IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 12 December 2020 10:33 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C48473A0FEE for <txauth@ietfa.amsl.com>; Sat, 12 Dec 2020 02:33:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l0wGq_GE8QCS for <txauth@ietfa.amsl.com>; Sat, 12 Dec 2020 02:33:27 -0800 (PST)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AA983A0FEB for <txauth@ietf.org>; Sat, 12 Dec 2020 02:33:26 -0800 (PST)
Received: by mail-wm1-x32d.google.com with SMTP id q75so10808020wme.2 for <txauth@ietf.org>; Sat, 12 Dec 2020 02:33:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=UwmXGXX/OVG5Zf+772Iv0vjzbPwHub5Lvtjj9MavoYk=; b=PdXOR0ZlmOz2hunL0mwSvUaQZJ0ugmnUMS0MwZBa/lIOVWNE0X2bACXDXCRWfqqUSO RvgHSO+UoRQ/yXmkWZxPwLaJlB34Z04OP4Xj/y1D4Is0JcIu2xXVcXmR6CnT/x+hDQ7V SXy7dCHf+uMtX6oWTbVThk+miEBqQA0l63jHzVGBnfiwwiHv5yYmyXmWFAFB14fdTD9g aFYaSXoBbbj5k6HpCQCqS1dwH47IkM0ikPW85TB87UXF/Fmn68ByGTsRKxh6lQg1MAbD tJLWGUHriEN2JCJV5tbwNglaRnWsR9rIOopE3G8A4OKLK22BrqwmRjrBkoBGb5JGa8cs nkvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=UwmXGXX/OVG5Zf+772Iv0vjzbPwHub5Lvtjj9MavoYk=; b=id0wBEeXPlOBdgnn7LEOmbwCFj3TF8vQ2ZXGpoqrk9hhvXKBqzftuejEPV+5UDMukL KLXCOxBrC3SFtDCMKoZmhIUW1phn1wndsi5qCVBtJg71BifXusi6nESX2ac7wEwKVG62 Eh4rLEkATF/rocyTMjlwwaDWR87qV2RE3qE+vYdz90nvVWvRruS6QC+vnV8rME7Tkyon X4uMvE48rv6EEaCM8fsq0TnrwnWRNKTC6v3BReq+ARdrV6b6waJ3HFnk5NR6Yy+Hjz/C f4kcdhsLtbuWlH1kLjENpWTZxdh73gJN2PzwZSBCoGwL/Z/ApfShzjKmdbMstckkoBVa EtJA==
X-Gm-Message-State: AOAM531xcekwZOxpRpTrVlDn5mkx+grRRQB/dY1d+a7zM4omtatefMN9 uZYXgtXNJk999hH/6oMlDZK2tw==
X-Google-Smtp-Source: ABdhPJwJmR/q7k1cjo8jvtakjOBEdpgCNm2qV1ARjnE20XAQ4ZvAQe5c06Qd8fIvTGMt8+x36wCh7Q==
X-Received: by 2002:a1c:1c1:: with SMTP id 184mr17744733wmb.112.1607769204829; Sat, 12 Dec 2020 02:33:24 -0800 (PST)
Received: from ?IPv6:2003:eb:8f1b:fae3:5541:8cbe:7369:6453? (p200300eb8f1bfae355418cbe73696453.dip0.t-ipconnect.de. [2003:eb:8f1b:fae3:5541:8cbe:7369:6453]) by smtp.gmail.com with ESMTPSA id s25sm174145wrs.49.2020.12.12.02.33.23 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 12 Dec 2020 02:33:23 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail-D8CA3CF8-A01B-440D-9A6D-3AA2F95CA733"; protocol="application/pkcs7-signature"; micalg="sha-256"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Sat, 12 Dec 2020 11:33:22 +0100
Message-Id: <F6620639-2CE9-4A0A-A44C-6E973A5039BD@lodderstedt.net>
References: <CAM8feuSVX9dqfGXtmywBUz=wRkHRqaSOkvzmX0pvQuM6T=10nA@mail.gmail.com>
Cc: Stephen Moore <srmoore@gmail.com>, txauth gnap <txauth@ietf.org>, Justin Richer <jricher@mit.edu>, Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <CAM8feuSVX9dqfGXtmywBUz=wRkHRqaSOkvzmX0pvQuM6T=10nA@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
X-Mailer: iPad Mail (18B92)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/ibttyYYvnJbGunl_JquJtgcTNjQ>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2020 10:33:30 -0000

Hi all,

I didn’t follow GNAP closely so bear with me if me question seems naive.

After having skimmed through the current draft and the PR, I‘m not sure whether the continuation requests accepts any access token issued to the RC or the particular access token returned in the „continue“ element in section 3.1..

Can you please shed some light on this?

kind regards,
Torsten.

> Am 12.12.2020 um 03:35 schrieb Fabien Imbault <fabien.imbault@gmail.com>:
> 
> 
> You're completely right. Allowing the dev to be lazy is a very good thing in general, because it's what we know will work :-) 
> 
>> Le sam. 12 déc. 2020 à 03:15, Stephen Moore <srmoore@gmail.com> a écrit :
>> Hi Fabien,
>> 
>> For #3) Even after I typed out the hypothetical attack, that was sort of in the back of my mind, it isn't a huge risk there. So I actually agree with Dick there. Something doesn't sit right with me for the unique URL solution, so I don't like it and came up with a hypothetical that seems like it could be a down side.
>> 
>> I still think the access token model with the signed request is the way I'd like to go, because again, it's a mechanism I'd be implementing anyway to talk to any 'normal' resource. The fact is there is _something_ representing context that has to pass back and forth here, whether that is an access token (which I feel like is more flexible for extensions etc), a unique url, or even a cookie sent in the cookie header. So just to re-iterate, I'm a +1 on this pull request, speaking as a lazy developer ;)
>> -steve
>> 
>>> On Fri, Dec 11, 2020 at 8:51 PM Fabien Imbault <fabien.imbault@gmail.com> wrote:
>>> Again speaking in my own name here. 
>>> 
>>> Dick, we know you'd prefer to have a different design, but this PR shouldn't be about that. 
>>> 
>>> Back on your 3 items :
>>> 
>>> 1) yes we could make pre-register mandatory, but we already decided that wouldn't be how that would work. We have a client instance that allows a more generic and flexible pattern (which BTW also allows what you want) 
>>> 
>>> 2) instead of blame arguments of who's less restful/HATEOAS/whatever that have the tenancy to flame conversations, I suggest we speak in less abstract terms and ask ourselves what that means in practice for devs. Stephen and several others (myself included) have expressed that it wouldn't be harder to implement, it would even simplify things quite a lot. If you disagree please send us a code sample to really show that point by example, because that's really not obvious. 
>>> 
>>> 3) "If someone has the client credentials, they can impersonate the client, and all bets are off." Are you seriously making this argument? Because if you have a better proposal than using cryptographic keys, I'm all hears. You make it look like there's a problem, while in reality we're only relying on the basic assumption of all modern digital communications. 
>>>  
>>> And more importantly you never responded to the issues of how to avoid the security pitfalls of what you proposed. 
>>> 
>>> Fabien 
>>> 
>>> 
>>>> Le sam. 12 déc. 2020 à 00:35, Dick Hardt <dick.hardt@gmail.com> a écrit :
>>>> 
>>>> 
>>>>> On Fri, Dec 11, 2020 at 2:53 PM Stephen Moore <srmoore@gmail.com> wrote:
>>>>> But from the spec:
>>>>> "
>>>>> When sending a non-continuation request to the AS, the RC MUST identify itself by including the client field of the request...
>>>>> ...
>>>>> key (object / string) : The public key of the RC to be used in this request as described in {{request-key}}. This field is REQUIRED. 
>>>>> ...
>>>>> "
>>>>> So on the initial request, the key will be there. 
>>>> 
>>>> 
>>>> The client field can be an object or a string. If the client is pre-registered, then a string could be provided instead of an object.
>>>>  
>>>>> 
>>>>> If you don't have the access token, then how do you differentiate between two requests from the same web application by two different users? Is the web application supposed to have different credentials for every request?
>>>> 
>>>> The AS returns a URI for manipulating the request. I would change the spec so that each request would have a unique URI. This is the usually RESTful pattern that the resource (the grant request) has an URI.
>>>> 
>>>>  
>>>>> So in this case, the easy way out is to pass the access token to the client, who then, as i stated before, treats the continue request as a RS call (albeit a specialized version of the RS where the RS is the AS) OR to use the unique URL, 
>>>>> but that seems open to a brute force attack by a malicious RC. (What would be the point of that attack, I don't know, I guess if someone had the client credentials but not any subjects/resources they could try to intercept the grant via continue... I just don't feel right locking things down to unique URLs that way.)
>>>> 
>>>> If someone has the client credentials, they can impersonate the client, and all bets are off.
>>>> 
>>>> LOTS of RS servers return a resource specific URL -- my proposal is no different.
>>>> 
>>>> 
>>>>  
>>>>> -steve
>>>>> 
>>>>>> On Fri, Dec 11, 2020 at 5:33 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>> Hi Stephen
>>>>>> 
>>>>>> The client is signing the first request. The key *might* be in the body. The client is signing all the subsequent requests as well. The "access token" is not needed by the client to prove it is authorized as the client is proving it is the same client again.
>>>>>> 
>>>>>> In other words, I don't see the need for an access token, so it does not need to be put in a URL or an auth header.
>>>>>> 
>>>>>> If a developer really, really wants to hand context back to the client for subsequent calls, they can put it in the URL or some other method. Putting it in the HTTP Authorization header is confusing because it is NOT an access token -- it is the context of the request.
>>>>>> 
>>>>>> ᐧ
>>>>>> 
>>>>>>> On Fri, Dec 11, 2020 at 2:01 PM Stephen Moore <srmoore@gmail.com> wrote:
>>>>>>> Even though I've only been lightly following things, I feel the need to voice my preference as a developer since I will probably someday have to either write a RC or RS... 
>>>>>>> 
>>>>>>> The way I see it is the RC makes the initial request to the AS as part of this request, it provides it's key in the body... (So no use of the Authorization header)
>>>>>>> At this point that request, represented by the continue URL + "Access Token", from my lazy developer standpoint, is a Resource Endpoint and Access Token, and the AS is acting as a specialized RS in this case.
>>>>>>> So my client posts to whatever URL with the 'access token' in the authorization header, just like acting on any other resource I have a token for. YES, I get a new token value to use every call, and there is a decision point of "Do I have another continue, or do I have a real token for the resource..." But the mechanism is the same to me in the client.
>>>>>>> Personally I like that, because if I have an access_token, I already think "Put it in the auth header." 
>>>>>>> 
>>>>>>> So my vote would be +1 for the pull request at this time.
>>>>>>> -steve
>>>>>>> 
>>>>>>>> On Fri, Dec 11, 2020 at 3:04 PM Dick Hardt <dick.hardt@gmail.com> wrote:
>>>>>>>> inline ... 
>>>>>>>> 
>>>>>>>>> On Fri, Dec 11, 2020 at 9:58 AM Justin Richer <jricher@mit.edu> wrote:
>>>>>>>>> Others had already responded to this previous thread, but I wanted to add a couple points to clarify some things.
>>>>>>>>> 
>>>>>>>>>> 3) What the client has to do with the "access token" is not the same as access tokens for an RS. The client gets a new "access token" for each grant request, and for each API call to the AS, and the client learns it can not make any more API calls for that specific request when it does not get an "access token" back. This is a completely different design pattern than calling an RS API with an access token, and is a new design pattern for calling APIs. This adds complexity to the client that it would not normally have, and I don't think GNAP is the right place to start a new design pattern.
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> I’m not sure what you mean by these being different — the whole point of the design is that the client would be doing the same thing with the access token at the AS that it does with the RS by re-using the access token structure. Can you please describe what the differences are, apart from the rotation? Presentation of the token and signing of the message are identical.
>>>>>>>> 
>>>>>>>> The client is getting the "access token" from its API. It is not using an "access_token" in other API calls to the AS.
>>>>>>>>  
>>>>>>>>> 
>>>>>>>>> Rotation of the access token and artifacts for ongoing continuation responses is a separate issue to be discussed: https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/87
>>>>>>>>> 
>>>>>>>>> And for what it’s worth, GNAP is absolutely the right place to have new designs — not that this is one.
>>>>>>>> 
>>>>>>>> You are proposing a new way for an API to provide context for subsequent API calls. Looks out of scope to me.
>>>>>>>>  
>>>>>>>>> 
>>>>>>>>>> 4) Clients that only want claims from the AS and no access tokens will be required to support an API calling mechanism they would not have to support otherwise. 
>>>>>>>>> 
>>>>>>>>> Correct, but the delta between the calls a client would make with and without an access token is vanishingly small. The client has to sign the initial request in some fashion, and it will sign the continuation request in the same exact fashion, but now include an access token in that request. 
>>>>>>>> 
>>>>>>>> Per my other point, there is no value to me in my implementations of passing context back and forth between the client and AS -- so it is extra work providing no value.
>>>>>>>> 
>>>>>>>> Also, any client authentication mechanism that wants to use the HTTP Authentication header is precluded from using it.
>>>>>>>> 
>>>>>>>>  
>>>>>>>>> 
>>>>>>>>> Clients making a request to an AS and not getting an access token is a new design pattern. I think it has value and should be included, but OAuth today shows us the immense value of getting access tokens for calling APIs, and so we shouldn’t optimize away from that pattern.
>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 5) If the AS does not provide an "access token", there is no mechanism for a client to delete the request, as the client is not allowed to make a call without an "access token".
>>>>>>>>> 
>>>>>>>>> More properly, if the AS does not provide a “continue” field then the client can’t delete the request — and yes, that’s intentional. The AS is telling this client instance that it can’t do anything else with this ongoing request. If the AS wants to allow the client to manage it, it will include the mechanisms to do so in the “continue” field.
>>>>>>>> 
>>>>>>>> There is nuance in that intention. A related concern is that deleting a request does not seem like it is a "continue" operation.
>>>>>>>>  
>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> 6) There is no standard identifier for the request. Debugging and auditing are hampered by the client and AS having no standard way to identifying a request. While one AS may provide a unique URL for each grant request, another AS may use a persistent "access token" to identify the grant request, and other ASs may issue a new "access token" on each API call, providing no persistent identifier for the request.
>>>>>>>>> 
>>>>>>>>> Debugging and auditing this kind of thing are functions of the AS. How is interoperability harmed by different ASs having different methods to identify their internal data elements? The client doesn’t need any knowledge of the AS’s identifiers, it just needs to know the next steps for continuing the negotiation.
>>>>>>>> 
>>>>>>>> Debugging between the client and the AS was what I was referring to. How does a client developer identify the request when communicating to the AS developer. Seems complicated.
>>>>>>>>  
>>>>>>>> ᐧ
>>>>>>>> -- 
>>>>>>>> TXAuth mailing list
>>>>>>>> TXAuth@ietf.org
>>>>>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>> 
>>>> ᐧ
>>>> -- 
>>>> TXAuth mailing list
>>>> TXAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
> -- 
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.google.com/url?q=https://www.ietf.org/mailman/listinfo/txauth&source=gmail-imap&ust=1608345320000000&usg=AOvVaw0r39lH4qVOu0IQPJJYtSpI

v2.23.0 | Report a Bug | By Email