Re: [Txauth] A model with a User Consent Element (with a clean figure)

[Denis <denis.ietf@free.fr>]

Hi Fabien,

> Thanks Denis for your answers.
>
> I think what you call delegation is a slightly different requirement 
> than how the term is generally used in our context.
> Instead of delegation, I would rather suggest to call it a "resource 
> chain" (and as in any supply chain, those could come from different 
> parties).

Whatever you call it, I believe that the model should be able to support 
it.

> I think the privacy concern is important, and it would be interesting 
> to get back to prior art on the issue.
> for instance, https://github.com/samuelgoto/WebID provides an 
> interesting analysis on RP or IdP collusion
> (here more focused on the ID part), a similar vein of work may enable 
> richer discussions whether/when the GS
> is the right place for user consent, or not.

The way and the place the user consent is captured is indeed critical.

> Then on user consent : implementations of XYZ do handle user consent. 
> In our case, we've also decoupled the consent part (as a separate 
> project).

You are using the word "we". Do you mean that you are part of the design 
team or of the implementers team of XYZ ?

> Initially we did that to simplify the implementation of the AS core 
> flow (between client and AS), while covering the UX requirements in a 
> separate project.
> But the nice thing about that is that it doesn't change the core flow, 
> and depending on the use case, one may either place it on the AS part 
> (as we've implemented so far,
> and as most people would do today) or on the client part (as you think 
> it should be). This demonstrates that depending how we assemble parts, 
> we may end up
> with a solution that may fit various requirements.

In addition to the place where the user consent is captured, there is 
the need to consider the assurances that the user can obtain about the 
respect of his choices.

I have explained that such assurance can be obtained when the choice is 
made by the client and when the returned access tokens are not 
considered to be opaque to the client.
It is also obvious that the GS/AS is kept ignorant of the proposed 
choices and is only informed about which user attributes should be 
inserted into the access token.

At this time, no equivalent explanations have been provided when/if the 
user consent interface is handled by the GS/AS.

Denis

>
> Fabien
>
> On Mon, Jul 13, 2020 at 10:40 AM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hi Fabien,
>
>     Thank you for your responses. Rather than responding in the text,
>     I will pick up two of your comments:
>
>         FI : as far as I'm concerned, there are many more interactions
>         than Oauth/XYZ/Xauth.
>         Your view seems to be that it is simpler because AS are way
>         less central, but it seems to me
>         that RS are much more complex to implement correctly.
>
>     In XYZ/Xauth there is a protocol needed between the GS and many
>     ROs. This protocol is "out of the scope" of these drafts and this
>     is where the complexity is hidden.
>     So it looks simpler for the client but it is much more complicated
>     for the management of the delegation at the GS. This also makes
>     the assumption that a single GS
>     will be able to handle the delegation case because all the RSs are
>     supposed to be in the same domain which is a very restrictive
>     case. My proposal is able to handle
>     the multi-domain case.
>
>     Every RS is best placed to know where to forward an operation when
>     it can't respond to it of its own. A RO should not need to inform
>     a GS to tell what its relationships
>     with other RSs are. A GS should not be in a position to know
>     everything about the relationships between RSs and to be informed
>     in real time of any change about these
>     relationships.
>
>     In term of trust, I mentioned:
>
>       * If a user has an account opened with an AS, then he trusts
>         that AS to deliver the requested and genuine attributes into
>         an access token.
>
>     This is it. There is no other trust relationship. The user does
>     not trust or rely on any collaboration between a RO and a GS.
>
>
>     A second of your comments:
>
>         FI: if we can't do it with maximum privacy, then we won't do
>         it; which is a design choice,
>
>     I would rather say: If we can do it with maximum privacy, let us
>     do it. At this time :
>
>       * in draft-hardt-xauth-protocol-12, the word "privacy" does not
>         even exist.
>       * in draft-richer-transactional-authz-06, there is a single
>         sentence in the privacy considerations section:
>
>              Handles are passed between parties and therefore should
>     be stateful and not contain any internal structure or information,
>              which could leak private data.
>
>     About the user consent. At this time :
>
>       * in draft-richer-transactional-authz-06, the user consent is
>         never addressed.
>       * in draft-hardt-xauth-protocol-12, the user consent is captured
>         by the GS whereas it should be captured by the Client.
>
>              The client has no way to verify that the user consent has
>     indeed been followed by the GS because the client
>              cannot verify that what happens "behind the scenery" at
>     the GS is conformant with what the user has consented.
>
>     Denis
>
>>     Hi Denis,
>>
>>     Thanks for your answer.
>>
>>     My comments are embedded in the text, marked with FI.
>>
>>     Fabien
>>
>>
>>     Le ven. 10 juil. 2020 à 17:53, Denis <denis.ietf@free.fr
>>     <mailto:denis.ietf@free.fr>> a écrit :
>>
>>         Hi Fabien,
>>
>>         It would have been appreciated that you kept the original
>>         message in your response. I have copied it again at the end
>>         of this email.
>>
>>
>>     FI : sorry, not always easy on a mobile. Will make sure that's
>>     the case next time.
>>
>>
>>         Comments are between the lines.
>>
>>>         Hi Denis,
>>>
>>>         I think it's interesting, but also very different to
>>>         XYZ/XAuth so it raises many questions ;-)
>>>         The figure is impossible to read.
>>
>>         Use a PC. Copy and paste and then use the Courier font. On my
>>         PC (with the clear figure) it was perfect.
>>
>>>         So let me try to summarize the suggested approach, with a
>>>         concrete example, to make sure we understand well:
>>>
>>>         *0. The client authN to the AS (in whatever way is supported)*
>>>         Ex : client is a corporate financing called "finapp". finapp
>>>         contacts AS0 for authentication (say an openbanking service).
>>>         User is John Doe, CFO at NeedMoney Inc. (+ other identity
>>>         claims if needed, maybe some verified credential from
>>>         NeedMoney Holding that John is indeed CFO).
>>>
>>>         /Dear John, /
>>>         /to access to your finapp, please identify yourself through
>>>         your prefered openbanking account./
>>>         /Thanks/
>>
>>         If I understand you correctly,  finapp is a local application
>>         e.g. on your smartphone.
>>
>>     FI : not necessarily, the client could be a mobile app, a web
>>     app, etc., making api calls to backend protected services.
>>
>>>         *1. The client contacts a RS in a discovery phase, which
>>>         includes the selection of (at least) an operation, for which
>>>         the RS returns the required authZ attributes *
>>>         Ex : finapp needs to use NeedMoney's data to evaluate how
>>>         much credit it can offer.
>>>
>>>         Op1 : compute the credit rating, from RS1 (this is
>>>         outsourced to an external credit analyst), through the
>>>         external service's own AS1.
>>>         But to do that, RS needs your historic bank statements.
>>>         Op2 : get your list of banks, RS2 (as registered within
>>>         finapp), through openbanking AS0 and retrieve the bank
>>>         statements :
>>>         Op3a : get historic data from his main bank, RS2a (say an
>>>         international bank), through openbanking AS0
>>>         Op3b : same from a second bank account, RS2b (say a local
>>>         bank), through openbanking AS0
>>
>>         Why don't you make your very first example a little bit more
>>         complicated ? with RS1, RS2a, RS2b, ... AS0, AS1, ...
>>
>>         :-)
>>
>>     FI : fair point. But i believe it's important to grasp what it
>>     means on a realistic example, especially as the proposed protocol
>>     would be very much dependant on the way RS calls are made.
>>
>>
>>         The intent of the /first /email was to discuss a /basic
>>         /model and to place the highlights on the way to capture the
>>         *user's consent*
>>         in an interoperable manner without letting know to any RS or
>>         AS the choices of the user. This is a fundamental feature of
>>         the model.
>>         In XAuth, the user's consent is not formalized in the
>>         protocol : "User consent is /often /required at the GS".
>>
>>     FI : in the context of xauth, this seems pretty clear I think.
>>
>>>         *2. User consent *
>>>         RS1 aggregates the list of attributes required (from all RS)
>>>         and sends it to finapp.
>>>         /Dear John, /
>>>         /To evaluate your credit request, we need the following
>>>         information: /
>>>         /- your list of bank accounts (retrieved from your finapp
>>>         account)/
>>>         /- the associated banking statements over the past 12 months
>>>         (from each bank)/
>>>         /- we'll pass that data to the credit agency, which will
>>>         return your credit score /
>>>         /Do you agree ?/
>>>
>>>         John approves (or not..., maybe he'll agree only for one
>>>         specific bank), via finapp directly
>>>         (I like that, albeit in a more traditional flow, I'm also
>>>         separating the UI from the rest of the protocol of XYZ, and
>>>         it works too).
>>
>>         As described, the user could simply push to the RS the
>>         banking statements over the past 12 months (from each bank).
>>         The user consent is not about : "/Do you agree that/ /we pass
>>         the data to the credit agency, which will return your credit
>>         score"
>>         /since no attributes nor ASs are involved in the question.
>>
>>     FI : this is possible of course, but pretty surprising. Today
>>     most implementations are using oauth to delegate the
>>     implementation to some specialized component, while here each RS
>>     would be responsible for authentication. That is not an innocent
>>     choice from an implementation and deployment perspective.
>>
>>         /
>>         /
>>
>>         I guess you want the user to get access tokens targeted for
>>         RS2x so that each bank will accept to disclose his banking
>>         statements over the past 12 months.
>>
>>         The consent is whether the user accepts to get access tokens
>>         from some of his banks targeted for RS2x for the following
>>         operation:
>>         "Retrieval of the past 12 months banking statements" which
>>         corresponds to an API for each bank and then to send these
>>         access tokens to RS1.
>>
>>         In practice, the client (e.g. using FIDO) will connect
>>         transparently to each of the appropriate AS from the banks
>>         and will get the requested access tokens
>>         with a requested validity period of about 5 minutes.
>>
>>     FI : yes.
>>
>>>         *3. Requests to the protected resources *
>>>         The client gets the access tokens and uses the services for
>>>         which access was granted.
>>>
>>>         *Analysis: (maybe I didn't get everything right, if so let
>>>         me know) *
>>>         The trust model is focused around the relationship between
>>>         the enduser (John) and his application (finapp), which seems
>>>         fine.
>>
>>         No. The trust model is not making a focus on that specific
>>         relationship. BTW, no access token is necessarily needed by
>>         the user to be able to use finapp.
>>
>>     FI : maybe, maybe not. As soon as I want to fetch api calls, I
>>     need access tokens.
>>
>>>         => I see some potential issues :
>>>
>>>         a. it will be really difficult for an end user to understand
>>>         what AS0 and AS1 are, why they're different, and why he
>>>         needs to authenticate to each of them.
>>>         How do you enable a federated experience? (especially as
>>>         there could be many)
>>
>>         I fear that you have not fully captured what the user consent
>>         is about. See the above explanations. In addition, there is
>>         no concept of federation.
>>
>>     FI : your notion of consent is very specific to what you have in
>>     mind. It would require a kind of automated system to work.
>>     As for the concept of federation, this is required in practice in
>>     you don't hypothesize a dependancy on FIDO. The Uma2 standard is
>>     probably the closest to some of your ideas and focuses a lot on
>>     federation.
>>
>>>         b. deciding what is the main RS (here RS1) to be called by
>>>         the client seems very critical, as it is the one that needs
>>>         to orchestrate everything.
>>>         This seems a very hierarchical and imperative model which
>>>         seems somewhat counter intuitive in terms of developer
>>>         experience (as least
>>>         as it is made today, we clearly don't go into so much
>>>         details). The call hierarchy may quickly become very
>>>         complex, which may also become
>>>         a problem when separate services evolve.
>>
>>         The client calls the main RS (here RS1). What may happen next
>>         is fully dependant upon the operation that the user is
>>         willing to perform and
>>         this is unpredictable (since the back end service may change
>>         at any point of time).
>>
>>     FI : OK, but is it good engineering practice to have to deal with
>>     the internals of service calls? The reason why people delegate
>>     APIs is precisely to avoid that complexity. Today with OAuth, and
>>     tomorrow with XYZ/Xauth, the programming model is way simpler.
>>     Privacy may be a good reason to change that, but we need to be
>>     very thoughtful about that.
>>
>>>         c. RS1 gets all the information required to access all
>>>         sub-resources, and therefore gets also a lot of
>>>         responsibility (and power). But from finapp's
>>>         point of view, it is the one that has the relationship with
>>>         the user and is providing the core value proposition, while
>>>         RS1 is just an external service.
>>
>>          So is it really a problem ?
>>
>>     FI : I think so. If I'm finapp, I don't want to be this dependant
>>     on RS1 for a lot of good and bad reasons. What I hope the example
>>     conveys is that there's no reason why RS1 would suddenly become
>>     the center of orchestration for all queries, while all the
>>     underlying data is actually elsewhere.
>>     The fact that the proposed protocol mandates this behaviour is
>>     surprising and I don't see why that is.
>>
>>>         d. multi-user (common B2B scenario): John wants to authorize
>>>         a read access to his finapp account to his external auditor,
>>>         Ann (who is not a direct user
>>>         of finapp herself, but might already be registered by
>>>         openbanking AS0). How do you do that? Does it require the
>>>         access token itself to be able to delegate rights?
>>
>>         The intent of the short description I sent was to describe
>>         two simple scenarios, so that we could start discussing about
>>         them.
>>         At this point, the intent is not to cover all the scenarios
>>         you may dream of.
>>
>>     FI : fair point. However, as previously discussed, this is a big
>>     concern as we don't know whether you think this is a valid use
>>     case or whether this is out of scope (so far, I understood it was
>>     more, if we can't do it with maximum privacy, then we won't do
>>     it; which is a design choice, but standards are usually about
>>     consensus with people that need to deal with real life problems).
>>
>>>         e. more generally, a threat model would be required, as
>>>         there are many more interactions now.
>>
>>         There are less interactions than in XAuth: there is no
>>         protocol between ASs and RSs, nor between ROs and ASs.
>>
>>     FI : as far as I'm concerned, there are many more interactions
>>     than Oauth/XYZ/Xauth. Your view seems to be that it is simpler
>>     because AS are way less central, but it seems to me that RS are
>>     much more complex to implement correctly.
>>
>>
>>         Before a threat model, a trust model is needed. Do we have a
>>         trust model for XAuth ?
>>         Unfortunately not, since the word "trust" is absent in the
>>         main body of draft-hardt-xauth-protocol-12.
>>
>>     FI : sorry but I don't need the word trust to do threat modeling...
>>
>>         In this model, the trust relationships are as follows:
>>
>>           * The user trusts its client.
>>           * If a user has an account opened with an AS, then he
>>             trusts that AS to deliver the requested and genuine
>>             attributes into an access token.
>>           * A RS may trust one or more ASs for one or more types of
>>             attributes _and_ for performing a given operation.
>>           * A RS may be administered remotely by one or more RO.
>>
>>         _Note_: for authentication, a RS may accept either FIDO or
>>         one or more types of attributes from one or more ASs.
>>
>>         Denis
>>
>>>         Cheers,
>>>         Fabien
>>>
>>
>>         This is a new thread.
>>
>>
>>         Preamble: This model is quite different from the XAuth model.
>>         In particular, a RO has no relationship with any AS and a
>>         Client does not need to be associated with any AS prior to
>>         any access to a RS.
>>
>>         A key point of this model is that the user's consent is
>>         handled locally by the Client and hence no AS nor RS is
>>         handling a man machine interface
>>         for the user consent. This allows to support locally the user
>>         consent for multiple ASs while keeping all ASs ignorant about
>>         the choices of the user
>>         made for accessing a particular RS.
>>         *
>>
>>         **+--------++------------+
>>         |User||Resource|
>>         ||| Owner (RO) |
>>         +--------++------------+
>>         |\|
>>         |\|
>>         |\|
>>         |\|
>>         +-----------++---------------++------------+
>>         ||---->| Authorization |||
>>         || (2) |Server (AS)|||
>>         ||<----||||
>>         |Client|+---------------+||
>>         ||-------------------------->|Resource|
>>         |User|(1)|Server|
>>         |Consent|<--------------------------|(RS)|
>>         |element|||
>>         ||-------------------------->||------>
>>         ||(3)||(4)
>>         ||<--------------------------||<------
>>         +-----------++------------+
>>         *
>>         The flow of operations is as follows:
>>
>>         The Client (which may have been previously authenticated
>>         using FIDO) contacts the RS and after some dialogue with the
>>         RS selects an operation
>>         that it wants to perform on the RS (1a). Note that it may
>>         also indicate directly the operation that it wants to perform
>>         on the RS without any prior dialogue.
>>         In return (1b), the RS informs the Client about which
>>         attributes are needed by the RS for performing the requested
>>         operation and from which Attributes Servers
>>         they may be obtained.
>>
>>         This information is specifically marked to indicate that it
>>         shall be handled by the "User Consent element" from the Client.
>>         The presentation of that information is up to the man machine
>>         interface supported by the "User Consent element" from the
>>         Client.
>>
>>         The user can see which attributes are requested by the RS for
>>         performing the requested operation and, if it consents, the
>>         Client contacts one or more
>>         appropriate Authorization Servers (2a). The user consent is
>>         hence captured locally by the Client (i.e. there is no
>>         dialogue with any AS nor any RS).
>>
>>         When the Client got the access tokens from these
>>         authorization servers (2b), it sends all of them in a single
>>         request to the RS (3a).
>>
>>         End of the story for a simple access
>>
>>
>>         Start of a subsequent story for a delegation case
>>
>>         Let us now suppose that the RS is unable to fulfil the
>>         request by its own and that it needs to contact another RS.
>>         RS1 contacts RS2 (4a) and indicates the operation
>>         that it wants to perform on RS2 (that operation may not be
>>         the same as the original operation). In return (4b), RS2
>>         informs RS1 about which attributes are needed
>>         by RS2 for performing the requested operation and from which
>>         Attributes Servers they may be obtained. RS1 forwards that
>>         information to the Client.
>>
>>         This information is marked to indicate that it shall be
>>         handled by the "User Consent element" from the Client. The
>>         presentation of that information is up to the man machine
>>         interface from the Client. The user can see which attributes
>>         are requested by RS2 for performing the new requested
>>         operation and, if it consents, the Client contacts one or more
>>         appropriate Authorization Servers. The user consent is hence
>>         captured locally by the "User Consent element" from the
>>         Client. (i.e. there is no dialogue with any AS, nor RS1, nor
>>         RS2).
>>
>>         When the Client got the access token(s) from the
>>         authorization server(s), it sends all of them in a single
>>         request to RS1. RS1 then forwards the additional access
>>         token(s) to RS2.
>>
>>
>>         Some observations:
>>
>>         The user nor the Client are linked with any particular AS. A
>>         user may use today an AS of the Bank of America and may
>>         change tomorrow to the Bank of Missouri.
>>         As soon as he will be registered with the Bank of Missouri,
>>         he will be able to get access tokens from the AS of the Bank
>>         of Missouri. The AS of Bank of America
>>         has not been able to know where its access tokens have been
>>         used. This will be the same for AS of the Bank of Missouri.
>>         There is no need for any direct dialogue
>>         between any AS and any RS at the time a client is making an
>>         access. There is no need for any RO to contact any AS.
>>
>>         This model has been constructed following a "Privacy by
>>         Design" approach.
>>
>>         Denis
>>
>
>     -- 
>     Txauth mailing list
>     Txauth@ietf.org <mailto:Txauth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/txauth
>