Re: [GNAP] draft-hardt-xauth-protocol-14 update - reworked introduction

Denis <denis.ietf@free.fr> Wed, 19 August 2020 08:41 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C877A3A1304 for <txauth@ietfa.amsl.com>; Wed, 19 Aug 2020 01:41:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.632
X-Spam-Level:
X-Spam-Status: No, score=-2.632 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.212, NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SPCaHQ3vooPw for <txauth@ietfa.amsl.com>; Wed, 19 Aug 2020 01:41:56 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp07.smtpout.orange.fr [80.12.242.129]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08A583A1300 for <txauth@ietf.org>; Wed, 19 Aug 2020 01:41:54 -0700 (PDT)
Received: from [192.168.1.11] ([90.79.51.120]) by mwinf5d83 with ME id HLhs2300Q2bcEcA03LhsNe; Wed, 19 Aug 2020 10:41:53 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Wed, 19 Aug 2020 10:41:53 +0200
X-ME-IP: 90.79.51.120
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
References: <CAD9ie-v_1GHHJWVeXb5cXiUELj-Un7BN6uCdqSRz4qjL_rq=UQ@mail.gmail.com> <af835def-624b-bad3-1c86-9eb55443d8fe@free.fr> <CAD9ie-sJFELQo9jd=W9234dnhcAngBk2TdEofWSswcTNX2pg1Q@mail.gmail.com> <27879318-fde2-85e4-fd9b-67da34b8be43@free.fr> <CAD9ie-tQ7A52yuZUSEqJuPx3Omi6g8+6oVBRy8MVe3dzj1KDCQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <0b2338ea-d7a4-bd9c-f7dc-19ebfa980c70@free.fr>
Date: Wed, 19 Aug 2020 10:41:53 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <CAD9ie-tQ7A52yuZUSEqJuPx3Omi6g8+6oVBRy8MVe3dzj1KDCQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------72A3B0F0E27804757EF7A67B"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/jlgDxVVsrtYUyuqc4Tf4AF223bc>
Subject: Re: [GNAP] draft-hardt-xauth-protocol-14 update - reworked introduction
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Aug 2020 08:42:00 -0000

Hi Dick,

> While I disagree with your interpretation of the charter -- I'll give 
> you another example.
>
> One of my use cases is for the GC to retrieve Claims directly from the 
> GS. There is no RS, so querying an RS first does not make sense.

So, let us notice this disagreement.

I was only discussing the very first exchange from the figure inserted 
in section 1.2. The use case you mention has nothing to do with section 1.2.
Moreover, the example you mention is not described, nor illustrated by 
any figure in the draft.

Nevertheless, the use case you mention is straightforward.  A User 
should be able to query at any time both the attributes _/and the 
capabilities,/_
if any, that are registered by the AS. We should define a protocol for 
this retrieval.

BTW, the sentence you are using includes the word "Claims" which is 
currently left undefined, since Section 5 from [OIDC] does not provide
any formal definition for it.

Denis

> On Tue, Aug 18, 2020 at 12:46 PM Denis <denis.ietf@free.fr 
> <mailto:denis.ietf@free.fr>> wrote:
>
>     Hi Dick,
>>     Hi Denis
>>
>>     Thanks for taking the time to review the latest draft
>>
>>     While *your* cases may require certain conditions, other use
>>     cases have other conditions.
>>
>>     For example, existing OAuth 2 flows do NOT have the client query
>>     the RS first. Per the charter, supporting OAuth 2 use cases is in
>>     scope.
>
>      I don't believe so.  The charter states: "It will *expand *upon
>     the uses cases currently supported by OAuth 2.0 and OpenID Connect
>     ..."
>
>     The charter also states: "This group is not chartered to develop
>     extensions to OAuth 2.0, and as such *will focus on new
>     technological solutions **
>     **not necessarily compatible with OAuth 2.0*".
>
>     We are not necessarily going to support all the current OAuth 2.0
>     uses cases, since such use cases can already be supported using
>     OAuth 2.0.
>
>     Denis
>
>>     ᐧ
>>
>>     On Tue, Aug 18, 2020 at 10:29 AM Denis <denis.ietf@free.fr
>>     <mailto:denis.ietf@free.fr>> wrote:
>>
>>         Hi Dick,
>>
>>         I have taken a look at the specification and there are good
>>         news but unfortunately also bad news.
>>
>>         The good news: There is a Privacy considerations section
>>         (section 11)
>>
>>         The bad news: There is the title of that section, but no text
>>         in it.
>>
>>         The good news: The first exchange is now between the client
>>         and the RS:
>>
>>             (1) The GC may query the RS to determine what the RS
>>             requires from a GS for resource access.
>>
>>         The bad news: The text is using a "may" and continues with:
>>         "This step is not in scope for this document".
>>
>>         This first flow is fundamental and if the client has never
>>         contacted the RS before, that step shall be performed.
>>         Hence, the use of the word "may" is inappropriate. In
>>         addition, using the singular "for a GS" is also inappropriate
>>         since a RS
>>         may trust more than one GS.
>>
>>         Please take a look at the uses cases I have posted today
>>         called: "Enterprise servers and Internet servers use cases"
>>         The document is available at :
>>         https://github.com/ietf-wg-gnap/general/wiki/Enterprise-servers-and-Internet-servers-use-cases
>>
>>         This post attempts to explain why this first flow is the most
>>         important. IMHO, it should be within the scope.
>>
>>         BTW, I don't like the wording "Grant Client" since it is
>>         ambiguous as it does not make any difference between what I call
>>         a "User Client" and an "Enterprise Client".
>>
>>         The text then uses the following sentence which is
>>         inappropriate for various reasons:
>>
>>             The Grant Client may be interacting with a human end-user
>>             (User),
>>
>>         A user client *must *be interacting with a human end-user
>>         (User). The User must interact using, what I call, a "User
>>         Agent".
>>
>>             and the Grant Client may need to get authorization to
>>             release the Grant from the User,
>>
>>         Further down, a grant is defined as: "the user identity
>>         claims and/or resource access the GS has granted to the Client".
>>
>>         Such a definition is inappropriate since a grant is first of
>>         all an access token issued by an AS that contains attributes
>>         and/or
>>         capabilities that allow to perform some method(s) on a data
>>         object.
>>
>>         Before an access token is issued for a User, a User Consent,
>>         as well as some choices, made by the User shall be obtained.
>>         This does not apply when an access token is issued for a
>>         client (i.e. a piece of software). The vocabulary that is
>>         being used
>>         does not allow to make these major differences.
>>
>>             or from the owner of the resources at the Resource
>>             Server, the Resource Owner (RO).
>>
>>         No authorization is needed by the owner of the resource. A
>>         Resource Controller (RC) is a piece of software that applies
>>         a set of rules
>>         to grant or to deny access to a data object using some
>>         method. No human interaction from a human being sitting next
>>         to the RS is ever needed.
>>
>>         The uses cases I posted today contain a more detailed model
>>         that is able to support both capabilities and ABAC
>>         (Attribute-based Access Control).
>>
>>         Denis
>>
>>>         Hello
>>>
>>>         I just pushed an updated version of XAuth:
>>>
>>>         https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html
>>>
>>>         Highlights:
>>>
>>>           * renamed Client -> Grant Client
>>>           * Introduced Client Owner, Grant Server Owner as new entities
>>>           * renamed Authorizations -> Access
>>>           * An Access contains an array of RAR objects now
>>>           * Reworked diagram an intro to focus on Grant, and
>>>             separate protocol roles from human interactions.
>>>
>>>         New introduction included below for your convenience
>>>
>>>         /Dick
>>>
>>>          *
>>>
>>>
>>>             1.
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1>Introduction
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-introduction>
>>>
>>>         *EDITOR NOTE*
>>>
>>>         /This document captures a number of concepts that may be
>>>         adopted by the proposed GNAP working group. Please refer to
>>>         this document as:/
>>>
>>>         *XAuth*
>>>
>>>         /The use of GNAP in this document is not intended to be a
>>>         declaration of it being endorsed by the GNAP working group./
>>>
>>>         This document describes the core Grant Negotiation and
>>>         Authorization Protocol (GNAP). The protocol supports the
>>>         widely deployed use cases supported by OAuth 2.0 [RFC6749
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>] &
>>>         [RFC6750
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6750>],
>>>         OpenID Connect [OIDC
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] -
>>>         an extension of OAuth 2.0, as well as other extensions.
>>>         Related documents include: GNAP - Advanced Features
>>>         [GNAP_Advanced
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#GNAP_Advanced>] and
>>>         JOSE Authentication [JOSE_Authentication
>>>         <https://tools.ietf..org/id/draft-hardt-xauth-protocol-14.html#JOSE_Authentication>] that
>>>         describes the JOSE mechanisms for client authentication.
>>>
>>>         The technology landscape has changed since OAuth 2.0 was
>>>         initially drafted. More interactions happen on mobile
>>>         devices than PCs. Modern browsers now directly support
>>>         asymetric cryptographic functions. Standards have emerged
>>>         for signing and encrypting tokens with rich payloads (JOSE)
>>>         that are widely deployed.
>>>
>>>         GNAP simplifies the overall architectural model, takes
>>>         advantage of today's technology landscape, provides support
>>>         for all the widely deployed use cases, offers numerous
>>>         extension points, and addresses many of the security issues
>>>         in OAuth 2.0 by passing parameters securely between parties
>>>         rather than via a browser redirection.
>>>
>>>         While GNAP is not backwards compatible with OAuth 2.0, it
>>>         strives to minimize the migration effort.
>>>
>>>         The suggested pronunciation of GNAP is "guh-nap".
>>>
>>>
>>>               1.1.
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.1>The
>>>               Grant
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-the-grant>
>>>
>>>         The Grant is at the center of the protocol between a client
>>>         and a server. A Grant Client requests a Grant from a Grant
>>>         Server. The Grant Client and Grant Server negotiate the
>>>         Grant. The Grant Server acquires authorization to grant the
>>>         Grant to the Grant Client. The Grant Server then returns the
>>>         Grant to the Grant Client.
>>>
>>>         The Grant Request may contain information about the User,
>>>         the Grant Client, the interaction modes supported by the
>>>         Grant Client, the requested identity claims, and the
>>>         requested resource access. Extensions may define additional
>>>         information to be included in the Grant Request.
>>>
>>>
>>>               1.2.
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.2>Protocol
>>>               Roles
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-protocol-roles>
>>>
>>>         There are three roles in GNAP: the Grant Client (GC), the
>>>         Grant Server (GS), and the Resource Server (RS). Below is
>>>         how the roles interact:
>>>
>>>              +--------+                               +------------+
>>>              | Grant  | - - - - - - -(1)- - - - - - ->|  Resource  |
>>>              | Client |                               |   Server   |
>>>              |  (GC)  |       +---------------+       |    (RS)    |
>>>              |        |--(2)->|     Grant     |       |            |
>>>              |        |<-(3)->|     Server    |- (6) -|            |
>>>              |        |<-(4)--|      (GS)     |       |            |
>>>              |        |       +---------------+       |            |
>>>              |        |                               |            |
>>>              |        |--------------(5)------------->|            |
>>>              +--------+                               +------------+
>>>
>>>         (1) The GC may query the RS to determine what the RS
>>>         requires from a GS for resource access. This step is not in
>>>         scope for this document.
>>>
>>>         (2) The GC makes a Grant request to the GS (Create Grant
>>>         Section 3.2
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#CreateGrant>).
>>>         How the GC authenticates to the GS is not in scope for this
>>>         document. One mechanism is [JOSE_Authentication
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#JOSE_Authentication>].
>>>
>>>         (3) The GC and GS may negotiate the Grant.
>>>
>>>         (4) The GS returns a Grant to the GC (Grant Response Section
>>>         4.1
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#GrantResponse>).
>>>
>>>         (5) The GC accesses resources at the RS (RS Access Section 6
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RSAccess>).
>>>
>>>         (6) The RS evaluates access granted by the GS to determine
>>>         access granted to the GC. This step is not in scope for this
>>>         document.
>>>
>>>
>>>               1.3.
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.3>Human
>>>               Interactions
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-human-interactions>
>>>
>>>         The Grant Client may be interacting with a human end-user
>>>         (User), and the Grant Client may need to get authorization
>>>         to release the Grant from the User, or from the owner of the
>>>         resources at the Resource Server, the Resource Owner (RO)
>>>
>>>         Below is when the human interactions may occur in the protocol:
>>>
>>>              +--------+                               +------------+
>>>              |  User  |                               |  Resource  |
>>>              |        |                               | Owner (RO) |
>>>              +--------+                               +------------+
>>>                  +     +                             +
>>>                  +      +                           +
>>>                 (A)     (B)                       (C)
>>>                  +        +                       +
>>>                  +         +                     +
>>>              +--------+     +                   +     +------------+
>>>              | Grant  | - - -+- - - -(1)- - - -+- - ->|  Resource  |
>>>              | Client |       +               +       |   Server   |
>>>              |  (GC)  |       +---------------+       |    (RS)    |
>>>              |        |--(2)->|     Grant     |       |            |
>>>              |        |<-(3)->|     Server    |- (6) -|            |
>>>              |        |<-(4)--|      (GS)     |       |            |
>>>              |        |       +---------------+       |            |
>>>              |        |                               |            |
>>>              |        |--------------(5)------------->|            |
>>>              +--------+                               +------------+
>>>
>>>         Legend
>>>         + + + indicates an interaction with a human
>>>         ----- indicates an interaction between protocol roles
>>>
>>>         Steps (1) - (6) are the same as Section 1.2
>>>         <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#ProtocolRoles>.
>>>         The addition of the human interactions (A) - (C) are
>>>         *bolded* below.
>>>
>>>         *(A) The User is interacting with a GC, and the GC needs
>>>         resource access and/or identity claims (a Grant)*
>>>
>>>         (1) The GC may query the RS to determine what the RS
>>>         requires from a GS for resource access
>>>
>>>         (2) The GC makes a Grant request to the GS
>>>
>>>         (3) The GC and GS may negotiate the Grant
>>>
>>>         *(B) The GS may interact with the User for grant authorization*
>>>
>>>         *(C) The GS may interact with the RO for grant authorization*
>>>
>>>         (4) The GS returns a Grant to the GC
>>>
>>>         (5) The GC accesses resources at the RS
>>>
>>>         (6) The RS evaluates access granted by the GS to determine
>>>         access granted to the GC
>>>
>>>         Alternatively, the Resource Owner could be a legal entity
>>>         that has a software component that the Grant Server
>>>         interacts with for Grant authorization. This interaction is
>>>         not in scope of this document.
>>>
>>>
>>>               1.4.
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1.4>Trust
>>>               Model
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-trust-model>
>>>
>>>         In addition to the User and the Resource Owner, there are
>>>         three other entities that are part of the trust model:
>>>
>>>           * *Client Owner* (CO) - the legal entity that owns the
>>>             Grant Client.
>>>           * *Grant Server Owner* (GSO) - the legal entity that owns
>>>             the Grant Server.
>>>           * *Claims Issuer* (Issuer) - a legal entity that issues
>>>             identity claims about the User. The Grant Server Owner
>>>             may be an Issuer, and the Resource Owner may be an Issuer.
>>>
>>>         These three entities do not interact in the protocol, but
>>>         are trusted by the User and the Resource Owner:
>>>
>>>            +------------+           +--------------+----------+
>>>            |    User    | >> (A) >> | Grant Server |          |
>>>            |            |           | Owner (GSO)  |          |
>>>            +------------+         > +--------------+          |
>>>                  V              /          ^       |  Claims  |
>>>                 (B)          (C)          (E)      |  Issuer  |
>>>                  V          /              ^       | (Issuer) |
>>>            +------------+ >         +--------------+          |
>>>            |  Client    |           |   Resource   |          |
>>>            | Owner (CO) | >> (D) >> |  Owner (RO)  |          |
>>>            +------------+           +--------------+----------+
>>>
>>>         (A) User trusts the GSO to acquire authorization before
>>>         making a grant to the CO
>>>
>>>         (B) User trusts the CO to act in the User's best interest
>>>         with the Grant the GSO grants to the CO
>>>
>>>         (C) CO trusts claims issued by the GSO
>>>
>>>         (D) CO trusts claims issued by the RO
>>>
>>>         (E) RO trusts the GSO to manage access to the RO resources
>>>
>>>
>>>               1.5.
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#section-1..5>Terminology
>>>               <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#name-terminology>
>>>
>>>         *Roles*
>>>
>>>          *
>>>
>>>             *Grant Client* (GC)
>>>
>>>               o may want access to resources at a Resource Server
>>>               o may be interacting with a User and want identity
>>>                 claims about the User
>>>               o requests the Grant Service to grant resource access
>>>                 and identity claims
>>>          *
>>>
>>>             *Grant Server* (GS)
>>>
>>>               o accepts Grant requests from the GC for resource
>>>                 access and identity claims
>>>               o negotiates the interaction mode with the GC if
>>>                 interaction is required with the User
>>>               o acquires authorization from the User before granting
>>>                 identity claims to the GC
>>>               o acquires authorization from the RO before granting
>>>                 resource access to the GC
>>>               o grants resource access and identity claims to the GC
>>>          *
>>>
>>>             *Resource Server* (RS)
>>>
>>>               o has resources that the GC may want to access
>>>               o expresses what the GC must obtain from the GS for
>>>                 access through documentation or an API. This is not
>>>                 in scope for this document
>>>               o verifies the GS granted access to the GC, when the
>>>                 GS makes resource access requests
>>>
>>>         *Humans*
>>>
>>>          *
>>>
>>>             *User*
>>>
>>>               o the person interacting with the Grant Client.
>>>               o has delegated access to identity claims about
>>>                 themselves to the Grant Server.
>>>               o may authenticate at the GS..
>>>          *
>>>
>>>             *Resource Owner* (RO)
>>>
>>>               o the legal entity that owns resources at the Resource
>>>                 Server (RS).
>>>               o has delegated resource access management to the GS.
>>>               o may be the User, or may be a different entity that
>>>                 the GS interacts with independently.
>>>
>>>         *Reused Terms*
>>>
>>>           * *access token* - an access token as defined in [RFC6749
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>] Section
>>>             1.4.. An GC uses an access token for resource access at
>>>             a RS.
>>>           * *Claim* - a Claim as defined in [OIDC
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] Section
>>>             5. Claims are issued by a Claims Issuer.
>>>           * *Client ID* - a GS unique identifier for a Registered
>>>             Client as defined in [RFC6749
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC6749>] Section
>>>             2.2.
>>>           * *ID Token* - an ID Token as defined in [OIDC
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#OIDC>] Section
>>>             2. ID Tokens are issued by the GS. The GC uses an ID
>>>             Token to authenticate the User.
>>>           * *NumericDate* - a NumericDate as defined in [RFC7519
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#RFC7519>] Section
>>>             2.
>>>           * *authN* - short for authentication.
>>>           * *authZ* - short for authorization.
>>>
>>>         *New Terms*
>>>
>>>           * *GS URI* - the endpoint at the GS the GC calls to create
>>>             a Grant, and is the unique identifier for the GS.
>>>           * *Registered Client* - a GC that has registered with the
>>>             GS and has a Client ID to identify itself, and can prove
>>>             it possesses a key that is linked to the Client ID. The
>>>             GS may have different policies for what different
>>>             Registered Clients can request. A Registered Client MAY
>>>             be interacting with a User.
>>>           * *Dynamic Client* - a GC that has not been previously
>>>             registered with the GS, and each instance will generate
>>>             it's own asymetric key pair so it can prove it is the
>>>             same instance of the GC on subsequent requests.. The GS
>>>             MAY return a Dynamic Client a Client Handle for the
>>>             Dynamic Client to identify itself in subsequent
>>>             requests. A single-page application with no active
>>>             server component is an example of a Dynamic Client.
>>>           * *Client Handle* - a unique identifier at the GS for a
>>>             Dynamic Client for the Dynamic Client to refer to itself
>>>             in subsequent requests.
>>>           * *Interaction* - how the GC directs the User to interact
>>>             with the GS. This document defines the interaction
>>>             modes: "redirect", "indirect", and "user_code" in
>>>             Section 5
>>>             <https://tools.ietf.org/id/draft-hardt-xauth-protocol-14.html#InteractionModes>.
>>>           * *Grant* - the user identity claims and/or resource
>>>             access the GS has granted to the Client. The GS MAY
>>>             invalidate a Grant at any time.
>>>           * *Grant URI* - the URI that represents the Grant. The
>>>             Grant URI MUST start with the GS URI.
>>>           * *Access* - the access granted by the RO to the GC and
>>>             contains an access token. The GS may invalidate an
>>>             Access at any time.
>>>           * *Access URI* - the URI that represents the Access the GC
>>>             was granted by the RO. The Access URI MUST start with
>>>             the GS URI.. The Access URI is used to refresh an access
>>>             token.
>>>
>>>
>>>
>>>
>>
>>         -- 
>>         TXAuth mailing list
>>         TXAuth@ietf.org <mailto:TXAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/txauth
>>
>
>     -- 
>     TXAuth mailing list
>     TXAuth@ietf.org <mailto:TXAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/txauth
>