[GNAP] Addition of optional 'access_token' in interact callback section

Mike Varley <mike.varley@securekey.com> Fri, 21 January 2022 14:39 UTC

From: Mike Varley <mike.varley@securekey.com>
To: "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: Addition of optional 'access_token' in interact callback section
Thread-Index: AQHYCVuLXSjiHDOFqEeTmBF69QY8cqxtlXdW
Date: Fri, 21 Jan 2022 14:39:31 +0000
Message-ID: <YT1PR01MB3099EEADBB4C78C6BD0807D5E45B9@YT1PR01MB3099.CANPRD01.PROD.OUTLOOK.COM>
References: <YT1PR01MB30997386FF4252950B34E9F2E4549@YT1PR01MB3099.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <YT1PR01MB30997386FF4252950B34E9F2E4549@YT1PR01MB3099.CANPRD01.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/kNRuWA-Wo8KiZBlWfl7pOV6LurI>
Subject: [GNAP] Addition of optional 'access_token' in interact callback section
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Jan 2022 14:39:42 -0000

Hello GNAP’ers,

I would like to float the idea of adding an optional core parameter to the ‘interact’ request object parameter called ‘access_token’. This is specifically relevant to the finish.method = push function.

For example:
{
    "client" : "protected.client.ca",
    "access_token" : {
        "access" : [ "idproof1" ],
        "flags" : [ "bearer" ]
    },
    "interact" : {
        "start" : [ "app", "user_code" ],
        "finish" : {
            "method" : "push",
            "uri" : "https://protected.client.ca/callback/session/abc-123",
            "nonce" : "client_nonce_random",
            "access_token" : "callback_access_token"
        }
    }
}

The result of the above would be that when the POST callback is made to the client API endpoint, the bearer access token would be included as authorization.

The motivation is clients who have API endpoints may require that all API calls be made with an access token - there are no open server API endpoints. The motivation for including it in the core spec is to ensure there is a standard way of providing this security parameter, and AS developers are not left re-inventing this parameter for clients. Some clients I have worked with have been averse to putting access tokens in the URI as parameters as these may get logged by proxies and gateways.

There are a couple of drawbacks that I see to supporting this parameter; first, it currently only covers “bearer” tokens – so other security parameters or requirements either get included (making the protocol and the AS life much more difficult), and second there wouldn’t be much guidance on how the client is expected to generate this access token (most access_token generating services require a client request to kick things off…) and then this may cascade into more complicated nuanced steps.

I am very much interested in others’ experience on this topic; “this is a good idea/bad idea because…” and also “this should be core/extension because…”. I believe adding lots of optional parameters for not-so-well defined use cases that may never practically occur in the wild to be detrimental to a spec as it just leads to more developer guesswork and customization, so I would like to avoid that also :)

Thanks all!

MV

---
Mike Varley                                       mike.varley@securekey.com
Architect – Office of the CTO
SecureKey Technologies Inc.
This email and any attachments are for the sole use of the intended recipients and may be privileged, confidential or otherwise exempt from disclosure under law. Any distribution, printing or other use by anyone other than the intended recipient is prohibited. If you are not an intended recipient, please contact the sender immediately, and permanently delete this email and its attachments.
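Worked example of the push-finish exchange the message proposes, showing both the AS side (building the callback POST with the client-supplied token as an `Authorization: Bearer` header) and the client side (authenticating that POST before trusting `interact_ref`). This is an added illustration, not code from the GNAP draft or from the message's author. Assumptions: the grant endpoint URL, the AS nonce and the `interact_ref` values are made up; the `hash` in the push body is computed here as base64url(SHA-256(client_nonce "\n" as_nonce "\n" interact_ref "\n" grant_endpoint)), which simplifies the draft's hash_method negotiation and should be checked against the current draft text; the client mints the callback token locally with `secrets`, which is one answer to the "how does the client generate it" drawback raised above.

```python
"""Push-mode interaction finish carrying a per-callback bearer token.

Added example, not part of the GNAP draft or the original message.
The hash construction and the grant endpoint URL are assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets

GRANT_ENDPOINT = "https://as.example/tx"  # assumed AS grant endpoint URL


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def finish_hash(client_nonce: str, as_nonce: str, interact_ref: str,
                grant_endpoint: str = GRANT_ENDPOINT) -> str:
    # Assumed simplification: SHA-256 over the newline-joined values.
    msg = "\n".join([client_nonce, as_nonce, interact_ref, grant_endpoint]).encode()
    return _b64url(hashlib.sha256(msg).digest())


def new_callback_token() -> str:
    # The client mints the token itself; no round trip to a token service.
    return secrets.token_urlsafe(32)


def build_push_callback(finish: dict, as_nonce: str, interact_ref: str) -> dict:
    """AS side: the POST the AS would make to interact.finish.uri."""
    headers = {"Content-Type": "application/json"}
    token = finish.get("access_token")
    if token:
        # The client-supplied token travels in the header, not the URI,
        # so proxies and gateways do not log it with the path.
        headers["Authorization"] = f"Bearer {token}"
    body = {
        "interact_ref": interact_ref,
        "hash": finish_hash(finish["nonce"], as_nonce, interact_ref),
    }
    return {"method": "POST", "url": finish["uri"],
            "headers": headers, "body": json.dumps(body)}


def handle_push_callback(session: dict, request: dict):
    """Client side: authenticate the push before acting on interact_ref.

    `session` is what the client stored when it sent the grant request:
    its own nonce, the AS nonce from the grant response, and the callback
    token it placed in interact.finish.access_token.
    Returns (True, interact_ref) or (False, reason).
    """
    auth = request["headers"].get("Authorization", "")
    scheme, _, presented = auth.partition(" ")
    if scheme != "Bearer" or not presented:
        return False, "missing bearer token"
    # Constant-time compare: a plain == would leak token bytes via timing.
    if not hmac.compare_digest(presented.encode(), session["callback_token"].encode()):
        return False, "bad bearer token"
    try:
        body = json.loads(request["body"])
        interact_ref, presented_hash = body["interact_ref"], body["hash"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed body"
    # The bearer token authenticates the caller; the nonce hash still binds
    # this callback to the specific grant request, so both checks are kept.
    expected = finish_hash(session["client_nonce"], session["as_nonce"], interact_ref)
    if not hmac.compare_digest(presented_hash, expected):
        return False, "hash mismatch"
    return True, interact_ref


if __name__ == "__main__":
    # Constructed sample values mirroring the JSON in the message above.
    finish = {"method": "push",
              "uri": "https://protected.client.ca/callback/session/abc-123",
              "nonce": "client_nonce_random",
              "access_token": "callback_access_token"}
    session = {"client_nonce": "client_nonce_random",
               "as_nonce": "as_nonce_1",
               "callback_token": "callback_access_token"}
    req = build_push_callback(finish, "as_nonce_1", "ref-1")
    print(req["headers"]["Authorization"])
    print(handle_push_callback(session, req))
```

The client rejects a callback with no `Authorization` header, a wrong token, or a hash computed over a different AS nonce, and only then uses `interact_ref` to continue the grant. The token check and the hash check are independent: the token keeps the endpoint from being an open API, the hash ties the callback to the original request.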