Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11

Denis <> Mon, 20 July 2020 17:12 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D3AEF3A0DD4 for <>; Mon, 20 Jul 2020 10:12:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.63
X-Spam-Status: No, score=-1.63 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.267, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id LZaOOaOI1Pq2 for <>; Mon, 20 Jul 2020 10:12:54 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9EC5F3A0D86 for <>; Mon, 20 Jul 2020 10:12:53 -0700 (PDT)
Received: from [] ([]) by mwinf5d34 with ME id 5VCo2300V2bcEcA03VCpsl; Mon, 20 Jul 2020 19:12:51 +0200
X-ME-Helo: []
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 20 Jul 2020 19:12:51 +0200
To: Francis Pouatcha <>
Cc: Dick Hardt <>,
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: Denis <>
Message-ID: <>
Date: Mon, 20 Jul 2020 19:12:47 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------32A6C22C8E31A7C4E58A1C6D"
Content-Language: en-GB
Archived-At: <>
Subject: Re: [Txauth] Reviewing draft-hardt-xauth-protocol-11
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 20 Jul 2020 17:13:03 -0000

Hello  Francis,

> Hello Denis,
> On Mon, Jul 20, 2020 at 5:04 AM Denis < 
> <>> wrote:
>     Hi Dick,
>>     On Fri, Jul 17, 2020 at 9:21 AM Denis <
>>     <>> wrote:
>>         Hello Francis and Dick,
>>         The good news first: we are making some progress. We are now
>>         close to an agreement with steps (1) up to (3),
>>         ... except that the place where the user consent is captured
>>         is not mentioned/indicated.
>     This major question which is currently left unanswered is where,
>     when and how the user consent is captured.
>     Another important point to consider and to explain is related to
>     the assurances that the user can obtain about
>     the respect of his choices. This point is currently left
>     unanswered in draft-hardt-xauth-protocol-13.
[Denis] These two major points are still left unanswered at this time.

>>         If a RO needs to be involved and since a RO is directly
>>         associated with a RS, why can't it be directly queried
>>         by the appropriate RS after step (2) or later on ?
>>     Good question. Perhaps you can expand on a use case where that
>>     would be useful?
>     Before I expand, would you be able to explain first under which
>     circumstances a RO needs to be queried by a GS ?
> In all circumstances. Can you name a situation where this is not the case?

[Denis] This is quite easy. The final decision is always taken by the 
RS. If a Client presents access tokens issued by ASs trusted by the RS
that contain appropriate attributes to perform the requested operation, 
then the operation is allowed.

If really a human RO needs to be involved for whatever reason, it is 
possible to get its involvement when the Client connects to the RS.
However such involvement does not need to be formalized by a protocol. 
It can be application specific.

>     How can the GS identify which RO to query ?
> There is supposed to be a preexisting relationship between GS and RO, 
> If not RO will have to register with GS in the first interaction 
> (onboarding).
> How can the GS identify how to connect with RO?
> GS must evaluate the RS provided info in step (3) 
> AuthZRequest(AuthZChallenge) to decide how to contact the RO. This is 
> where selection of interaction mode takes place.

[Denis] This means that a GS must have prior relationships with the RSs 
and ROs. While this should not be prevented for backward compatibility 
with OAuth 2.0,
this should not be the single case. Prior relationships between ROs and 
GSs is a door half-opened for Big Brother. If in addition the GS is able 
to know which operation
is attempted by the client on which RSs, then it is a door wide-opened 
for Big Brother.

>>         Which information is supposed to be presented to the RO ?
>>         Which information is supposed to be returned by the RO ?
>>     Just like how the user authenticates to an AS, how the AS and RO
>>     communicate is out of scope.
>     At the moment, the usefulness of a dialogue between a GS and a RO
>     has not been explained, nor demonstrated.
>     The question is about the functionality of that dialogue in terms
>     of input and output information (and not about
>     the design of a protocol or of a user interface). Anyway, AFAIU a
>     dialogue between a GS and a RO is optional.
>>     For many use cases, the User is the RO, and the interaction is
>>     through a user interface, not a machine protocol.
>     Wait a second. You wrote "the User is the RO". The User is
>     attempting to make an access to a RS by using a Client.
>     _That_ User is not the RO of the RS.
> The User interacts with the Client.
> The RO interacts with the GS.
> In some use cases (where we use redirect interaction) we assume the 
> person controlling the "User-Agent" is also the person
> controlling the "RO-Agent" and they reside on the same device. These 
> are cases where we say User equals RO.

[Denis] Sorry, I have difficulties to understand such a case. A person 
giving his consent to himself ?


> -- 
> Francis Pouatcha
> Co-Founder and Technical Lead
> adorsys GmbH & Co. KG