IETF Logo Mail Archive

Re: [GNAP] Consensus Call on Continuation Request

Fabien Imbault <fabien.imbault@gmail.com> Mon, 14 December 2020 21:19 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC9E03A12A2 for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:19:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.186
X-Spam-Level:
X-Spam-Status: No, score=-0.186 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cjVydv6J1lXI for <txauth@ietfa.amsl.com>; Mon, 14 Dec 2020 13:19:33 -0800 (PST)
Received: from mail-io1-xd34.google.com (mail-io1-xd34.google.com [IPv6:2607:f8b0:4864:20::d34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B6C33A129A for <txauth@ietf.org>; Mon, 14 Dec 2020 13:19:33 -0800 (PST)
Received: by mail-io1-xd34.google.com with SMTP id z5so18341467iob.11 for <txauth@ietf.org>; Mon, 14 Dec 2020 13:19:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=mymMN65KdMgVl3wAqg5NiaBMtjIpu5H8U2foaZl7zbw=; b=oTi+CEu2MVk/P4LnSf99FU3h9wVBm6dveKJLyjNtcjFP2FphXJwTw+ij79WUI/J1Qy tXjbFXW9oprHuNrui/WO2wjudqUWSyNWeyhK2YYBY0eXqXlbyZ3He4V7kS/6evxkoqik gVyI2e9IYD3xa2JVBejhFxIhY3bP5bSHjCno+o58TWTLpYvTZzcSNDKY12VNEmC5/gOz IsDeLmmAGbXhYQBhD0F0gDjV1SGyZp7OawxIw7kWC+5TAhsIyWmnxO5p1fuzDlFDEKlF ezhjRNYC3924CXaYxjmS3YbPCNjYS86bBl13gsvV1XmHK7A89j1RikLTylWsyVF0swaj Kc8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=mymMN65KdMgVl3wAqg5NiaBMtjIpu5H8U2foaZl7zbw=; b=FP/1NjvdK61SQKuhIDU5A5DXevmFXHyW30d0wu8YgdP9L9JSztKAlZrFuAMOFKdslh Nn2CtLLzWpNKZ4FEnyBJMzBEa6225tJ5Czb9oQHHzIBN2FS5kutjnH7TZy5EABlKcCXd zgAWs4vdvlf7hmPpAS7gdGcC99ThckPW9HotVMGG5DN5wgSCv3UOYt0W8GCz4BZrspe6 oQWvL+7nq4cZtP0mXiu35pT7F6WIAjd53vVjLZGKGynXYzwhICKK+yZVKIHlMfiQ10fm cy7Co5UGCjUJOOuENDKzZX4yStNDaiaiLxhNFv0BqhmmxGHnp+qD/VSkFhAHoHZ0aP9y 3s/A==
X-Gm-Message-State: AOAM533rgUkxzGtZ+/d7iDgsvSOEWDGf0jShRGAxsiSPVyxH67lKnklh tWe8vHzDkmU7W3o8R6EhESUPn9xr0Gt2PqxMVh4=
X-Google-Smtp-Source: ABdhPJwaweLD7P3jIveXz34DeM8x5OPqnq2dOwvFXz4eD0v4g9P2g3N8i/ZvI0QSpz+/XV+zT84AafGQWZIaw38c5CU=
X-Received: by 2002:a02:4b42:: with SMTP id q63mr4910596jaa.77.1607980768063; Mon, 14 Dec 2020 13:19:28 -0800 (PST)
MIME-Version: 1.0
References: <94973397-0354-4B02-9EC8-EF972A7F1867@mit.edu> <CAD9ie-v-j=PBGjLmiWT+z1Whimfmqo=+Pqw1DVFmXZO-bm7=4w@mail.gmail.com> <8E2FF25A-4BE1-4EA1-A0FE-CB5194DEAC52@mit.edu> <CAD9ie-spy7fX-9+5cXzyrau62sX=wViqdpMYzmFBfz-Qbi63ZQ@mail.gmail.com> <CAK5Vu_DW=8V8qNH-MnjjrUsnganpdwKxCCE1ZTJmENGYEvFoew@mail.gmail.com> <CAD9ie-vWgOVqcXiTTLfBBLx2AKDw_ry0A06CuL2DpKFmjYQ8YQ@mail.gmail.com> <CAK5Vu_DqO+iZHWaov94PXTfD5tKdN9R4w08o8Dd4RxFD3UGxOA@mail.gmail.com> <CAD9ie-ud4i51dF-PEY4r+QpAu2fYNob==R7Ek69rwU6cjy-zBQ@mail.gmail.com> <CAM8feuRBvjx_2nBNy95dDtc6v8A1ebKGKfNE4SwkcFA0-7SYCw@mail.gmail.com> <CAD9ie-tEpVFfgB8KT3XK=G98wOTcVZxpXXRezCKbVuAP4hZoXQ@mail.gmail.com> <CAM8feuR9x7eMzWtTLeWHNEtjkFUk39kMw3ArFXp5rcFmXCw6BQ@mail.gmail.com> <CAD9ie-tMjNvewwof7W8Nof7D9FXuTEdwV3wTywyhB6gTurktmQ@mail.gmail.com> <CAGBSGjqer-kEz0=vbqu-=qsNg8gGRaWaxPjYd1q2eMeboF+yYg@mail.gmail.com> <CAJot-L0WAn2EqYO=mCVoq4Qm5TPTO7FNjtohriOn8tZHsNCJHQ@mail.gmail.com> <9CDE8448-B4CD-4DC5-842D-3C58C5A322ED@mit.edu> <CAJot-L17nHE2kaENOKBQG+v9g7WyErvZK4gtS9RSZh5uT4wcDA@mail.gmail.com>
In-Reply-To: <CAJot-L17nHE2kaENOKBQG+v9g7WyErvZK4gtS9RSZh5uT4wcDA@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Mon, 14 Dec 2020 22:19:15 +0100
Message-ID: <CAM8feuTgLDz+j1YuOOTFvc4XRn8q47cN15J8AgMkKP0A4rQEug@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Justin Richer <jricher@mit.edu>, Aaron Parecki <aaron@parecki.com>, Dick Hardt <dick.hardt@gmail.com>, txauth gnap <txauth@ietf.org>, Steve Moore <srmoore@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000007f0d6105b6733299"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/l3p_QOm9qmqAQxCQe53AX8kzWHA>
Subject: Re: [GNAP] Consensus Call on Continuation Request
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 21:19:36 -0000

Hi Warren,

The goal is not to force a behavior for the sake of forcing it, as Justin
explained one of the goals is to avoid to the extra complexity of
optionality when there's no fundamental reason for doing so. Which leaves
open the question of which alternative is best of course, and that's what
we're discussing here (security is not the only argument).

Just wondering. If you're ready to hardcode the same value in every request
in one case, why do you think better to have unique URIs in the other case?

Plus the problem is not that you control the AS URI, it's that you have
only limited trust for what's in front of that. A bound access token
ensures that your call is anthenticated with the same key as before, while
the alternative doesn't.

Fabien


Le lun. 14 déc. 2020 à 21:41, Warren Parad <wparad@rhosys.ch> a écrit :

> So then I would say the question becomes, why force AS to create "access
> tokens" (or whatever we want to call them) if they don't see the benefit of
> doing so. I.e. right now the Warren AS (and the Dick AS) both think we
> would not be generating "access tokens". If the spec requires it, I would
> probably just hard code the same value in every request because my AS
> doesn't see the value in requiring it when I'm in control of the URI.
>
> If I understand the discussion correctly, we are trying to prevent AS from
> exposing the uri containing the "access token", because doing so would
> hypothetically create an attack surface for the AS. If that's the case,
> then I would say, forcing the token to be in auth header only provides a
> negligible amount of surface decrease and thus the extra complexity is not
> well offset by the security improvement. So for me rather than arguing if
> there is any benefit at all, I'll make a stronger argument:
> *If there is a benefit to using the access token, it surely can't be a
> meaningful amount in such a way that it's important from the GNAP protocol
> standpoint to provide this mechanism for improvement.*
>
> Warren Parad
>
> Founder, CTO
> Secure your user data and complete your authorization architecture.
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Mon, Dec 14, 2020 at 9:29 PM Justin Richer <jricher@mit.edu> wrote:
>
>> Warren,
>>
>> (as editor):
>>
>> Your proposal below is not dissimilar to what’s in the current spec text:
>> the URI is required, and the access token is optional. If the access token
>> is included, the client has to include it in its request. The feedback from
>> the working group during the IETF109 meeting, and leading up to it, was
>> nearly universally that this optionality was not helpful, especially to
>> client developers. The editors’ PR being discussed here removes that
>> optionality by making both fields required with only one method of
>> presentation, and therefore a single code path for the client.
>>
>>  — Justin
>>
>> On Dec 14, 2020, at 3:11 PM, Warren Parad <wparad@rhosys.ch> wrote:
>>
>> Here's a terrible alternative:
>>
>> It would seem to me that one compromise could be making the object
>> extensible by authorization servers (and their corresponding SDK). In a
>> similar way that JWTs are extensible, we could require explicitly the URI
>> in the spec, and an optional object to be defined by the AS.
>>
>> --------
>>
>> One source of the problem could be that the language for taking the
>> response object and converting it back into a request one is not well
>> defined.
>> Instead if we allowed an optional headers object to be returned:
>> {
>>     uri: "https://as/grant/{grantId}",
>>     headers: {
>>         'Authorization': 'Bearer ${accessToken}
>>     }
>> }
>>
>> Thereby explicitly telling the client what they need to return back. It
>> avoids the problem of "what to name these things" and also ensures that the
>> data is exactly what the server expects. Additionally it sidesteps the
>> naming issue, where to include tokens, and whether to include them at all.
>>
>> Otherwise it sucks to be in a situation where the benefits/detriments
>> aren't clear to everyone, and potentially we can choose a path forward
>> where both approaches could be used without requiring other clients to jump
>> over arbritrary hurdles suchs as custom implementations.
>>
>> Warren Parad
>> Founder, CTO
>> Secure your user data and complete your authorization architecture.
>> Implement Authress <https://bit.ly/37SSO1p>.
>>
>>
>> On Mon, Dec 14, 2020 at 8:46 PM Aaron Parecki <aaron@parecki.com> wrote:
>>
>>> Thanks for the clear description. However saying "has no security
>>> concerns" is a bold claim. Can you clarify how you will ensure that there
>>> are no security concerns with this method?
>>>
>>> My main worry with this is people will start to get "creative" with the
>>> values of the things in this URL. We've seen this over and over, everything
>>> from using plaintext data in JWT access tokens in OAuth (now the access
>>> token contents are visible to clients), to putting data in the OAuth
>>> "state" parameter (easy to exploit unless it's signed/encrypted), and I'm
>>> sure someone somewhere is putting things in the authorization code that
>>> they shouldn't.
>>>
>>> Aaron
>>>
>>>
>>> On Mon, Dec 14, 2020 at 11:39 AM Dick Hardt <dick.hardt@gmail.com>
>>> wrote:
>>>
>>>>
>>>> I am proposing a URI that is straight forward, and has no
>>>> security concerns.
>>>>
>>>> For example, the URI could be:
>>>>
>>>> <as uri>/grant/<unique grant id>
>>>>
>>>> eg: https://example.com/as/grant/a3ce6053-ca48-4c04-af46-c2384ec8b89f
>>>>
>>>> The routing code in the AS then is:
>>>>
>>>> router.post(      '/', grant.create);
>>>> router.get(        '/grant/:grant', grant.read);
>>>> router.post(      '/grant/:grant', grant.update);
>>>> router.delete(   '/grant/:grant', grant.delete);
>>>> router.options( '/grant/:grant', grant.options);
>>>>
>>>>
>>>> Where there is a "grant" module to manage for working with grant
>>>> requests.
>>>>
>>>> /Dick
>>>>
>>>> ps: your previous email, and this one, are making the discussion
>>>> personal. Happy to discuss privately.
>>>>
>>>> ᐧ
>>>> --
>>>> TXAuth mailing list
>>>> TXAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>> --
>>> TXAuth mailing list
>>> TXAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/txauth
>>
>>
>>

v2.23.0 | Report a Bug | By Email