Re: [GNAP] "Access Token" when calling AS is really a cookie
Fabien Imbault <fabien.imbault@gmail.com> Mon, 23 November 2020 17:45 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FACA3A0B87 for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 09:45:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydhRO_bUSJgQ for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 09:45:00 -0800 (PST)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E83D3A0B0E for <txauth@ietf.org>; Mon, 23 Nov 2020 09:45:00 -0800 (PST)
Received: by mail-il1-x12f.google.com with SMTP id b8so1210076ila.13 for <txauth@ietf.org>; Mon, 23 Nov 2020 09:45:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5LOeJ6l8jv7BWEYwI7ahvZ1pvOSK5UIGLO2ntm4yOhI=; b=cCLHz1zfQYeWST/b2DZ44GN/oGwRhpUhjR6emgCp8f81tsPr0rtcDjX2vW92nO0xfa cFojBnt/XYrc3SYV53hWjCpy7fVWnk/CsUzPKbs8GNrf2lzFN+Jglo2xvRPzaAlBU/nf uyPLQKmSVYfM5k2YO2K+VhE5L+m+rZAjc8I9uJg1vXly9lLsHWs8e/AfcWTHLKcQxsYb 8n3oGiIHgdQthWCiPhjGGRoQ2Nj8LCfa8THThFjyUiISYC5RUYWZOIowSU+0Pw25B2OD Nz99REx4n/vepYLgmRG/xL3sWnfqXn2Lgnh0s1Grd3pWGvtbWhkg/cl2n/DZ2V2t+VaG geGw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5LOeJ6l8jv7BWEYwI7ahvZ1pvOSK5UIGLO2ntm4yOhI=; b=aTuLjp70bleQi99R2pRvSVhpStl4sz842KvwdvQnBw2KYysjJgUQMff+OW/dFeC3ZL DIog0zU+yKW4c8NwRxfaHqWYzWOT0v/5I5kEcyj2SU31GmqkWzfid4Gnx/NroUAvBlo/ IBnq+kkV0OFYCuULpV85vAz7g7fWyVJchv3hG9lKNPb6WaZkjECpUcfYc55RY6Njf6UN fNgq5xM5QEDButsx9z7aKPk1CYejLZUu9LHmp1Z16O0PubytBIMg/ucGmj3ER/6LYEv/ QB/JxFQGRaK6WNbjibVxTJUXJljtCNYicxU7/+/tbXzUuYT2DlUDY34BGV84xfTcdgFP K2Tw==
X-Gm-Message-State: AOAM533LtAx7/d1tMfg0rGb0uYQ5/hneqOXJLjNZ/8irFCLG86ZrpdEg GxxU+kKh39aSawIHOYxUhw0j3MFJeziPUBR4QxY=
X-Google-Smtp-Source: ABdhPJy4FfF/0XWmpLKjm68mJzTXOWjcVPere8lk2L7TyGNYjlbXscwsjBmPXq96G5oEPPzY3+bKuGQGqdxt151Kn10=
X-Received: by 2002:a92:d489:: with SMTP id p9mr754859ilg.123.1606153499414; Mon, 23 Nov 2020 09:44:59 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-vKSpV6eC3CUPzwFog5yOb+zeshLJC7+8RgNeF9CNFiww@mail.gmail.com> <CAM8feuSh0q3mf+KapqV7Sxo+k9GSaibAbGwK7J2vPh-EAAprwQ@mail.gmail.com> <CAD9ie-vpURieTiZpeCfLscPCtU1VY_CrtOP3UAxFogku6gL0iw@mail.gmail.com> <CAM8feuRLNwvN9VP2w9L9WYtSTpyUR1Wbe8nT88RKb6jhaMWY6w@mail.gmail.com> <CAD9ie-vnZH-zexJ8yiRyozzbCLJKe1sVVfoeKtgysUG32UhAGQ@mail.gmail.com>
In-Reply-To: <CAD9ie-vnZH-zexJ8yiRyozzbCLJKe1sVVfoeKtgysUG32UhAGQ@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Mon, 23 Nov 2020 18:44:47 +0100
Message-ID: <CAM8feuT3DLCOc7nj2zS4XLy4ktZ5TaBJv=W52YnEY8DzWfyvZA@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c9974a05b4c9c007"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/fYcq-WocYbA8bnYz8Az3l2Af5Ig>
Subject: Re: [GNAP] "Access Token" when calling AS is really a cookie
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 17:45:02 -0000
Yes. "Cookies were designed to be a reliable mechanism for websites to remember stateful <https://en.wikipedia.org/wiki/Program_state> information". We're not storing anything, it's just a reference. On Mon, Nov 23, 2020 at 6:38 PM Dick Hardt <dick.hardt@gmail.com> wrote: > To clarify, I am talking about HTTP cookies, which are effectively opaque > to the web browser, and used by the web server to store state. > > https://en.wikipedia.org/wiki/HTTP_cookie > > A client may use local storage for saving state, but that is completely > different from an HTTP cookie which is issued by the server. > ᐧ > > On Mon, Nov 23, 2020 at 8:30 AM Fabien Imbault <fabien.imbault@gmail.com> > wrote: > >> If the client was directly managing/storing its state, then it would >> indeed effectively work as a cookie. >> But here the access token merely provides a map to the current state >> (opaque to the client), as managed/controlled by the AS. >> It's a very different use case compared to what cookies are used for in >> webapps. >> >> Having a unique URL is a different design (XAuth was more aligned with >> that idea). >> >> Fabien >> >> >> On Mon, Nov 23, 2020 at 5:09 PM Dick Hardt <dick.hardt@gmail.com> wrote: >> >>> If all the access token is doing is expressing "please continue" ... why >>> do we need an access token? >>> >>> Why not just have a unique URL for the grant request? The URL is the >>> identifier for the grant request that allows the client to delete, update, >>> etc. >>> >>> How the access token is being used is just like a cookie. The AS gives a >>> string to the client and the client must pass the string back to the AS >>> when it calls it, the AS may then give a new string to the client for the >>> next call. Works like a cookie. I don't know why you think there are legal >>> issues around this. >>> >>> /Dick >>> >>> >>> >>> ᐧ >>> >>> On Sun, Nov 22, 2020 at 11:40 PM Fabien Imbault < >>> fabien.imbault@gmail.com> wrote: >>> >>>> Hi Dick, >>>> >>>> In GNAP, the client isn't managing state (unlike a web app), the entire >>>> point is that the lifecycle should be managed by the AS. >>>> >>>> As in any state machine, there are states and transitions. Here we're >>>> not passing state, merely expressing "please continue". The client can be >>>> completely unaware of the underlying state. >>>> In effect the client only has the ability to ask the server to generate >>>> the next transition. >>>> >>>> So I don't think you can compare that to cookies. It's a different >>>> behavior. BTW if it was the case it would lead to a whole new class of >>>> issues, because there's an entire legal framework around cookies... >>>> >>>> To avoid confusion with a standard access token, we have the "key" >>>> field. My proposal would be to make it more explicitly (cf comment in issue >>>> 67). >>>> >>>> Fabien >>>> >>>> >>>> Le lun. 23 nov. 2020 à 02:06, Dick Hardt <dick.hardt@gmail.com> a >>>> écrit : >>>> >>>>> When I look at how GNAP is using access tokens for continuation >>>>> requests, and the pull request #129 >>>>> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129> >>>>> >>>>> Those "access tokens" look a lot more like cookies (managing state) >>>>> than how access tokens are usually used (representing authorization). See >>>>> table below. >>>>> >>>>> If there is a real requirement for passing state back and forth >>>>> between a server (the AS in this case) and the client when making API >>>>> calls, then I suggest that is out of scope for GNAP as I see it being a >>>>> general purpose mechanism for any API. >>>>> >>>>> /Dick >>>>> >>>>> >>>>> >>>>> *cookies*- issued by server being accessed >>>>> - are not presented to other servers >>>>> - issued after first access >>>>> - may be different for different URLs >>>>> - may be updated on each access >>>>> - represents the context of a session (state) >>>>> >>>>> >>>>> *access tokens*- issued by an independent service (AS) >>>>> - may be used at any URL at the RS >>>>> - new ones issued by AS as needed >>>>> - represents authorization granted to a client at an RS >>>>> ᐧ >>>>> -- >>>>> TXAuth mailing list >>>>> TXAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/txauth >>>>> >>>>
- [GNAP] "Access Token" when calling AS is really a… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Justin Richer
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt