Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))

Justin Richer <> Fri, 10 July 2020 20:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 728F53A0909 for <>; Fri, 10 Jul 2020 13:09:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hsr4LldlVHpm for <>; Fri, 10 Jul 2020 13:09:39 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 52BA03A08FC for <>; Fri, 10 Jul 2020 13:09:38 -0700 (PDT)
Received: from [] ( []) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by (8.14.7/8.12.4) with ESMTP id 06AK9V08021189 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 10 Jul 2020 16:09:37 -0400
From: Justin Richer <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3D2C14C8-B931-40D5-A077-DFBB5DB44928"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Fri, 10 Jul 2020 16:09:36 -0400
In-Reply-To: <>
To: Dick Hardt <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [Txauth] acquiring claims (was Polymorphism (Was: JSON Schema?))
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 10 Jul 2020 20:09:43 -0000

> On Jul 10, 2020, at 2:15 PM, Dick Hardt <> wrote:
> inline ... 
> On Thu, Jul 9, 2020 at 5:44 PM Justin Richer < <>> wrote:
> Yes, the core idea is to not have to parse an assertion to get back the core authentication information, which consists of an identifier (iss/sub pair in OIDC, but could be a number of things). Sometimes the client is going to want the rest of the identity information, but If the user’s logged into the client before, the client has likely cached that info and probably won’t need it, and sending it would be a violation of privacy principles.. The client would want the info pretty much just in these cases:
>  1. The client has never seen the user before. 
>  2. The user’s information has been updated since the last time the client saw it.
> Agreed
> Now for case (1), how would the client know if it wants to request the user’s profile info or not, since it doesn’t know who the user is?
> But the client could know who the user is. The client may have used a different AS to authenticate the user.

In these cases, the client is not going to be requesting identity information from the AS to log the user in, so it’s not relevant to the use case. The client will have an opportunity to push that information to the AS.

> The User may have self identified to the client. The client may have a cookie saying who the user was and the user said that was them. While the latter cases are really a strong hint, they are likely right most of the time and can lead to a user experience basde on that hint

In these cases, the AS might be able to guess if the client has info about the user already, but probably not. And the assumptions fall apart if it’s in fact a different user that ends up logging in, which is of course possible (the hint you gave doesn’t match the identity of the current user after the AS validates them). This possibility leads to clients always asking for everything every time and the server providing everything every time. That’s a pattern I think we should avoid in an ultimate solution — but ultimately, I don’t think that this kind of protocol decision is inside of GNAP.

> And the AS won’t know if client is going to want the profile info, since the AS won’t know if the client has the user’s info or not. Sure, the AS might have seen that client and that user combo previously, but it doesn’t know if the client needs an update.
> The client can share with the AS the user it knows or thinks it is dealing with, which could let the AS respond if the information was new. This could be the case for an AS that is providing claims, but not authentication, and could happen silently. The user would only interact if the user information had changed, and the client wanted the updated information.

See above.

> And for (2), the client won’t know if the user’s info has been updated or not because it doesn’t know who the user is yet. If the AS can provide some time of updated stamp to the client, the client can pull the new info when it needs it.
> See above.

See above.

> If you ignore both of these cases and put all the user information inline with the main request/response, you end up in a situation where the client always requests everything and the server always provides everything, since you can’t be sure you’re not in situation (1) or (2) ahead of time.
> See above. There are a number of other states the client could be in.
> For example, the client could be stateless about user information, so it knows it is ALWAYS in state 1.

A stateless client would need to fetch appropriate user information every time, then. But that’s an optimization for a very specific case.

> This is really what I mean about the two-stage identity protocol.
> I know what it is. Per above, GNAP lets us support a wider set of use cases. Why limit ourselves to what OIDC supported?

We aren’t limiting the protocol, but instead limiting the scope of what we define internal to the GNAP protocol. There’s a lot of room for innovation on top of it.

> In the first stage, you push the bare minimum of what you need to get the user known to the client. In the second stage, the client uses its access token to call an API to get whatever else it needs to know about the user.
> From a privacy perspective in non-enterprise use cases, I think the user should give consent to any updated personal information to a client. In general, the client should not be able to get the latest information about a user whenever it wants.

This is about the rights associated with the access token, then. And an access token doesn’t have to keep working if the AS has a policy that says it won’t. The AS/RS could easily decide that a particular access token will only return data that hasn’t been changed. Maybe it stops working after the data changes, or it just returns old data, or any number of things. This is for the AS/RS to decide and this is pretty standard interpretation of the token, nothing special here because we’re dealing with identity.

 — Justin

> /Dick
> ᐧ