IETF Logo Mail Archive

Re: [Txauth] Additional implementation

Dick Hardt <dick.hardt@gmail.com> Thu, 02 July 2020 17:34 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C2923A0B12 for <txauth@ietfa.amsl.com>; Thu, 2 Jul 2020 10:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k5GC64ejha7m for <txauth@ietfa.amsl.com>; Thu, 2 Jul 2020 10:34:02 -0700 (PDT)
Received: from mail-lf1-x135.google.com (mail-lf1-x135.google.com [IPv6:2a00:1450:4864:20::135]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57A163A0B0E for <txauth@ietf.org>; Thu, 2 Jul 2020 10:34:02 -0700 (PDT)
Received: by mail-lf1-x135.google.com with SMTP id o4so16733601lfi.7 for <txauth@ietf.org>; Thu, 02 Jul 2020 10:34:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=DE8mjb1UnbuX3sFxnGZboJfS1LwAavXEiU9c99IqBMY=; b=R4qfk/eAyXf5dS+PDjQR152UPAdMSBwBD1jh8lCN8BoEsWHCnuK4xm9/nZdspqiAum QyL+5mkp0vxOmv1e945bSiTc2YCvHHHmFY1UyLgHDv7chmHE0a2hDZHHtdDcE/EWVoCS D8Waxq9R0nX2mjF3iHkCaHnG4vHv32SgGZ4NVscutPkNJShvlJhDZvSKxkMKxp/o/hC8 KaasEq5Xxx39T32yiC6bKvav1l2PrzvMVMh7d7N9J7g4yafQW5GivpPCjuTjRwNYkZfL ui1pbaQ7XWvwoj8P6xVowDflbj3+cOWYG00N75ZIegxnwVdoVjF8fmywAP2kJ6s/4MNd kfcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=DE8mjb1UnbuX3sFxnGZboJfS1LwAavXEiU9c99IqBMY=; b=Mc4fuTF8UlX1bN1QnZQ23Za1TXBQzZ07XxV7+UIu/c7QtowZ+6TuhOpdBCDqkvedhd T2cSFMS8EKkA4foPtLol/dYOdghEMUlnDLtvsfFitMAt1mu3Dmbr3Q6IBmuBtL4li2pa GNj/sdGE+Qnc8eCodwJJocXFLEAjwS8y5HuJkBueKtw4OLOqquymdOPlxbgJ+bohTTuF FZXOeIzLSubFc4AdU2WqZu4Ji3DkQr/CxekAPIscwrQbx1lHhTMjlMv2qT2sgr/ZDCWW 7X7v7obKtzMip0umpAROPFRamskld00MY23FPx3i9E8kJlukTgZb2Ov3zcpWHpWeJJqD b+Ng==
X-Gm-Message-State: AOAM530/yKrQD6JVa9jgQ3RKfM1GJjL26MuDe0bRHnibjcw50n7M+6AD QxNg7hbxdVQkemwJWsSxnPm2UwAGlcvaMkcGyo8=
X-Google-Smtp-Source: ABdhPJzV1y0naxspd9n2wX6tfhVILOJ6iTdmsG/gLdFkYGmknq+Vn1wZEeGQDZBQe7c/tBS7cyigho7XN0COU+rpoc4=
X-Received: by 2002:a19:c8a:: with SMTP id 132mr18933460lfm.23.1593711239940; Thu, 02 Jul 2020 10:33:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAM8feuRA1VfPs6bdrGgssBeBNe4wPySHjKcjiP6HexKMUff4DQ@mail.gmail.com> <CAD9ie-t7Lzt8S09YKPqwhc__7fKU6XpsyL1m8CGYUqfQwj8+ww@mail.gmail.com> <CAM8feuQK7HnKWd4TuusKy6z5q0K8V1+fO7xdqnLwOckThgtfNw@mail.gmail.com> <CAM8feuT5VO3w-PJWX-SWL0tdoCH4TfzfTnabD5kNLfZ=T8nAZw@mail.gmail.com>
In-Reply-To: <CAM8feuT5VO3w-PJWX-SWL0tdoCH4TfzfTnabD5kNLfZ=T8nAZw@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 02 Jul 2020 10:33:24 -0700
Message-ID: <CAD9ie-vUGGRcsv2mC6OD=p2P-jRLbpWo1dOfq3AVYc9gU1S8hA@mail.gmail.com>
To: Fabien Imbault <fabien.imbault@gmail.com>
Cc: txauth@ietf.org
Content-Type: multipart/alternative; boundary="00000000000054e83405a978d076"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/mts56MwpoGnm6buQGiWQKWMiJzM>
Subject: Re: [Txauth] Additional implementation
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 17:34:04 -0000

Hi Fabien, sorry for the late reply

Comments and questions inserted ...

On Wed, Jun 17, 2020 at 3:47 AM Fabien Imbault <fabien.imbault@gmail.com>
wrote:
<snip>

>
> Beyond what I said on the redirect, we could probably benefit from a more
> formal definition of the flows (a bit different between the 2 proposals),
> as proposed recently by Francis Pouatcha for instance
> (interact/decoupled/embedded flows, TBD).
>

Which proposal was that?


>
> What I'm missing in both proposals (personal opinion):
>
> - I know that JSON is the usual format, but it would be really useful to
> complement the schemas with some JSON-LD descriptions as well. It would
> ease extensions and interoperability (by avoiding conflicting schemas), and
> could even provide a more generic way of representing verifiable
> presentations (challenge/nonce associated to a domain for instance). While
> most of this work on linked data has been done at W3C, it would add value
> to the current proposal so I think we should consider it.
>

I'm not understanding how JSON-LD would fit in. Would you provide an
example?


>
> - from an extensibility point of view, I'm not sure it's very useful to
> list all possibilities. For instance, as of now, it wouldn't be possible to
> use the protocol for constrained devices, so there's no real value in
> saying that it could be extended with CoAP (then we need a separate
> document, that references the current GNAP rfc). What's more useful to know
> if the context of the current document, when you're implementing it, is
> what behaviour can really be extended in a fairly straightforward
> way, without changing anything in the core spec. For instance, what can I
> do with other types of tokens than JWT? Neither proposal is very clear as
> to how we would implement extensions in practice.
>

In XAuth I refer to CoAP not as an extension, but as an one example of
other client authentication mechanisms. While it only applies to CoAP, I
think it is useful to call out how we intend GNAP to be extended.

Just like OAuth 2.0, the access token is opaque to the client, and it is
not specified, so I'm confused what you mean by "other types of tokens than
JWT"?




>
> - from an implementation perspective, it would make sense to decompose the
> flow between the Grant Server (GS) and the login/consent part (as done for
> instance by ory.sh). This way you would separate the concerns: on one side
> you have the HTTP flows (managed by the GS, which can be very optimized
> from a backend perspective), but you can delegate/customize the interaction
> UI to some agreed dedicated endpoint (typically a JS site). Maybe that's
> just a detail which doesn't have its place in the spec, but since it would
> change the flow, it might be important to consider, at least as a
> possibility/extension.
>

Is the interaction UI not part of the GS though? I agree that an
implementation can decompose those, but that sounds like an implementation
choice of the GS, and not something that requires standardization. I agree
that we want to anticipate the decomposition.* Is there a change in the
flow that would make that easier?

*One of the reasons I favor using URIs and methods for the different
functionality of the GS API is that it is easy for a router to route a
request to different components of the GS.

/Dick

>

v2.23.0 | Report a Bug | By Email