Re: [GNAP] Distinct role used by End-user to give permissions to client instances.

Adrian Gropper <> Fri, 03 September 2021 19:50 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A7EBA3A2B57 for <>; Fri, 3 Sep 2021 12:50:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.645
X-Spam-Status: No, score=-1.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Q8n5eV91Ko8G for <>; Fri, 3 Sep 2021 12:50:43 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9C29B3A2B56 for <>; Fri, 3 Sep 2021 12:50:43 -0700 (PDT)
Received: by with SMTP id s15so172350qta.10 for <>; Fri, 03 Sep 2021 12:50:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9gY3GZDTyiEvevwJeo75sEbahuqEtQolaIiy8RtLOkg=; b=cU2vaNIzO9uq4AukkhAWYBfzlgMaEZWN4bYwE3cYWS37XO0wdTnw3k4wG4drVYKHIP murqAVsREkPB5pS4uOyz7vc86sAdELRqU2gHQTVR5lkoJd/irhSn1QhGc+ihY1y12Kw8 O5JicbJGsFsuK3hL9XlbJBL2Kmf12n45dDhvYSJcl6HNE7O5+7F0X9ILyF5fVQJ2hO8l dS7pl4GfOOPfmbxsDXAEknFQ2mwdR2LHrB0YGhrRMUve7L2d/M+jbMfo3GC77V+MmzaM LAP4L0KTNe3mVLL1Zani/lbWvMnfOkH/3ebe2Fl/jNrIqER5B1ADnuHE0/dtWsj5nRXU 0/CA==
X-Gm-Message-State: AOAM530ERJaDqaL+YrI+TCM0ldVedrTjSexRX+bEWrcEN/7mJZgoLekz 73qSOx/3Wh6cajFDUC1v9z4JBodQrSwJnyRIQFj20/ypXRbEKg==
X-Google-Smtp-Source: ABdhPJyfpZZcHalWjN5ZTZNTtwHTF0RC7jww+26Qb0vL/gQdLKUqS7qH1mSeH/P28kx0cj1OERmjTiS7Sf6Gr7R6wE4=
X-Received: by 2002:ac8:5693:: with SMTP id h19mr653335qta.84.1630698642457; Fri, 03 Sep 2021 12:50:42 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Adrian Gropper <>
Date: Fri, 03 Sep 2021 15:50:31 -0400
Message-ID: <>
Content-Type: multipart/alternative; boundary="00000000000051ca3e05cb1c9de4"
Archived-At: <>
Subject: Re: [GNAP] Distinct role used by End-user to give permissions to client instances.
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 03 Sep 2021 19:50:49 -0000

An interesting use-case. One way to discuss the protocol issues is from a
transparency perspective.

If the RS / RO is presumed to be operating as a (regulated or informal)
fiduciary with no conflict of interest for its own profit, then both Alice
and Bob should have total transparency on what is actually shared with the
other. That transparency and potentially semi-autonomous behavior would be
managed by the respective EUXS agents.

If the RS / RO is truly acting as an RO and owes relatively little to Alice
and Bob, then the protocol would be easier because the EUXS would have less
information to work with. In the limit, Alice’s EUXS would not even be
notified of Bob’s access to the shared RS.

Notification as part of an authorization protocol is, in my experience with
UMA 2, an option. Even when the RO is the subject and separate from the RS,
the RS may override the scope of an access token. This could be due to
security (e.g. DoS attack) or jurisdictional constraints (cross-border
clients). In these cases, transparency demands that the RS notify the RO or
the AS of the exception.

- Adrian

On Fri, Sep 3, 2021 at 9:57 AM <> wrote:

> Hello,
> I'm participating in AuthN and AuthZ related work of
> I will intentionally keep this email short and provide further details
> based on responses.
> Given that I'll try to focus on one problem we are trying to address and
> we can start zooming out from there as needed.
> In our scenarios different End-user and Resource Owner is very common
> scenario.
> We are working on few proposals for handing User Authorization, in that
> case ACME organization (Resource Owner) could authorize Alice (End-user)
> to access specific data.
> In the same way ACME authorizes Bob (another End-user) to access some
> specific data. Data that Alice and Bob can access have certain overlap.
> Now both Alice and Bob should be able to independently permission /
> authorize various applications (Client instances) they wan to access
> that data owned by ACME.
> In fact both Alice and Bob have broader peer networks, including other
> Organizations and Individuals. We are also defining common permission
> model,
> which would allow expressing application access to span across data
> owned by any number of owners.
> In the scenario above, we consider assumption that given Resource Owner
> owns all the data on given Resource Server.
> In that case Authorization Server which issues Access Tokens stays
> associated with RS, so also with specific Resource Owner.
> Since each End-user needs some party which would take responsibility for
> them to give consent and permission apps (Client instances) they are
> using.
> We look at another role let's just call it EUXS (End-user's X Server),
> similar to OIDC Provider. It stays associated with End-user in similar
> way to rel="" links to OP.
>  From here it would be really great to see how GNAP would help handing
> following:
> End-user's X Server, in a similar way to OIDC Provider, issues at token
> (let's call it a permissions token) to Client instance representing
> permissions applicable to a specific RS.
> Once again very often that RS is controlled by Resource Owner other than
> End-user.
> Client instance uses that 'permissions' token with AS to get Access
> Token which finally can be used when making requests to RS.
> Here I make assumption that AS understands that permissions token and
> later either makes it available to RS or translates it to something that
> RS can enforce.
> Oh, also RS would hint their AS with as_uri in WWW-Authenticate, since
> client doesn't have that prior knowledge.
> As I mentioned User Authorization is handled separately so AS & RS have
> prior knowledge of what access Resource Owner granted to End-user.
> In this email I mostly focus on End-user having another party associated
> with them (EUXS for the sake of this discussion) where they
> can further delegate that access their received to apps (Client
> instances) which they want to use to exercise access to data.
> I hope description above is sufficient to roughly illustrate the
> scenario. I can fill in more details as needed.
> I very much appreciate any hints on how GNAP can handle described
> scenario in elegant way.
> Best regards,
> elf Pavlik
> --
> TXAuth mailing list