IETF Logo Mail Archive

Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00

Francis Pouatcha <fpo@adorsys.de> Wed, 18 November 2020 12:06 UTC

Return-Path: <fpo@adorsys.de>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C20D3A17F8 for <txauth@ietfa.amsl.com>; Wed, 18 Nov 2020 04:06:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.598
X-Spam-Level:
X-Spam-Status: No, score=-1.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=adorsys.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4Hk6_g-r-i2 for <txauth@ietfa.amsl.com>; Wed, 18 Nov 2020 04:06:55 -0800 (PST)
Received: from DEU01-BE0-obe.outbound.protection.outlook.com (mail-be0deu01on2135.outbound.protection.outlook.com [40.107.127.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C80713A17F3 for <txauth@ietf.org>; Wed, 18 Nov 2020 04:06:54 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Igq0qlc7YCeE1G72tvDfu8RhljzVWZl+fpiNw4r83V+BFhbywsDAWr5ZcDfgTL9G1AOAyh58AjsMcU0Ug/VLGSLU03vi8HurzcB38EmYt6Qu3fjPk4oNqTQiAT4uC5Mai0B5w0pb46lEQRfgRwW3vGSNHYcbv4s2ubWH822ctCKx/kKTfq7F3COstOeexiHETs53bNcRITX4Ds/AljMbgg0KKXLbjj/fH8myLmZETHt7COHt8eQ+iIWPzLBttBK1orldem+sn2AJggmM2nUTUTYgt7hhGyneEVj6qOOhqx4ZP0ZHMF3zDqI+dHdzUT0FzSJvspbATk5QttLeF4R0og==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KmvL3+FnLRfkWT5ZdyLhuPbW8aRbRrdtcrxkOAUvg0E=; b=N99Y3VE+AIeUWdrTEybSlzrTJ70LYZNrLke0Y7/VquCvxIAnG4D52obTjsQvfBpObuXyr7TLxy9cuyrrSPmUyUdcMsPwwrH1C8XCPhS7umj4Xsms/He5ct6jpYM/2njoNS2VRRa5QNS61R2Y+xzGmRXIbby75dXU+3SDNsiCapzTPZZcuqSO5n0ZQKKDgZchcQhEBoPwptwTW/LdzNcFXmhL8QHb7HDu1yra38xD+HahVqqGeElIMuzoRpaMKybxWQ0ndWyUdbuzsooMnVpseJ/43DcGK7b324bWOR4+Nv4JKwTdgPGYg245sKaRGTdnlXHMK7OR+X0mcCWE06GZoQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=adorsys.de; dmarc=pass action=none header.from=adorsys.de; dkim=pass header.d=adorsys.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=adorsys.de; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=KmvL3+FnLRfkWT5ZdyLhuPbW8aRbRrdtcrxkOAUvg0E=; b=xPv7hP96C/tHO5jAoooNKbybsOPeEHiXxUM2dqnwfgwPVkUJpvON7bhtg5odcqEcOkjrVaILW3JUGn/DPYzAVwSUovJproc4LbKjm0vgJswfU5mKT80plRlDKvZqxKA+TMHiDli1l8mDLfVYgk0KL430d5MiEcXqi6PNz5voMoVQB+gIrnKgnR9nxH5wSFZNxG2wnEw+wJErvktnAKeiqQMguvBeqMRjekAJ/70esKJao/ybr+AXsQ9Jsfk2g9OnQOauF7TmpNdScuInf9jAehMCCpenBioTVDE8oCZccnhg1ZE5rWrcm7RyGZwxsorYkqTSFG78Jt7hTw9jczfLSg==
Received: from FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:11::11) by FR2P281MB0265.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:b::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3589.15; Wed, 18 Nov 2020 12:06:51 +0000
Received: from FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM ([fe80::b06b:117e:61f0:138b]) by FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM ([fe80::b06b:117e:61f0:138b%3]) with mapi id 15.20.3589.021; Wed, 18 Nov 2020 12:06:51 +0000
From: Francis Pouatcha <fpo@adorsys.de>
To: Fabien Imbault <fabien.imbault@gmail.com>, Francis Pouatcha <fpo@adorsys.de>
CC: "txauth@ietf.org" <txauth@ietf.org>, Dick Hardt <dick.hardt@gmail.com>, Tom Jones <thomasclinganjones@gmail.com>, Denis <denis.ietf@free.fr>, Justin Richer <jricher@mit.edu>
Thread-Topic: [GNAP] Review of draft-ietf-gnap-core-protocol-00
Thread-Index: AQHWsiy3H8is1hHc2keFJtXpCHRvoKnGFMOAgATzTCaAAZWSAIAABTGAgAAETgCAAAeTAIAAA4oAgAACAwCAAAZDgIABFPt3gAAJ5ACAAAKPuQ==
Date: Wed, 18 Nov 2020 12:06:51 +0000
Message-ID: <FR2P281MB0106245AD7828040C4BF0F7E8DE10@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>
References: <160433257633.23038.15047041472414640530@ietfa.amsl.com> <AB11DC08-C6ED-4045-A8F5-872AD263035D@mit.edu> <FR2P281MB01063C2EA739E892B549611D8D110@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <CAM8feuQcCdQFGUKy-ou7H3Ta38yyN1LR+0XJd9WophRMRdPDEA@mail.gmail.com> <FR2P281MB0106C83420ED3F8DF2723BFD8DE30@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM> <5b8ac79b-0c0e-18e9-9f80-b5d79e9ae59b@free.fr> <CAM8feuQ346w9EL=-qpJRmMOO_YUp_14gShxcro+pVxnfXTvkzw@mail.gmail.com> <5E214281-2974-4632-AB74-4E068B7EE66B@mit.edu> <CAK2Cwb5ACMxjiph796Lq1U3FZ6Tm_2TCmsKTJZn8Fgc0rzEgZQ@mail.gmail.com> <CAD9ie-vDS9-Cc=cVRc_SDg7z6KxMqySdcfv3ZPSjAzHorZP7UQ@mail.gmail.com> <CAK2Cwb66asqy1MCtW7KNHyW5=H23fWATBds2aKC3Xi88V34=Rw@mail.gmail.com> <CAD9ie-sGRFQMj81g4oWAS=CgHOe5ReDrAXeVzqvW9UL0W0P-Qw@mail.gmail.com> <FR2P281MB0106FEBFFB997265C8A9EF878DE10@FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM>, <CAM8feuQiBij5Be2p3he0HwWfC+WaDRVQ6HqEKoq+FfqYJVGNXA@mail.gmail.com>
In-Reply-To: <CAM8feuQiBij5Be2p3he0HwWfC+WaDRVQ6HqEKoq+FfqYJVGNXA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=adorsys.de;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [65.33.157.159]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5be405ba-6f8a-4acf-f65f-08d88bba6f25
x-ms-traffictypediagnostic: FR2P281MB0265:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <FR2P281MB02655CC650620729A7C27EBDCDE10@FR2P281MB0265.DEUP281.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: D88W7MZ4KwKmnreRjQk9AgHan7WNyfp6706GIdJERkH2Rt8pgvbRIo1ERCyrDH3URsZdY5QpE4mAytRa2HZQGocymYfIUlaF2uEPmw1ScgTjqBrrqGvkfwFfu6032iRO+6EejUc2dfFI8s+FxC5AaivYZsLX2FbPKqDetajAtnE+7qy78BgkFaxU8H4ISUPRvua6Yv0uBt/Dwm9oRN1z+qQbrxAOmOBnISg2PMQWJGrpiDa+1nUWGIYUi9Ocskyo/lqhbyYvkiqtBPwJzpbeHjkeuddGUE2kiCTw2+1EWehkyw1KPx5m/ogeUr1uzXjkXCng2eAPkxZKUKzOq6txy+tvO4JrMsMQ6YN34rIFT2dLNSLL6rymoVZu6Pm9HBcK9pxf66BVA7o+erq1ylcJzfKK1p1WJ4eAM80WbiSyB5oHcWgPzMVjvjaxpbHGhWi5ZOvgjHMNIpSR8jlRi+GgcKs4QUnOcAz5Jj5gY5m+cuA=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(366004)(39830400003)(396003)(376002)(346002)(136003)(8936002)(966005)(76116006)(478600001)(7696005)(8676002)(316002)(5660300002)(19627405001)(6506007)(53546011)(91956017)(66946007)(66476007)(64756008)(66446008)(33656002)(26005)(66556008)(86362001)(66574015)(166002)(186003)(83380400001)(110136005)(9686003)(54906003)(2906002)(4326008)(55016002)(71200400001)(30864003)(52536014)(99710200001)(15866825006); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: GCogpoXgY/23N4sGkvjVDcAX95HAQctZfc1Xuq13QHU8TFM8L4DJe+2MTgxC+yaFgZ/DL0nWtuMmTTpD91qY1PJNXasHv9WERxRFN1zV2o/0JSEr9krM0cR5hPRamQv9pCRVo0nMXwGLPYbyTux2Xr7nj5mAjqGDi1EeUrktAi/LouXXlbakdLU8GZVFWsX/7Os7wxGtBOJEOjuDNvv8qLO56beqpBUtfd2m81Y1QwDGs5Fr9IcBZgE+fm3/+kRCn+QjzKTbITbZplLYL44k14bilvFZ+etKgW5tgEQK1wEc55JIj72eylqhd8Nxb6j4PAyKlcH8lWQAL/J7pO1jCxpgQc2rP2IX/dQuzstaX4D+iM5VKcfle0kiJInOFsNrwNZWvJUNasurZBr5yDzKFpzcywr7+ZZhARyPBpxcV8x+Lfe3jOsGaay/W/jQ3mHy/VnjYG+pcth3Ud5VEQDkWSvFRZmEIJgGS/aNYEeWcvxpBNqRb9DMTvsO6GiiCDUVrm4zA7Nb5jGa3YlS/zqk9yQzew6yOLoF91cgJNugvu1fBgbyVTHeXOjAEwZl2udXdPrBetJX1+QlX2jzvvHP0wjX5pXxmitw+zdCWijZWVIKzjQTD/EyEMUjgB3L+3TvYC4f+VsjocBLGxOM7ngeceokdZgGH+y1mEdYxQvZhLBOwy0iQWazpqhe0g6biEp0MMeb35LdMbXBoUv1qGn64m7muvdORbrtEp5CVXUU+d+RTno4kI5jjsHK8OeK88hcNu+qvr0CXJi3XmHBg+xQdQ==
Content-Type: multipart/alternative; boundary="_000_FR2P281MB0106245AD7828040C4BF0F7E8DE10FR2P281MB0106DEUP_"
MIME-Version: 1.0
X-OriginatorOrg: adorsys.de
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: FR2P281MB0106.DEUP281.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 5be405ba-6f8a-4acf-f65f-08d88bba6f25
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Nov 2020 12:06:51.6677 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5e2c5484-e522-479d-91ca-515d6e0ce228
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ULwqdaeQM5mm0TY7Ca9cUcfF4ACBL8tnKeLq1bG+oIy97/W0U83E1q+A9v07oeIaQGcODX9s8utPEystHCzoSsDyn4Qt2/+/IxdH0vawkcs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: FR2P281MB0265
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/5cJ98S5r5sJkP8WBIdEte184oFY>
Subject: Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 12:06:58 -0000

It would be nice if the protocol was designed at many layers of abstraction.


  *   The first layer shall design abstract protocol flows, without specification of the mode and mechanism of interaction.
  *   The second layer can instantiate the first layer for dedicated interaction. Here we can talk http, we can define interactions that presume server based token generation, we can define interaction that run on user device based token generation.

This is also the fundament of the structure I proposed for the spec (https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/30).

/Francis

________________________________
From: Fabien Imbault <fabien.imbault@gmail.com>
Sent: Wednesday, November 18, 2020 6:35 AM
To: Francis Pouatcha <fpo@adorsys.de>
Cc: txauth@ietf.org <txauth@ietf.org>; Dick Hardt <dick.hardt@gmail.com>; Tom Jones <thomasclinganjones@gmail.com>; Denis <denis.ietf@free.fr>; Justin Richer <jricher@mit.edu>
Subject: Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00

Would make sense, but not so easy as we rely heavily on HTTP. Hence the discussion about deep links and so on.

An alternative might be provided by wasm/wasi (running a local sandbox on your phone, for your own AS), but it's really early stage. This also poses another question that Denis has put forward, i.e. how do we handle the multiple AS scenario (likely to occur then).

Fabien

On Wed, Nov 18, 2020 at 12:16 PM Francis Pouatcha <fpo@adorsys.de<mailto:fpo@adorsys.de>> wrote:
We are drifting away from the original problem space.

  *   My original mention was about the "POST" request, that subsumes that the "AS" is a "Server". Designing a new protocol, we cannot afford this limitation.
  *   I just mentioned SIOP to show a known and closed example? Let us not focus on the device local discovery scheme (like openid:) for now.
  *   As capability of holding private keys on user device evolves, server-based issuing of token will be fading out giving way to device local generation of token.

While designing GNAP, let us assume the AS-Role can be exercised on a user device and design the protocol to honor that.

Best regards,
/Francis
________________________________
From: TXAuth <txauth-bounces@ietf.org<mailto:txauth-bounces@ietf.org>> on behalf of Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>>
Sent: Tuesday, November 17, 2020 1:28 PM
To: Tom Jones <thomasclinganjones@gmail.com<mailto:thomasclinganjones@gmail.com>>
Cc: Fabien Imbault <fabien.imbault@gmail.com<mailto:fabien.imbault@gmail.com>>; Denis <denis.ietf@free.fr<mailto:denis.ietf@free.fr>>; GNAP Mailing List <txauth@ietf.org<mailto:txauth@ietf.org>>; Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>>
Subject: Re: [GNAP] Review of draft-ietf-gnap-core-protocol-00

Got it.

So web apps invoke a openid: deep link and hope there is an app to handle the openid: scheme? ... and that it is the user's wallet rather than some malware that has registered openid: on the mobile device?

A native app can attempt to open a deep link associated with an app, and will fail if the app is not there. If the app is there, it will be opened, so this can't be used to silently test if an app is present, but it does allow a native app to provide an alternative experience if an app is not present. I don't think this works with custom schemes ... and I don't know how it could work from a web app on the phone with the current Safari APIs.

Apple warns against using custom schemes [1] ... but perhaps they can be convinced to make openid: a managed scheme similar to mailto:, tel:, sms:, facetime: ?

[1] https://developer.apple.com/documentation/xcode/allowing_apps_and_websites_to_link_to_your_content/defining_a_custom_url_scheme_for_your_app


[https://mailfoogae.appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D&type=zerocontent&guid=011490be-d3a0-4b2c-8abb-e51175e3ae19]ᐧ

On Tue, Nov 17, 2020 at 10:06 AM Tom Jones <thomasclinganjones@gmail.com<mailto:thomasclinganjones@gmail.com>> wrote:
You are - that is not standard which is opeind://
This is the one step that still needs to be optimized for SIOP to have good UX.
Peace ..tom


On Tue, Nov 17, 2020 at 9:59 AM Dick Hardt <dick.hardt@gmail.com<mailto:dick.hardt@gmail.com>> wrote:
Hi Tom

I watched your video (I watched at 2X speed)

Looks like the employment website app that is using localhost:8765 to communicate with the wallet. Am I correct?

/Dick
[https://mailfoogae.appspot.com/t?sender=aZGljay5oYXJkdEBnbWFpbC5jb20%3D&type=zerocontent&guid=11a62ce6-9b4a-4d5f-86c5-d2c114395aee]ᐧ

On Tue, Nov 17, 2020 at 9:46 AM Tom Jones <thomasclinganjones@gmail.com<mailto:thomasclinganjones@gmail.com>> wrote:
Well, here's a demo. Note that in this case the AS is not online all of the time, so it is really implicit flow and the OIDC id-token comes from the siop device directly.
(whether this is front-channel or back channel is no longer an interesting question.)
Now if an always-on AS is required, that is possible, but probably beyond the scope of this effort and would require something like an agent-in-the-sky (with diamonds).
here is the link to the 9 min video   https://youtu.be/Tq4hw7X5SW0<https://urldefense.us/v2/url?u=https-3A__youtu.be_Tq4hw7X5SW0&d=DwMFaQ&c=2plI3hXH8ww3j2g8pV19QHIf4SmK_I-Eol_p9P0CttE&r=D5lnfoa2MVZWELqVbbz71ooelbP7rVGCjGDSBNvUpYQ&m=ixsudGSr_dhG-SLiatb4Sz9FWslmywnYyZAOLgZxhl8&s=jdLLy0G1JTQCAOBZ6PeUgI0kiCtVJXrru0VToYWlNZ8&e=>
Peace ..tom


On Tue, Nov 17, 2020 at 9:20 AM Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
Ultimately, in most situations like these in the real world, the hurdle isn’t technical compatibility so much as it is trust compatibility. The RP (client) needs to have some incentive to trust the assertions and identity information that’s coming from the AS. The same is true for an RS trusting tokens from the AS. The hard question is less “how” to do that (which SSI answers), but more “why” to do that (which SSI doesn’t answer very well, because it’s a hard question).

Still: it’s definitely a question about how to support this “AS on device” element. We’ve got the start of it more than OAuth2/OIDC have by allowing the bootstrap of the process from a starting call: the interaction and continuation URIs handed back by the AS don’t need to be the same URIs that the client starts with, so just like SIOP the process can start in HTTP and potentially move to other communication channels. A major difference is that we aren’t dependent on the assumption that the user will always be in a browser at some stage, and so the whole raft of front-channel messages that SIOP relies on doesn’t fly. That said, we’ve got an opportunity to more explicitly open up alternative communication channels here, and that’s something I’d like to see engineered, even if it’s an extension. I’d love to see a concrete proposal as to how that would work over specific protocols, starting with what we’ve got today.

 — Justin

On Nov 17, 2020, at 12:03 PM, Fabien Imbault <fabien.imbault@gmail.com<mailto:fabien.imbault@gmail.com>> wrote:

Hi Denis, hi Francis,

At some point integration with SSI (on the authentication side) will probably occur, including amongst other possibilities SIOP (since they work with OpenID a part of the work will probably be made easier).

That being said, Denis is right. It's not an AS. Technically it's entirely possible to rely on a decentralized wallet (for instance on your phone) and a centralized AS. I know of a few studies on how to decentralize the AS itself (for instance https://tools.ietf.org/html/draft-hardjono-oauth-decentralized-02).
Maybe it exists, but I'm still looking for real scenarios (or even architectures) where an AS is deployed directly on a phone, and under the sole authority of the RO, while being compatible with the rest of the world.

Cheers,
Fabien

On Tue, Nov 17, 2020 at 5:45 PM Denis <denis.ietf@free.fr<mailto:denis.ietf@free.fr>> wrote:
Hello  Francis,

See two comments in line.


B) Current Document

Roles description shall not hold any assumption on the physical structure of the party fulfilling the roles.
[FI] not sure what you mean
 [FP] for example, we assume the AS is a server! In most SSI based use cases, the AS will be running on the user device. See SIOP (https://identity.foundation/did-siop/).

I browsed through the two drafts, i.e. :

  *   Decentralized Identifiers (DIDs) v1.0 Core architecture, data model, and representations W3C Working Draft 08 November 2020
  *   Self-Issued OpenID Connect Provider DID Profile v0.1. DIF Working Group Draft

At no place within these two documents, it is possible to imagine that "the AS will be running on the user device".

From section 3 of the DIF Working Group Draft:

      "Unlike the OIDC Authorization Code Flow as per [OIDC.Core], the SIOP will not return an access token to the RP".

An Identity Wallet is not an AS.

Roles:
-> grant endpoint of the AS: Why is this a post request? This eliminates the chance of having user device hosted AS (no server).
[FI] what would you propose instead?
Would also be interested to understand better the deployment model when there is no server. That's something that was discussed several times but I'm still missing the underlying architecture and use case.
 [FP] See above (SIOP). There will be a lot of identity wallets operated on end user device.

See the above comment. Please, do not confuse an Identity Wallet with an Authentication Server (AS).

Denis

-> Resource Owner (RO) : Authorizes the request? Does it authorize the request or the access to a resource?
[FI] yes, we should make the wording clearer

Missing Section Interactions:
--> This section shall introduce the notion of interaction before we start listing interaction types.
[FI] yes

Interaction Types:
--> I prefer a classification with Redirect, Decoupled and Embedded is. In the draft, we have one redirect and 2 decouple interactions and nothing else.
[FI] this should be handled as a specific discussion item. As a reminder, how would you define embedded?

In practice there's at least these modes:
- redirect and redirect back
- redirect to different browser or device
- user code
- CIBA
[FP] This classification is limited.

  *   Redirect: same device, same or different user agents (browser, mobile app, desktop app, ...)
  *   Decoupled: different devices
  *   Embedded : RC carries RO authorization to AS


Resource Access Request vs. Resource Request
--> Both are mixed up. No clarification of the context of each section.
[FI] could you clarify what you'd expect.  Btw on this topic, there's a more general discussion on whether we should make a distinction or not.
​[FP]: Here:

  *   Resource Access Request: Requesting Access to a resource. Response is an access token (or any type of grant)
  *   Resource Request: Request the resource. Response is the resource (or a corresponding execution)

Token Content Negotiation
--> Not expressed as such. This is central to GNAP and not represented enough  in the document.
[FI] right. This should be a specific discussion item.

Requesting "User" Information
we identify two types of users: RQ and RO. It will be better not to refer to a user in this draft, but either to a RQ or an RO.
[FI] yes that would avoid potential misunderstandings. Although in the end, people will translate RQ into user or end-user most of the time. Cf in definition, currently we have Requesting Party (RQ, aka "user")


Interaction Again
-> For each interaction type, we will have to describe the protocol flow and the nature and behavior of involved Roles (Parties), Elements, Requests.
[FI] yes

[FP] Will these and into tickets?

Best regards.
/Francis





--
TXAuth mailing list
TXAuth@ietf.org<mailto:TXAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/txauth
--
TXAuth mailing list
TXAuth@ietf.org<mailto:TXAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/txauth

--
TXAuth mailing list
TXAuth@ietf.org<mailto:TXAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/txauth
--
TXAuth mailing list
TXAuth@ietf.org<mailto:TXAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/txauth

v2.23.0 | Report a Bug | By Email