Re: [Txauth] A model with a User Consent Element (with a clean figure)
Denis <denis.ietf@free.fr> Fri, 10 July 2020 15:45 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DCA63A0EAF for <txauth@ietfa.amsl.com>; Fri, 10 Jul 2020 08:45:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.621
X-Spam-Level:
X-Spam-Status: No, score=-1.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.276, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Qd1YmlRsKxmQ for <txauth@ietfa.amsl.com>; Fri, 10 Jul 2020 08:45:56 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp06.smtpout.orange.fr [80.12.242.128]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 761163A0C50 for <txauth@ietf.org>; Fri, 10 Jul 2020 08:45:55 -0700 (PDT)
Received: from [192.168.1.11] ([86.238.65.197]) by mwinf5d64 with ME id 1Tlr2300C4FMSmm03TlrpR; Fri, 10 Jul 2020 17:45:53 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Fri, 10 Jul 2020 17:45:53 +0200
X-ME-IP: 86.238.65.197
To: Fabien Imbault <fabien.imbault@gmail.com>, txauth@ietf.org
References: <CAM8feuQh6ztVfLyZSx0P5DMHtsz2OYRgv-5moN_O9mRO-XGXqQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <382b5f57-6825-3537-c66b-fb2c38e5140c@free.fr>
Date: Fri, 10 Jul 2020 17:45:50 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <CAM8feuQh6ztVfLyZSx0P5DMHtsz2OYRgv-5moN_O9mRO-XGXqQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------BDADE35EBB5A0A7B8B673C7A"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/exrk7-sLr2E-qUq321xdDnzKvM4>
Subject: Re: [Txauth] A model with a User Consent Element (with a clean figure)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2020 15:46:00 -0000
Hi Fabien, It would have been appreciated that you kept the original message in your response. I have copied it again at the end of this email. Comments are between the lines. > Hi Denis, > > I think it's interesting, but also very different to XYZ/XAuth so it > raises many questions ;-) > The figure is impossible to read. Use a PC. Copy and paste and then use the Courier font. On my PC (with the clear figure) it was perfect. > So let me try to summarize the suggested approach, with a concrete > example, to make sure we understand well: > > *0. The client authN to the AS (in whatever way is supported)* > Ex : client is a corporate financing called "finapp". finapp contacts > AS0 for authentication (say an openbanking service). > User is John Doe, CFO at NeedMoney Inc. (+ other identity claims if > needed, maybe some verified credential from NeedMoney Holding that > John is indeed CFO). > > /Dear John, / > /to access to your finapp, please identify yourself through your > prefered openbanking account./ > /Thanks/ If I understand you correctly, finapp is a local application e.g. on your smartphone. > *1. The client contacts a RS in a discovery phase, which includes the > selection of (at least) an operation, for which the RS returns the > required authZ attributes * > Ex : finapp needs to use NeedMoney's data to evaluate how much credit > it can offer. > > Op1 : compute the credit rating, from RS1 (this is outsourced to an > external credit analyst), through the external service's own AS1. > But to do that, RS needs your historic bank statements. > Op2 : get your list of banks, RS2 (as registered within finapp), > through openbanking AS0 and retrieve the bank statements : > Op3a : get historic data from his main bank, RS2a (say an > international bank), through openbanking AS0 > Op3b : same from a second bank account, RS2b (say a local bank), > through openbanking AS0 Why don't you make your very first example a little bit more complicated ? with RS1, RS2a, RS2b, ... AS0, AS1, ... :-) The intent of the /first /email was to discuss a /basic /model and to place the highlights on the way to capture the *user's consent* in an interoperable manner without letting know to any RS or AS the choices of the user. This is a fundamental feature of the model. In XAuth, the user's consent is not formalized in the protocol : "User consent is /often /required at the GS". > *2. User consent * > RS1 aggregates the list of attributes required (from all RS) and sends > it to finapp. > /Dear John, / > /To evaluate your credit request, we need the following information: / > /- your list of bank accounts (retrieved from your finapp account)/ > /- the associated banking statements over the past 12 months (from > each bank)/ > /- we'll pass that data to the credit agency, which will return your > credit score / > /Do you agree ?/ > > John approves (or not..., maybe he'll agree only for one specific > bank), via finapp directly > (I like that, albeit in a more traditional flow, I'm also separating > the UI from the rest of the protocol of XYZ, and it works too). As described, the user could simply push to the RS the banking statements over the past 12 months (from each bank). The user consent is not about : "/Do you agree that/ /we pass the data to the credit agency, which will return your credit score" /since no attributes nor ASs are involved in the question./ / I guess you want the user to get access tokens targeted for RS2x so that each bank will accept to disclose his banking statements over the past 12 months. The consent is whether the user accepts to get access tokens from some of his banks targeted for RS2x for the following operation: "Retrieval of the past 12 months banking statements" which corresponds to an API for each bank and then to send these access tokens to RS1. In practice, the client (e.g. using FIDO) will connect transparently to each of the appropriate AS from the banks and will get the requested access tokens with a requested validity period of about 5 minutes. > *3. Requests to the protected resources * > The client gets the access tokens and uses the services for which > access was granted. > > *Analysis: (maybe I didn't get everything right, if so let me know) * > The trust model is focused around the relationship between the enduser > (John) and his application (finapp), which seems fine. No. The trust model is not making a focus on that specific relationship. BTW, no access token is necessarily needed by the user to be able to use finapp. > => I see some potential issues : > > a. it will be really difficult for an end user to understand what AS0 > and AS1 are, why they're different, and why he needs to authenticate > to each of them. > How do you enable a federated experience? (especially as there could > be many) I fear that you have not fully captured what the user consent is about. See the above explanations. In addition, there is no concept of federation. > b. deciding what is the main RS (here RS1) to be called by the client > seems very critical, as it is the one that needs to orchestrate > everything. > This seems a very hierarchical and imperative model which seems > somewhat counter intuitive in terms of developer experience (as least > as it is made today, we clearly don't go into so much details). The > call hierarchy may quickly become very complex, which may also become > a problem when separate services evolve. The client calls the main RS (here RS1). What may happen next is fully dependant upon the operation that the user is willing to perform and this is unpredictable (since the back end service may change at any point of time). > c. RS1 gets all the information required to access all sub-resources, > and therefore gets also a lot of responsibility (and power). But from > finapp's > point of view, it is the one that has the relationship with the user > and is providing the core value proposition, while RS1 is just an > external service. So is it really a problem ? > d. multi-user (common B2B scenario): John wants to authorize a read > access to his finapp account to his external auditor, Ann (who is not > a direct user > of finapp herself, but might already be registered by openbanking > AS0). How do you do that? Does it require the access token itself to > be able to delegate rights? The intent of the short description I sent was to describe two simple scenarios, so that we could start discussing about them. At this point, the intent is not to cover all the scenarios you may dream of. > e. more generally, a threat model would be required, as there are many > more interactions now. There are less interactions than in XAuth: there is no protocol between ASs and RSs, nor between ROs and ASs. Before a threat model, a trust model is needed. Do we have a trust model for XAuth ? Unfortunately not, since the word "trust" is absent in the main body of draft-hardt-xauth-protocol-12. In this model, the trust relationships are as follows: * The user trusts its client. * If a user has an account opened with an AS, then he trusts that AS to deliver the requested and genuine attributes into an access token. * A RS may trust one or more ASs for one or more types of attributes _and_ for performing a given operation. * A RS may be administered remotely by one or more RO. _Note_: for authentication, a RS may accept either FIDO or one or more types of attributes from one or more ASs. Denis > Cheers, > Fabien > This is a new thread. Preamble: This model is quite different from the XAuth model. In particular, a RO has no relationship with any AS and a Client does not need to be associated with any AS prior to any access to a RS. A key point of this model is that the user's consent is handled locally by the Client and hence no AS nor RS is handling a man machine interface for the user consent. This allows to support locally the user consent for multiple ASs while keeping all ASs ignorant about the choices of the user made for accessing a particular RS. * **+--------++------------+ |User||Resource| ||| Owner (RO) | +--------++------------+ |\| |\| |\| |\| +-----------++---------------++------------+ ||---->| Authorization ||| || (2) |Server (AS)||| ||<----|||| |Client|+---------------+|| ||-------------------------->|Resource| |User|(1)|Server| |Consent|<--------------------------|(RS)| |element||| ||-------------------------->||------> ||(3)||(4) ||<--------------------------||<------ +-----------++------------+ * The flow of operations is as follows: The Client (which may have been previously authenticated using FIDO) contacts the RS and after some dialogue with the RS selects an operation that it wants to perform on the RS (1a). Note that it may also indicate directly the operation that it wants to perform on the RS without any prior dialogue. In return (1b), the RS informs the Client about which attributes are needed by the RS for performing the requested operation and from which Attributes Servers they may be obtained. This information is specifically marked to indicate that it shall be handled by the "User Consent element" from the Client. The presentation of that information is up to the man machine interface supported by the "User Consent element" from the Client. The user can see which attributes are requested by the RS for performing the requested operation and, if it consents, the Client contacts one or more appropriate Authorization Servers (2a). The user consent is hence captured locally by the Client (i.e. there is no dialogue with any AS nor any RS). When the Client got the access tokens from these authorization servers (2b), it sends all of them in a single request to the RS (3a). End of the story for a simple access Start of a subsequent story for a delegation case Let us now suppose that the RS is unable to fulfil the request by its own and that it needs to contact another RS. RS1 contacts RS2 (4a) and indicates the operation that it wants to perform on RS2 (that operation may not be the same as the original operation). In return (4b), RS2 informs RS1 about which attributes are needed by RS2 for performing the requested operation and from which Attributes Servers they may be obtained. RS1 forwards that information to the Client. This information is marked to indicate that it shall be handled by the "User Consent element" from the Client. The presentation of that information is up to the man machine interface from the Client. The user can see which attributes are requested by RS2 for performing the new requested operation and, if it consents, the Client contacts one or more appropriate Authorization Servers. The user consent is hence captured locally by the "User Consent element" from the Client. (i.e. there is no dialogue with any AS, nor RS1, nor RS2). When the Client got the access token(s) from the authorization server(s), it sends all of them in a single request to RS1. RS1 then forwards the additional access token(s) to RS2. Some observations: The user nor the Client are linked with any particular AS. A user may use today an AS of the Bank of America and may change tomorrow to the Bank of Missouri. As soon as he will be registered with the Bank of Missouri, he will be able to get access tokens from the AS of the Bank of Missouri. The AS of Bank of America has not been able to know where its access tokens have been used. This will be the same for AS of the Bank of Missouri. There is no need for any direct dialogue between any AS and any RS at the time a client is making an access. There is no need for any RO to contact any AS. This model has been constructed following a "Privacy by Design" approach. Denis
- [Txauth] A model with a User Consent Element Denis
- [Txauth] A model with a User Consent Element (wit… Denis
- Re: [Txauth] A model with a User Consent Element … Daniel Fett
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault
- Re: [Txauth] A model with a User Consent Element David Pyke
- Re: [Txauth] A model with a User Consent Element Tom Jones
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Justin Richer
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Dick Hardt
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault
- Re: [Txauth] A model with a User Consent Element … Denis
- Re: [Txauth] A model with a User Consent Element … Fabien Imbault