IETF Logo Mail Archive

Re: [GNAP] Authentication mechanisms discovery

Denis <denis.ietf@free.fr> Tue, 25 August 2020 09:37 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6E413A0BDA for <txauth@ietfa.amsl.com>; Tue, 25 Aug 2020 02:37:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.456
X-Spam-Level:
X-Spam-Status: No, score=0.456 tagged_above=-999 required=5 tests=[FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.399, NICE_REPLY_A=-0.948, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jGjOTob5Qb-r for <txauth@ietfa.amsl.com>; Tue, 25 Aug 2020 02:37:50 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C7463A0BE4 for <txauth@ietf.org>; Tue, 25 Aug 2020 02:37:49 -0700 (PDT)
Received: from [192.168.1.11] ([90.79.51.120]) by mwinf5d38 with ME id Kldm2300F2bcEcA03ldmMe; Tue, 25 Aug 2020 11:37:47 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 25 Aug 2020 11:37:47 +0200
X-ME-IP: 90.79.51.120
To: Dick Hardt <dick.hardt@gmail.com>
Cc: "txauth@ietf.org" <txauth@ietf.org>
References: <fdf69c9e-6950-b2d2-f889-dd4219fec6f1@free.fr> <CAD9ie-tRG5F=z_Py3RVFOjELPYcGxQPJxepzO_rFQg=XSG+Yaw@mail.gmail.com> <CAD9ie-t=qFWT=0vezac8dUV7e2TxfswNkr3Qz9TB4XnCmHjSzQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <320d584f-ce34-5230-66d5-d7dc6cdceb69@free.fr>
Date: Tue, 25 Aug 2020 11:37:45 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-t=qFWT=0vezac8dUV7e2TxfswNkr3Qz9TB4XnCmHjSzQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------7EDBBE08E80BB93B9F43D392"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/fswOVBsPdf1nrl1iebTeR_WmxHQ>
Subject: Re: [GNAP] Authentication mechanisms discovery
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2020 09:37:52 -0000

Hi Dick,

A few arguments:

  * The 401 (Unauthorized) status code indicates that the request has
    not  been applied because it lacks valid authentication credentials
    for the target resource.
    Information about how to authenticate is NOT in the HTTP
    Authorization header. So it is not a discovery mechanism but, at
    best, a trial and error mechanism.

  * As already said, reading the documentation is one way, but making a
    real time inquiry is another way which is better for clients acting
    on behalf of a User.

  * If the OPTIONS method call can be used at the GS, it should not be
    forbidden to be used as well at the RS.

The missing point in draft-hardt-xauth-protocol-13 is the lack of 
difference between an authentication made by the client application on 
its own behalf or on behalf of a User.

Denis

> A comment about an OPTIONS call being the first call in the protocol.
>
> While that is possible, I expect most use of the discovery will happen 
> by tooling rather than client software. IE, when developing against an 
> GS, the developers tool chain will check what the GS supports.
>
> On Mon, Aug 24, 2020 at 9:05 AM Dick Hardt <dick.hardt@gmail.com 
> <mailto:dick.hardt@gmail.com>> wrote:
>
>     Hi Denis
>
>     While it is an interesting idea to use the OPTIONS method at the
>     RS, the standard way to indicate authentication mechanisms is with
>     a 401 HTTP response per
>     https://tools.ietf.org/html/rfc7235#section-3.1
>
>     And then information about how to authenticate may be in the HTTP
>     Authorization header.
>
>     This allows an RS to respond to any request including an OPTIONS
>     method call.
>
>     /Dick
>
>
>     ᐧ
>
>     On Mon, Aug 24, 2020 at 1:16 AM Denis <denis.ietf@free.fr
>     <mailto:denis.ietf@free.fr>> wrote:
>
>         Hi Dick*,
>         *
>
>         The following comments have been elaborated after an analysis
>         of your draft: draft-hardt-xauth-protocol-13.
>
>         *1 ) Authentication mechanisms discovery at the GS*
>
>         Sections 3 and 3.7 from draft-hardt-xauth-protocol-13 are
>         proposing to support an HTTP OPTIONS request which would be
>         the first request
>         when talking to a GS. The goal is to be able to query the
>         authentication mechanisms supported by the GS. This would
>         indeed be very useful.
>
>         The HTTP OPTIONS request has been first defined in RFC 2616
>         and refined in RFC 7231 (see
>         https://tools.ietf.org/html/rfc7231#section-4.3.7).
>
>         RFC 7231 mentions:
>
>               A standard format for such a representation is not
>         defined by this specification, but might be defined by future
>         extensions to HTTP.
>               A client that generates an OPTIONS request containing a
>         payload body MUST send a valid Content-Type header field
>         describing
>               the representation media type.Although this
>         specification does not define any use for such a payload,
>         future extensions to HTTP
>               might use the OPTIONS body to make more detailed queries
>         about the target resource.
>
>         RFC 7231 also mentions:
>
>               A server generating a successful response to OPTIONS
>         SHOULD send an header fields that might indicate optional
>         features
>               implemented by the server and applicable to the target
>         resource, including potential extensions not defined by this
>         specification.
>
>         However, two types of authentication are possible: user
>         authentication and client authentication. If both are
>         supported by the GS, it would be possible
>         to address this concern either by returning two lists of
>         authentication methods or even better by using two different
>         Content-Type header fields describing
>         the representation media type, since the client is knowing
>         whether it is acting or not on behalf of a User.*
>         *
>
>         *2) Authentication mechanisms discovery at the RS*
>
>         This HTTP OPTIONS request should also be supported by a RS.
>         When a client first contacts a RS, it does not necessarily
>         know the authentication
>         methods that are /currently/ supported by the RS. This means
>         that the same request as the one used for the GS should be
>         available for a RS as well.
>
>         Denis
>
>         -- 
>         TXAuth mailing list
>         TXAuth@ietf.org <mailto:TXAuth@ietf.org>
>         https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email