Path: <erin.shepherd@e43.eu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B2B8C1CAE9D for <txauth@ietfa.amsl.com>; Wed, 4 Dec 2024 13:19:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=e43.eu header.b="nnNsArIZ"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="HYC/XdbO"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7lVI4RKGjuE5 for <txauth@ietfa.amsl.com>; Wed, 4 Dec 2024 13:19:12 -0800 (PST)
Received: from fhigh-b1-smtp.messagingengine.com (fhigh-b1-smtp.messagingengine.com [202.12.124.152]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20289C1CAE66 for <txauth@ietf.org>; Wed, 4 Dec 2024 13:19:11 -0800 (PST)
Received: from phl-compute-06.internal (phl-compute-06.phl.internal [10.202.2.46]) by mailfhigh.stl.internal (Postfix) with ESMTP id 5384C2540118; Wed, 4 Dec 2024 16:19:11 -0500 (EST)
Received: from phl-mailfrontend-02 ([10.202.2.163]) by phl-compute-06.internal (MEProxy); Wed, 04 Dec 2024 16:19:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=e43.eu; h=cc:cc :content-transfer-encoding:content-type:content-type:date:date :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1733347151; x=1733433551; bh=6lk6eliyzy+p+QF3mUcDwSLS9DhQlXNIBZiMlRJZNGs=; b= nnNsArIZJEO6hJkOcc0VG04kL55rkV6XPMH1Mzth691gtD+ncLH3D4qT3Gz6OWeH KDvxMt6uJ/2tT3B8+TM0HvTUbMO+bPrY9K7xPBCD0v+VtaMbf/EC1N89t7k/vWSt wWE+zsMlLLTw+JFZcj+jwmQ+t1zb5i4gDEyYWd09XlvzD6/ksNRumaGSBZRh3lPL 5Ed4KNqUzY1Sv8GwwvaOB6Wx1ds7YEU+lqoEHxTpNXRPWpEpEw7QgpW1UWPvdVIO Lk6fAK2v0KD6pLMdMP7vRGPGE0injwjwf2yjZdm8Y8XYy8KfU8ksMiJU8dg99QC9 3761CMjw1DI4Z9c3VeK3MA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:content-type:date:date:feedback-id:feedback-id :from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1733347151; x= 1733433551; bh=6lk6eliyzy+p+QF3mUcDwSLS9DhQlXNIBZiMlRJZNGs=; b=H YC/XdbOe2ad8cueHr5WTOvlrsHzB9ionb5GQpgbKs144ai9tJr33X9CzJVXw4Wgr DMZJ0OdtZyLrJtep45eVw54AjtCcJBw+tKzrgyAqH+AcbA/q25aFh89NftvLAmLG 7LvFQCwZkaL7mRmanQLK8Kat4sLRnmBxaFyb8NPhR/wEEYSZ9kub3PpNEh1uIvLt XlJaH7wtdbkkHcxkZqpphGbpueXQlPUYNMiz9jDywYvzZAq121X4FRASlwOq+q9p 4PLrvlkZo4QrqYftBJ5om48UoHSRAuqhbgfegHVYtn0ouOikEP/eLYUE1lSq/sCH kLq/KNAOYnf9oDNxVkg7Q==
X-ME-Sender: <xms:TsdQZwVVLfiFXfBJsVjfUTtZiSzOzTW4_b2tVgnPZDJSUswrcmQmbA> <xme:TsdQZ0nNQWR1dSsYrqq-pHo9LGt1f9-mcNRhEDyCKGvseY-FUDEsthDZvyismEDb0 8ichaXPEB4bdnjClGU>
X-ME-Received: <xmr:TsdQZ0ZWIFN_Oe8gw-f6Nhhksb9SC_TKURCcMUWiN_MZuW02aSanXwNtwHClI92KJtFjd74nB3VXnezFpnrAQH_Cm0JldBE>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeefuddrieehgddugeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdggtfgfnhhsuhgsshgtrhhisggvpdfu rfetoffkrfgpnffqhgenuceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnh htshculddquddttddmnecujfgurheptggguffhjgffvefgkfhfvffosehtqhhmtdhhtdej necuhfhrohhmpefgrhhinhcuufhhvghphhgvrhguuceovghrihhnrdhshhgvphhhvghrug esvgegfedrvghuqeenucggtffrrghtthgvrhhnpeekgeffhfekgefhveejfeeukeetteef hfekveejgfekudekkeeuleejhfejvddtgeenucevlhhushhtvghrufhiiigvpedtnecurf grrhgrmhepmhgrihhlfhhrohhmpegvrhhinhdrshhhvghphhgvrhgusegvgeefrdgvuhdp nhgspghrtghpthhtohepvddpmhhouggvpehsmhhtphhouhhtpdhrtghpthhtohepjhhrih gthhgvrhesmhhithdrvgguuhdprhgtphhtthhopehtgigruhhthhesihgvthhfrdhorhhg
X-ME-Proxy: <xmx:TsdQZ_ULs_NNsHALuhzdM4B72V0ua43qwe4F4V8AeyAYn7s0dkSJNg> <xmx:T8dQZ6n5GVgyhJe1luIQNJ62Yet4ModkY07MIKckE84VHLa7y76lnA> <xmx:T8dQZ0e_DxD36icn1A7DHKm144R7AZRpjJC_P4wZV-UU4EGrMFuKOw> <xmx:T8dQZ8HMn1ZF_LB99ighD44puAljXbRkaoUH41imrHtAFBisyZ6_mA> <xmx:T8dQZ_wyoUbJ3vbWCke48S5YYafpQY_KtNEH55esL5XdNNurhwtAPHeV>
Feedback-ID: i313944f9:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Wed, 4 Dec 2024 16:19:10 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.500.171.1.1\))
From: Erin Shepherd <erin.shepherd@e43.eu>
In-Reply-To: <BCFE50BA-429A-49E3-88B4-F08436B4B49F@mit.edu>
Date: Wed, 04 Dec 2024 22:18:57 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <690FE634-5657-4394-AFFB-8CB4A9C3CA5D@e43.eu>
References: <2FE68756-A13B-4CB4-9318-26A007F261D2@e43.eu> <BCFE50BA-429A-49E3-88B4-F08436B4B49F@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3774.500.171.1.1)
Message-ID-Hash: X66KOWZ7Q42TISI4CD4V3AOZ7UABAJNH
X-Message-ID-Hash: X66KOWZ7Q42TISI4CD4V3AOZ7UABAJNH
X-MailFrom: erin.shepherd@e43.eu
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "txauth@ietf.org" <txauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [GNAP] Re: GNAP RS-AS interaction questions
List-Id: GNAP <txauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/dfC-ljBhZycdlKJXmpqGKseULlg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Owner: <mailto:txauth-owner@ietf.org>
List-Post: <mailto:txauth@ietf.org>
List-Subscribe: <mailto:txauth-join@ietf.org>
List-Unsubscribe: <mailto:txauth-leave@ietf.org>
> On 4 Dec 2024, at 20:27, Justin Richer <jricher@mit.edu> wrote: > > Hi Erin, some answers inline. > >> On Dec 4, 2024, at 7:49 PM, Erin Shepherd <erin.shepherd@e43.eu> wrote: >> >> Hi, >> >> I’ve been looking at implementing GNAP with some interest (on the whole I find it a very readable and straight-forward specification!) but I’ve spotted a few of areas of difficulty: >> >> 1. The GNAP-RS spec says, in the introspection response >> >> iss (string): REQUIRED. Grant endpoint URL of the AS that issued this token. >> >> This seems a little limiting? Let’s say I have an existing OAuth IDP that I’m adding GNAP support to; it seems that the spec basically requires that a GNAP RS will see different sub+iss values from an OAuth RS? >> > > That’s likely to be the case - the issuer of a GNAP token is the AS which is itself defined by its grant endpoint URL. GNAP is largely designed to not need a discovery protocol, so starting with the single URL alone (the grant endpoint) you can kick off everything else you need with an immediate request. This was a deliberate design decision to depart from OAuth, and it prevents a host of attacks, including several forms of AS mixup that can occur in a poorly configured OAuth system. I understand the goal, but I’m a bit concerned about the implications in heterogeneous environments. If a GNAP client asks for an ID token, what sub/iss combo do I put in there? How does it even know how to validate the ID token? (I guess it actually doesn’t really need to validate it because it was received over a secured channel, unlike front-channel ID tokens in OIDC, but the thought remains) One of the things I’m concerned about is - lets say we consider an RS+RP that speaks GNAP, receives OIDC ID tokens from the AS, and handles user provisioning/synchronization with SCIM - how do we ensure consistent identity mapping across all of these? >> >> 2. The GNAP-RS spec lists five different token formats that an AS can declare support for but provides no information regarding the contents or validation of those tokens. It seems like the only way (within the written text of the specification) to validate a token would be to submit it to the introspection endpoint, which seems like it rather defeats the purpose of knowing the format. >> >> I would have liked to see some guidance on >> >> * How to locate the AS’ token signing keys for "jwt-signed” access tokens >> * How to agree encryption keys for "jwt-encrypted” access tokens >> * Required JWT claims & claim values >> * Similar for the other formats (with which I have less experience) >> >> i.e. something along the lines of RFC 9068 I guess (That could perhaps even have been referenced directly, with minor differences? >> > > In my opinion, details for that level of interoperability are better fit for a technology specific profile, than in a general specification like this. I think it would have been great to have separate specifications detailing each token type and registering them, but the most that the WG agreed on was listing the token types on their own at this level. I don’t disagree, but I also think that perhaps the registry entries shouldn’t have been created at all in that case. The purpose of registering things like that, to me, is to say we both implement the same interoperability spec. > >> 3. As far as I can tell, there’s no way for the AS to return subject information to the RS beyond the fixed set of introspection response values? >> >> I would have expected something similar to the Subject Information defined in GNAP s3.4 to be returned (or requitable) > > That’s a great idea, but would need to be defined by an extension at this point. Unfortunately the RS spec did not get as much attention as the core spec in its final days, and so features were fairly limited. > >> >> 4. Its unfortunate that the discovery URI was not defined to work by splicing /.well-known/gnap-as-rs into the start of the path segment in the same way as OAuth Authorisation Server Metadata is. Oh well, such is life, it would appear. > > This was another intentional divergence. The way that the OAuth AS Metadata document does things is problematic, as it was trying to adapt what the OIDC discovery spec did with paths — which was itself in conflict with the definition of ".well-known" in the first place. The result is a bit of an awkward compromise. We deliberately sidestepped that in the GNAP specification. I’ll also note that we did not use any .well-known path in the core specification, but the rs-facing discovery needed to be separated and so we went with .well-known here. I almost wonder why the metadata wasn’t just added to the GNAP metadata, but alas. I’m sure reasoning was solid. Anyway, thanks for the comments - Erin
- [GNAP] GNAP RS-AS interaction questions Erin Shepherd
- [GNAP] Re: GNAP RS-AS interaction questions Justin Richer
- [GNAP] Re: GNAP RS-AS interaction questions Justin Richer
- [GNAP] Re: GNAP RS-AS interaction questions Erin Shepherd
- [GNAP] Re: GNAP RS-AS interaction questions Erin Shepherd