IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Fabien Imbault <fabien.imbault@gmail.com> Tue, 15 December 2020 00:37 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B80C23A1111 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 16:37:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.186
X-Spam-Level:
X-Spam-Status: No, score=-0.186 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XBz2pbty7EKF for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 16:37:12 -0800 (PST)
Received: from mail-il1-x12c.google.com (mail-il1-x12c.google.com [IPv6:2607:f8b0:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD7713A1106 for <txauth@ietf.org>; Mon, 14 Dec 2020 16:37:12 -0800 (PST)
Received: by mail-il1-x12c.google.com with SMTP id t9so17618012ilf.2 for <txauth@ietf.org>; Mon, 14 Dec 2020 16:37:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uwZv8oy+wv4MjhH8nu0IX9MJzDxgbVgpSYCanB4W9Ao=; b=sU1c6zwohl4PIbOXyVnNKI9wouZLeKGbQJ+KLZOffBpPQNBjnp+nXd18xepU5li55v uU0HpIiz+eDjcKGbpFge2VnGSRyVJPx54bDPt8xBTfd2/V3ihl+RFbR71AhGMULiT1a/ Vzq4DDPWMJKBjjAAYFu4N/ERS5e8YQJDF75m5nWh+5DDYVdbImYLEeDoHVK63ffT1IbT h5qpd7+ylCJeugk8gK+Snh1m2lvWk47wkIwiGeWYvN4BKTU7ZVTJZzmy/Q5i3gfqyoXJ WKkDs9Py1k8CDREnteN26BMVoAoEg1VrmYuYZLjwXeHrKvNcjsCIwxGf+hjEdX82UEBd ouNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uwZv8oy+wv4MjhH8nu0IX9MJzDxgbVgpSYCanB4W9Ao=; b=Z/gvwoFJa9PU9xt3D6ugcN6FW602nYcaPk7p0U+Gh4of28aJM1qsH8TsTDDOlLbDzN mtiotXelTphILre3E1HwmadhZcEQMppARcqUJ/P9oLAGs5NWKSoOa7QnNEPpCMHan89m Yupjuyxu9T4uEkDUZPO5Nu2R2KH9c94tapgQ01LJ6B5lW8eErTotM92Rg7h7YlXITwAf ya+lquTvcnxkb7X2EcJPhwNAuMCWZhK6PxmeY08m08dFmH8jOXTXnN8EE1GCab55zq6p pir0Of+TyFRaeXsoG8eZjl5/UqnEi0KwZtBMEHy4oR9rvCI0k3epTlymZxLHqaCKrbg7 HzZQ==
X-Gm-Message-State: AOAM533Mwcpt2UqbElgvwlI9sUV+kSBWBxGZVFFP9J4loIgmOqKGGc4b p4jJazpqyaxDIPxTjBtvONe/Abw15Vs41LSKFY0=
X-Google-Smtp-Source: ABdhPJwr4TtE+9AHKnC4NkOOOET3nFwXksjlSj4vUMVDhlsDO4kgWCbl87eLmsqH6z1MLonAZp89aKUsYAM2jf3kuBU=
X-Received: by 2002:a92:aa4c:: with SMTP id j73mr37372255ili.123.1607992631875; Mon, 14 Dec 2020 16:37:11 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAD9ie-tEpVFfgB8KT3XK=G98wOTcVZxpXXRezCKbVuAP4hZoXQ@mail.gmail.com> <CAM8feuR9x7eMzWtTLeWHNEtjkFUk39kMw3ArFXp5rcFmXCw6BQ@mail.gmail.com> <CAD9ie-tMjNvewwof7W8Nof7D9FXuTEdwV3wTywyhB6gTurktmQ@mail.gmail.com> <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com> <CAD9ie-sMSN9Jm+W7ZgsjL_7JiHAMpe1Y-Q+avrE3Xi8G0ETPJg@mail.gmail.com> <CAP-T6TQ-YiTqG8vpV6dVb2jSJRRoVCVeghD+qYt3ENHoxyGbjQ@mail.gmail.com> <CAJot-L3Wy9Gqd199=jc_2B_iZeCpcnv90sdca_hw=KNkB41w+g@mail.gmail.com>
In-Reply-To: <CAJot-L3Wy9Gqd199=jc_2B_iZeCpcnv90sdca_hw=KNkB41w+g@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Tue, 15 Dec 2020 01:36:59 +0100
Message-ID: <CAM8feuQZxzni+A_9cG+TZfC12z8AspF7kuhT9YettYoLpMFcGQ@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Dave Tonge <dave.tonge@moneyhub.com>, Dick Hardt <dick.hardt@gmail.com>, Stephen Moore <srmoore@gmail.com>, txauth gnap <txauth@ietf.org>, Aaron Parecki <aaron@parecki.com>, Justin Richer <jricher@mit.edu>
Content-Type: multipart/alternative; boundary="0000000000009fdcc905b675f52e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/hl4IIytp-QVklHs47U0OdJgi4Ik>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2020 00:37:16 -0000

It's not acting as a session id, as least not in the way you describe it.

A big difference is that you may encode (and encrypt) the content of the
access token, so it may for instance :
- indicate a start time and end time for the request
- specify a client instance and maybe a dynamic client posture
- and contain any other info the server may wish to embed
- plus this is bound to a key which might be rotated if needed

So it's really a token, with a content and format that is fully opaque to
the client. That answers to your question "why wouldn't it?". Because you
have a more powerful and generic mechanism using tokens.

But since you're referring to sessions, it gives you one hint on the
difference between the initial request and the continuations. Of course at
the initialization, there's no server state yet.


Le lun. 14 déc. 2020 à 23:21, Warren Parad <wparad@rhosys.ch> a écrit :

> Based on the information shared, my preference would be to call the
> "access token", *session token*, I'll continue to do so in further
> communication. It's really how it's being used and now I can understand why
> conversation about cookies has come up. The "access token" is a session
> token, and session tokens have historically been transmitted via cookies,
> but in this case we are looking to transfer session token via the
> authorization header.
>
>
>>  And the AS can still look up the client’s instance information based on
>> that request, just like any RS with access to that information would be
>> able to
>
>
> If the AS can use the existing information in the request to look up the
> client to ensure it is the same party, the question for me is "Why wouldn't
> it?".
>
> What's the benefit of changing the auth mechanism between the first call
> and subsequent ones to identify the calling party?
>
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Mon, Dec 14, 2020 at 10:26 PM Dave Tonge <dave.tonge@moneyhub.com>
> wrote:
>
>> On the call I voiced my opinion that opionality should be reduced in the
>> spec where possible. At the time I was in favour of access tokens being
>> required. However, after reading the thread and looking again at the spec
>> I'm no longer convinced.
>>
>> The only advantage I can see of the access token, is that it provides a
>> way for the AS to be stateless, but I'm not sure how common or desirable
>> that use-case is? As soon as the AS has to look some information up about a
>> grant in order to continue, then there is no benefit in the access token.
>> The identity of the grant can be in the url, and the authenticity of the
>> client is provided by the signature.
>>
>> I know this is beyond the scope of this pull request, but for the
>> majority of use-cases, my personal opinion is that a consistent identifier
>> for each grant and a mandated REST like URL structure would be far more
>> useful.
>>
>> The GNAP spec is being designed in an extensible manner that will allow a
>> huge amount of use cases. Maybe in the future there will be new endpoints
>> dreamed up at the AS that require tokens. But the current ones described
>> in  the spec don't (create grant, continue grant, modify grant, get grant,
>> cancel grant, rotate token & revoke token).
>>
>> I also think there is some confusion that "binding" is being used for:
>>  - client authentication
>>  - sender constraining access tokens
>>  - http request signing
>>
>> If the signing mechanism is ok to authenticate the client in the first
>> request, why is it not sufficient to authenticate the client on the
>> continuation request?
>>
>> I think we need a stronger use-case for access tokens at the AS to
>> warrant even its optional inclusion in the spec.
>>
>> On Mon, 14 Dec 2020 at 21:25, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>>> I don't understand what security risks are unique with the GNAP URI
>>> relative to other API URIs that have a unique identifier in them.
>>>
>>> Developers can get "creative" and put "inappropriate" values in any API
>>> URI they design.
>>>
>>> What are the security implications of using a large random value as the
>>> <unique grant id>?
>>>
>>>
>>> ᐧ
>>>
>>> On Mon, Dec 14, 2020 at 11:46 AM Aaron Parecki <aaron@parecki.com>
>>> wrote:
>>>
>>>> Thanks for the clear description. However saying "has no security
>>>> concerns" is a bold claim. Can you clarify how you will ensure that there
>>>> are no security concerns with this method?
>>>>
>>>> My main worry with this is people will start to get "creative" with the
>>>> values of the things in this URL. We've seen this over and over, everything
>>>> from using plaintext data in JWT access tokens in OAuth (now the access
>>>> token contents are visible to clients), to putting data in the OAuth
>>>> "state" parameter (easy to exploit unless it's signed/encrypted), and I'm
>>>> sure someone somewhere is putting things in the authorization code that
>>>> they shouldn't.
>>>>
>>>> Aaron
>>>>
>>>>
>>>> On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>> I am proposing a URI that is straight forward, and has no
>>>>> security concerns.
>>>>>
>>>>> For example, the URI could be:
>>>>>
>>>>> <as uri>/grant/<unique grant id>
>>>>>
>>>>> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f
>>>>>
>>>>> The routing code in the AS then is:
>>>>>
>>>>> router.post(      '/', grant.create);
>>>>> router.get(        '/grant/:grant', grant.read);
>>>>> router.post(      '/grant/:grant', grant.update);
>>>>> router.delete(   '/grant/:grant', grant.delete);
>>>>> router.options( '/grant/:grant', grant.options);
>>>>>
>>>>>
>>>>> Where there is a "grant" module to manage for working with grant
>>>>> requests.
>>>>>
>>>>> /Dick
>>>>>
>>>>> ps: your previous email, and this one, are making the discussion
>>>>> personal. Happy to discuss privately.
>>>>>
>>>>> ᐧ
>>>>> --
>>>>> TXAuth mailing list
>>>>> TXAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>>
>>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>>
>>
>>
>> --
>> Dave Tonge
>> CTO
>> [image: Moneyhub Enterprise]
>> <http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A>
>> Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL
>> t: +44 (0)117 280 5120
>>
>> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
>> Limited which is authorised and regulated by the Financial Conduct
>> Authority ("FCA"). Moneyhub Financial Technology is entered on the
>> Financial Services Register (FRN 809360) at *https://register.fca.org.uk/
>> <https://register.fca.org.uk/>*. Moneyhub Financial Technology is
>> registered in England & Wales, company registration number  06909772 .
>> Moneyhub Financial Technology Limited 2019 ©
>>
>> DISCLAIMER: This email (including any attachments) is subject to
>> copyright, and the information in it is confidential. Use of this email or
>> of any information in it other than by the addressee is unauthorised and
>> unlawful. Whilst reasonable efforts are made to ensure that any attachments
>> are virus-free, it is the recipient's sole responsibility to scan all
>> attachments for viruses. All calls and emails to and from this company may
>> be monitored and recorded for legitimate purposes relating to this
>> company's business. Any opinions expressed in this email (or in any
>> attachments) are those of the author and do not necessarily represent the
>> opinions of Moneyhub Financial Technology Limited or of any other group
>> company.
>>
>> Moneyhub Enterprise is a trading style of Moneyhub Financial Technology
>> Limited which is authorised and regulated by the Financial Conduct
>> Authority ("FCA"). Moneyhub Financial Technology is entered on the
>> Financial Services Register (FRN 809360) at https://register.fca.org.uk/.
>> Moneyhub Financial Technology is registered in England & Wales, company
>> registration number 06909772. Moneyhub Financial Technology Limited 2020 ©
>> Moneyhub Enterprise, Regus Building, Temple Quay, 1 Friary, Bristol, BS1
>> 6EA.
>>
>> DISCLAIMER: This email (including any attachments) is subject to
>> copyright, and the information in it is confidential. Use of this email or
>> of any information in it other than by the addressee is unauthorised and
>> unlawful. Whilst reasonable efforts are made to ensure that any attachments
>> are virus-free, it is the recipient's sole responsibility to scan all
>> attachments for viruses. All calls and emails to and from this company may
>> be monitored and recorded for legitimate purposes relating to this
>> company's business. Any opinions expressed in this email (or in any
>> attachments) are those of the author and do not necessarily represent the
>> opinions of Moneyhub Financial Technology Limited or of any other group
>> company.
>>
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>

v2.23.0 | Report a Bug | By Email