Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
Dick Hardt <dick.hardt@gmail.com> Thu, 02 July 2020 18:16 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9DA63A0A9E for <txauth@ietfa.amsl.com>; Thu, 2 Jul 2020 11:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J55_zMY1cjzX for <txauth@ietfa.amsl.com>; Thu, 2 Jul 2020 11:16:05 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A2BDF3A0A96 for <txauth@ietf.org>; Thu, 2 Jul 2020 11:16:04 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id o4so16804495lfi.7 for <txauth@ietf.org>; Thu, 02 Jul 2020 11:16:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XrCOjjWPnSMmHebs4vkenagJUw66jGMcYWwIhWZR48A=; b=E+Z6po/aQTReOtcOWXV6ocZbwiHhIqR/n514mqYoUBiHlHEXPOYSCgV6OX4L5G311q 2PYiOzDUrzOcnoQBsoNSPRysZSrV2tm1uwyo14JX/kEYVovWZgHv/qDy0o0S1u4thHrs VsC91LLapz1uxFCL97LS1hhufUsKALWSw5kd9pU0H2Zt2IxKiud62iYzR6Tk3tOEd/27 4ljwvutEOnKB089jGS2pbyrUXpiCJIScltTGrY1ROTBtm0YlW7XRZ3w/GnyBkboYVaZL xAYxL+DaiUMEPhkmcRfPHNFELePy7fgVVeYZ6z1D1yWcnZ+qnM2izjZIQovik8Uu0rFO oCtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XrCOjjWPnSMmHebs4vkenagJUw66jGMcYWwIhWZR48A=; b=icGIrqR91drz/NNCmKdMKb4S4vXdVwIrM3TUMNzEKvfD3vWFcp0tC/vE14L9cmTt/w VFEuaIHLU0sDu3+JEnIWoLa7UMiCqXf63CecCFgIrbSVH0M02WZtGHpVu6F3IckzsFHn PtdHo2ocHa4LzKzNiArkQTsmiLT84AoJ1J/g3ioydUOp4GhZ+Lb2+CoAoIbdaqAXRs3p 4KvSCWZY4aGd/E03fEVx5Z147bUI6kiQ6bd+7BlsstfiAb1thUYAP0LHDf9+BQ3nyuT0 vc0rlCWLKPS5bT/yfXV2F5vGYIAHAT7dOvZwEcg1eME/84Db2YEro/lovMp/S6HPsQYp LlVw==
X-Gm-Message-State: AOAM531h1VrIJ7n3BjW+TBgA35Q2fqn45GJgBdDwiQdxmaQM57lIG/2/ VVBRqm+9/0N06hCN/eCBw2bn8R3VeCdhA3adOqs=
X-Google-Smtp-Source: ABdhPJwT09oSnyw06U4IX4Njmo7lzgHBJ13raV2POPld7m26MYH1628sksOm8toJJ4JApgcAzlYQB08tVMNw32zYaW0=
X-Received: by 2002:ac2:5093:: with SMTP id f19mr19365726lfm.10.1593713762604; Thu, 02 Jul 2020 11:16:02 -0700 (PDT)
MIME-Version: 1.0
References: <159318778098.29096.6482921706088845432@ietfa.amsl.com> <cdbb228a-1412-e2e2-fe15-852fdd4649ac@free.fr> <CAD9ie-vrMk_D8WSz7h5aAw_FmnBJDkRJyWQeXTTsAP3ofH0iNg@mail.gmail.com> <a21d84cc-02d2-8140-bb4c-e4d6a05d737f@free.fr> <CAD9ie-tswzXQPgn13SMdQYQFfSxiuVu1hCuwsuUT5XbzbhmsKw@mail.gmail.com>
In-Reply-To: <CAD9ie-tswzXQPgn13SMdQYQFfSxiuVu1hCuwsuUT5XbzbhmsKw@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Thu, 02 Jul 2020 11:15:26 -0700
Message-ID: <CAD9ie-vUqskz3-r5eyaJUMHLkbgwndH0_cdKe5SnjaTtYdGfnw@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: txauth@ietf.org, Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b19dce05a979669a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/oTMgU5GliQasSsBn5GpuLrQRZqk>
Subject: Re: [Txauth] WG Review: Grant Negotiation and Authorization Protocol (gnap)
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2020 18:16:08 -0000
(dropping IESG, adding Nat as Denis is quoting him) On Thu, Jul 2, 2020 at 10:59 AM Dick Hardt <dick.hardt@gmail.com> wrote: > Catching up on this email ... comments inserted ... > > On Mon, Jun 29, 2020 at 12:06 AM Denis <denis.ietf@free.fr> wrote: > >> Hello Dick, >> >> Denis, thanks for sharing your thoughts, some clarifications on your >> statements inserted: >> >> On Fri, Jun 26, 2020 at 9:42 AM Denis <denis.ietf@free.fr> wrote: >> <snip> >> >>> *New proposed charter* >>> >>> <snip> >> >>> >>> Resource servers inform their clients about which access token formats >>> are acceptable and depending upon the king of operation >>> that is requested, which kind of attributes are needed and from which >>> ASs that my be obtained. >>> >>> While at times this may be appropriate, at other times disclosing the >> attributes the RS requires is not needed by the client. >> For example, an enterprise client accessing a resource does not need to >> know which groups a user belongs to, >> but the RS may require that to determine if the user running the client >> has access. >> >> As soon as there is a desire to implement privacy by default, the client >> should not provide more attributes than strictly necessary. >> Even after three readings of your example, I failed to understand it. >> >> >>> A major difference with OAuth 2.0 is that there is no bilateral trust >>> relationship between an authorization server and a resource server: >>> for a given category of attributes, a resource server may trust one or >>> more authorization servers. Another major difference with OAuth 2.0. >>> is that the content of an attributes token is meant to be accessible to >>> the client. >>> >>> This is not how OAuth 2.0 works. See slides 7 and 8 from my original >> IETF presentation on what became OAuth 2.0 >> >> https://www.slideshare.net/gueste648b/ietf-77-oauth-wrap-presentation >> >> I looked at the two slides. >> >> Unfortunately slide 7 has just one arrow with the word "trust". This is >> insufficient to understand what is meant unless being present >> at the presentation. Does it mean that the PR (RS) trusts one AS or that >> it may trust multiple ASs ? >> > Unfortunately slide 8 has just one arrow between the PR and the AS which >> is red-crossed but no text at all. This is insufficient to understand >> what is meant unless being present at the presentation. Does it mean that >> the PR and the AS never communicate directly ? >> Does it mean that they have no relationships at all, besides the one way >> trust relationship mentioned in slide 7 ? >> >> So it hard to say whether these two slides are indeed meaning that there >> is no bilateral relationship between an authorization server and a resource >> server. >> > Apologies for not providing an explanation on the slides. > > Slide 7 shows that trust between the AS and PR (now RS) was > unidirectional, from the RS to the AS. > Slide 8 indicates that trust is not bidirectional. > > There is no limit on how many ASs an RS may trust. > > >> On June 12, Nat Sakimura recently answered to an email with the >> following topic: >> >> Re: [OAUTH-WG] Comments on draft-ietf-oauth-jwsreq-22 (The OAuth 2.0 >> Authorization Framework: JWT Secured Authorization Request)) >> >> My arguments were: >> >> The original model for OAuth was making the assumption that the AS >> and the RS had a strong bilateral relationship. >> >> *A key question is whether such strong relationship will be >> maintained for ever *or >> whether it will be allowed to perform some evolutions of this >> relationship. >> >> In order to respect the privacy of the users, there is the need to >> encompass other scenarios. One of these scenarios is that the AS and the RS >> do not need any longer to have such a strong relationship. In terms >> of trust relationships, a RS simply needs to trust the access tokens issued >> by an AS. >> The AS does have any more a "need to know" of all the RSs that are >> accepting its access tokens. This would be a major simplification of the >> current global architecture. >> >> Nat's position was: >> >> "My take is that the basic assumption of OAuth 2.0 Framework is that >> there is a strong relationship between AS and RS. >> I feel that it is quite unrealistic that an RS would trust the access >> token issued by an AS that it has no strong relationship with". >> >> There are indeed different positions on this topic. >> > > I don't think Nat and I have different opinions, but I will let Nat > clarify. > Just because there is a strong relationship between the AS and RS, does > not mean it is bidirectional. I would understand > > "I feel that it is quite unrealistic that an RS would trust the access > token issued by an AS that it has no strong relationship with" > > to indicate Nat is expecting the trust to be from the RS to the AS. > > > >> >> The AS may not even know who the RS (or PR in the slides) is. >> >> <snip> >> >>> >>> I got rid of the word "delegation": the client does not delegate >>> anything to an authorization server. If it would, this would mean that the >>> authorization server >>> would be able to act as the client and could know everything that the >>> client will do, which comes into contradiction with the user's privacy. >>> >> >> The above is not true. >> >> The Resource Owner is delegating access control to the AS in >> authorization use cases. >> >> The OAuth 2.0 model does not mandate any more the presence of a Resource >> Owner. >> > > Why do you say that? The RO is who owns the RS. Your statement does not > make sense. > > >> >> The client is may be delegating user authentication to the AS in identity >> claim use cases. >> >> Delegating user authentication to the AS is different from delegating >> access control to the AS. >> > > Agreed. Your statement was there was no delegation. I'm explaining there > are potentially two delegations. > >> >> The AS can act as the client in many OAuth deployments, as the access >> token is a bearer token. >> >> A bearer token is rather insecure. >> > Cookies are also bearer tokens. But we use them all the time in web apps > for storing session state and prior authentication! :) > > > >> That does not mean the AS knows what the client is doing. >> >> There are currently two attempts in the OAuth WG to let know to the AS >> what the client is doing: >> >> - draft-ietf-oauth-jwsreq-22 (The OAuth 2.0 Authorization >> Framework: JWT Secured Authorization Request) >> - draft-ietf-oauth-rar-01 (OAuth 2.0 Rich Authorization >> Requests) >> >> Those are optional, and in some situations are a desired property. > > /Dick > >
- [Txauth] WG Review: Grant Negotiation and Authori… The IESG
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Mike Varley
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Dick Hardt
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Roman Danyliw
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Denis
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Tom Jones
- Re: [Txauth] WG Review: Grant Negotiation and Aut… Justin Richer