Re: [GNAP] [Txauth] Revisiting the photo sharing example (a driving use case for the creation of OAuth)

Justin Richer <> Thu, 13 August 2020 18:01 UTC

So what I’m saying is that what you’re defining as part of the RS was (in OAuth) defined as a function of the AS. As such, I contend that it needs to be its own separate functional role, neither AS nor RS.

That way it could be fulfilled by an entity either closely tied to the AS or closely tied to the RS, as appropriate. It would give us more flexibility to talk about the patterns.

 — Justin

> On Aug 13, 2020, at 1:29 PM, Denis <> wrote:
> Justin,
> Your response does not address my point. I am talking of two different channels with the RS, i.e. not with the AS.
> Denis
>> Denis, I want to focus on one point here:
>>> In OAuth 2.0, the user consent is performed by the AS using an authorize endpoint where the user consent is solicited and captured.
>>> Since a user, with no prior experience, shall first connect to a RS to perform an operation, the user consent shall be performed by the RS, 
>>> instead of the AS. This means that we should define a "consent" endpoint at the RS.
>> One of my goals with XYZ’s design was to be able to separate the interaction with the user from the web-based flows for the delegation protocol, and that aspect is enshrined in the GNAP charter as well.
>> It points to the reality that there are two different aspects of the traditional AS that we might need to talk about separately now. One deals with delegation, issuing tokens, returning data directly to the client (not through a separate API, since that’s the RS), and other back-channel stuff. The other aspect deals with interacting with the user and/or resource owner. 
>> We already saw bits of this in OAuth 2: the AS is defined by the pair of the token endpoint and authorization endpoint, each filling the respective roles above. What if we formally separate these? Strawman names:
>> Delegation Server (DS) - handles the back-channel stuff
>> Interaction Server (IS) - handles the front-channel stuff
>>  — Justin