IETF Logo Mail Archive

[GNAP] Should access tokens be opaque or not for the clients ?

Denis <denis.ietf@free.fr> Thu, 18 March 2021 17:21 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B13853A301D for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 10:21:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.117
X-Spam-Level:
X-Spam-Status: No, score=-1.117 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZgeIHqK8g6IC for <txauth@ietfa.amsl.com>; Thu, 18 Mar 2021 10:21:09 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5E283A301A for <txauth@ietf.org>; Thu, 18 Mar 2021 10:21:08 -0700 (PDT)
Received: from [192.168.1.11] ([90.79.53.231]) by mwinf5d55 with ME id htM22400H4zJUWJ03tM229; Thu, 18 Mar 2021 18:21:06 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 18 Mar 2021 18:21:06 +0100
X-ME-IP: 90.79.53.231
To: txauth@ietf.org
References: <CAM8feuQ5Q1LrGtniCH3WN5gyf6QhBa-9e+2kzaV0fxzA5D5m7w@mail.gmail.com> <CAM8feuQEQyCEOErds8rpcipaqyPm3L3XMdrbQ6X2t3y9xcO4dQ@mail.gmail.com> <CAJmmfSQKZWm=YsjBVV8O+vU9zzC+eka0CCaQO-xFP-GcWzEigw@mail.gmail.com> <CANYRo8jw9gHQESDk__aKM3jK-C9FvYTFYOzb-8iYzbc_hVjMPA@mail.gmail.com> <EDB79C39-D706-43B2-B7D6-234CB32F7411@mit.edu> <CANYRo8inRJa0bAe6gqOkLKqHnt-qxPrzhDufBLwXd-S4wfjdxg@mail.gmail.com> <CAM8feuS98hqZ36hjCHg_=wpueDyXHb7t156OXnL_8MXtzpiyjA@mail.gmail.com> <CANYRo8i4gVpV5Fv7Yr9AFLNSq658EayHK5yJ+vp2ecUaRJ6fYw@mail.gmail.com> <CAM8feuSC2EDHbVHXjHAkgV8jfYP9+gQ_ZV-+y=aoEjf97Rbyqg@mail.gmail.com> <CANYRo8hdA0vLRXwOMDDg99qQHWC=DAzk+ht=ykjZ42bPmUxdPA@mail.gmail.com> <CANpA1Z2jv1ye234SKXa3n=z1yoVY5nW72Xqzj2bk_+_KjnK-+g@mail.gmail.com> <C4DC413B-32C7-432C-AE14-FC743D45319A@mit.edu> <CANpA1Z1b8FVXNgJKbv9wDyWsuva5PRrWvrgsoymCK9bj_Zt1wg@mail.gmail.com> <43447446-4061-49F2-8486-5A196C3C75E2@mit.edu> <CAM8feuSncUCkqWAA975kCTUdv69VG41a9s7HYD2LP5xCVmkkiQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <37a04505-84ef-aecf-6913-5aad8330c97c@free.fr>
Date: Thu, 18 Mar 2021 18:21:01 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.8.0
MIME-Version: 1.0
In-Reply-To: <CAM8feuSncUCkqWAA975kCTUdv69VG41a9s7HYD2LP5xCVmkkiQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------84426050735C88B0CAB42E59"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/oAZYYYzrhm9WbiASi-Xt4QkFmls>
Subject: [GNAP] Should access tokens be opaque or not for the clients ?
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 17:21:13 -0000

I have changed the title of this thread, since the original topic has 
been closed.

Justin, you are raising the following question:

    The question I have is — why does the client need to know what’s in
    the token?
    Not if they could possibly know, but why would we expect a client to
    know and manage the contents of the token?

The answer is quite simple: so that the end-user may have confidence 
into the architecture.
The seventh of the eleven privacy principles from ISO 29100 (page 14) is:

    *7. Openness, transparency and notice *

If the access token is considered as a black box for the end-user, it 
cannot be confident about the content of the access token.
Such access token may disclose some private information without the 
consent of the end-user. If the access token that it has obtained
does not match with what has been requested, the client will first not 
forward the access token to the RS and then will complain about the AS.

Denis


> Hi Justin,
>
> "The access token is fundamentally a conversational artifact between 
> the AS and the RS which the client is the carrier of."
> That's right, and a good opportunity to distinguish between the need 
> for token inspection (i.e. a runtime verification, wherever that may be)
> and the need to negotiate the token format (a discovery). That last 
> part could very well be an extension, as a way to open up the ecosystem
> beyond JWTs (which are fine, but come with their own limitations).
>
> Fabien
>
> On Thu, Mar 18, 2021 at 5:59 PM Justin Richer <jricher@mit.edu 
> <mailto:jricher@mit.edu>> wrote:
>
>     On Mar 18, 2021, at 11:30 AM, Alan Karp <alanhkarp@gmail.com
>     <mailto:alanhkarp@gmail.com>> wrote:
>>
>>     Justin Richer <jricher@mit.edu <mailto:jricher@mit.edu>> wrote:
>>
>>         On Mar 18, 2021, at 12:08 AM, Alan Karp <alanhkarp@gmail.com
>>         <mailto:alanhkarp@gmail.com>> wrote:
>>>
>>>         Adrian Gropper <agropper@healthurl.com
>>>         <mailto:agropper@healthurl.com>> wrote:
>>>
>>>
>>>             Is there an AS involved in the delegation? How and where
>>>             in the lifecycle of the protected resource?
>>>
>>>
>>>         If tokens are certificates, the AS need not be involved in
>>>         subsequent delegations.  The AS must be involved if the
>>>         tokens are opaque.
>>
>>         Tokens are opaque to the client instance. They are not opaque
>>         to the AS. They might be opaque to the RS, but that depends
>>         on the kind of relationship the RS and AS have. GNAP should
>>         allow different options here as there are different use cases
>>         for that.
>>
>>
>>     Tokens are not opaque to the client in SPKI, zcap-ld, Orie's
>>     implementation with VCs, or our Zebra Copy work.  Why must they
>>     be in GNAP?
>
>     The existence of the AS is exactly the reason for this. The AS is
>     the role that “knowledge about the token contents” has been
>     outsourced to in the GNAP model (which is based on the OAuth model).
>
>     It brings significant simplicity for the client developer. The
>     question I have is — why does the client need to know what’s in
>     the token? Not if they could possibly know, but why would we
>     expect a client to know and manage the contents of the token?
>
>     The access token is fundamentally a conversational artifact
>     between the AS and the RS which the client is the carrier of. The
>     client is not the audience of the token, nor the creator of the
>     token, nor even the manager of the token and the rights it
>     represents. The client as a simple carrier is a powerful model
>     that allows the security layer to get out of the way of the actual
>     application logic that developers want to do.
>
>      — Justin
>
>>
>>     --------------
>>     Alan Karp
>>
>>
>>     On Thu, Mar 18, 2021 at 4:56 AM Justin Richer <jricher@mit.edu
>>     <mailto:jricher@mit.edu>> wrote:
>>
>>         On Mar 18, 2021, at 12:08 AM, Alan Karp <alanhkarp@gmail.com
>>         <mailto:alanhkarp@gmail.com>> wrote:
>>>
>>>         Adrian Gropper <agropper@healthurl.com
>>>         <mailto:agropper@healthurl.com>> wrote:
>>>
>>>
>>>             Is there an AS involved in the delegation? How and where
>>>             in the lifecycle of the protected resource?
>>>
>>>
>>>         If tokens are certificates, the AS need not be involved in
>>>         subsequent delegations.  The AS must be involved if the
>>>         tokens are opaque.
>>
>>         Tokens are opaque to the client instance. They are not opaque
>>         to the AS. They might be opaque to the RS, but that depends
>>         on the kind of relationship the RS and AS have. GNAP should
>>         allow different options here as there are different use cases
>>         for that.
>>
>>         It would probably be worthwhile to separate the portions of
>>         the spec that talk about the RS-AS relationship into its own
>>         standalone document. A similar approach was taken in UMA2 and
>>         it was helpful. (Though admittedly, as with anything, there
>>         are missteps there that we can hopefully learn from.)
>>
>>          — Justin
>>
>>>
>>>         --------------
>>>         Alan Karp
>>>
>>>
>>>         On Wed, Mar 17, 2021 at 8:54 PM Adrian Gropper
>>>         <agropper@healthurl.com <mailto:agropper@healthurl.com>> wrote:
>>>
>>>             Sure!
>>>
>>>             Is there an AS involved in the delegation? How and where
>>>             in the lifecycle of the protected resource?
>>>
>>>             Also your use of "the client" seems to imply that either
>>>             there is only one client or the client doesn't matter.
>>>             Which is it?
>>>
>>>             Adrian
>>>
>>>             On Wed, Mar 17, 2021 at 11:43 PM Fabien Imbault
>>>             <fabien.imbault@gmail.com
>>>             <mailto:fabien.imbault@gmail.com>> wrote:
>>>
>>>                 Thanks for that.
>>>
>>>                 Trying to reframe it:
>>>                 GNAP is defined as a delegation protocol so the main
>>>                 intent is related to a delegate of the RO (i.e. the
>>>                 end user) that wishes to access the RO's protected
>>>                 resources, through the client.
>>>
>>>                 Fabien
>>>
>>>                 Le jeu. 18 mars 2021 à 04:29, Adrian Gropper
>>>                 <agropper@healthurl.com
>>>                 <mailto:agropper@healthurl.com>> a écrit :
>>>
>>>                     At various points in the lifecycle of the
>>>                     protected resource the client at the resource
>>>                     server (RS) might be:
>>>
>>>                       * The RO (subject) user agent trading payment
>>>                         for a service promise
>>>                       * The RO user agent using the promise to
>>>                         access the protected resource
>>>                       * A delegate of the RO user agent using a
>>>                         different client
>>>
>>>                     What's vague is where the GNAP AS enters the
>>>                     picture as described above. How would you
>>>                     describe it?
>>>
>>>                     Adrian
>>>
>>>
>>>                     On Wed, Mar 17, 2021 at 10:20 PM Fabien Imbault
>>>                     <fabien.imbault@gmail.com
>>>                     <mailto:fabien.imbault@gmail.com>> wrote:
>>>
>>>                         Hi Adrian
>>>
>>>                         I'm still confused why you're saying the
>>>                         terminology is vague.
>>>                         I get the "power" neutrality is not to your
>>>                         liking, but RQ / user agent is no better in
>>>                         my view.
>>>
>>>                         Can you elaborate?
>>>
>>>                         Fabien
>>>
>>>                         Le jeu. 18 mars 2021 à 00:18, Adrian Gropper
>>>                         <agropper@healthurl.com
>>>                         <mailto:agropper@healthurl.com>> a écrit :
>>>
>>>                             I'm sure you're right. Our vague
>>>                             terminology around client and end-user
>>>                             leads to my confusion. If GNAP is
>>>                             primarily about delegation then, of
>>>                             course, we should avoid any incentives
>>>                             to impersonate or we're wasting our
>>>                             time. This is partly why I'm trying to
>>>                             study up on capabilities and asking for
>>>                             expert advice from folks like Alan Karp
>>>                             and Mark Miller (cc'd)
>>>
>>>                             As best I can understand it, the RS has
>>>                             only two choices, it can:
>>>
>>>                               * store an attribute of the RO a [DID,
>>>                                 email address, GNAP AS URL], or
>>>                               * hand the RO a capability as a
>>>                                 sort-of promise and avoid making any
>>>                                 entries in an ACL or equivalent.
>>>
>>>                             When a token comes back to the RS, it
>>>                             will either be:
>>>
>>>                               * validated according to something
>>>                                 associated with the stored RO
>>>                                 attribute, or
>>>                               * signed by the RS itself.
>>>
>>>                             Either way, trust in the client seems moot.
>>>
>>>                             Adrian
>>>
>>>
>>>
>>>                             On Wed, Mar 17, 2021 at 5:29 PM Justin
>>>                             Richer <jricher@mit.edu
>>>                             <mailto:jricher@mit.edu>> wrote:
>>>
>>>                                 On Mar 17, 2021, at 4:55 PM, Adrian
>>>                                 Gropper <agropper@healthurl.com
>>>                                 <mailto:agropper@healthurl.com>> wrote:
>>>>
>>>>                                 On Wed, Mar 17, 2021 at 4:23 PM
>>>>                                 Tobias Looker
>>>>                                 <tobias.looker@mattr.global
>>>>                                 <mailto:tobias.looker@mattr.global>>
>>>>                                 wrote:
>>>>
>>>>                                     <snip>
>>>>                                     > A client might not have a DID
>>>>                                     but it could have a VC as a
>>>>                                     certificate of authenticity
>>>>                                     linked to some audit mechanism.
>>>>
>>>>                                     To me a VC would come under the
>>>>                                     assertions umbrella (that is to
>>>>                                     say a VC could be one type of
>>>>                                     valid assertion). The client
>>>>                                     may possess or been presented
>>>>                                     with a VC that it could include
>>>>                                     in its request to the AS as a
>>>>                                     way to identify the subject and
>>>>                                     perhaps prove authentication
>>>>                                     and authorization.
>>>>
>>>>
>>>>                                 I do not assume that the client
>>>>                                 that interacts with the AS to make
>>>>                                 a request and receive a token is
>>>>                                 the same as the client that will
>>>>                                 present the token to the RS. In the
>>>>                                 US HIPAA use-case, for example, the
>>>>                                 root of trust is a contract between
>>>>                                 the patient-subject and the
>>>>                                 doctor-requesting party but the
>>>>                                 doctor workflow is expected to
>>>>                                 delegate the token to some other
>>>>                                 end-user that may be using a
>>>>                                 totally different client such as an
>>>>                                 EHR.
>>>>
>>>
>>>                                 If the client that gets the token is
>>>                                 not same as the client that uses the
>>>                                 token, that is a violation of core
>>>                                 security principles as it allows for
>>>                                 (and really designs for)
>>>                                 impersonation by client software. I
>>>                                 would have no reason to trust client
>>>                                 software that would hand its
>>>                                 credentials over to another piece of
>>>                                 software, and in fact I shouldn’t
>>>                                 trust it.
>>>
>>>                                 I think you may be conflating
>>>                                 several different kinds of parties
>>>                                 under the “client” umbrella here,
>>>                                 though. It’s entirely possible that
>>>                                 one client might call an RS that in
>>>                                 turn acts as a client for something
>>>                                 else down stream. But each of those
>>>                                 hops is different from the last.
>>>
>>>                                  — Justin
>>>
>>
>
>

v2.23.0 | Report a Bug | By Email