Re: [GNAP] "Access Token" when calling AS is really a cookie
Fabien Imbault <fabien.imbault@gmail.com> Mon, 23 November 2020 12:53 UTC
Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE833A0A3B for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 04:53:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.196
X-Spam-Level:
X-Spam-Status: No, score=-0.196 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35y5QMcM975x for <txauth@ietfa.amsl.com>; Mon, 23 Nov 2020 04:53:27 -0800 (PST)
Received: from mail-il1-x12e.google.com (mail-il1-x12e.google.com [IPv6:2607:f8b0:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9756E3A0A35 for <txauth@ietf.org>; Mon, 23 Nov 2020 04:53:27 -0800 (PST)
Received: by mail-il1-x12e.google.com with SMTP id f5so14864172ilj.9 for <txauth@ietf.org>; Mon, 23 Nov 2020 04:53:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bKMirIbryF8gOFYzDvnwXzTrSDTSFuh3dekqcOsEFC4=; b=kGLS8/qwFyJKksEWaDwFijnkivIlvX4PqmQuxH1m72e817eSh+IboAWNHwqiGCcAjP yYlLtWsqEfOpG8Te2F71+cB+wpPheM3lp5nRvxCac2hcdVolZ1CuOeA06WbUMaft4hbI RTV4PK+KwykWoL2y4Am0OVyWP6eVsFQBEgXfemh+6auJ0+j+riOtvchienrpG7egMIES Vx2GzlwncLe/+LcGSbzcusPF1EG6AJ13lNM8Pc3ghEJt7QE3soqROd3T4LvQW5Udc0Cv Mzz6zMEwfrM0PwCWaqnX/rDlZI+wFGbfQ21EJNR7Kjc6fGhB5hh5vbHP58ptgxi23lJ9 ZlSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bKMirIbryF8gOFYzDvnwXzTrSDTSFuh3dekqcOsEFC4=; b=QXEH8VL5DI5NAQbvIMgpxZptDEPhmEhtIA8V+Lru+uWuxPhrbLqhf0F9HT0hVq6hCq 7Qf5fhhbzKHtqlMI135vvZ581sZZfKOMfcsDFNRzSOOYIAi2C/wBZxvaiXqHou61Rpom jlQZT0dpz8j6A57X+/i82br41qxgMhbCS3MfNjDKiBd2WbB02HBLBxsZjtSuIPHgDjBv AlsCDwzb6Bd4z3rJ0kAssRffDtCC4Q8nWikWBPAoL5lU6BExMux8sm9ixFDfGdsVo+fK hLOyI7CRyX8R5yuX8+IN8uVvioduD0vshbCSGcDgAtbFlrmHDMZ3FbE1xT7bMlnODDOt C8wA==
X-Gm-Message-State: AOAM530Fq3BaYI3mCyX0n9DH8f/WC9okMrRTh44+AJFVOYjVUtEEoITV Of5FCOdHpTivTU67W0AYRBs0AzZRak/oLj97zWw=
X-Google-Smtp-Source: ABdhPJwLOTv1TYMQ1vpUx+xU769mrUF+E0tyvdda5IeoR39lNxZ3UcE1cRDhpRFmfrdvPer2kk8vAplD7/qvEKCtof0=
X-Received: by 2002:a92:89d3:: with SMTP id w80mr32089964ilk.68.1606136006653; Mon, 23 Nov 2020 04:53:26 -0800 (PST)
MIME-Version: 1.0
References: <CAD9ie-vKSpV6eC3CUPzwFog5yOb+zeshLJC7+8RgNeF9CNFiww@mail.gmail.com> <CAM8feuSh0q3mf+KapqV7Sxo+k9GSaibAbGwK7J2vPh-EAAprwQ@mail.gmail.com>
In-Reply-To: <CAM8feuSh0q3mf+KapqV7Sxo+k9GSaibAbGwK7J2vPh-EAAprwQ@mail.gmail.com>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Mon, 23 Nov 2020 13:53:15 +0100
Message-ID: <CAM8feuSxPMPpkH2i_ibwMd09RAMi2ChFJ+AfwH=jfifH_AUfvw@mail.gmail.com>
To: Dick Hardt <dick.hardt@gmail.com>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023432405b4c5ae51"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/lERyHEOMtJNK4mGWarReyg8QKtE>
Subject: Re: [GNAP] "Access Token" when calling AS is really a cookie
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 12:53:29 -0000
Hi there, Following Justin's feedback, I made an alternative proposal: make the key verification the default everywhere, and allow bearer tokens for resources access only when set explicitly. https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/67#issuecomment-732119398 I believe this removes the confusion. Fabien On Mon, Nov 23, 2020 at 8:40 AM Fabien Imbault <fabien.imbault@gmail.com> wrote: > Hi Dick, > > In GNAP, the client isn't managing state (unlike a web app), the entire > point is that the lifecycle should be managed by the AS. > > As in any state machine, there are states and transitions. Here we're not > passing state, merely expressing "please continue". The client can be > completely unaware of the underlying state. > In effect the client only has the ability to ask the server to generate > the next transition. > > So I don't think you can compare that to cookies. It's a different > behavior. BTW if it was the case it would lead to a whole new class of > issues, because there's an entire legal framework around cookies... > > To avoid confusion with a standard access token, we have the "key" field. > My proposal would be to make it more explicitly (cf comment in issue 67). > > Fabien > > > Le lun. 23 nov. 2020 à 02:06, Dick Hardt <dick.hardt@gmail.com> a écrit : > >> When I look at how GNAP is using access tokens for continuation requests, >> and the pull request #129 >> <https://github.com/ietf-wg-gnap/gnap-core-protocol/pull/129> >> >> Those "access tokens" look a lot more like cookies (managing state) than >> how access tokens are usually used (representing authorization). See table >> below. >> >> If there is a real requirement for passing state back and forth between a >> server (the AS in this case) and the client when making API calls, then I >> suggest that is out of scope for GNAP as I see it being a general purpose >> mechanism for any API. >> >> /Dick >> >> >> >> *cookies*- issued by server being accessed >> - are not presented to other servers >> - issued after first access >> - may be different for different URLs >> - may be updated on each access >> - represents the context of a session (state) >> >> >> *access tokens*- issued by an independent service (AS) >> - may be used at any URL at the RS >> - new ones issued by AS as needed >> - represents authorization granted to a client at an RS >> ᐧ >> -- >> TXAuth mailing list >> TXAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/txauth >> >
- [GNAP] "Access Token" when calling AS is really a… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Justin Richer
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Fabien Imbault
- Re: [GNAP] "Access Token" when calling AS is real… Dick Hardt