[Txauth] XYZ-08 vs XAuth-08
Dick Hardt <dick.hardt@gmail.com> Sun, 07 June 2020 19:28 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33AE33A0854 for <txauth@ietfa.amsl.com>; Sun, 7 Jun 2020 12:28:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S8PLT5tKV7ai for <txauth@ietfa.amsl.com>; Sun, 7 Jun 2020 12:28:08 -0700 (PDT)
Received: from mail-lf1-x142.google.com (mail-lf1-x142.google.com [IPv6:2a00:1450:4864:20::142]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9A093A0853 for <txauth@ietf.org>; Sun, 7 Jun 2020 12:28:07 -0700 (PDT)
Received: by mail-lf1-x142.google.com with SMTP id d7so8883132lfi.12 for <txauth@ietf.org>; Sun, 07 Jun 2020 12:28:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=kCk3SXftkBLihIOoskYM4va5cXf5S8uUaHALe3v+WrM=; b=H598OxEE0LoB96rk6IhBL31Cbw6Hi4pnnruko2nStR4XH80uOntxtcLzwNahT8Wsh+ ug7FH9Rk5AH0wZKJLFlLzCRLE+G0Kuy3lpKIUMcgdT/ujadGuxR14KelcenbnQOxwNTb 37AeVqu8mUfHMOdsC3raKey9tQgrGCxwHcB3F/GSU7/cFG7MrL/Zj1WyBlHEkiW3maUG m/Hbax1lKCw5OAB9A4aT0fKJ3/BADXxZ5AWL0PZj55bPuqwnLFpMMGJ5SRbKCuOQMP3Q 3uLCeTwlAVTkgxQwhWS5+CPMJa6+Og3tGgHLHLb16iJ/S2BTuenet9DxTB4rxSNB0ptn vx+w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=kCk3SXftkBLihIOoskYM4va5cXf5S8uUaHALe3v+WrM=; b=fY9Bz210Ceqjkg/IK1dK2BSvteoJS+3DeuplixZo4fyH+bemKiV9/U4mdVuOvz1Db3 ftTpRCzE1R95F1kIQhVJKjdndTvnxBwUGuhEvdjKo4PU3IwT8KoD4kLtQGj0cBY80PYs UYPCAPAjoFXggeRTzjH5Ii1Pnk8KPv5Fr5963BDHL74Vz3qr7DZZaHc4VzI2dv2sSbpl aAMg9uAKnjaCt4NMAUgrPYViZiwFReiR6MpNtFUZzTRAdbAU2vBh4YkO2SyGJW+LV7CR leSdXaPwUfZy5VFtyN+o4hd7cUcFZWdwy0hcLYFEoKx6t3ScsI3b47B/RY8CNdwEY2RN h4BQ==
X-Gm-Message-State: AOAM533UQOHouPr61JvEvM3+OkOMZpxIlW+MQWGDE0iHPJvw/darp6Ar clw0Etbno8In7LhHYT/NKWTQDUU+peHjufV65IZ8zVk/rxo=
X-Google-Smtp-Source: ABdhPJw6rMiToWf5+mlWDtPbtpL8VcDvB81C7qaS4DDAA1QxZTD68F3f3H6E+28HVhT+JdzoWa8zBNCrGo2dzUGEUzg=
X-Received: by 2002:a19:8453:: with SMTP id g80mr10888737lfd.167.1591558085544; Sun, 07 Jun 2020 12:28:05 -0700 (PDT)
MIME-Version: 1.0
From: Dick Hardt <dick.hardt@gmail.com>
Date: Sun, 07 Jun 2020 12:27:39 -0700
Message-ID: <CAD9ie-uH5Zun_jhiqnoP=Gye19TVyvgqa4b+Z=a3_Y830yqLtg@mail.gmail.com>
To: txauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000540dc505a7837ec3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/oI86jQfDC6PJBXhWjyBelAwTdDo>
Subject: [Txauth] XYZ-08 vs XAuth-08
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Jun 2020 19:28:10 -0000
Hello I have just posed some updates on the XAuth draft: In -07 I added the XYZ features of interaction negotiation, and a Client Handle for dynamic clients. I also updated the name to GNAP, but preserved the draft-hardt-xauth-protocol filename for ease of tracking changes. In -08 I split the doc into: core protocol, advanced features, and JOSE authentication. https://www.ietf.org/id/draft-hardt-xauth-protocol-08.html https://www.ietf.org/id/draft-hardt-gnap-advanced-00.html https://www.ietf.org/id/draft-hardt-gnap-jose-00.html IMHO, the main doc is much more readable. :) *XYZ vs XAuth* The remaining major differences between XYZ and XAuth are areas I have concerns about. (I will continue to use XYZ and XAuth refer to each draft). The concerns are: *1) API in JSON vs URI and HTTP Verb* In XYZ, all calls are to the same endpoint as an HTTP POST. The AS must parse the JSON to determine what to do. XAuth has a RESTful interface. A Grant Request starts at the GS URI, and Grants and Authorizations are returned as URI resources. Creating a Grant is done with a POST, reading a Grant is done with a GET. With URIs and HTTP verbs, A large scale GS can easily implement independent services for each functionality as routing of requests can be done at the HTTP layer based on the URI and HTTP verb. This allows a separation of concerns, independent deployment, and resiliency. *2) Handles for all Clients vs Client ID and Client Handle* In XYZ, both pre-registered clients and dynamic clients use a handle. In XAuth, the Client ID refers to a pre-registered client, and the Client Handle is specific to an instance of a dynamic client. Using separate terms clearly differentiates which identifier is being presented to the GS. This allows a GS to use separate mechanisms for managing pre-registered clients and dynamic clients, an important consideration as there can easily be millions of instances of a single dynamic client. Additionally, developers are already familiar with what a Client ID is for pre-registered clients. *3) Transaction Handles are One Time Use* In XYZ, transaction handles are one time use [1]. In the OAuth WG discussion on one time use refresh tokens, clients are often distributed across components, which complicates one time use references. One time use transaction handles also makes them inconsistent with the display, resource, user, and key handles. *4) New User Identifier* XYZ introduces a new identifier for the user, a User Handle. Unclear why a new type of user identifier is needed, except for the desire to have a handle for everything. *5) Interaction Capabilities vs Modes* In XYZ, the capabilities are expressed by the client, and the GS states which capabilities it will accept. This can make it difficult for the GS to enforce the interaction choices as the client can mix and match which capabilities are returned. For example, a GS may not want to support a redirect without a callback to protect itself from session fixation attacks. In XAuth, the interaction modes provide clarity on the mode of interaction and the security properties. For example the GS may support both user_code and redirect modes, but not the indirect mode which is subject to session fixation attacks. *6) Claims at Top Level vs Namespaced * In XYZ, there is one schema for claims, and they are requested as: "claims": { "subject": true, "email": true } Whereas in XAuth, claims are in their own namespace: "claims": { "oidc": { "id_token" : { "email" : { "essential" : true }, "email_verified" : { "essential" : true } }, "userinfo" : { "name" : { "essential" : true }, "picture" : null } } In this example, the client is requesting OIDC defined claims, the email to be in an ID Token, and the name and picture to be as text. While the XYZ schema may be extended, there are already numerous schemas being used. The XAuth approach is to support existing and new schemas, rather than pick one and/or create another one, and allows a Grant Request to contain claims from multiple schemas at the same time. *7) No Authorization Type* Similar to (6), XYZ has a single schema for how to request access to a resource. While that schema is extensible, it requires adaption from any system with an existing schema. XAuth has a type for each authorization request (oauth2, rar), allowing existing schemas and new schemas to be supported. *Summary* While concerns (3-7) can be addressed in XYZ, (1-2) look fundamental to the XYZ architecture. [1] https://tools.ietf.org/html/draft-richer-transactional-authz-08#section-7 [2] https://w3c.github.io/vc-data-model/ ᐧ
- [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] XYZ-08 vs XAuth-08 Justin Richer
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] XYZ-08 vs XAuth-08 Justin Richer
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] XYZ-08 vs XAuth-08 Justin Richer
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] XYZ-08 vs XAuth-08 Justin Richer
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] adding identity claim schemas (was: … Dick Hardt
- Re: [Txauth] adding identity claim schemas (was: … Mike Jones
- Re: [Txauth] XYZ-08 vs XAuth-08 Justin Richer
- Re: [Txauth] adding identity claim schemas (was: … Justin Richer
- Re: [Txauth] XYZ-08 vs XAuth-08 Benjamin Kaduk
- Re: [Txauth] XYZ-08 vs XAuth-08 Benjamin Kaduk
- Re: [Txauth] XYZ-08 vs XAuth-08 Justin Richer
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] adding identity claim schemas (was: … Dick Hardt
- Re: [Txauth] XYZ-08 vs XAuth-08 Dick Hardt
- Re: [Txauth] adding identity claim schemas (was: … Mike Jones
- Re: [Txauth] adding identity claim schemas (was: … Dick Hardt