IETF Logo Mail Archive

Re: [GNAP] RS-Token Introspection or RC-Token Introspection

Fabien Imbault <fabien.imbault@gmail.com> Fri, 11 December 2020 16:08 UTC

Return-Path: <fabien.imbault@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 506C13A0CEA for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 08:08:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3gCCYasdB0_9 for <txauth@ietfa.amsl.com>; Fri, 11 Dec 2020 08:08:25 -0800 (PST)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58EF83A0CE9 for <txauth@ietf.org>; Fri, 11 Dec 2020 08:08:25 -0800 (PST)
Received: by mail-il1-x129.google.com with SMTP id t9so9254041ilf.2 for <txauth@ietf.org>; Fri, 11 Dec 2020 08:08:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=7Tt6XlHMNLrOWGsRck33pJcgspDKGAp3bl2BNiMUD4A=; b=pw87agwD++2s9i0iPJ4IH30FmqXA4LFPqI6nBA0PiGgQqpyFe3Qa47NXybNigpWSfK CFQfvuq626YRKaXJVH0OJq3BAZ+kaiTXU75KOSjYuq/7ohhZosSt1zjfDaV5tX7+5Lfi FJV6Cem6UzLZZiEVQX4FFCyPYIZTZw4JxcXwrz5LMMCjBKvHPXeRBP+csh52e8JDDSpW /WUFcgbMw0Wk431HL2vgbbuybw+lfl8k8dgImVHQJdyv9A1An0LEOCyA85PmQfST93eQ tf7GB4e03/hIAmWLv9J+qkcH/TfefmURapd6iNjc/o6qmab01RRjgocMOcESJTUVO8NY u5ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=7Tt6XlHMNLrOWGsRck33pJcgspDKGAp3bl2BNiMUD4A=; b=RueiX+vNtg6R3LiHKgtCYDCZqFNfXOmASEfkcTknRjnOw1cJgk98RtHxDo0uTrUygG VA8xFs6rxCuUesajE+SLY/V9fCKT84hbseLrup9GNSIxRywTQg9GMoWbkx/yqYmoHAOq lKfO4mdURmodFhtsWPfZazUxeNxioj3Aw0yjw0fZh64q/5/WqMqRDIluoXkEQc6fQhh7 LJPFQuAkGnAJQC1C8gVStHCkCYwfjJbq1lQUFONpshEFQZN9LLsj4NeQShD5s0itmCIq abguyFHWqarRujxYhh9hIzEdVzDx/7NIpf8oybQZB0DTEig2+D7B7++ZRngv/R1Zt/en uQwA==
X-Gm-Message-State: AOAM530vU3wAxn/himpgIxK9peFfo+zn34oVApqlJrHp+VbPPfGbAYPW svBtfUBUJDPJNgUkcHo1TTYXks7zSDa4jKkfXUM=
X-Google-Smtp-Source: ABdhPJx75maVdGcpCpn0P8oE4ECcip+obhwNTL5688n7xu/xNsOCwzfdlzd3hzt37ZB2GNrOKKCgmXM6f5J8OFIcE/Y=
X-Received: by 2002:a92:d0ca:: with SMTP id y10mr17218968ila.68.1607702904466; Fri, 11 Dec 2020 08:08:24 -0800 (PST)
MIME-Version: 1.0
References: <7f06d460-a4bb-652a-bba0-fe5fe5e6478f@free.fr> <CAM8feuQd3TkD0-hYfJQW0f4C9pnZO1J646hg9cumbb22D2XK5g@mail.gmail.com> <CAM8feuSRoUvKaDkheuQa5kp52hFhK+=TBp+1dq9qQrFweGf7vg@mail.gmail.com> <56f50921-a88f-230a-20d1-aee187f09b6e@free.fr> <CAM8feuSeXjJwVdjaAP-B=mKVDePyPcx3Vpd7Ef6GFY1YwbMJ6A@mail.gmail.com> <21cf7c30-c42a-f29c-a407-7badde5c0151@free.fr>
In-Reply-To: <21cf7c30-c42a-f29c-a407-7badde5c0151@free.fr>
From: Fabien Imbault <fabien.imbault@gmail.com>
Date: Fri, 11 Dec 2020 17:08:13 +0100
Message-ID: <CAM8feuTnu6F6V8e6Fa=RP4wn2ZXocpShU1GH9UD951PFLk1avA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000086712205b632806c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/lqt8IIEaDKFFG5dkqpL6ePkjW5U>
Subject: Re: [GNAP] RS-Token Introspection or RC-Token Introspection
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 16:08:27 -0000

Hi Denis,

Please note that the token introspection is not a new idea, it's already
present in OAuth2 world (rfc 7662), and allows the RS to verify the access
token.

In the current version of GNAP, there is also section 6 that introduces
management endpoints, which could potentially be extended in a similar way
(currently this is not specified, the management endpoint is here for
rotation/revocation). Then the client could require more information on
what is included in the opaque token, but of course, this relies on the
assumption that the client trusts the AS. There is also the discussion on
the "resource" description in the response, that may provide a simpler
scheme (https://github.com/ietf-wg-gnap/gnap-core-protocol/issues/141).

But if we assume the AS may be malevolent (which is more likely if the AS
becomes a less central point, at least for some implementations), then
indeed receiving opaque tokens wouldn't provide all the guarantees, as it
may lie on what is really in the token (too many claims for instance).
More specifically, while I recon there might be a risk which we'd rather
not have, I don't really think an opaque token is really an unmanageable
issue with privacy. Suppose someone adds a field in a JWT, most likely
you'll be able to detect that.

But suppose we go for non opaque tokens, then we'd need a way of describing
its format. Which might limit a bit the use cases if we're not careful.

I'd be interested to know what others think, since it is diverging quite a
bit from the OAuth2 world (not a bad thing in itself but still).

Fabien

On Fri, Dec 11, 2020 at 12:04 PM Denis <denis.ietf@free.fr> wrote:

> Hi Fabien,
>
> This is a response only to the point 7 from the "Quick review of
> draft-ietf-gnap-core-protocol-00".
> The full original text with your comments is copied after my reply.
>
> In order to allow the RC to understand the content of an opaque token, you
> are proposing to support a Token Introspection query from the RC to the AS.
> This does not solve the concerns of a RC that wants to make sure that the
> access token does not contain claims that have not been requested.
>
> Let us illustrate the case by using an example:
>
> The RC asks to the AS to deliver an access token that contains an
> identifier only unique to the RS.
> In reality, the AS delivers an access token that does contain an
> identifier only unique to the RS
> but in addition a globally unique identifier. Since the access token is
> supposed to be opaque to the RC,
> the RC calls the AS to perform a Token Introspection operation. In its
> response, the AS presents an identifier
> that is indeed only unique to the RS but the AS voluntarily *omits *to
> present the globally unique identifier to the RC.
>
> In the same way, if Token Introspection is supported by a RS, that does
> not provide confidence to the end-user or to the RC.
>
> Let us illustrate the case by using another example:
>
> The AS delivers to the RC an access token that only contains an identifier
> unique to the RS. Since the access token
> is supposed to be opaque to the RS, the RS calls the AS to perform a Token
> Introspection operation. In its response,
> the AS presents an identifier that is indeed only unique to the RS but the
> AS voluntarily *adds *a globally unique identifier.
>
> *Conclusion*: In both cases, a globally unique identifier will be used by
> the RS without the RC or the end-user knowing it.
>                       Opaque tokens are in contradiction with the
> end-user's privacy.
>
> For end-users caring about their privacy (or for systems willing to
> protect the user's privacy), access tokens should not be considered
> to be opaque to RCs, nor to RSs, and ASs should not support Token
> Introspection, whether it is RS-Token Introspection or RC-Token
> Introspection.
>
> Denis
>
>
> 7. The content and the format of access tokens shall not be considered to
>>>> be opaque to the RC so that the RC can inspect it.
>>>>     This is a matter of confidence to make sure for the RC (and for the
>>>> user) that no "extra" information has been included by the AS into the
>>>> access token.
>>>>
>>> [FI] This might go a bit further than the GNAP's mandate (especially if
>> it becomes a mandatory requirement). But supposing we support non-opaque
>> tokens,
>> does it preclude supporting opaque tokens? It's just a different trust
>> model, which makes sense if people agree with your premises (previous
>> items),
>> but that are less relevant if people still consider the AS as the central
>> piece. Also one great thing with opaque tokens is that it makes the system
>> easier to upgrade
>> (you don't really care about what a token is).
>>
>> [Denis] Privacy is not more relevant for an AS-centric model than for a
>> RS-centric model. In particular, a RC should be able to verify which kind
>> of end-user identifier claim
>> has been incorporated into the access token by the AS, in particular
>> whether it is globally unique, unique to the AS only, unique to the RS only
>> or ephemeral (valid for
>> that RS during a session with the AS).
>>
> [FI2] ok, see discussion on whether tokens should be opaque or not.
>
>> I suppose that the use of structured access tokens should be recommended.
>> This means,in particular, that from the very beginning, we should
>> incorporate a version number
>> inside each access token.
>>
>> One alternative way would be to allow RS call to AS for verification
>> (including revocation status) and include a checksum.
>>
>> [Denis]  The RC, i.e. not the RS, should be able to perform such
>> verification before presenting the access token to the RS. So this
>> alternative way would not work.
>>
> [FI2] then there could be a similar API for the client (cf discussion on
> similarities between introspection/management APIs).
>
>>
> --
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth
>

v2.23.0 | Report a Bug | By Email